1. Describe in detail the process of one encrypted communication, ideally together with a diagram.
Sender Bob (top to bottom):
    1. Generate the data.
    2. Bob computes a digest (fingerprint) of the data with a one-way hash algorithm.
    3. Bob encrypts the digest with his own private key (this is the digital signature) and appends it to the data.
    4. Bob generates a temporary session key and uses a symmetric algorithm to encrypt the data together with the signed digest.
    5. Bob encrypts the temporary session key with Alice's public key and appends it to the data.
Receiver Alice (bottom to top):
    1. Alice receives Bob's data and decrypts the appended part with her own private key, obtaining the temporary session key.
    2. Alice uses the session key to decrypt the symmetric layer, obtaining the plaintext data and the digest that Bob encrypted with his private key.
    3. Alice uses Bob's public key to decrypt that digest, which confirms Bob's identity and yields the digest.
    4. Alice computes a digest over the data with the same one-way hash algorithm.
    5. Alice compares the digests from steps 3 and 4; if they match, the data is intact.
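The same five sender steps and five receiver steps, driven with the openssl command line (an added example, not part of the original post; the key pairs, file names and message are constructed for the demo):

```shell
#!/bin/sh
# Added example (not from the post): the Bob -> Alice flow from section 1 with the openssl CLI.
# The key pairs, file names and message are constructed for the demo.
set -eu
WORK=$(mktemp -d); cd "$WORK"
for who in bob alice; do                     # each party owns an RSA key pair
  openssl genrsa -out "$who.key" 2048 2>/dev/null
  openssl rsa -in "$who.key" -pubout -out "$who.pub" 2>/dev/null
done

bob_send() {                                 # sender side, top to bottom
  printf 'pay 100 to account 42\n' > data.txt   # 1. the data
  # 2+3. SHA-256 digest of the data, encrypted with Bob's private key: the signature
  openssl dgst -sha256 -sign bob.key -out data.sig data.txt
  openssl rand -hex 32 > session.key         # 4. temporary 256-bit session key
  openssl rand -hex 16 > bundle.iv           #    CBC IV, not secret, sent in clear
  tar -cf bundle.tar data.txt data.sig       #    signature travels with the data
  openssl enc -aes-256-cbc -K "$(cat session.key)" -iv "$(cat bundle.iv)" \
    -in bundle.tar -out bundle.enc
  # 5. session key encrypted with Alice's public key (RSA-OAEP)
  openssl pkeyutl -encrypt -pubin -inkey alice.pub -pkeyopt rsa_padding_mode:oaep \
    -in session.key -out session.key.enc
  rm -f session.key data.txt data.sig bundle.tar   # only .enc and .iv files are "sent"
}

alice_receive() {                            # receiver side, bottom to top
  # 1. recover the session key with Alice's private key
  openssl pkeyutl -decrypt -inkey alice.key -pkeyopt rsa_padding_mode:oaep \
    -in session.key.enc -out session.key.rx
  # 2. decrypt the bundle with the session key
  openssl enc -d -aes-256-cbc -K "$(cat session.key.rx)" -iv "$(cat bundle.iv)" \
    -in bundle.enc -out bundle.rx.tar
  mkdir -p rx && tar -xf bundle.rx.tar -C rx
  # 3-5. Bob's public key opens the signed digest, SHA-256 is recomputed over the
  # data and the two are compared: identity and integrity checked in one step
  openssl dgst -sha256 -verify bob.pub -signature rx/data.sig rx/data.txt
}

run_demo() { bob_send && alice_receive; }    # 0 only if the final check passes
```

Running run_demo prints "Verified OK"; changing a single byte of rx/data.txt afterwards makes the same verify command report "Verification Failure", which is step 5 doing its job.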
2. Describe the process of creating a private CA, and of issuing a certificate for a certificate request sent in by a client.
(1) Create the files the CA needs
    [root@192 ~]# cd /etc/pki/CA/
    [root@192 CA]# touch index.txt
    [root@192 CA]# echo 01 > serial
(2) Create the CA's self-signed certificate
    [root@192 CA]# (umask 077; openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048)
    Generating RSA private key, 2048 bit long modulus
    .........................+++
    .............................+++
    e is 65537 (0x10001)
    [root@192 CA]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 7000 -out /etc/pki/CA/cacert.pem
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [XX]:CN
    State or Province Name (full name) []:GD
    Locality Name (eg, city) [Default City]:SZ
    Organization Name (eg, company) [Default Company Ltd]:ZJFT
    Organizational Unit Name (eg, section) []:ZJFT
    Common Name (eg, your name or your server's hostname) []:CA.magedu.com
    Email Address []:caadmin@magedu.com
    The umask 077 in the subshell keeps cakey.pem readable by root only; that private key is what makes every certificate this CA issues trustworthy.
(3) Issuing a certificate
a. The client creates a certificate signing request
    [root@localhost CA]# (umask 077; openssl genrsa -out /etc/pki/CA/private/httpd.key 2048)
    Generating RSA private key, 2048 bit long modulus
    .+++
    .............+++
    e is 65537 (0x10001)
    [root@localhost CA]# openssl req -new -key /etc/pki/CA/private/httpd.key -out /etc/pki/CA/certs/httpd.csr
    (answer the DN prompts; the values entered here become the Subject of the signed certificate shown below)
b. Copy the request file to the CA server
    [root@localhost certs]# scp httpd.csr root@192.168.139.136:/tmp
    The authenticity of host '192.168.139.136 (192.168.139.136)' can't be established.
    RSA key fingerprint is 95:e1:b1:a6:ba:4a:04:71:2b:d1:cd:2c:f0:be:07:f8.
    Are you sure you want to continue connecting (yes/no)? yes
    Warning: Permanently added '192.168.139.136' (RSA) to the list of known hosts.
    root@192.168.139.136's password:
    httpd.csr
c. The CA signs the certificate and issues it to the requester
    [root@192 CA]# openssl ca -in /tmp/httpd.csr -out /etc/pki/CA/certs/httpd.crt -days 365
    Using configuration from /etc/pki/tls/openssl.cnf
    Check that the request matches the signature
    Signature ok
    Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Oct 21 22:42:18 2016 GMT
            Not After : Oct 21 22:42:18 2017 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = GD
            organizationName          = ZJFT
            organizationalUnitName    = ZJFT
            commonName                = WEB1.magedu
            emailAddress              = web1@magedu.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                7C:D2:12:24:A3:0C:03:88:17:48:BE:BE:3C:06:74:05:22:15:56:1F
            X509v3 Authority Key Identifier:
                keyid:39:50:40:BA:02:C4:FC:DD:45:9F:B9:E9:D0:2F:9B:D8:46:07:58:D9
    Certificate is to be certified until Oct 21 22:42:18 2017 GMT (365 days)
    Sign the certificate? [y/n]:y
    1 out of 1 certificate requests certified, commit? [y/n]y
    Write out database with 1 new entries
    Data Base Updated
    [root@192 CA]# ls certs/
    httpd.crt  web1.magedu.com.crt
    [root@192 CA]# openssl x509 -in certs/httpd.crt -noout -text
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number: 1 (0x1)
        Signature Algorithm: sha256WithRSAEncryption
            Issuer: C=CN, ST=GD, L=SZ, O=ZJFT, OU=ZJFT, CN=CA.magedu.com/emailAddress=caadmin@magedu.com
            Validity
                Not Before: Oct 21 22:42:18 2016 GMT
                Not After : Oct 21 22:42:18 2017 GMT
            Subject: C=CN, ST=GD, O=ZJFT, OU=ZJFT, CN=WEB1.magedu/emailAddress=web1@magedu.com
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                    Public-Key: (2048 bit)
                    Modulus:
                        00:e7:02:ec:31:1b:dc:17:91:4f:69:0f:02:69:6b:
                        ff:18:ce:ac:69:9c:3c:24:e3:ca:d1:c5:81:53:ea:
                        17:81:c1:37:a7:83:06:3c:f7:74:f9:2c:a1:7f:c0:
                        48:34:09:59:82:e6:a6:35:01:c9:05:d7:71:8f:18:
                        54:ae:10:0c:ef:78:44:f6:db:b9:b4:4b:0d:34:6d:
                        cb:4e:f3:19:ae:f9:3d:d9:12:6b:d4:8d:c1:48:be:
                        b3:bb:64:9d:1e:6b:2d:3c:0f:0e:6c:ce:c7:ae:cc:
                        e7:33:e1:78:00:2f:dc:73:fa:e8:06:55:66:86:7e:
                        11:5c:ad:2e:e4:19:bf:57:5d:44:85:2f:2b:66:b7:
                        03:16:da:a3:32:fc:5f:ad:12:93:02:a8:e8:43:c8:
                        47:2d:d7:16:b6:6d:57:c8:39:52:ef:a3:13:2f:18:
                        fe:89:94:6a:51:c2:5a:bc:69:b9:fa:b6:f7:54:d5:
                        39:e9:9a:63:83:5b:3c:87:51:df:95:a0:b0:f2:f4:
                        b0:5d:3e:92:aa:43:9a:c3:c1:90:64:8b:62:f3:c9:
                        26:bf:25:c0:3e:e6:77:82:5b:47:6a:1e:48:a2:29:
                        ec:2e:98:f3:9f:ac:53:99:e3:3a:2b:ee:53:a2:04:
                        6f:93:0a:7b:9a:47:36:07:6e:c9:87:db:ac:25:c1:
                        30:87
                    Exponent: 65537 (0x10001)
            X509v3 extensions:
                X509v3 Basic Constraints:
                    CA:FALSE
                Netscape Comment:
                    OpenSSL Generated Certificate
                X509v3 Subject Key Identifier:
                    7C:D2:12:24:A3:0C:03:88:17:48:BE:BE:3C:06:74:05:22:15:56:1F
                X509v3 Authority Key Identifier:
                    keyid:39:50:40:BA:02:C4:FC:DD:45:9F:B9:E9:D0:2F:9B:D8:46:07:58:D9
        Signature Algorithm: sha256WithRSAEncryption
             74:84:93:ba:39:21:b9:87:6c:4c:40:8d:fe:a3:f1:1e:21:87:
             f4:fe:09:6c:91:4d:3f:fd:f8:06:49:cb:dd:1c:38:57:6d:7c:
             bc:9d:5e:84:2a:70:4c:ce:91:f5:a5:35:f1:fd:d8:8e:bb:9c:
             1f:57:90:06:12:ab:1e:4b:5d:6b:20:aa:5a:fa:20:5a:fb:81:
             af:17:58:dd:c6:84:64:41:eb:bf:28:79:5d:4a:af:7e:37:9c:
             0c:f8:97:48:65:10:0f:b2:e0:85:6a:99:bc:64:b6:b5:24:c8:
             9d:9a:3d:0d:a8:56:e7:88:02:09:95:88:2b:d1:54:8f:86:b6:
             ab:1c:0c:04:6a:16:3c:57:4e:8d:56:4c:62:de:3c:0e:58:d4:
             12:1f:17:82:db:a5:17:0b:f1:8f:58:c1:50:22:a1:68:3a:04:
             31:7b:57:d6:c7:e9:a1:e5:0b:f0:0d:ab:26:6d:72:ee:a3:25:
             6e:4d:29:29:45:49:80:27:c8:ef:c7:94:3c:42:f1:33:e0:71:
             ad:2d:8f:e3:1e:d5:44:a8:9c:f3:c2:bd:80:56:69:4a:52:39:
             87:84:32:54:38:fa:e4:8a:7d:36:1a:b4:71:81:10:ad:92:84:
             a9:7f:42:b9:d4:c4:3f:1d:dd:52:d6:6c:7b:da:fb:f7:b2:4c:
             2d:bc:c1:66
    The serial number 1 came from the serial file created in step (1) and the issuance was recorded in index.txt; the Authority Key Identifier is the hash of the CA's public key (the CA certificate's Subject Key Identifier), which is how a verifier links the issued certificate to the CA.
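Three checks worth running on a freshly issued certificate, as an added example that is not part of the original post: the block builds a throwaway CA and a server certificate with constructed names (signing with "openssl x509 -req" rather than "openssl ca", so no /etc/pki/CA layout is needed) and then verifies the chain, the key match and the remaining validity.

```shell
#!/bin/sh
# Added example (not from the post): issue a certificate the way section 2 does, then run
# three checks the post does not show. Names are constructed; signing uses "openssl x509
# -req" instead of "openssl ca" so the demo needs no /etc/pki/CA directory layout.
set -eu
WORK=$(mktemp -d); cd "$WORK"
umask 077                                     # private keys are created mode 0600
openssl genrsa -out cakey.pem 2048 2>/dev/null
openssl req -new -x509 -key cakey.pem -days 7000 -out cacert.pem \
  -subj '/C=CN/ST=GD/L=SZ/O=ZJFT/OU=ZJFT/CN=CA.magedu.com'      # self-signed CA cert
openssl genrsa -out httpd.key 2048 2>/dev/null                   # client key ...
openssl req -new -key httpd.key -out httpd.csr \
  -subj '/C=CN/ST=GD/O=ZJFT/OU=ZJFT/CN=WEB1.magedu'              # ... and request
openssl x509 -req -in httpd.csr -CA cacert.pem -CAkey cakey.pem -CAcreateserial \
  -days 365 -out httpd.crt 2>/dev/null                           # CA signs it

check_issued_cert() {        # usage: check_issued_cert <ca cert> <issued cert> <private key>
  # 1. the certificate must chain to this CA (issuer name and signature both match)
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 || return 1
  # 2. the public key inside the certificate must belong to the server's private key
  cert_pub=$(openssl x509 -in "$2" -noout -pubkey | openssl sha256)
  key_pub=$(openssl pkey -in "$3" -pubout 2>/dev/null | openssl sha256)
  [ "$cert_pub" = "$key_pub" ] || return 2
  # 3. the certificate must still be valid for at least 30 days (2592000 s)
  openssl x509 -in "$2" -noout -checkend 2592000 >/dev/null || return 3
}
```

The return code tells you which check failed (1 wrong issuer, 2 key mismatch, 3 about to expire), which is handy in a deployment script that installs a certificate on a web server.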
3. Describe the DNS query process and the categories of DNS servers.
DNS query types:
    Recursive query: the client sends one request and is guaranteed to receive the final answer.
    Iterative query: what the queried server returns may be a referral or the final answer; several queries are usually needed before the final answer is obtained.
DNS query process:
    Client --> hosts file --> DNS Service --> Local Cache --> DNS Server (recursion) --> Server Cache --> iteration --> other DNS servers
DNS server categories:
    Primary (master) DNS server: maintains the zone database for the domains it is responsible for; the database is maintained by the administrator.
    Secondary (slave) DNS server: "copies" a zone database (zone transfer) from the master or from another slave.
    Caching DNS server: caches the records that clients have queried; when a record is not cached, the server performs an iterative query.
    Forwarder (less common): when a requested record is not in a zone the server is responsible for, the request is handed to the forwarder, which performs the iterative query.
4. Build a DNS server that resolves the magedu.com domain (choose the host names and IP addresses yourself)
(1) It should provide forward and reverse resolution for a number of host names;
(2) Delegate the subdomain cdn.magedu.com, with the subdomain server resolving the host names within that subdomain;
(3) To ensure high availability of the DNS service, design a scheme and write out the detailed implementation procedure.
(1) Forward and reverse resolution for a number of host names
1. yum install bind -y
    The DNS service: package name bind, program name named.
    Packages:
        bind        provides the service
        bind-libs   provides the libraries
        bind-utils  provides the tools for testing whether the service works (dig, host, ...)
    Unless the system was a minimal install, installing bind alone is usually enough.
2. vi /etc/named.conf, change or comment out the following lines (marked green in the original post):
    options {
    //      listen-on port 53 { 127.0.0.1; };
    //      listen-on-v6 port 53 { ::1; };
            directory       "/var/named";
            dump-file       "/var/named/data/cache_dump.db";
            statistics-file "/var/named/data/named_stats.txt";
            memstatistics-file "/var/named/data/named_mem_stats.txt";
    //      allow-query     { localhost; };     // commented out: queries are allowed from any host
            recursion yes;                      // allow recursion
            dnssec-enable no;
            dnssec-validation no;
    //      dnssec-enable yes;                  // enabled by default
    //      dnssec-validation yes;              // enabled by default
            /* Path to ISC DLV key */
    //      bindkeys-file "/etc/named.iscdlv.key";
    //      managed-keys-directory "/var/named/dynamic";
            pid-file "/run/named/named.pid";
            session-keyfile "/run/named/session.key";
    };
    logging {
            channel default_debug {
                    file "data/named.run";
                    severity dynamic;
            };
    };
    zone "." IN {
            type hint;
            file "named.ca";
    };
    include "/etc/named.rfc1912.zones";
    include "/etc/named.root.key";
    Note that with allow-query commented out and recursion yes, this server will perform recursive lookups for any host that can reach it; outside a lab, limit recursion to your own client networks with the allow-recursion option so the server cannot be used as an open resolver.
3. service named start   # start the service
4. ss -tunl | grep :53   # check that it is listening
5. vim /etc/named.rfc1912.zones, append at the end:
    zone "magedu.com" IN {
            type master;
            file "magedu.com.zone";
    };
6. rndc reload   # reload the configuration
    rndc reload
    rndc status
    tail /var/log/messages   # the log reports that the zone file has not been created yet
7. vim /var/named/magedu.com.zone
    $TTL 86400
    $ORIGIN magedu.com.
    @       IN SOA  ns1.magedu.com. admin.magedu.com. (
                    2015042501
                    1H
                    5M
                    3D
                    1D )
            IN NS   ns1
            IN NS   ns2
    ns1     IN A    172.16.100.11
    ns2     IN A    172.16.100.18
    www     IN A    172.16.100.11
    *       IN A    172.16.100.11
8. named-checkzone "magedu.com" /var/named/magedu.com.zone   # check the zone file syntax
9. chown :named /var/named/magedu.com.zone   # set the group so that named can read the file
10. chmod 640 /var/named/magedu.com.zone   # restrict the file permissions
11. rndc reload
12. !tail   # re-run the tail command from step 6 and confirm that the zone loaded
13. dig -t A www.magedu.com @172.16.100.11
    Because of the wildcard record (*), ftp.magedu.com also resolves.
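The sub-question also asks for reverse resolution, which the steps above do not set up. The block below is an added example (not from the original post): it derives the 100.16.172.in-addr.arpa zone for 172.16.100.0/24 from a constructed copy of the forward zone in step 7, and prints the stanza to append to /etc/named.rfc1912.zones.

```shell
#!/bin/sh
# Added example (not from the post): build the reverse zone for 172.16.100.0/24 that the
# answer above leaves out. The forward zone below is a constructed copy of the one
# configured in step 7; the reverse origin is 100.16.172.in-addr.arpa.
set -eu
WORK=$(mktemp -d)
cat > "$WORK/magedu.com.zone" <<'EOF'
$TTL 86400
$ORIGIN magedu.com.
@       IN SOA  ns1.magedu.com. admin.magedu.com. ( 2015042501 1H 5M 3D 1D )
        IN NS   ns1
        IN NS   ns2
ns1     IN A    172.16.100.11
ns2     IN A    172.16.100.18
www     IN A    172.16.100.11
*       IN A    172.16.100.11
EOF

gen_reverse_zone() {   # usage: gen_reverse_zone <forward zone file> <domain> <reverse origin>
  awk -v dom="$2" -v rev="$3" '
    BEGIN {                           # SOA and NS for the reverse zone, same servers
      print "$TTL 86400"; print "$ORIGIN " rev "."
      print "@  IN SOA  ns1." dom ". admin." dom ". ( 2015042501 1H 5M 3D 1D )"
      print "   IN NS   ns1." dom "."; print "   IN NS   ns2." dom "."
    }
    # each A record becomes a PTR keyed by the last octet; the wildcard has no
    # meaningful reverse mapping and an address keeps only the first name seen
    $2 == "IN" && $3 == "A" && $1 != "*" {
      split($4, o, ".")
      if (o[4] in seen) next
      seen[o[4]] = 1
      name = ($1 == "@") ? dom : $1 "." dom
      print o[4] "  IN PTR  " name "."
    }' "$1"
}

reverse_zone_stanza() {   # usage: reverse_zone_stanza <reverse origin> <zone file name>
  printf 'zone "%s" IN {\n        type master;\n        file "%s";\n};\n' "$1" "$2"
}
```

Write the generated text to /var/named/100.16.172.zone, apply the same chown/chmod as in steps 9 and 10, run named-checkzone on it with the reverse origin as the zone name, and test with dig -x 172.16.100.11.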
(2) Delegating the subdomain cdn.magedu.com, with the subdomain server resolving the host names within that subdomain
Subdomain configuration steps:
1. yum install bind -y
2. vi /etc/named.conf, change or comment out the following lines (marked green in the original post):
    options {
    //      listen-on port 53 { 127.0.0.1; };
    //      listen-on-v6 port 53 { ::1; };
            directory       "/var/named";
            dump-file       "/var/named/data/cache_dump.db";
            statistics-file "/var/named/data/named_stats.txt";
            memstatistics-file "/var/named/data/named_mem_stats.txt";
    //      allow-query     { localhost; };     // commented out: queries are allowed from any host
            recursion yes;                      // allow recursion
            dnssec-enable no;
            dnssec-validation no;
    //      dnssec-enable yes;
    //      dnssec-validation yes;
            /* Path to ISC DLV key */
    //      bindkeys-file "/etc/named.iscdlv.key";
    //      managed-keys-directory "/var/named/dynamic";
    (the rest of the file as in the parent-server configuration)
3. service named start   # start the service
4. ss -tunl | grep :53   # check that it is listening
5. vim /etc/named.rfc1912.zones, append at the end:
    zone "ops.magedu.com" IN {
            type master;
            file "ops.magedu.com.zone";
    };
6. rndc reload   # reload the configuration
    rndc reload
    rndc status
    tail /var/log/messages   # the log reports that the zone file has not been created yet
7. vim /var/named/ops.magedu.com.zone
    $TTL 86400
    $ORIGIN ops.magedu.com.
    @       IN SOA  ns1.ops.magedu.com. admin.ops.magedu.com. (
                    2015042501
                    1H
                    10M
                    3D
                    1D )
            IN NS   ns1
            IN NS   ns2
    ns1     IN A    172.16.100.12
    ns2     IN A    172.16.100.19   ; made-up address, consistent with the earlier definition
    www     IN A    172.16.100.20   ; made-up address
    *       IN A    172.16.100.11   ; made-up address
8. named-checkzone "ops.magedu.com" /var/named/ops.magedu.com.zone   # check the zone file syntax
9. chown :named /var/named/ops.magedu.com.zone   # set the group so that named can read the file
10. chmod 640 /var/named/ops.magedu.com.zone   # restrict the file permissions
11. rndc reload
    rndc flush   # clear the cache
12. !tail
13. dig -t A www.ops.magedu.com @172.16.100.12    # resolves
    dig -t NS ops.magedu.com @172.16.100.12       # resolves
    Because of the wildcard record (*), ftp.ops.magedu.com also resolves.
    Querying the parent's www.magedu.com from this server fails; the subdomain server can only find it by walking down from the root ".".
14. On the parent-domain server:
    dig -t NS ops.magedu.com @172.16.100.11
    dig -t NS ops.magedu.com @172.16.100.11 +norecurse   # +norecurse shows whether the parent answers from its own delegation data rather than by recursing
15. rndc reload
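Step 14 only works once the parent zone actually delegates ops.magedu.com, which the steps above do not show. The block below is an added example (not from the original post): it appends the NS records and glue A records to a constructed copy of the parent zone from (1), using the subdomain's ns1/ns2 addresses above, and checks that every in-zone name server has its glue, the usual cause of a lame delegation.

```shell
#!/bin/sh
# Added example (not from the post): the parent-zone side of the delegation, which the
# answer only queries in step 14, plus a glue check. The parent zone is a constructed
# copy of the one from (1); the glue addresses are the subdomain's ns1/ns2 above.
set -eu
WORK=$(mktemp -d)
cat > "$WORK/magedu.com.zone" <<'EOF'
$TTL 86400
$ORIGIN magedu.com.
@       IN SOA  ns1.magedu.com. admin.magedu.com. ( 2015042501 1H 5M 3D 1D )
        IN NS   ns1
ns1     IN A    172.16.100.11
www     IN A    172.16.100.11
EOF

add_delegation() {   # usage: add_delegation <parent zone file> <child label> <ns1 ip> <ns2 ip>
  cat >> "$1" <<EOF
; delegation of $2: the child's name servers, with glue addresses because they sit inside the child
$2        IN NS   ns1.$2
          IN NS   ns2.$2
ns1.$2    IN A    $3
ns2.$2    IN A    $4
EOF
}

check_glue() {   # usage: check_glue <zone file>; fails if an in-zone NS target has no address
  awk '
    /^;/ { next }                                   # skip comment lines
    { for (i = 1; i <= NF; i++) {
        if ($i == "NS") ns[$(i + 1)] = 1            # name server names
        if ($i == "A" && i >= 3) a[$1] = 1          # owner names that have an address
    } }
    END {
      for (n in ns)                                 # absolute names (trailing dot) are
        if (n !~ /\.$/ && !(n in a)) {              # outside this zone and need no glue
          print "missing glue for " n; bad = 1
        }
      exit bad + 0
    }' "$1"
}
```

After appending the delegation on the real server, bump the SOA serial, run named-checkzone and rndc reload, and the dig commands in step 14 should return the NS records from the parent.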
(3) Ensuring high availability of the DNS service: a scheme and its detailed implementation
To make the DNS service highly available, build one master with several slaves (or one master and one slave). The master server is configured as above; the procedure for the slave server is:
1. Configure the slave server. First configure it as a caching name server (the same named.conf changes as above), then make it a slave for the forward zone:
    vim /etc/named.rfc1912.zones
    zone "magedu.com" IN {
            type slave;
            masters { 192.168.1.129; };
            file "slaves/magedu.com.zone";
    };
    vim /var/named/slaves/magedu.com.zone (the copy transferred from the master):
    $ORIGIN .
    $TTL 86400      ; 1 day
    magedu.com      IN SOA  ns1.magedu.com. admin.magedu.com. (
                            2016091001 ; serial
                            3600       ; refresh (1 hour)
                            300        ; retry (5 minutes)
                            259200     ; expire (3 days)
                            86400      ; minimum (1 day)
                            )
                    NS      ns1.magedu.com.
                    NS      ns2.magedu.com.
    $ORIGIN magedu.com.
    *               A       10.0.0.3
    ns1             A       10.0.0.2
    ns2             A       10.0.0.3
    www             A       10.0.0.3
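A slave only transfers the zone again when the master's SOA serial has grown (the master must also permit transfers to the slave with allow-transfer), so every edit on the master must raise the serial. The block below is an added example (not from the original post): a serial-bump helper for the YYYYMMDDnn convention, run against a constructed copy of the zone shown above.

```shell
#!/bin/sh
# Added example (not from the post): a serial-bump helper for the master. A slave only
# transfers the zone again when the master's SOA serial has grown, so every edit must
# raise it; the zone below is a constructed copy of the one above with a YYYYMMDDnn serial.
set -eu
WORK=$(mktemp -d)
cat > "$WORK/magedu.com.zone" <<'EOF'
$ORIGIN .
$TTL 86400      ; 1 day
magedu.com      IN SOA  ns1.magedu.com. admin.magedu.com. (
                        2016091001 ; serial
                        3600       ; refresh (1 hour)
                        300        ; retry (5 minutes)
                        259200     ; expire (3 days)
                        86400      ; minimum (1 day)
                        )
                NS      ns1.magedu.com.
                NS      ns2.magedu.com.
EOF

bump_serial() {   # usage: bump_serial <zone file> <today as YYYYMMDD>; prints the new serial
  old=$(awk '/; serial/ { print $1; exit }' "$1")
  if [ "${old%??}" = "$2" ]; then           # same day: increment the nn counter
    n=${old#"$2"}; n=${n#0}                  # strip date and leading zero (08 is not octal)
    n=$((n + 1))
    [ "$n" -le 99 ] || { echo "more than 99 edits in one day" >&2; return 1; }
    new=$(printf '%s%02d' "$2" "$n")
  else                                      # new day, or an older serial format
    new="${2}01"
  fi
  [ "$new" -gt "$old" ] || { echo "serial $new would not exceed $old" >&2; return 1; }
  sed "s/$old\( *; serial\)/$new\1/" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
  echo "$new"
}
```

Call it as bump_serial /var/named/magedu.com.zone "$(date +%Y%m%d)" before rndc reload; the refusal to go backwards matters because a serial that does not increase leaves the slaves serving stale data until expire (3 days here) runs out.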
Original article by N21-孟然. If you repost it, please credit the source: http://www.178linux.com/54140
Comments (1)
The blog is written very well, 32 thumbs up; the diagram of the encrypted communication process is drawn in great detail. Keep it up!