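1. Briefly describe common encryption algorithms and how they work, preferably with diagrams
OpenSSL consists of three parts:
libcrypto library
libssl library
openssl multi-purpose command-line tool
Encryption algorithms and protocols:
Symmetric encryption: the same key is used for encryption and decryption;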
DES:Data Encryption Standard;
3DES:Triple DES;
AES:Advanced Encryption Standard; (128bits, 192bits, 256bits, 384bits)
Blowfish
Twofish
IDEA
RC6
CAST5
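Characteristics:
1. Encryption and decryption use the same key;
2. The original data is split into fixed-size blocks that are encrypted one at a time;
Drawbacks:
1. Too many keys;
2. Key distribution is difficult;
Public-key encryption: keys come in pairs, a public key and a private key
Public key: extracted from the private key; can be published to everyone; pubkey
Private key: created with a tool and kept by its owner; its secrecy must be guaranteed; secret key;
Characteristic: data encrypted with the public key can only be decrypted with the matching private key, and vice versa;
Uses:
Digital signature: mainly lets the receiver confirm the sender's identity;
Key exchange: the sender encrypts a symmetric key with the peer's public key and sends it to the peer;
Data encryption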
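In general, one encrypted communication proceeds as follows:
Sender:
1. Use a one-way encryption algorithm to extract the digest (fingerprint) of the data;
2. Encrypt the digest with the sender's own private key and append it to the data;
3. Generate a temporary key for symmetric encryption;
4. Use this symmetric key to encrypt the data together with the private-key-encrypted digest;
5. Encrypt the symmetric key with the receiver's public key and append it after the symmetrically encrypted data;
Receiver:
1. Use its own private key to decrypt the encrypted symmetric (temporary) key, obtaining the symmetric key;
2. Use the symmetric key to decrypt the symmetrically encrypted data and the private-key-encrypted digest, obtaining the data and the digest ciphertext;
3. Use the sender's public key to decrypt the digest ciphertext, obtaining the digest the sender computed;
4. Compute the digest of the data with the same one-way encryption algorithm as the sender and compare it with the decrypted digest;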
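The sender and receiver steps above, carried through end to end as an added Python example (not from the original page). The key pairs are constructed textbook-RSA toys built from Mersenne primes, and the symmetric cipher is a SHA-256 keystream standing in for AES; both are assumptions that keep the example inside the standard library, whereas real systems use padded RSA and a vetted authenticated cipher.

```python
import hashlib
import secrets

def toy_rsa_key(a, b, e=65537):
    # Constructed textbook-RSA key from the Mersenne primes 2**a-1 and 2**b-1.
    # No padding and trivially factorable: for illustration only.
    p, q = 2**a - 1, 2**b - 1
    n = p * q
    return {"n": n, "e": e, "d": pow(e, -1, (p - 1) * (q - 1)),
            "size": (n.bit_length() + 7) // 8}

def stream_xor(key, data):
    # Stand-in symmetric cipher: XOR with a SHA-256 counter keystream.
    # The same call encrypts and decrypts.
    blocks = range(len(data) // 32 + 1)
    ks = b"".join(hashlib.sha256(key + i.to_bytes(8, "big")).digest() for i in blocks)
    return bytes(x ^ y for x, y in zip(data, ks))

def send(data, sender, receiver):
    digest = int.from_bytes(hashlib.sha256(data).digest(), "big")    # 1. digest
    sig = pow(digest, sender["d"], sender["n"])                       # 2. sender's private key
    session_key = secrets.token_bytes(32)                             # 3. temporary key
    body = stream_xor(session_key,
                      data + sig.to_bytes(sender["size"], "big"))     # 4. data + signed digest
    wrapped = pow(int.from_bytes(session_key, "big"),
                  receiver["e"], receiver["n"])                       # 5. receiver's public key
    return body, wrapped

def receive(body, wrapped, receiver, sender):
    session_key = pow(wrapped, receiver["d"], receiver["n"]).to_bytes(32, "big")  # 1.
    plain = stream_xor(session_key, body)                             # 2.
    data, sig = plain[:-sender["size"]], plain[-sender["size"]:]
    recovered = pow(int.from_bytes(sig, "big"), sender["e"], sender["n"])  # 3.
    expected = int.from_bytes(hashlib.sha256(data).digest(), "big")   # 4. recompute, compare
    if recovered != expected:
        raise ValueError("digest mismatch: data or signature was altered")
    return data

ALICE = toy_rsa_key(521, 607)     # sender key pair (constructed)
BOB = toy_rsa_key(127, 1279)      # receiver key pair (constructed)
```

send() only reads the receiver's n and e, and receive() only reads the sender's n and e, so each side needs nothing but the other's public key.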
Algorithms: RSA, DSA, ElGamal
DSS: Digital Signature Standard
DSA:Digital Signature Algorithm
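One-way encryption (hashing): can only encrypt, cannot decrypt; its main purpose is to extract a digest of the data, also called a fingerprint.
Properties of one-way encryption:
(1) Fixed-length output: no matter how large the original data is, the result always has the same length;
(2) Avalanche effect: a tiny change in the original data causes a huge change in the result
(3) Irreversible
Functions of one-way encryption:
(1) Data integrity
(2) System account password verification
Algorithms: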
md5:Message Digest 5, 128bits
sha1:Secure Hash Algorithm 1, 160bits
sha224, sha256, sha384, sha512
Common tools:
md5sum | sha1sum [ --check ] file
openssl, gpg
rpm -V
Key exchange: IKE (Internet Key Exchange)
Public-key encryption
DH (Diffie-Hellman)
A:p, g
B:p, g
A: x
--> p^x%g ==> B
A: (p^y%g)^x=p^yx%g
B: y
--> p^y%g ==> A
B: (p^x%g)^y=p^xy%g
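The exchange above as an added Python example (not from the original page). In the page's notation p is the base and g the modulus; here they are named BASE and MODULUS, and the toy values 3 and 2**521 - 1 are assumptions for illustration, as are the range check on the peer's value and the SHA-256 step that turns the shared number into a key.

```python
import hashlib
import secrets

# Constructed toy group (assumption): real deployments use standardised
# groups or elliptic curves.
MODULUS = 2**521 - 1
BASE = 3

def keypair():
    # Private exponent (the page's x or y) and the public value sent to the peer.
    private = secrets.randbelow(MODULUS - 3) + 2          # 2 .. MODULUS-2
    return private, pow(BASE, private, MODULUS)

def shared_key(private, peer_public):
    # Reject degenerate public values (0, 1, MODULUS-1, ...) that would force
    # the shared secret into a predictable value.
    if not 2 <= peer_public <= MODULUS - 2:
        raise ValueError("invalid peer public value")
    secret = pow(peer_public, private, MODULUS)           # (BASE^y)^x = BASE^(xy)
    return hashlib.sha256(secret.to_bytes(66, "big")).digest()

def exchange():
    x, a_public = keypair()      # A keeps x and sends a_public to B
    y, b_public = keypair()      # B keeps y and sends b_public to A
    return shared_key(x, b_public), shared_key(y, a_public)
```

The exchange authenticates neither side, which is why protocols such as IKE and TLS combine it with signatures or certificates.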
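PKI: Public Key Infrastructure
Public key infrastructure:
Certificate authority: CA
Registration authority: RA
Certificate revocation list: CRL
Certificate repository:
X.509v3: defines the structure of certificates and the authentication protocol standard
Components of a certificate:
Version
Serial number
Signature algorithm ID
Issuer name
Validity period
Subject name
Subject public key
Issuer unique identifier (the CA's unique identifier)
Subject unique identifier
Extensions
Issuer's signature: the information above encrypted with the issuer's private key, serving as the certificate issuer's signature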
SSL: Secure Socket Layer
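SSL (Secure Sockets Layer) and its successor, Transport Layer Security (TLS), are security protocols that provide security and data integrity for network communication. TLS and SSL encrypt network connections at the transport layer.
1995: SSL 2.0, Netscape
1996: SSL 3.0
1999: TLS 1.0
2006: TLS 1.1, RFC (Request For Comments) 4346
2008: TLS 1.2, currently in use
2015: TLS 1.3
The SSL protocol sits between TCP/IP and the various application-layer protocols and provides security support for data communication. The SSL protocol can be divided into two layers:
SSL Record Protocol: built on top of a reliable transport protocol (such as TCP), it provides basic functions such as data encapsulation, compression and encryption for higher-layer protocols.
SSL Handshake Protocol: built on top of the SSL Record Protocol, it is used by the two parties to authenticate each other, negotiate encryption algorithms and exchange encryption keys before the actual data transfer begins.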
2. Set up Apache or nginx and serve HTTPS with a self-signed certificate; choose your own domain name for the certificate
[root@localhost ~]# mkdir /etc/httpd/ssl
[root@localhost ~]# cd /etc/httpd/
[root@localhost httpd]# ls
conf conf.d conf.modules.d logs modules run ssl
[root@localhost httpd]# cd ssl/
Generate the private key:
[root@localhost ssl]# (umask 077; openssl genrsa -out /etc/httpd/ssl/httpd.key 2048)
Generating RSA private key, 2048 bit long modulus
.....................................................................................+++
..............................+++
e is 65537 (0x10001)
[root@localhost ssl]# openssl req -new -key /etc/httpd/ssl/httpd.key -out /etc/httpd/ssl/httpd.csr -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Beijing
Locality Name (eg, city) [Default City]:Beijing
Organization Name (eg, company) [Default Company Ltd]:Magedu
Organizational Unit Name (eg, section) []:Ops
Common Name (eg, your name or your server's hostname) []:www.magedu.com
Email Address []:admin@magedu.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:wjh
[root@localhost ssl]# ls
httpd.csr httpd.key
[root@localhost ssl]# cat httpd.csr
[root@localhost ssl]# scp httpd.csr root@192.168.170.9:/tmp/
root@192.168.170.9's password:
httpd.csr 100% 1115 39.7KB/s 00:00
[root@localhost ssl]# pwd
/etc/httpd/ssl
[root@localhost ssl]# cd ..
[root@localhost httpd]# ls
conf conf.d conf.modules.d logs modules run ssl
[root@localhost httpd]# cd ssl/
[root@localhost ssl]# ls
http.crt httpd.csr httpd.key
[root@localhost ssl]# openssl x509 -in http.crt -noout -serial -subject
serial=01
subject= /C=CN/ST=Beijing/O=Magedu/OU=Ops/CN=www.magedu\xC3\xA3\xC3\xA3.com/emailAddress=admin@magedu.com
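Deploying DNS master and slave servers
As critical Internet infrastructure, it is essential to keep the DNS resolution service running properly; only then can it provide stable, fast and uninterrupted name lookups. In DNS, a slave server can obtain the specified zone data files from the master server, which provides both a backup of the resolution records and load balancing; deploying slave servers therefore reduces the load on the master and can also improve lookup efficiency for users.
The operating systems and IP addresses used by the master and slave servers in this lab:
Host             Operating system    IP address
master server    RHEL 7              192.168.170.8
slave server     RHEL 7              192.168.170.9
First install the Bind service on both servers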
[root@Master ~]# yum -y install bind
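Main configuration file (/etc/named.conf): these parameters define how the bind service runs.
Zone configuration file (/etc/named.rfc1912.zones): records where the mappings between domain names and IP addresses are stored.
Data file directory (/var/named): this directory holds the data files with the actual mappings between domain names and IP addresses.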
[root@Master ~]# vim /etc/named.conf
options {
listen-on port 53 { any; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { any; };
recursion yes;
dnssec-enable no;
dnssec-validation no;
dnssec-lookaside no;
...
};
Step 1: In the master server's zone configuration file, allow update requests from the slave server.
[root@Master ~]# vim /etc/named.rfc1912.zones
zone "test.com" IN {
    type master;
    file "test.com.zone";
    allow-update { 192.168.170.9; }; # host address allowed to update the zone data
};
zone "170.168.192.in-addr.arpa" IN {
    type master;
    file "192.168.170.zone";
    allow-update { 192.168.170.9; };
};
[root@Master named]# vim test.com.zone
$TTL 1D
@       IN SOA  test.com. root.test.com. (
                ; start of authority; DNS zone address; domain administrator's mailbox
                0       ; serial: update serial number
                1D      ; refresh: refresh interval
                1H      ; retry: retry delay
                1W      ; expire: expiry time
                3H )    ; minimum: cache time for negative answers
        NS      ns.test.com.        ; name server record
ns      IN A    192.168.170.8       ; address record (ns.test.com.)
        IN MX 8 mail.test.com.      ; mail exchanger record
mail    IN A    192.168.170.8       ; address record (mail.test.com.)
www     IN A    192.168.170.8       ; address record (www.test.com.)
bbs     IN A    192.168.170.9       ; address record (bbs.test.com.)
[root@Master ~]# chgrp named /var/named/test.com.zone
[root@Master ~]# chmod o= /var/named/test.com.zone
[root@Master named]# named-checkzone test.com /var/named/test.com.zone
[root@Master named]# named-checkconf
[root@Master named]# systemctl restart named
Test forward resolution:
[root@test ~]#vi /etc/sysconfig/network-scripts/ifcfg-ens192
Add the IP addresses of the master and slave DNS servers
DNS1="192.168.170.8"
DNS2="192.168.170.9"
[root@test named]# yum -y install bind-utils //install the bind client utilities
[root@test ~]# nslookup www.test.com
Server: 192.168.170.8
Address: 192.168.170.8#53
Name: www.test.com
Address: 192.168.170.8
[root@Master named]# vim 192.168.170.zone
$TTL 1D
@       IN SOA  test.com. root.test.com. (
                0       ; serial
                1D      ; refresh
                1H      ; retry
                1W      ; expire
                3H )    ; minimum
        NS      ns.test.com.
ns      A       192.168.170.8
8       PTR     ns.test.com.        ; PTR is a pointer record, used only for reverse resolution.
8       PTR     mail.test.com.
8       PTR     www.test.com.
9       PTR     bbs.test.com.
[root@Master named]# chgrp named /var/named/192.168.170.zone
[root@Master named]# chmod o= /var/named/192.168.170.zone
[root@Master named]# named-checkzone 192.168.170.in-addr.arpa /var/named/192.168.170.zone
[root@Master named]# named-checkconf
[root@Master named]# systemctl restart named
Test reverse resolution:
[root@test named]# nslookup 192.168.170.9
Server: 192.168.170.9
Address: 192.168.170.9#53
9.170.168.192.in-addr.arpa name = bbs.test.com.
Step 2: On the slave server, fill in the master server's IP address and the zones to fetch, then restart the service.
[root@Slave ~]#vi /etc/sysconfig/network-scripts/ifcfg-ens192
Add the master and slave DNS IP addresses
DNS1="192.168.170.8"
DNS2="192.168.170.9"
[root@Slave ~]# yum -y install bind
[root@Slave ~]# vim /etc/named.conf
options {
listen-on port 53 { any; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { any; };
recursion yes;
dnssec-enable no;
dnssec-validation no;
dnssec-lookaside no;
...
};
[root@Slave ~]# vim /etc/named.rfc1912.zones
zone "test.com" IN {
type slave;
masters { 192.168.170.8; };
file "slaves/test.com.zone";
};
zone "170.168.192.in-addr.arpa" IN {
type slave;
masters { 192.168.170.8; };
file "slaves/192.168.170.arpa";
};
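Step 3: Verify the resolution results. After the DNS service on the slave server restarts, it has normally already synchronised the zone data files from the master server automatically, and by default the files are placed in the directory defined in the zone configuration file.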
[root@Slave ~]# cd /var/named/slaves
[root@Slave slaves]# ls
192.168.8.arpa test.com.zone
[root@test slaves]# nslookup
> www.test.com
Server: 192.168.170.9
Address: 192.168.170.9#53
Name: www.test.com
Address: 192.168.170.8
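A check worth running before exposing the master configured in steps 1 to 3, as an added Python example (not from the original page and not a BIND tool). A slave pulls zones by zone transfer, which allow-transfer governs, while allow-update governs dynamic updates; the audit below flags that and the resolver settings shown on this page. WEAK is a constructed condensation of the page's settings, and HARDENED is one possible corrected variant (an assumption).

```python
import re

# Constructed sample: the master's settings from this page, condensed.
WEAK = '''options {
    allow-query { any; };
    recursion yes;
    dnssec-validation no;
};
zone "test.com" IN {
    type master;
    file "test.com.zone";
    allow-update { 192.168.170.9; };
};'''
# One possible hardened variant (assumption, not from the page).
HARDENED = (WEAK
    .replace("recursion yes;", "recursion yes; allow-recursion { localnets; };")
    .replace("dnssec-validation no;", "dnssec-validation yes;")
    .replace("allow-update { 192.168.170.9; };",
             "allow-update { none; }; allow-transfer { 192.168.170.9; };"))

def blocks(conf, keyword):
    # (name, body) of each 'options { ... };' or 'zone "name" ... { ... };' block.
    pat = r'\b%s\b\s*(?:"([^"]*)")?[^{;]*\{((?:[^{}]|\{[^{}]*\})*)\}\s*;' % keyword
    return [(m.group(1), m.group(2)) for m in re.finditer(pat, conf)]

def clause(body, name):
    # Value of '<name> <value>;' inside a block, or None when the clause is absent.
    m = re.search(r'(?<![\w-])%s\s+(\{[^{}]*\}|[^;{]*)\s*;' % re.escape(name), body)
    return m.group(1).strip() if m else None

def audit(conf):
    findings = []
    opts = "".join(body for _, body in blocks(conf, "options"))
    # With allow-recursion and allow-query-cache unset, BIND falls back to allow-query.
    unrestricted = not (clause(opts, "allow-recursion") or clause(opts, "allow-query-cache"))
    if clause(opts, "recursion") == "yes" and unrestricted \
            and "any" in (clause(opts, "allow-query") or ""):
        findings.append("options: recursion open to any client")
    if clause(opts, "dnssec-validation") == "no":
        findings.append("options: DNSSEC validation disabled")
    for name, body in blocks(conf, "zone"):
        if clause(body, "type") != "master":
            continue
        if re.search(r"\d+\.\d+\.\d+\.\d+", clause(body, "allow-update") or ""):
            findings.append(f"zone {name}: dynamic updates authorised by IP address alone")
        if not (clause(body, "allow-transfer") or clause(opts, "allow-transfer")):
            findings.append(f"zone {name}: zone transfers not restricted")
    return findings
```

audit(WEAK) reports four findings and audit(HARDENED) reports none; the slave still synchronises in the hardened variant because it is listed in allow-transfer.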
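5. Implementing smart DNS
To implement smart DNS resolution on a DNS server, you first need to understand the concept of a view: a view answers queries coming from different IP address ranges with different DNS data. To configure two different IP address ranges, for example, you must define those ranges explicitly so that the views can take effect. Note that once views are used, all zones must be defined inside views.
Here I use 192.168.0.189/32 to represent the telecom network and 192.168.0.190/32 to represent the unicom network for a simulated test:
Modify named.conf on the DNS master server from the previous example: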
acl "telecom"{
192.168.170.8;
};
acl "unicom"{
192.168.170.9;
};
options{
...
};
logging{
...
};
view telecom {
match-clients { telecom;};
zone "." IN {
type hint;
file "named.ca";
};
zone "charlie.com" IN {
type master;
file "charlie.com.zone.telecom";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
};
view unicom {
match-clients { unicom;};
zone "." IN {
type hint;
file "named.ca";
};
zone "charlie.com" IN {
type master;
file "charlie.com.zone.unicom";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
};
view others {
match-clients { any;};
zone "." IN {
type hint;
file "named.ca";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
};
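How named picks a view for a client, as an added Python model (not BIND code and not from the original page). named walks the views in the order they are written and uses the first whose match-clients matches, so the catch-all view must come last; the ACLs and view order below mirror the configuration above, the record tables are the www and blog addresses from the two charlie.com zone files on this page, and the function names are hypothetical.

```python
import ipaddress

# ACLs and view order as in the named.conf above ("any" is BIND's built-in ACL).
ACLS = {"telecom": ["192.168.170.8"], "unicom": ["192.168.170.9"], "any": ["0.0.0.0/0"]}
VIEWS = [  # (view name, match-clients ACL, charlie.com records served by that view)
    ("telecom", "telecom", {"www.charlie.com": "1.1.1.1", "blog.charlie.com": "1.1.1.2"}),
    ("unicom", "unicom", {"www.charlie.com": "2.2.2.1", "blog.charlie.com": "2.2.2.2"}),
    ("others", "any", {}),
]

def select_view(client, views=VIEWS):
    # First matching view wins; later views are never consulted.
    addr = ipaddress.ip_address(client)
    for name, acl, records in views:
        if any(addr in ipaddress.ip_network(net) for net in ACLS[acl]):
            return name, records
    return None, {}

def resolve(client, qname, views=VIEWS):
    name, records = select_view(client, views)
    return name, records.get(qname)      # None: this view holds no charlie.com data

def shadowed(views=VIEWS):
    # Views that can never be selected because a network in an earlier view
    # already contains each of their networks.
    dead = []
    for i, (name, acl, _) in enumerate(views):
        nets = [ipaddress.ip_network(n) for n in ACLS[acl]]
        earlier = [ipaddress.ip_network(n) for _, a, _ in views[:i] for n in ACLS[a]]
        if all(any(n.subnet_of(e) for e in earlier) for n in nets):
            dead.append(name)
    return dead
```

Running shadowed() over a proposed view order before reloading named catches the case where a broad ACL placed first silently hides every view after it.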
Create charlie.com.zone.telecom:
[root@Master ~]# vim /var/named/charlie.com.zone.telecom
$TTL 3600
@       IN SOA  ns.charlie.com. admin.charlie.com. (
                00
                1D
                1H
                1W
                3H )
        IN NS   ns.charlie.com.
ns      IN A    192.168.170.8
        IN MX 8 mx.charlie.com.
mx      IN A    192.168.170.8
www     IN A    1.1.1.1
blog    IN A    1.1.1.2
Create charlie.com.zone.unicom:
[root@Master ~]# vim /var/named/charlie.com.zone.unicom
$TTL 3600
@       IN SOA  ns.charlie.com. admin.charlie.com. (
                00
                1D
                1H
                1W
                3H )
        IN NS   ns.charlie.com.
ns      IN A    192.168.170.8
        IN MX 8 mx.charlie.com.
mx      IN A    192.168.170.8
www     IN A    2.2.2.1
blog    IN A    2.2.2.2
Check the corresponding configuration files:
[root@Master ~]# named-checkconf /etc/named.conf
[root@Master ~]# named-checkzone charlie.com /var/named/charlie.com.zone.telecom
zone charlie.com/IN: loaded serial 0
OK
[root@Master ~]# named-checkzone charlie.com /var/named/charlie.com.zone.unicom
zone charlie.com/IN: loaded serial 0
OK
Restart or reload the named service:
[root@Master ~]# systemctl restart named
Verify the resolution results on the slave server 192.168.0.189:
[root@slave1 ~]# nslookup
> server 192.168.170.8
Default server: 192.168.170.8
Address: 192.168.170.8#53
> set q=A
> www.charlie.com
Server: 192.168.170.8
Address: 192.168.170.8#53
Name: www.charlie.com
Address: 1.1.1.1 #correctly resolves to the designated telecom IP;
> blog.charlie.com
Server: 192.168.170.8
Address: 192.168.170.8#53
Name: blog.charlie.com
Address: 1.1.1.2 #correctly resolves to the designated telecom IP;
> ns1.magedu.com
Server: 192.168.170.8
Address: 192.168.170.8#53
Name: ns1.magedu.com
Address: 192.168.170.8
Verify the resolution results on the slave server 192.168.170.9:
[root@slave2 ~]# nslookup
> server 192.168.170.8
Default server: 192.168.170.8
Address: 192.168.170.8#53
> set q=A
> www.charlie.com
Server: 192.168.170.8
Address: 192.168.170.8#53
Name: www.charlie.com
Address: 2.2.2.1 #correctly resolves to the designated unicom IP;
> blog.charlie.com
Server: 192.168.170.8
Address: 192.168.170.8#53
Name: blog.charlie.com
Address: 2.2.2.2 #correctly resolves to the designated unicom IP;
> ns1.magedu.com
Server: 192.168.170.8
Address: 192.168.170.8#53
Name: ns1.magedu.com
Address: 192.168.170.8
>