导言:
我们知道在互联网上进行文件传输、电子邮件商务往来存在许多不安全因素,特别是对于一些大公司和一些机密文件在网络上传输,所以为了保证安全,我们必须给文件加密。今天,我们就来谈谈加密、解密、openssl的使用以及CA的实现过程。
数据的3大加密方式
对称加密
含义
指加密解密使用同一组密钥,是按数据分块以后进行加密的,前后数据块彼此之间有关联关系。
特性
加密算法严重依赖口令,加密算法很有可能是公开的,所有人都有可能知道这个算法;加密本身不能仅依赖于算法,也依赖于可变化的口令来实现;加密方,解密方使用同一个口令。
对称加密的相关算法
DES(56bit),3DES,AES(128bit),Blowfish,Twofish,Rc6,CAST5。
非对称加密
含义
对消息的加密和解密使用不同的密钥,即用于加密、可以公开的公钥(public key),和用于解密、需要保密的私钥(private key)。
特性
非对称加密算法的保密性比较好,它消除了最终用户交换密钥的需要,但加密和解密花费时间长、速度慢,它不适合于对文件加密而只适用于对少量数据进行加密。
非对称加密的相关算法
RSA,EIGamal,DSA。
单向加密
含义
是抽取数据特征码来验证数据的完整性。
特性
雪崩效应:输入数据的微小改变会导致结果的巨大变化。
定长输出:无论输入数据多大,单向加密结果中的输出长度是相同的。
openssl的使用
openssl的简介:
openssl是一种多命令行工具,它能够实现数据的加密、解密,还能当做CA来用,它能保证让你创建证书、吊销证书。
组成:
libcrypto:通用功能的加密库
libssl:用于实现TLX/SSL的功能
openssl:多功能命令工具,用于生成密钥,创建数字证书,手动加密解密数据
openssl实现的功能
生成密钥、创建数字证书、创建CA、手动加密解密数据。
下面来介绍openssl的具体使用。
openssl中的命令
1.Standard commands
2.asn1parse ca ciphers cms
3.crl crl2pkcs7 dgst dh
4.dhparam dsa dsaparam ec
5.ecparam enc engine errstr
6.gendh gendsa genpkey genrsa
7.nseq ocsp passwd pkcs12
8.pkcs7 pkcs8 pkey pkeyparam
9.pkeyutl prime rand req
10.rsa rsautl s_client s_server
11.s_time sess_id smime speed
12.spkac ts verify version
13.x509
14.
15.Message Digest commands (see the `dgst' command for more details)
16.md2 md4 md5 rmd160
17.sha sha1
18.
19.Cipher commands (see the `enc' command for more details)
20.aes-128-cbc aes-128-ecb aes-192-cbc aes-192-ecb
21.aes-256-cbc aes-256-ecb base64 bf
22.bf-cbc bf-cfb bf-ecb bf-ofb
23.camellia-128-cbc camellia-128-ecb camellia-192-cbc camellia-192-ecb
24.camellia-256-cbc camellia-256-ecb cast cast-cbc
25.cast5-cbc cast5-cfb cast5-ecb cast5-ofb
26.des des-cbc des-cfb des-ecb
27.des-ede des-ede-cbc des-ede-cfb des-ede-ofb
28.des-ede3 des-ede3-cbc des-ede3-cfb des-ede3-ofb
29.des-ofb des3 desx idea
30.idea-cbc idea-cfb idea-ecb idea-ofb
31.rc2 rc2-40-cbc rc2-64-cbc rc2-cbc
32.rc2-cfb rc2-ecb rc2-ofb rc4
33.rc4-40 seed seed-cbc seed-cfb
34.seed-ecb seed-ofb zlib
