OpenSSL
三个组建:
openssl : 多用途的命令行工具,包openssl
libcrypto : 加密算法库,包openssl-libs
libssl : 加密模块应用库,实现了ssl及tls,包nss
OpenSSL开源项目:
两种运行模式:交互模式和批处理模式
enc命令:
帮助:man enc
加密:
openssl enc -e -des3 -a -salt -in testfile -out testfile.cipher
解密:
openssl enc -d -des3 -a -salt –in testfile.cipher -out testfile
openssl ?
单向加密工具:
md5sum
sha1sum
sha224sum
sha256sum
openssl dgst
dgst命令:
# 帮助
man dgst
openssl dgst -md5 [-hex默认] /PATH/SOMEFILE
openssl dgst -md5 testfile
md5sum /PATH/TO/SOMEFILE
MAC : Message Authenticatiom Code
单向加密的一种延伸应用,用于实现网络通讯中保证所传输数据的完整性机制
CBC-MAC
HMAC:使用md5或sha1算法
base64编码原理:不加密
openssl rand -base65 10
6和8的公倍数,3的公倍数就不会因为补充而有 =
Base64是一种任意二进制到文本字符串的编码方法,常用于在URL、Cookie、网页中传输少量二进制数据。
Openssl命令:
# 生成私钥
openssl genrsa -out /PATH/TO/PRIVATEKEY.FILE NUM_BITS
(umask 077; openssl genrsa –out test.key –des 2048)
openssl rsa -in test.key –out test2.key # 将加密key解密
# 从私钥中提取出公钥
openssl rsa -in PRIVATEKEYFILE –pubout –out PUBLICKEYFILE
openssl rsa –in test.key –pubout –out test.key.pub
公钥隐藏在私钥中
随机数生成器:伪随机数字
键盘和鼠标、块设备中断
/dev/random
# 仅从熵池返回随机数;随机数用尽,阻塞
/dev/urandom
# 从熵池返回随机数;随机数用尽,会利用软件生成伪随机数,非阻塞
建立CA
OpenCA
openssl
证书申请及签署步骤:
- 生成申请请求
- RA核验 :RA注册机构,收集注册申请
- CA签署
- 获取证书
常见CA和申请证书:
####################################################################
[ CA_default ]
dir = /etc/pki/CA # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
#unique_subject = no # Set to 'no' to allow creation of
# several ctificates with same subject.
new_certs_dir = $dir/newcerts # default place for new certs.
certificate = $dir/cacert.pem # The CA certificate
serial = $dir/serial # The current serial number
crlnumber = $dir/crlnumber # the current crl number
# must be commented out to leave a V1 CRL
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/cakey.pem# The private key
RANDFILE = $dir/private/.rand # private random number file