中间人攻击:
1.篡改 算法消息验证算法 消息验证码 MD5 哈西算法
2.窃听 加密1.对称加密2.非对称加密 2把密钥 公钥加密 私钥解密 成对出现
3.欺骗伪装 身份验证 数字签名 证书 根级验证 数字签名:证实身份的过程 就是验证 真假和标识 实际就是 非对称加密反着:用 公钥解密 私钥加密
用公钥和标识组成的证书请求文件去找CA验证 ca的密钥 私钥对证书求文件加密 加密的文件就叫证书 将证书给B这个工程就叫数字签名 A有CA的公钥 当B将证书给A A用CA的公钥将证书解密
查看的标识 与B一致 要公钥 私钥加密
4.中断 备份
密码学/中间人攻击
数据机密性-----------加密----------避免窃听
数据完整性-----------消息验证码-------防止篡改
数据的不可否认性--------验证/数字签名-----伪装
tcpdump -i eth0 -vnn host 192.168.0.5 and port 23 -w /tmp/telnet.tcpdump 保存到那个文件 抓包
yum install wireshark(图形显示抓包)
yum install wireshark-gnome
wireshark network analyzer-->打开telnet.tcpdump-->找到telnet右键选择follow tcp stream
加密:
1.对称算法 DES 标准加密算法 3DES AES(标准高级加密算法 )
特点:加密解密同一把密钥 适合高效的加密大量的信息
一把钥匙开个门
2.非对称加密算法 RSA(数字签名) DSA 非对称加密
一对密钥 一把公钥 一把私钥
公钥加密 私钥解密
加密少量的信息,更加安全 ,但是效率相对底
两把钥匙 开1个门
sed 'y(一一对应字符)/abc.........:/jkl.....*' /etc/passwd
\-----------------/
密钥
\-------------------/
算法
算法固定 密钥不同 密文不一样
算法公开的情况下,密钥不一样,密文也是不一样的
命令:openssl对称加密
gpg 非对称加密
........
加密:
openssl -enc(表示加密)--help
openssl enc -e(加密) -des3(算法) -a -in /etc/passwd -out(保存到) /var/ftp/pg/passwd.des3
[root@localhost ~]# openssl enc -e -des3 -a -in /etc/passwd -out /var/ftp/pg/passwd.des3
enter des-ede3-cbc encryption password:1234
Verifying - enter des-ede3-cbc encryption password:1234
reset重置
in
解密
openssl enc -d(解密) -a -des3 - in /linux123/1207/passwd.des3
[root@localhost ~]# openssl enc -d -a -des3 -in /var/ftp/pg/passwd.des3
密钥:
[root@localhost ~]# cat /key.txt12
如何把密钥安全地传给对方???
b用公钥给密钥加密 将加密国的密钥传给C C用自己的私钥解密
例如:
如何把密钥安全地传给对方???192。168。0。5
1.192。168。0。5:
生成一对密钥把公钥给192.168.0.253 非对称加密
2.把公钥给192.168.0.253
[root@5 .gnupg]# scp pubring.gpg 192.168.0.253:/tmp/
root@192.168.0.253's password:
pub 100% 923 0.9KB/s 00:00
3.192.168.0.253
用0.5的公钥加密 key.txt文件.然后传给0.5
4.192.168.0.5
用自己的私钥解密
公钥
0.5(生成一对密钥)--------->253(加密密钥)
0.5(0.5用自己的私钥解密)<-----将加密的密钥文件
1.192.68.0.5
生成一对密钥把公钥给192.168.0.253 非对称加密
在ssh的应用
ssh-keygen
ssh-copy-id -i /root/.ssh/id_rsa.pub user@192.168.1.88
scp /root/.ssh/id_rsa.pub 192.168.1.254:/root/.ssh/authorized_keys
[root@5 ~]# gpg --gen-key
gpg (GnuPG) 1.4.5; Copyright (C) 2006 Free Software Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. See the file COPYING for details.
gpg: directory `/root/.gnupg' created
gpg: new configuration file `/root/.gnupg/gpg.conf' created
gpg: WARNING: options in `/root/.gnupg/gpg.conf' are not yet active during this run
gpg: keyring `/root/.gnupg/secring.gpg' created
gpg: keyring `/root/.gnupg/pubring.gpg' created
Please select what kind of key you want: //请选择您要使用的密钥种类:
(1) DSA and Elgamal (default) //(1) DSA 和 ElGamal (默认)
(2) DSA (sign only) // DSA (仅用于签名)
(5) RSA (sign only) //RSA (仅用于签名)
Your selection? 1//您的选择?
