Inter-process communication



Socket communication

Client --> request --> routing/forwarding --> server fetches the resource --> wraps it in a response message for the client and sends it out from the port on which the request was received



SSL/TLS protocol implementation: OpenSSL

OpenSSL program components

[root@localhost CA]# rpm -ql openssl 
/usr/lib/libcrypto.so.10  // encryption/decryption library (called from C/C++ programs)
/usr/lib/libssl.so.10    // SSL/TLS implementation (called from C/C++ programs), HTTP --> HTTPS
/usr/bin/openssl        // command-line tool


SSL: Secure Sockets Layer

TLS: Transport Layer Security



SSL layering

Cryptographic protocol software (TLS, SSL) assembled from components
Standard algorithms combined into semi-finished building blocks
Algorithm implementation: AES-128-CBC-PKCS7
Algorithm primitives: AES (symmetric encryption), RSA (asymmetric encryption), MD5 (one-way hashing)



Security standard defined by NIST: confidentiality, integrity, availability

Risks faced in the socket communication model: eavesdropping, impersonation, replay, message tampering, denial of service

Means of ensuring security (security mechanisms): encryption, authentication, access control, integrity checking, routing control, notarization

Services provided by the security mechanisms: authentication, access control, confidentiality, integrity, non-repudiation

Securing those services (algorithms and protocols): symmetric, asymmetric, one-way, key exchange



Basic principles of encryption and decryption

Symmetric encryption, asymmetric encryption, one-way hashing, key exchange



Certificate authorities (CA) and the role of certificates



PKI



Certificate format


# openssl x509 -in /etc/pki/CA/certs/httpd.crt -noout -text -subject -serial
Certificate:
    Data:
        Version: 3 (0x2)    // version number
        Serial Number: 1 (0x1) // serial number (unique identifier of each certificate)
    Signature Algorithm: sha1WithRSAEncryption   // signature algorithm ID
        Issuer: C=CD, ST=CD, L=ChengDu           // CA name
                                                 // validity period
            Not Before: Sep 21 07:16:20 2017 GMT
            Not After : Sep 21 07:16:20 2018 GMT
        Subject: C=CD, ST=CD, O=MageEdu,        // subject name (host name)
        Subject Public Key Info:                // subject public key
                Modulus:
                    00:eb:bd:58:2d:05:54:49:6d:ac:42:98:ee:cb:fb:
                    ec:62:20:e1:1e:e4:64:ef:a3:0f:23:17:5b:fb:66:
                    6d:a9:ce:81:c3:53:b5:f8:d9:87:da:c5:f3:2d:77:
                    f2:de:3b:ed:92:81:a5:6c:73:f6:83:3c:c2:e5:71:
                    49:02:02:ae:45:d0:e0:45:f2:41:34:f8:25:87:41:
                    82:aa:27:e2:17:ca:fc:74:f3:50:98:b0:6c:b0:26:
                    8b:a5:0d:a7:ca:4b:f5:72:f9:44:87:8b:15:51:ea:
                    9a:84:6d:22:aa:fe:84:62:5a:59:33:c3:ff:29:51:
                    a9:1a:56:c3:63:22:9a:6d:2c:65:10:a0:57:78:c2:
                    aa:70:3d:32:eb:59:dc:f7:a9:0c:ea:e5:8e:29:1c:
                    2f:27:0d:53:87:e1:2b:eb:fe:f8:8f:61:8f:86:ab:
                    f1:9c:ee:29:11:c1:71:ca:41:24:3e:1d:e1:3c:84:
                    60:8a:d8:4d:ad:4c:b2:ca:8f:25:29:8a:11:1a:6f:
                    1c:03:88:4a:66:99:73:34:7d:76:da:85:77:da:65:
                    3a:e5:d3:ca:58:9f:8c:3a:3b:d5:e2:9e:77:1e:b2:
                    f3:c8:5a:b6:2d:2b:68:71:20:9f:94:41:0c:4b:2f:
                    93:f5:11:4c:89:9e:d9:48:ac:de:62:d9:5e:16:73:
                    5d:39
                Exponent: 65537 (0x10001)
        X509v3 extensions:          // extension information
            X509v3 Subject Key Identifier:   // identifier of the subject's public key
                C5:AE:93:32:58:BC:DC:F4:97:E5:D7:52:15:37:11:4D:ED:4C:B1:8E
            X509v3 Authority Key Identifier:  // identifier of the issuer's (CA's) signing key
                keyid:D4:F7:60:6F:E8:F4:2D:A6:F7:5D:09:55:D2:5D:56:DE:1F:93:91:33

    Signature Algorithm: sha1WithRSAEncryption     // issuer signature and its algorithm
         3c:90:f8:cf:d6:91:36:ab:4b:12:27:22:78:85:7f:32:15:4e:
         ac:60:30:63:65:fe:91:be:1b:e5:22:65:34:4d:f0:b2:2c:d9:
         43:38:b9:76:1e:10:ca:27:ab:e9:db:00:bd:d9:87:96:b5:a9:
         ee:34:34:01:05:88:fc:59:ef:1d:9b:3f:8e:49:fa:e8:c9:54:
         15:d0:63:14:7d:51:e9:c8:8c:50:77:81:5c:f2:56:f8:c2:ba:
         16:46:cc:7f:e2:72:27:56:4e:a7:c4:2c:b4:64:44:9a:84:bc:
         b2:19:5e:dd:3c:20:1c:a9:8c:93:ae:94:e4:8d:8e:d1:b7:47:
         3a:c5:f6:df:42:6f:d9:66:d8:25:97:03:94:01:60:f5:a7:60:
         c3:33:55:c3:cb:12:f8:14:1e:df:17:00:26:49:ce:74:fc:8f:
         56:16:10:b3:16:6e:09:06:8c:8f:84:e9:ec:e2:84:06:82:ac:
         27:8d:c5:f6:83:d8:3d:8d:de:d9:3e:e7:ae:15:41:a9:8d:42:
         e9:9d:8d:b8:d7:29:47:21:45:3c:39:49:7a:96:31:bb:95:93:
         7b:1b:29:07:dc:fe:ad:7c:f0:28:c5:cb:b5:65:8f:1f:7e:60:
         a3:86:50:9f:c3:da:53:1f:6b:ec:ab:7c:1a:7e:39:40:37:23:
         83:17:39:54
subject= /C=CD/ST=CD/O=MageEdu/OU=Ops/CN=www.magedu.com/emailAddress=lccnx.foxmail.com
serial=01


1. Find the CA name and the signature algorithm
2. Find the CA certificate of the trusted authority
3. Decrypt the encrypted digital signature with the public key from that CA certificate     // authentication
4. Compute the certificate's fingerprint with the same signature (hash) algorithm     // integrity check
5. Compare the two fingerprints; they must be identical


Communication mechanism based on public-key encryption


SSL handshake: one IP address can only establish one SSL session



Using the openssl tool



Symmetric encryption


Usage example:
1. Create a temporary file
# mktemp -p /tmp lcc.XXXX
/tmp/lcc.hFdo

2. Encrypt
    # openssl enc -e -seed-cfb -a -salt -in lcc.hFdo -out lcc.ciphertext
3. Decrypt
    # openssl enc -d -seed-cfb -a -salt -in lcc.ciphertext -out lcc.txt

One-way hashing

Usage example

# sha1sum lcc.txt 
5448d7dc19288c6ee87a25d4e2e990f72d786971  lcc.txt

# openssl dgst -sha1 -hex lcc.txt 
SHA1(lcc.txt)= 5448d7dc19288c6ee87a25d4e2e990f72d786971


Generating user passwords

Usage example

# openssl passwd -1 -salt $(openssl rand -hex 4) 
# openssl passwd -1 -salt $(openssl rand -hex 4) 123


Generating random numbers

Usage example

# openssl rand -hex 4      (4 random bytes, printed as 8 hex characters)
# openssl rand -base64 16 | tr -d '='


Generating a key pair

Usage example

# openssl genrsa  -out lcc.private 1024

# openssl  rsa  -in lcc.private -out lcc.pubkey -pubout
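The enc, passwd and genrsa/rsa steps above, as an added example that is not part of the original notes: each step is wrapped in a function that checks its own result, so the symmetric round trip, the password check and the use of the key pair for a signature can be asserted instead of eyeballed. The file names, passphrases and sample text are constructed for this example; the `-pbkdf2 -iter` options and `-pass env:` are substitutions for the notes' `-salt`-only form, whose key derivation is a single MD5 pass.

```shell
#!/bin/sh
# Added example, not from the original notes: the enc / passwd / genrsa+rsa steps
# above wrapped in functions that check their own result.
# File names, passphrases and the sample text are constructed for this example.

# Temporary file with constructed content, like the mktemp step in the notes.
make_sample() { f=$(mktemp -p /tmp lcc.XXXX) && printf 'hello magedu\n' > "$f" && echo "$f"; }

# Symmetric round trip. The notes use -seed-cfb with -salt alone, which derives the
# key with a single MD5 pass (EVP_BytesToKey); -pbkdf2 -iter makes guessing costly,
# and -pass env: keeps the passphrase out of the process list.
# Prints the decrypted text; non-zero exit if decryption fails or differs from the input.
enc_roundtrip() {   # $1 = plaintext file, $2 = passphrase
    ct=$(mktemp) && pt=$(mktemp) || return 1
    rc=1
    LCC_PASS="$2" openssl enc -e -aes-256-cbc -a -salt -pbkdf2 -iter 200000 -pass env:LCC_PASS -in "$1" -out "$ct" &&
    LCC_PASS="$2" openssl enc -d -aes-256-cbc -a -salt -pbkdf2 -iter 200000 -pass env:LCC_PASS -in "$ct" -out "$pt" &&
    cmp -s "$1" "$pt" && cat "$pt" && rc=0
    rm -f "$ct" "$pt"; return $rc
}

# Check a candidate password against a hash produced by openssl passwd: recompute it
# with the salt stored in the hash and compare. Handles $1$ (md5crypt, as in the
# notes), $5$ (sha256crypt) and $6$ (sha512crypt); hashes with a rounds= field are not handled.
check_passwd() {   # $1 = stored hash, $2 = candidate password; exit 0 on match
    id=$(echo "$1" | cut -d'$' -f2); salt=$(echo "$1" | cut -d'$' -f3)
    case "$id" in 1|5|6) ;; *) return 2 ;; esac
    [ "$(openssl passwd "-$id" -salt "$salt" "$2")" = "$1" ]
}

# What the key pair is for: a detached signature over a file, verified with the
# public key exported by rsa -pubout. Prints "Verified OK" from openssl dgst.
sign_and_verify() {   # $1 = file to sign
    d=$(mktemp -d) || return 1
    rc=1
    (umask 077; openssl genrsa -out "$d/lcc.private" 2048 2>/dev/null) &&
    openssl rsa -in "$d/lcc.private" -pubout -out "$d/lcc.pubkey" 2>/dev/null &&
    openssl dgst -sha256 -sign "$d/lcc.private" -out "$d/lcc.sig" "$1" &&
    openssl dgst -sha256 -verify "$d/lcc.pubkey" -signature "$d/lcc.sig" "$1" && rc=0
    rm -rf "$d"; return $rc
}

# Usage
f=$(make_sample)
enc_roundtrip "$f" 'correct horse battery staple' && sign_and_verify "$f"
check_passwd "$(openssl passwd -6 -salt "$(openssl rand -hex 8)" 123)" 123 && echo "password check: OK"
rm -f "$f"
```

`check_passwd` is the server-side half of the passwd step: the stored string carries its own algorithm id and salt, so the check never needs the original salt to be saved separately, and a wrong candidate fails the string comparison.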


Implementation plan for secure communication on a private network

Building a private CA

#  echo "01" > /etc/pki/CA/serial        // must be 01, otherwise signing fails
#  touch /etc/pki/CA/index.txt

# cd /etc/pki/CA
# (umask 077;openssl genrsa -out private/cakey.pem 1024)
# openssl req -new -x509 -key  private/cakey.pem -out cacert.pem -days 7300

Certificate request

# install -d /etc/httpd/ssl

# cd /etc/httpd/ssl
# (umask 077;openssl genrsa -out httpd.key 1024)
# openssl req -new -key httpd.key -out httpd.csr -days 365


Send to the CA

The host where the CA runs must have software implementing the SSH protocol <dropbear, telnet, openssh-server> before the client tools <scp, sftp, ssh> can be used

# scp -P 9999 /etc/httpd/ssl/httpd.csr root@192.168.80.129:/tmp/


CA verification

CA signing

# openssl ca -in /tmp/httpd.csr -out /tmp/httpd.crt -days 365


Fetch the certificate from the certificate store

# scp -P 9999 root@192.168.80.129:/etc/pki/CA/certs/httpd.crt /etc/httpd/ssl/


Verify the certificate

# openssl x509 -in certs/httpd.crt -noout -serial -subject
serial=01
subject= /C=CD/ST=CD/O=MageEdu/OU=Ops/CN=www.magedu.com/emailAddress=lccnx.foxmail.com


Revoking a certificate (starting on the client)

1. Obtain the serial

# openssl x509 -in /etc/httpd/ssl/httpd.crt -noout -serial -subject


2. On the CA, check in index.txt whether the serial matches the client's

Revoke

# openssl ca -revoke newcerts/01.pem 
Using configuration from /etc/pki/tls/openssl.cnf
Revoking Certificate 01.
Data Base Updated


3. Generate the revocation-list (CRL) number

# echo "01" > /etc/pki/CA/crlnumber


4. Update the revocation list

# openssl ca -gencrl -out thisca.crl
Using configuration from /etc/pki/tls/openssl.cnf


5. View the CRL file

# openssl crl -in thisca.crl -noout -text

Certificate Revocation List (CRL):
        Version 2 (0x1)        // version number
    Signature Algorithm: sha1WithRSAEncryption       // signature algorithm
        Issuer: /C=CD/ST=CD/L=ChengDu/O=MageEdu/OU=Ops/CN=ca.magedu.com/emailAddress=lccnx@foxmail.com
        Last Update: Sep 21 08:14:35 2017 GMT    // validity period
        Next Update: Oct 21 08:14:35 2017 GMT
        CRL extensions:    // extension information
            X509v3 CRL Number:  // CRL number
                1
Revoked Certificates:
    Serial Number: 01
        Revocation Date: Sep 21 08:12:49 2017 GMT
    Signature Algorithm: sha1WithRSAEncryption
         5d:9e:a2:60:e3:78:9d:24:42:92:b6:72:81:92:43:d7:02:12:
         54:f0:8e:08:21:d8:55:34:1c:70:53:8d:ac:bd:44:15:37:30:
         ba:ef:d2:79:24:52:83:a1:bb:39:70:af:93:10:64:06:b6:e6:
         76:fd:12:cf:b5:f7:07:16:c6:cd:08:a9:46:d3:76:64:24:93:
         7d:b4:5a:6d:da:38:08:31:7b:6e:76:a6:4e:5a:c2:cc:e6:24:
         be:76:b9:38:46:ed:c7:16:61:88:8c:ac:90:bd:4e:c9:9d:e5:
         73:8a:76:c4:57:82:80:29:06:c8:81:cd:7b:37:08:ee:81:25:
         d6:04:8e:dd:dd:d8:1b:47:44:e4:bb:bc:3c:7f:cb:97:68:27:
         b0:32:ea:fb:d1:84:91:7e:50:05:14:0a:1d:65:2a:5e:ba:41:
         1d:dd:a4:39:e5:d2:b5:2b:33:b0:56:b3:78:cc:99:69:c9:89:
         0e:a0:71:f1:5f:ca:40:57:73:72:4d:f0:3d:ea:57:d7:53:6d:
         90:ca:59:57:65:1b:ec:b5:4d:6f:7e:41:64:c1:c6:d4:ab:b1:
         01:b5:a3:e3:67:0c:59:c9:bc:e6:6c:d1:ae:20:05:3f:85:87:
         32:f8:bf:3c:9a:ba:e8:c2:e9:fd:e8:b8:54:92:86:45:95:ca:
         c3:53:13:41