加密
我们先认识一下加密
加密:认证和数据可靠性,加密本身并不能保证数据完整性。
加密无法保证通信的对方是谁。
了解一下加密方式
单项加密 One Way Hashes(包含md2 md5 mdc2 rmd160 sha sha1)
对称加密 Symmetric Algorithms( DES 3DES RC2 RC4 RC5 IDEA CAST5 )
非对称加密 Asymmetric Algorithms( 要有公钥和私钥)
公钥基础架构 Public Key Infrastructure (PKI)
数字证书 Digital Certificate (这是PKI的核心)
在Linux上加密工具有openssl 和 gpg
openssl 有三个关键文件
libcrypo 加密库实现通用的加密
libssl 支持TLS/SSL协议 保证协议并附加安全机制
openssl 多目标的通用加密,可生成X.509格式证书并显示概要信息
接下来我们来看一下加密过程
比如A和B两个用户想传一些重要文件,但两者从来没通信过
第一步:A先通过单项加密提取文件的特征码
把特征码和数据重新组合即把特征码放在要传输数据头部。
第二步:A通过对称加密算法特征码和数据加密并且会产生一个密钥口令
第三步:A通过非对称机密算法(此时A和B都有自己的公钥和私钥)利用B的公钥加密自己的私钥(因为私钥是唯一的)
第四步:A通过B的公钥把第二步中的口令加密传输给B
第五步: 此时接收方就可以查看文件了
虽然过程都已经有了我们还注意到这样通信需要密钥
那么我们怎么得到密钥呢
通过数字证书就可以了,接下来我们来看一下如何生成数字证书登陆Linux
要想生成证书则必须有签发机构,我们先去做自签[root@server37 ~]# cd /etc/pki/CA/
[root@server37 CA]# openssl genrsa 1024 > private/cakey.pem
我们去看一下生成文件了么
[root@server37 CA]# ls private/
cakey.pem
这是生成证书请求
[root@server37 CA]# openssl req -new -x509 -key private/cakey.pem -out ./cacer.pem -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:
State or Province Name (full name) [Berkshire]:
Locality Name (eg, city) [Newbury]:
Organization Name (eg, company) [My Company Ltd]:
Organizational Unit Name (eg, section) []:CA
Common Name (eg, your name or your server's hostname) []:station90@example.com
Email Address []:root@example.com
接下来我们去编辑一下/etc/pki/tls/openssl.cnf文件
[ CA_default ]
dir = ../../CA # Where everything is kept
修改为
[ CA_default ]
dir = /etc/pki/CA # Where everything is kept
接着我们见几个要用的文件和目录
[root@station90 tls]# cd ../CA/
[root@station90 CA]# mkdir ./newcerts
[root@station90 CA]# touch ./{serial,index.txt}
[root@station90 CA]# echo "00" > ./serial
[root@station90 CA]# ls
cacert.pem index.txt newcerts private serial
好了准备工作完成了,接下来我们去测试一下看能否生成证书
先生成密钥文件
[root@station90 CA]# mkdir /root/testcrt
[root@station90 CA]# cd /root/testcrt/
[root@station90 testcrt]# openssl genrsa 512 > test.key
Generating RSA private key, 512 bit long modulus
.....++++++++++++
.++++++++++++
e is 65537 (0x10001)
生成证书请求
[root@station90 testcrt]# openssl req -new -key test.key -out test.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:
State or Province Name (full name) [Berkshire]:
Locality Name (eg, city) [Newbury]:
Organization Name (eg, company) [My Company Ltd]:
Organizational Unit Name (eg, section) []:CA
Common Name (eg, your name or your server's hostname) []:wo
Email Address []:root@example.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
生成证书
[root@station90 testcrt]# openssl ca -in test.csr -out test.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 0 (0x0)
Validity
Not Before: Feb 25 06:39:13 2010 GMT
Not After : Feb 25 06:39:13 2011 GMT
Subject:
countryName = GB
stateOrProvinceName = Berkshire
organizationName = My Company Ltd
organizationalUnitName = CA
commonName = wo
emailAddress = root@example.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
DD:5B:D7:7D:6C:7D:93:C0:D8:D3:B3:01:F3:9E:CE:92:4A:C8:2F:D0
X509v3 Authority Key Identifier:
keyid:7E:3B:36:53:18:08:1C:08:D5:2E:83:88:AB:7D:C0:D4:55:1F:CE:C2
Certificate is to be certified until Feb 25 06:39:13 2011 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@station90 testcrt]# ls
test.crt test.csr test.key
我们去查看一下证书
[root@station90 testcrt]# openssl x509 -in test.crt -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 0 (0x0)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=GB, ST=Berkshire, L=Newbury, O=My Company Ltd, OU=CA, CN=station90@example.com/emailAddress=root@example.com
Validity
Not Before: Feb 25 06:39:13 2010 GMT
Not After : Feb 25 06:39:13 2011 GMT
Subject: C=GB, ST=Berkshire, O=My Company Ltd, OU=CA, CN=wo/emailAddress=root@example.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (512 bit)
Modulus (512 bit):
00:d4:72:57:91:92:f3:0d:be:1a:05:8d:ef:86:43:
67:4c:57:37:da:f8:a6:25:14:15:33:b4:4e:d6:57:
8f:90:ed:3c:9b:06:70:c7:8f:29:d2:a0:58:ca:bd:
6a:06:64:98:77:e9:fb:b1:40:2d:16:cf:56:f9:db:
9c:4f:63:94:c7
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
DD:5B:D7:7D:6C:7D:93:C0:D8:D3:B3:01:F3:9E:CE:92:4A:C8:2F:D0
X509v3 Authority Key Identifier:
keyid:7E:3B:36:53:18:08:1C:08:D5:2E:83:88:AB:7D:C0:D4:55:1F:CE:C2
Signature Algorithm: sha1WithRSAEncryption
51:13:6d:15:ff:92:4d:10:40:42:8a:fc:28:aa:10:e5:98:67:
5f:6e:48:e3:80:c5:98:5d:b9:52:56:20:4a:0c:47:a4:9d:03:
2f:60:83:0d:14:d4:e3:3f:5a:65:eb:6b:5c:8a:c1:0e:ec:67:
d7:6b:ee:c0:08:b2:0a:26:e2:e8:d0:2d:96:3f:49:4c:a2:ca:
31:fa:4e:7c:93:5c:73:57:35:6a:ca:53:65:74:96:b1:ce:88:
36:eb:ad:00:41:d5:d5:77:14:a5:58:6e:e4:3b:9f:41:91:58:
0a:69:8a:86:6d:f8:82:8a:ff:3f:c9:21:b4:47:77:9d:86:ef:
8e:9c
[root@station90 testcrt]# openssl x509 -in test.crt -noout -subject
subject= /C=GB/ST=Berkshire/O=My Company Ltd/OU=CA/CN=wo/emailAddress=root@example.com
好了我们已经完成。