说明:standard command中为标准命令,Message Digest commands中为生成信息摘要的命令,Cipher commands中为加密(enc)的命令。
使用enc加密数据:
语法结构:
1.openssl enc -ciphername [-in filename] [-out filename] [-pass arg] [-e] [-d] [-a/-base64] [-A] [-k password] [-kfile filename] [-K key] [-iv IV][-S salt] [-salt] [-nosalt] [-z] [-md] [-p] [-P] [-bufsize number] [-nopad] [-debug] [-none] [-engine id]
使用3DES的对称加密方式,并使用salt(加点盐),以增强安全性的方式加密/etc/fstab文件并生成密文文件fstab.cipher:
1.[root - www ~]#>openssl enc -e -des3 -a -salt -in /etc/fstab -out fstab.cipher
查看fstab.cipher已成加密后的文件
1.[root - www ~]#>cat fstab.cipher
2.U2FsdGVkX19hIUb2aVCcypDobX14dY/7FbJsjfIJwSYC/XCSJZ+0i9FyEwzyjawL
3.2uMTLvMD9/A0Py0XgG4WBxtGn5AmeYEdCOE5B8Gib4/iW6xCSCkyq2jDCvYiajJ6
4.o+7BGJfO1vTHyk24Nf2Z+n+u+hzwjtwtJe99Z/supkWBEyDH4McKfOBC8CIJdDci
5.cmQAbGZrRNzqeuEZaf1syEy+GEO6UMDYdbPOiu5fMHNGGh4lqNPXDVUzACLe/7sH
6.I/4xd0zOlX2BtWDp3CqiikLgyul8Ry7IWBzrAnSpy837Syl3hN51bobhhBVwpK39
7.CzyTdvwQ8KaPaUXTkjpe4cp8lPdE+ANBF6NxDcSNRGAjos3bw4gM7/PkVMtt/Cwi
8.Uasylmt13KZrbBG12U8XeW1OBr/EzgtZ4Rqg57XgvyAWW4FbvOVlDEXwspvsfKpD
9.mEGqogX1mO9fQRV3AP85waiFVOVwJAxkZsjiiHcmvxFEAJoKuyDG56p3LmqqttPT
10.zP9rAmka94NATEpB37Pe7ssSk6jGuSG3Tt0wfZrDOXJLt9XNwuDrjNzBz6x9z9t3
11.d2j/CVHSMY3IMdmCx0AA8mHJgKcdUh42v7lTBz6T7dIcaMdQI/1PyhxzlkD8iIvN
12.Xn0huIwE3R399LhgDsuaR5ig5HJy2iS+ct8Dn4bP+WZxLF8CaCNbTRjGN4KknFFr
13.DDeQ6N7OovUynqgX4Aym6MPSkSDU+pEdKY9mT7bHJZBTxUUnBnkItYBZ5QWd5fmH
14.rJp9IMP5HqO+Jp7z/HGKCSeaWw4KJbrhIeaCpb0UASjtlPxgbV6z+46gAPNhGtoA
15.lQl4aCTqKXbPxgvvWqyhT4su81hQeEQ98oQXy7z2d+4OEOyVhJq2l0HqoeJ4NF3Y
16.MidRc1vTNzAD5wbLFKrIi8aH+YzLbCfA/6WK80vmrMJG3RWrI1nDG6cZhSbzX6VA
17.pxUjq2dWY5JISPXQETwXdTH9xDj8jqSmbcCYlkrhkADAOU4rVrXKMEh1KFOVtKBi
18.YTng+2IlxaCZ3k620zZwM9VTtiVyT+74poIqK7GtnTcHFpRjhbwjGydle6KAF0KZ
19.DWf+m0wbqUTACuUBrgjD1Auc67wqFEP98DkRf1C7W27V6wzMoj7TRUMZ8gmDyRT/
20.+EOvlXML5EJElsZ1fySpVw==
使用-d选项来解密加密的文件
1.[root - www ~]#>openssl enc -d -des3 -a -salt -out test-openssl -in fstab.cipher
查看解密后的文件fstab.clear
1.[root - www ~]#>cat test-openssl
2.