DSA keypair will have 1024 bits.//DSA 密钥对会有 1024 位
ELG-E keys may be between 1024 and 4096 bits long.//ELG-E 密钥长度应在 1024 位与 4096 位之间。
What keysize do you want? (2048) 1024 //您想要用多大的密钥尺寸?(2048)
Requested keysize is 1024 bits//您所要求的密钥尺寸是 1024 位
Please specify how long the key should be valid.//请设定这把密钥的有效期限
0 = key does not expire // 0 = 密钥永不过期
<n> = key expires in n days //密钥在 n 天后过期
<n>w = key expires in n weeks //密钥在 n 周后过期
<n>m = key expires in n months//密钥在 n 月后过期
<n>y = key expires in n years //密钥在 n 年后过期
Key is valid for? (0) 5//密钥的有效期限是?5天过期
Key expires at Sat 11 Dec 2010 10:41:37 AM PST //密钥于 2010年12月12日 星期日 11时10分38秒 CST 过期
Is this correct? (y/N) y //以上正确吗?(y/n)
You need a user ID to identify your key; the software constructs the user ID//您需要一个用户标识来辨识您的密钥;本软件会用真实姓名、注释和电子邮件地址组合
from the Real Name, Comment and Email Address in this form: //成用户标识,如下所示:
"Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"
Real name: client1 //真实姓名
Email address: client1@client.com //电子邮件地址:
Comment: 1111 注释
You selected this USER-ID: 您选定了这个用户标识
"client1 (1111) <client1@client.com>"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O //更改姓名(N)、注释(C)、电子邮件地址(E)或确定(O)/退出(Q)
You need a Passphrase to protect your secret key.//您需要一个密码来保护您的私钥 123456
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
我们需要生成大量的随机字节。这个时候您可以多做些琐事(像是敲打键盘、移动
鼠标、读写硬盘之类的),这会让随机数字发生器有更好的机会获得足够的熵数。
+++++.+++++++++++++++++++++++++++++++++++.+++++..+++++.+++++.+++++.+++++++++++++++++++++++++.+++++++++++++++.++++++++++++++++++++++++++++++.++++++++++
Not enough random bytes available. Please do some other work to give
the OS a chance to collect more entropy! (Need 284 more bytes)
lkklgdfklllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllWe need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
.+++++++++++++++++++++++++.l+++++++++++++++.++++++++++.+++++++++++++++++++++l++++++++l++++++.++++++++++.+++l++++++++++++++++++++++++++++++++>+++++l..l...l..l...l..l..l...l..l...l..l..l..>.+++++l..l.<+++++..+++++^^^^
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: key E7306868 marked as ultimately trusted
public and secret key created and signed.
gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: next trustdb check due at 2010-12-11
pub 1024D/E7306868 2010-12-06 [expires: 2010-12-11]
Key fingerprint = 495B D2E4 F11C F446 DB64 D71D 2E42 ED35 E730 6868
uid client1 (1111) <client1@client.com>
sub 1024g/BAC738CA 2010-12-06 [expires: 2010-12-11]
随机字节不够多。请再做一些其他的琐事,以使操作系统能搜集到更多的熵!