3.#
4.# /etc/fstab
5.# Created by anaconda on Wed Nov 9 00:19:14 2016
6.#
7.# Accessible filesystems, by reference, are maintained under '/dev/disk'
8.# See man pages fstab(5), findfs(8), mount(8) and/or blkid(8) for more info
9.#
10./dev/mapper/VolGroup-lv_root / ext4 defaults 1 1
11.UUID=8d6c4661-f3e4-456f-ba07-96202e9c985a /boot ext4 defaults 1 2
12./dev/mapper/VolGroup-lv_home /home ext4 defaults 1 2
13./dev/mapper/VolGroup-lv_swap swap swap defaults 0 0
14.tmpfs /dev/shm tmpfs defaults 0 0
15.devpts /dev/pts devpts gid=5,mode=620 0 0
16.sysfs /sys sysfs defaults 0 0
17.proc /proc proc defaults 0 0
使用openssl dgst获取数据的特征码:
语法结构:
1.openssl dgst [-md5|-md4|-md2|-sha1|-sha|-mdc2|-ripemd160|-dss1] [-c] [-d] [-hex] [-binary] [-out filename] [-sign filename] [-keyform arg][-passin arg] [-verify filename] [-prverify filename] [-signature filename] [-hmac key] [file...][md5|md4|md2|sha1|sha|mdc2|ripemd160] [-c] [-d] [file...]
使用单向加密的算法工具sha512获取文件fstab.cipher的特征码
1.[root - www ~]#>openssl dgst -sha512 test-openssl
2.SHA512(test-openssl)= 4ae7b4173d3e13404a82047207c405f7b33b4eacb88e8bac5725e51f3916990c21617d907b8f88109bd3014ed43d7ae0d228ced16650a6fcd026cd4160c3b639
使用openssl passwd生成用户认证的密码
语法结构:
1.openssl passwd [-crypt] [-1] [-apr1] [-salt string] [-in file] [-stdin] [-noverify] [-quiet] [-table] {password}
使用openssl passwd生成密码
1.[root - www ~]#>openssl passwd -1 -salt 1234561
2.Password:
3.$1$1234561$nG4PnFet7QHl/5DWjRb/S1
4.[root - www ~]#>openssl passwd -1 -salt 123456
5.Password:
6.$1$123456$xReuMlWnj5YwaBv2OBHMR0
使用openssl passwd输入的密码后生成的密码一样,但salt不同,最后加密后的结果则完全不同。
使用openssl speed来测试当前主机的加密速度
1.[root - www ~]#>openssl speed sha512
2.Doing sha512 for 3s on 16 size blocks: 7970707 sha512's in 3.00s
3.Doing sha512 for 3s on 64 size blocks: 8025641 sha512's in 3.00s
4.Doing sha512 for 3s on 256 size blocks: 3094489 sha512's in 3.00s
5.Doing sha512 for 3s on 1024 size blocks: 1101347 sha512's in 3.00s
6.Doing sha512 for 3s on 8192 size blocks: 158289 sha512's in 3.01s
7.OpenSSL 1.0.1e-fips 11 Feb 2013
8.built on: Tue Sep 27 12:27:19 UTC 2016
9.options:bn(64,64) md2(int) rc4(16x,int) des(idx,cisc,16,int) aes(partial) idea(int) blowfish(idx)
10.compiler: gcc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DKRB5_MIT -m64 -DL_ENDIAN -DTERMIO -Wall -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic -Wa,--noexecstack -DPURIFY -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
11.The 'numbers' are in 1000s of bytes per second processed.
12.type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes
13.sha512 42510.44k 171213.67k 264063.06k 375926.44k 430798.50k
使用openssl rand生成随机数,并把它充当salt
1.[root - www ~]#>openssl passwd -1 -salt `openssl rand -hex 5`
2.Password:
3.$1$c9639777$gf7R6uRxD6kCbIBGknzkf.
4.[root - www ~]#>openssl passwd -1 -salt `openssl rand -hex 5`
5.Password:
6.$1$53966a1f$HCpDJJ1izdxwQQhjtkloc0
公钥加密:(发送方用接收方的公钥加密,接收方用自己的私钥解密)
密钥对儿:(公钥:pkey和私钥:skey)
算法:RSA,EIGamal
公钥加密通常用来实现密钥交换和身份认证,不是用来数据加密。
公钥加密的工具:gpg,openssl rsautl
公钥加密的延伸:
数字签名:发送方用自己的私钥加密,接收方用发送方的公钥解密。
数字签名会加密语言数据的特征码,而不会加密语言数据本身。
算法:RSA,EIGamal,DSA(只能用来做签名,而无法用来加密)
DSA:digital signature algorithm
DSS: digital signature standard(只能私钥加密,公钥解密)
密钥交换:IKE
算法:DH(diffie-Hellman),公钥加密
数字证书:公钥加密的另一个应用 。
证书格式:x509
x509证书包含:
1.公钥和有效期限;
2.持有者的个人合法身份信息;
3.证书的使用方式;
4.CA颁发机构的信息;
5.CA的数字签名。
用openssl实现私有CA:
openssl的配置文件:/etc/pki/tls/openssl.cnf
CA的工作目录:/etc/pki/CA
吊销列表的存放位置:/etc/pki/CA/crl
刚签署的证书的存放位置:/etc/pki/CA/newcerts
CA自身的公钥的位置:/etc/pki/CA/cacert.pem
发出的证书的编号位置:/etc/pki/CA/serial
为吊销的证书编号的位置:/etc/pki/CA/crlnumber
CA自己的私钥位置:/etc/pki/CA/private/cakey.pem
随机数文件:/etc/pki/CA/private/.rand
测试为centos创建CA
环境前提
CA服务器主机:centos7(192.168.2.104)
CA客户机主机:centos6(192.168.2.103)
CA服务器主机:centos7(192.168.2.104)配置搭建CA服务器
1.[root - localhost ~]#>cd /etc/pki/CA/
2.[root - localhost /etc/pki/CA]#>(umask 077;openssl genrsa -out private/cakey.pem 2048)
3.Generating RSA private key, 2048 bit long modulus
4...................................+++
5................................................................................................+++
6.e is 65537 (0x10001)
7.[root - localhost /etc/pki/CA]#>openssl req -new -x509 -key private/cakey.pem -out cacert.pem
8.You are about to be asked to enter information that will be incorporated
9.into your certificate request.
10.What you are about to enter is what is called a Distinguished Name or a DN.
11.There are quite a few fields but you can leave some blank
12.For some fields there will be a default value,
13.If you enter '.', the field will be left blank.
14.-----
15.Country Name (2 letter code) [XX]:CN
16.State or Province Name (full name) []:Beijing
17.Locality Name (eg, city) [Default City]:Beijing
18.Organization Name (eg, company) [Default Company Ltd]:gwx
19.Organizational Unit Name (eg, section) []:OPS
20.Common Name (eg, your name or your server's hostname) []:www.gwx.com
21.Email Address []:admin@gwx.com
22.[root - localhost /etc/pki/CA]#>touch serial index.txt
23.[root - localhost /etc/pki/CA]#>echo 01 >> serial
24.[root - localhost /etc/pki/CA]#>cat serial
25.01
CA客户机主机:centos6(192.168.2.103)配置发送CA申请
1.[root - localhost ~]#>cd /etc/httpd/
2.conf/ conf.d/ logs/ modules/ run/
3.[root - localhost ~]#>cd /etc/httpd/
4.[root - localhost /etc/httpd]#>mkdir ssl
5.[root - localhost /etc/httpd]#>cd ssl/
6.[root - localhost /etc/httpd/ssl]#>(umask 077;openssl genrsa -out httpd.key 1024)
7.Generating RSA private key, 1024 bit long modulus
8...............++++++
9.................................++++++
10.e is 65537 (0x10001)
11.[root - localhost /etc/httpd/ssl]#>openssl req -new -key httpd.key -out httpd.csr
12.You are about to be asked to enter information that will be incorporated
13.into your certificate request.