(还需要11字节)
我们需要生成大量的随机字节。这个时候您可以多做些琐事(像是敲打键盘、移动
鼠标、读写硬盘之类的),这会让随机数字发生器有更好的机会获得足够的熵数。
+++++++++++++++++++++++++++++++++++++++++++++.+++++++++++++++++++++++++++++++++++++++++++++++++++++++..+++++.++++++++++.+++++++++++++++>.+++++................................+++++^^^^
gpg: 密钥 4C96131E 被标记为绝对信任
公钥和私钥已经生成并经签名。
gpg: 正在检查信任度数据库
gpg: 需要 3 份勉强信任和 1 份完全信任,PGP 信任模型
gpg: 深度:0 有效性: 1 已签名: 0 信任度:0-,0q,0n,0m,0f,1u
gpg: 下次信任度数据库检查将于 2010-12-12 进行
pub 1024D/4C96131E 2010-12-07 [有效至:2010-12-12]
密钥指纹 = C13A D6F5 794A 946C 0190 0F11 191C E2D7 4C96 131E
uid yuxiang (haha) <stgk8868@163.com>
sub 1024g/570AFD0D 2010-12-07 [有效至:2010-12-12]
[root@5 ~]# cd /root/.gnupg/
[root@5 .gnupg]# ls
gpg.conf random_seed
pubring.gpg secring.gpg
pubring.gpg~ trustdb.gpg
2.把公钥给192.168.0.253
[root@5 .gnupg]# scp pubring.gpg 192.168.0.253:/tmp/
root@192.168.0.253's password:
pub 100% 923 0.9KB/s 00:00
gpg --help
gpg -
支持的算法:
公钥:RSA, RSA-E, RSA-S, ELG-E, DSA
对称加密:3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH
散列:MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
压缩:不压缩, ZIP, ZLIB, BZIP2
语法:gpg [选项] [文件名]
签名、检查、加密或解密
默认的操作依输入数据而定
指令:
-s, --sign [文件名] 生成一份签名
--clearsign [文件名] 生成一份明文签名
-b, --detach-sign 生成一份分离的签名
-e, --encrypt 加密数据
-c, --symmetric 仅使用对称加密
-d, --decrypt 解密数据(默认)
--verify 验证签名
--list-keys 列出密钥
--list-sigs 列出密钥和签名
--check-sigs 列出并检查密钥签名
--fingerprint 列出密钥和指纹
-K, --list-secret-keys 列出私钥
--gen-key 生成一副新的密钥对
--delete-keys 从公钥钥匙环里删除密钥
--delete-secret-keys 从私钥钥匙环里删除密钥
--sign-key 为某把密钥添加签名
--lsign-key 为某把密钥添加本地签名
--edit-key 编辑某把密钥或为其添加签名
--gen-revoke 生成一份吊销证书
--export 导出密钥
--send-keys 把密钥导出到某个公钥服务器上
--recv-keys 从公钥服务器上导入密钥
--search-keys 在公钥服务器上搜寻密钥
--refresh-keys 从公钥服务器更新所有的本地密钥
--import 导入/合并密钥
--card-status 打印卡状态
--card-edit 更改卡上的数据
--change-pin 更改卡的 PIN
--update-trustdb 更新信任度数据库
--print-md 算法 [文件]
使用指定的散列算法打印报文散列值
选项:
-a, --armor 输出经 ASCII 封装
-r, --recipient 某甲 为收件者“某甲”加密
-u, --local-user 使用这个用户标识来签名或解密
-z N 设定压缩等级为 N (0 表示不压缩)
--textmode 使用标准的文本模式
-o, --output 指定输出文件
-v, --verbose 详细模式
-n, --dry-run 不做任何改变
-i, --interactive 覆盖前先询问
--openpgp 行为严格遵循 OpenPGP 定义
--pgp2 生成与 PGP 2.x 兼容的报文
(请参考在线说明以获得所有命令和选项的完整清单)
范例:
-se -r Bob [文件名] 为 Bob 这个收件人签名及加密
--clearsign [文件名] 做出明文签名
--detach-sign [文件名] 做出分离式签名
--list-keys [某甲] 显示密钥
--fingerprint [某甲] 显示指纹
3.192.168.0.253
用0.5的公钥加密 key.txt文件.然后传给0.5
gpg -r(用谁的公钥加密) -e(加密)-a(64阿四骒马)
root@localhost ~]# gpg --list-keys
/root/.gnupg/pubring.gpg
------------------------
pub 1024D/61129D4F 2010-12-07 [有效至:2010-12-12]
uid yuxiang <yuxiang@yuxiang.com>
sub 1024g/FD3EF214 2010-12-07 [有效至:2010-12-12]
[root@localhost ~]# gpg --import /tmp/pubring.gpg (导入公钥)
gpg: 钥匙环‘/root/.gnupg/secring.gpg’已建立
gpg: 密钥 E7306868:公钥“client1 (1111) <client1@client.com>”已导入