14.What you are about to enter is what is called a Distinguished Name or a DN.
15.There are quite a few fields but you can leave some blank
16.For some fields there will be a default value,
17.If you enter '.', the field will be left blank.
18.-----
19.Country Name (2 letter code) [XX]:CN
20.State or Province Name (full name) []:Beijing
21.Locality Name (eg, city) [Default City]:Beijing
22.Organization Name (eg, company) [Default Company Ltd]:gwx
23.Organizational Unit Name (eg, section) []:ops
24.Common Name (eg, your name or your server's hostname) []:www.gwx1.com
25.Email Address []:admin@gwx1.com
26.
27.Please enter the following 'extra' attributes
28.to be sent with your certificate request
29.A challenge password []:
30.An optional company name []:
31.#之后将生成的httpd.csr文件传送给CA服务器主机
32.[root - localhost /etc/httpd/ssl]#>scp httpd.csr root@192.168.2.104:/tmp/
33.root@192.168.2.104's password:
34.httpd.csr 100% 688 0.7KB/s 00:00
CA服务器主机:centos7(192.168.2.104)配置签发CA
1.[root - localhost ~]#>cd /etc/pki/CA/
2.[root - localhost /etc/pki/CA]#>openssl ca -in /tmp/httpd.csr -out certs/httpd.crt
3.Using configuration from /etc/pki/tls/openssl.cnf
4.Check that the request matches the signature
5.Signature ok
6.Certificate Details:
7. Serial Number: 1 (0x1)
8. Validity
9. Not Before: Dec 5 09:21:14 2016 GMT
10. Not After : Dec 5 09:21:14 2017 GMT
11. Subject:
12. countryName = CN
13. stateOrProvinceName = Beijing
14. organizationName = gwx
15. organizationalUnitName = ops
16. commonName = www.gwx1.com
17. emailAddress = admin@gwx1.com
18. X509v3 extensions:
19. X509v3 Basic Constraints:
20. CA:FALSE
21. Netscape Comment:
22. OpenSSL Generated Certificate
23. X509v3 Subject Key Identifier:
24. 61:FF:12:1A:11:11:14:C0:90:17:6C:A2:36:6D:56:03:E0:33:55:5E
25. X509v3 Authority Key Identifier:
26. keyid:40:1D:D3:F6:74:8E:AA:4C:94:08:31:4E:C5:56:9F:78:B1:25:26:15
27.
28.Certificate is to be certified until Dec 5 09:21:14 2017 GMT (365 days)
29.Sign the certificate? [y/n]:y
30.
31.1 out of 1 certificate requests certified, commit? [y/n]y
32.Write out database with 1 new entries
33.Data Base Updated
34.[root - localhost /etc/pki/CA]#>scp certs/httpd.crt root@192.168.2.103:/etc/httpd/ssl
35.The authenticity of host '192.168.2.103 (192.168.2.103)' can't be established.
36.RSA key fingerprint is c0:96:8e:a9:f2:92:da:88:31:2e:06:69:4f:a8:65:b9.
37.Are you sure you want to continue connecting (yes/no)? yes
38.Warning: Permanently added '192.168.2.103' (RSA) to the list of known hosts.
39.root@192.168.2.103's password:
40.httpd.crt 100% 3821 3.7KB/s 00:00
访问测试
为CA客户机添加mod_ssl模块
1.[root - localhost /etc/httpd/modules]#>yum install mod-ssl -y
2.#...安装过程略...
为CA客户机添加一个测试页面
1.[root - localhost ~]#>vi /var/www/html/index.html
1.<h1>This is a test page for 192.168.2.103 to ca</h1>
编辑httpd配置文件
1.[root - localhost ~]#>vi /etc/httpd/conf/httpd.conf
1.ServerName www.gwx1.com:443
2.DocumentRoot "/var/www/html"
访问机设置与访问
将目标主机添加进本机hosts文件
测试访问
原创文章,作者:N24-wenxuan,如若转载,请注明出处:http://www.178linux.com/62693