gpg: 合计被处理的数量:1
gpg: 已导入:1
[root@localhost ~]# gpg --list-keys
/root/.gnupg/pubring.gpg
------------------------
pub 1024D/E7306868 2010-12-06 [有效至:2010-12-11]
uid client1 (1111) <client1@client.com>
sub 1024g/BAC738CA 2010-12-06 [有效至:2010-12-11]
[root@localhost ~]# gpg -ear client1 /key.txt
以上加密后生成 一个叫/key.txt.asc 的文件
[root@localhost ~]# ls /key.txt.asc
/key.txt.asc
[root@localhost ~]# scp /key.txt.asc 192.168.0.5:/tmp/
root@192.168.0.5's password:
key 100% 567 0.6KB/s 00:00
[root@localhost ~]#
4.192.168.0.5
用自己的私钥解密
[root@5 .gnupg]# gpg -d /tmp/key.txt.asc > /tmp/key
[root@5 .gnupg]# cat /tmp/key
1234
[root@localhost ~]# gpg -er client1 /key.txt
gpg: BAC738CA:没有证据表明这把密钥真的属于它所声称的持有者
pub 1024g/BAC738CA 2010-12-06 client1 (1111) <client1@client.com>
主钥指纹: 495B D2E4 F11C F446 DB64 D71D 2E42 ED35 E730 6868
子钥指纹: F39C B671 FFF8 ACA0 60C4 60BC 46A5 71B2 BAC7 38CA
这把密钥并不一定属于用户标识声称的那个人。如果您真的知道自
己在做什么,您可以在下一个问题回答 yes。
无论如何还是使用这把密钥吗?(y/N)y
[root@localhost ~]#
消息验证码:
MD5 SHA1
sha1sum /etc/passwd
md5sum /etc/passwd
信息不变SHA1不变
消息验证码:
MD5 SHA1
[root@5 .gnupg]# sha1sum /etc/passwd
1136775e80a3958b746da0b5214b86c342212176 /etc/passwd
[root@5 .gnupg]# md5sum /etc/passwd
cff69e2a1e51247f15962eef0e3b969a /etc/passwd
数字签名:
主机A 需要向其他主机证明自己的身份 ,他要有证书,要向CA申请证书
A要先生成一对密钥,把{公钥和个人标识}-->生成一个xxx.csr证书请求文件
把证书请求文件拷贝给CA,让CA用自己的私钥加密,生成A的证书,在拷贝给A
(CA应该有自己的一对密钥,和证明自己身份的证书。证书是找上级CA申请的,其中包含有CA的公钥和ca的标识!)
SSl协议正式命名TLS 安全套接 security socket layer
HTTPS
SMTPS
POP3S
IMAPS
LDAPS
FTPS
SSL工作原理
SSL的四次握手的过程
以http+ssl为例!
用户使用个人PC,想上招行的网银,将输入比较重要的卡号,密码信息。此时,肯定要加密方式传输数据(对称加密大量信息),并且要确定对方确定是招行网站。
Client HTTPS Server
1、首先客户端向服务器发送一个SSL的请求包,要求进行安全的会话,请证明你的身份,并且我们双方来协商一下一会将用对对称加密算法,数字签名算法。。。。。。
----------------->
2、HTTPS server收到请求后,响应client,把Serer证书传给client
<----------------
3、Client需要验证Server证书,client会有CA的证书,可以对S证书进行验证(看是否可以解密,再看标识[服务器域名/主机名]是否对得上)。
Client需要产生一把对称加密的KEY,通过S公钥把KEY加密,然后传给Server
------------------->
4、HTTPS Server用自己的私钥解密得到KEY。随机产生一些信息,用KEY加密,传给Client。
<--------------------
接下来,双方通过KEY加密页面数据,安全传输
<--------------------->
配置:
CA 192.168.0.5
1、生成一对密钥
2、自签署得到自己的证书
-----
3、给SERVER签发证书
HTTP+SSL server
(有自己的域名192.168.0.253 --www.pg.com,能DNS解析,或者HOSTS文件解析)
1、生成一对密钥
2、把公钥+标识 生成证书请求文件,并传给CA,让CA做签名,生成证书,再传回来
3、配置HTTPD让其支持SSL,通过Apache来配置
client 需要手动导入CA的证书到浏览器
CA 192.168.0.5
1、生成一对密钥
]# vim /etc/pki/tls/openssl.cnf
178 basicConstraints=CA:TRUE
必须修改 否则客户端无法导入证书出现
这不是一个证书授权证书,因此无法导入至证书授权列表
2、自签署得到自己的证书
[root@5 misc]# cd /etc/pki/CA/
[root@5 misc]# /etc/pki/tls/misc/CA -h
usage: CA -newcert|-newreq|-newca|-sign|-verify
[root@5 CA]# /etc/pki/tls/misc/CA -newca 通过此脚本直接方便的生成CA的证书和CA的私钥
[root@5 CA]# /etc/pki/tls/misc/CA -newca
CA certificate filename (or enter to create)直接回车
Making CA certificate ...
Generating a 1024 bit RSA private key
..++++++
.........++++++
writing new private key to '../../CA/private/./cakey.pem'
Enter PEM pass phrase:输入密码保护私钥123456
Verifying - Enter PEM pass phrase:确认密码123456
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:CN
State or Province Name (full name) [Berkshire]:BJ
Locality Name (eg, city) [Newbury]:HD
Organization Name (eg, company) [My Company Ltd]:UPLOOKING
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:ca
Email Address []:ca@ca.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:不填
An optional company name []:不填
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for ../../CA/private/./cakey.pem:输入之前的私钥的密码123456
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 0 (0x0)
Validity
Not Before: Dec 7 20:03:01 2010 GMT
Not After : Dec 6 20:03:01 2013 GMT
Subject:
countryName = CN
stateOrProvinceName = BJ
organizationName = UPLOOKING
commonName = ca
emailAddress = ca@ca.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:TRUE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
80:35:AA:DE:CF:EB:21:C6:6C:03:99:77:1D:EF:45:67:D6:4B:94:52
X509v3 Authority Key Identifier:
keyid:80:35:AA:DE:CF:EB:21:C6:6C:03:99:77:1D:EF:45:67:D6:4B:94:52
Certificate is to be certified until Dec 6 20:03:01 2013 GMT (1095 days)
Write out database with 1 new entries
Data Base Updated
[root@5 CA]# ls ../../CA/private/./cakey.pem 生成 了这个私钥文件
../../CA/private/./cakey.pem
[root@5 CA]# ls /etc/CA/cacert.pem /etc/CA/private/cakey.pem
/etc/CA/cacert.pem 这个是CA的证书
/etc/CA/private/cakey.pem 这个是CA的私钥
-----
3、给SERVER签发证书
HTTP+SSL server
(有自己的域名192.168.0.253 --www.pg.com,能DNS解析,或者HOSTS文件解析)
1、生成一对密钥
[root@localhost ~]# openssl genrsa -out /tmp/server.key -des3 1024
Generating RSA private key, 1024 bit long modulus
.++++++
....++++++
e is 65537 (0x10001)
Enter pass phrase for /tmp/server.key:12345678
Verifying - Enter pass phrase for /tmp/server.key:12345678
2、把公钥+标识 生成证书请求文件,并传给CA,让CA做签名,生成证书,再传回来
[root@localhost ~]# openssl req -new -key /tmp/server.key -out /tmp/server.csr
Enter pass phrase for /tmp/server.key:提示输入server.key这把私钥的密码12345678
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:CN
State or Province Name (full name) [Berkshire]:BJ
Locality Name (eg, city) [Newbury]:HD
Organization Name (eg, company) [My Company Ltd]:UPLOOKING
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:www.pg.com
Email Address []:pg@pg.com
CA 和Sever的标识必须一致否则无法辨识
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@localhost ~]#
[root@localhost ~]# openssl req -new -key /tmp/server.key -out /tmp/server.csr
[root@localhost ~]# ls /tmp/server.csr 证书请求文件有了,要传给CA
/tmp/server.csr
[root@localhost ~]# scp /tmp/server.csr 192.168.0.5:/tmp/
root@192.168.0.5's password:
ser 100% 655 0.6KB/s 00:00
生成密钥openssl genrsa
请求文件openssl req
生成证书openssl ca
到192.168.0.5CA上,通过命令手动签发证书
以下为标识
[root@5 CA]# cd /etc/CA/certs/
[root@5 certs]# openssl ca -in /tmp/server.csr -out /tmp/server.crt -keyfile /etc/CA/private/cakey.pem -cert /etc/CA/cacert.pem
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/CA/private/cakey.pem:123456
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Dec 7 20:19:34 2010 GMT
Not After : Dec 7 20:19:34 2011 GMT
Subject:
countryName = CN
stateOrProvinceName = BJ
organizationName = UPLOOKING
commonName = www.pg.com
emailAddress = pg@pg.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:TRUE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
53:D9:70:7E:02:C7:02:FB:6F:28:32:45:16:61:A4:D1:AF:CF:D9:98
X509v3 Authority Key Identifier:
keyid:80:35:AA:DE:CF:EB:21:C6:6C:03:99:77:1D:EF:45:67:D6:4B:94:52
Certificate is to be certified until Dec 7 20:19:34 2011 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
生成了Server的证书,拷回给192。168。0。253
[root@5 certs]# scp /tmp/server.crt 192.168.0.253:/tmp/
root@192.168.0.253's password:
serve 100% 3006 0.6KB/s 00:00
3、配置HTTPD让其支持SSL,通过Apache来配置
[root@localhost ~]# ls /tmp/server.key /tmp/server.crt
/tmp/server.crt server的证书
/tmp/server.key server的私钥 sercer.key
[root@localhost ~]#l yum -y install httpd mod_ssl
vim /etc/httpd/conf.d/ssl.conf 找到如下两行,改为正确的文件路径
SSLCertificateFile /tmp/server.crt
SSLCertificateKeyFile /tmp/server.key
[root@localhost ~]# service httpd restart
停止 httpd: [失败]
启动 httpd:Apache/2.2.3 mod_ssl/2.2.3 (Pass Phrase Dialog)
Some of your private key files are encrypted for security reasons.
In order to read them you have to provide the pass phrases.
Server localhost.localdomain:443 (RSA)
Enter pass phrase:12345678
OK: Pass Phrase Dialog successful.
[确定]
[root@localhost ~]# service httpd restart
[root@localhost ~]# netstat -tnlp | grep 443
tcp 0 0 :::443 :::* LISTEN 6047/httpd
client 需要手动导入CA的证书到浏览器
[root@5 certs]# scp /etc/CA/cacert.pem 192.168.0.253:/var/ftp/pg
client下载ca的证书,打开浏览器导入
客户端无法导入
工作原理:ssl 四次握手
以https为例:
用户使用自己的PC,想上招行的网银,将输入比较重要的卡号,密码信息。此时可定要加密的方式传输
第一次握手:客户端向服务器发送一个SSL的 证明服务器端的身份
1.客户端客户端都验证身份
2.
思路:
1.CA 可以和sever是一起的 0.5
1.生成一对密钥
2.自签署得到自己的证书(证明自己合法)
不产生公钥 可用CA的私钥推导出CA公钥
2. server 域名DNS解析 hosts解析
1.生成一对密钥
将公钥和
3需要手动导入
teq(选项) 产生新的私钥
SSL
DES 3DES AES
RSA DSA
md5 SHA1
数字签名
------使用3DES算法实现对称加密过程:-----------
1 、1。253加密
[root@ xinetd.d]# openssl enc -e -des3 -a -in /etc/passwd -out /passwd.des3
enter des-ede3-cbc encryption password:
Verifying - enter des-ede3-cbc encryption password:
[root@ xinetd.d]# file /passwd.des3
2、1。9解密
[root@stu9 ~]# openssl enc -d -des3 -a -in /root/passwd.des3 -out /root/passwd
enter des-ede3-cbc decryption password:
----------使用RSA算法进行非对称加密演示过程:----
1、
[root@stu9 ~]# 1 1.9 产生一对密钥 ,把公钥给1。253。
操作如下:
gpg –gen-key
– 选择密钥种类
– 选择密钥尺寸
– 选择有效时间
– 用户标识来辨识密钥(用户名,邮件和注释)
– 确定并输入密码保护密钥
ls . /. gunpg/公钥和私钥
[root@stu9 ~]# ls .gnupg/pubring.gpg .gnupg/secring.gpg
.gnupg/pubring.gpg .gnupg/secring.gpg
2、
[root@stu9 ~]# 2 1.53用1.的公钥 把/etc/passwd文件进行加密 。把加密过的文件传给 1。9
[root@stu9 ~]# scp .gnupg/pubring.gpg 192.168.1.253:/
root@192.168.1.253's password:
pubring.gpg 100% 2095 2.1KB/s 00:00
[root@ /]# gpg --import /pubring.gpg
[root@ /]# gpg --list-key
[root@ /]# gpg -e -a -r pingguo /etc/passwd
[root@ /]# ls /etc/passwd.asc -l
-rw-r--r-- 1 root root 2350 07-28 10:27 /etc/passwd.asc
[root@ /]# scp /etc/passwd.asc 192.168.1.9:/root
root@192.168.1.9's password:
passwd.asc 100% 2350 2.3KB/s 00:00
[root@stu9 ~]# 3 1。9拿自己对应的那把私钥进行解密
[root@stu9 ~]# gpg -d -a /root/passwd.asc > /root/passwd
You need a passphrase to unlock the secret key for
user: "pingguo (uplooking) <ping321guo@hotmail.com>"
1024-bit ELG-E key, ID B1DFA7D7, created 2010-07-28 (main key ID 5B523FB7)
gpg: encrypted with 1024-bit ELG-E key, ID B1DFA7D7, created 2010-07-28
"pingguo (uplooking) <ping321guo@hotmail.com>"
--------------
A 0.254
gpg --import /tmp/pubring.gpg
gpg -ear uplooking /etc/passwd
ls /etc/passwd.asc
----------
scp /etc/passwd.asc 192.168.0.3:/tmp
B 0.3
生成一对密钥
gpg --gen-key
ls ./.gnupg/pubring.gpg
scp pubring.gpg 192.168.0.254:/tmp/
------------
gpg -dar /tmp/passwd.asc
------消息验证码,保证数据完整性--
[root@ pg]# openssl dgst -md5 /etc/passwd
MD5(/etc/passwd)= f50b2e08ce93fbdd2a0aa9ee8ac2da8f
[root@ pg]# md5sum /etc/passwd
f50b2e08ce93fbdd2a0aa9ee8ac2da8f /etc/passwd
[root@ pg]# sha1sum /etc/passwd
49321f372c979535e20123d933826be4b7c5d4c8 /etc/passwd
[root@ pg]# openssl dgst -sha1 /etc/passwd
SHA1(/etc/passwd)= 49321f372c979535e20123d933826be4b7c5d4c8
---HTTP+SSL-------------------------------
思路:
1 创建CA ,并自签署
1)要生成一对密钥,公钥和私钥
2) 自签署
ca要用自己的私钥对SERVER提交的证书请求文件做数字签名,生成证书,并颁发给SERVER
2 SERVER
1)安装http + ssl modules
2)生成一对密钥
3)把公钥和个人标识导出来做成证书请求文件,再提交给ca(等待ca签名完成并颁发给自己证书。)
4)有了证书+有了公钥,需要去配置apache,指定证书文件的位置和公钥文件的位置
启动apache.
3 client只需要有浏览器,就可以通过https://server_ip
----------------------
HTTPs的实现:
1、创建CA(0.65)
vim /etc/pki/tls/openssl.cnf
178 basicConstraints=CA:TRUE 取消注释
---
[root@stu65 CA]# pwd
/etc/pki/CA
[root@stu65 CA]# ls
private
[root@stu65 CA]# /etc/pki/tls/misc/CA -h
usage: CA -newcert|-newreq|-newca|-sign|-verify
执行如下脚本 : 生成自己的证书,生成自己的私钥
[root@stu65 CA]# /etc/pki/tls/misc/CA -newca
[root@stu65 CA]# /etc/pki/tls/misc/CA -newca
CA certificate filename (or enter to create)
Making CA certificate ...
Generating a 1024 bit RSA private key
.................++++++
...............++++++
writing new private key to '../../CA/private/./cakey.pem'
Enter PEM pass phrase:输入密码保护私钥1234
Verifying - Enter PEM pass phrase:重复输入1234
-----
-----
Country Name (2 letter code) [GB]:CN
State or Province Name (full name) [Berkshire]:Beijing
Locality Name (eg, city) [Newbury]:Haidian
Organization Name (eg, company) [My Company Ltd]:my ca ltd
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:ca
Email Address []:ca@ca.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for ../../CA/private/./cakey.pem:1234
生成的两个文件如下:
[root@stu65 pki]# ls /etc/CA/cacert.pem /etc/CA/private/cakey.pem
/etc/CA/cacert.pem 证书
/etc/CA/private/cakey.pem 私钥
2、web (1.253)
rpm -ivh httpd-2.2.xx......rpm
[root@ Server]# rpm -ivh mod_ssl-2.2.3-22.el5.i386.rpm
• 产生一对密钥,并找CA做数字签名,生成证书
– 1)生成一对密钥
openssl genrsa –out /tmp/server.key -des3 1024 输入密码保
护此密钥:123456
[root@ /]# openssl genrsa -out /etc/httpd/conf.d/server253.key -des3 1024
Generating RSA private key, 1024 bit long modulus
.............................++++++
................++++++
e is 65537 (0x10001)
Enter pass phrase for /etc/httpd/conf.d/server253.key:123456
Verifying - Enter pass phrase for /etc/httpd/conf.d/server253.key:123456
– 2)导出公钥,做成证书请求文件(csr)给CA做签名
openssl req -new -key /tmp/server.key -out /tmp/server.csr
提示输入server.key的保护密码(123456).
提示输入web服务器的国家,省,等信息(要同CA,否则会出
现server.crt证书为空的情况)
提示输入国家,省,地区,公司,注释,邮件地址
CN,Beijing,Haidian,uplooking ltd,uplooking,pg@uplooking.com
---
[root@ /]#
[root@ /]# openssl req -new -key /etc/httpd/conf.d/server253.key -out server253.csr
Enter pass phrase for /etc/httpd/conf.d/server253.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:CN
State or Province Name (full name) [Berkshire]:Beijing
Locality Name (eg, city) [Newbury]:Haidian
Organization Name (eg, company) [My Company Ltd]:uplooking Ltd
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:www.uplooking.com
Email Address []:pg@uplooking.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@ /]# openssl req -new -key /etc/httpd/conf.d/server253.key -out server253.csr
[root@ /]# ls server253.csr
server253.csr
---
把证书请求文件拷给CA(1。65),去做数字签名
1。65 对1。253的server253.csr文件做签名 ,生成证书,并拷给1。253
• CA 1。65上:
openssl ca -in /tmp/server.csr -out server.crt
提示输入ca的密钥(myca.key) 密码:1234
cat server.crt 看签名后的证书(大小不可为
空)
scp server.crt 192.168.1。253:/etc/http/conf
把证书拷贝给web server
配置web使用ssl模块:
rpm -ivh mod_ssl.x.x.x.rpm
vim /etc/httpd/conf.d/ssl.conf
LoadModule ssl_module modules/mod_ssl.so
# Server Certificate:
SSLCertificateFile /etc/httpd/conf/server.crt
# Server Private Key:
SSLCertificateKeyFile /etc/httpd/conf/server.key
service httpd restart 需要输入server.key的密码(123456)
3、client (0.2)
https://192.168.0.3
ssh服务 1.基于用户名和密码2.基于key(自动化登录)
1.一台
ssh-keygen
scp -id_rsa.pub 192.168.0.5:/root/.ssh/authorized_key
2.多台except脚本
客户端 服务器端
客户端生成一对密钥将公钥传给服务器端 ,服务器端用客户端的公钥加密在传给客户端客户端用自己的私钥解密
转载于:https://www.cnblogs.com/centos-python/articles/8523644.html
扫一扫
172
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
