一、详细描述一次加密通讯的过程,结合图示最佳
以Bob和Alice安全通讯为例:
Bob<———>Alice
1. Bob要和Alice安全通信首先要取得对方的公钥,即对方的证书,并验证证书的合法性。验证过程和内容:
1)、用CA的公钥(双方已知)解密对方证书中CA的签名;能解密说明证书来原可靠;
2)、用证书中标记的“签名算法”来计算证书的相关信息,并将散列计算的结果与证书“发行者签名”解密的结果(证书特征码)进行比较,如果一致说明证书完整性可靠;
3)、检查证书的有效期限是否在合法范围内,防止证书过期;
4)、验证证书的“主体名称”和预通信的人是否对应;
5)、检查证书是否被吊销;
以上验证成功则说明对方证书可靠,并信任该证书。
2. 取得对方证书(即公钥)后进行如下操作:
加密:
1)、Bob对明文数据进行散列计算,提取出数据指纹(特征码,也叫信息摘要);
2)、Bob使用自己的私钥对该数据指纹进行加密,生成数字签名,并将该数字签名附加在明文数据之后;
3)、Bob使用一个一次性的对称加密算法密钥对明文和数字签名进行加密,生成密文;
4)、Bob再使用Alice的公钥对对称加密算法的密钥进行加密,生成数字信封;
5)、Bob将密文和数字信封打包发送给Alice;
解密:
1)、Alice收到数据(密文+数字信封)后,使用自己的私钥解密数字信封,得到对称加密算法的密钥;
2)、使用对称加密密钥解密密文,得到明文数据和数字签名。保证了数据的私密性;
3)、使用Bob的公钥解密数字签名,得到明文的数据指纹(特征码)。如果能解出,说明数据为Bob发送,保证了数据的不可否认性;
4)、Alice使用同样的散列算法对明文计算得出数据指纹(特征码),并与Bob计算的数据指纹进行比对,如果一致,说明数据没有被篡改。保证的数据的完整性;
二、描述创建私有CA的过程,以及为客户端发来的证书请求进行办法证书。
在CA服务器上操作:
1.创建所需要的文件
# cd /etc/pki/CA/
# touch ./{serial,index.txt}
# echo 01 > serial
2.创建CA私钥
# (umask 077; openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
…………………………….+++
……………………………………………+++
e is 65537 (0x10001)
3.生成CA自签证书
# openssl req -new -x509 -key /etc/pki/CAprivate/cakey.pem -out /etc/pki/CA/pkcacert.pem -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.’, the field will be left blank.
—–
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:guangdong
Locality Name (eg, city) [Default City]:guangzhou
Organization Name (eg, company) [Default Company Ltd]:gjj
Organizational Unit Name (eg, section) []:Ops
Common Name (eg, your name or your server’s hostname) []:ca.gjj.com
Email Address []:caadmin@gjj.com
4.在httpd服务器上操作
1).创建生成私钥文件
# mkdir /etc/httpd/ssl
# cd /etc/httpd/ssl/
# (umask 077; openssl genrsa -out /etc/httpd/ssl/httpd.key 1024)
Generating RSA private key, 1024 bit long modulus
…………++++++
.++++++
e is 65537 (0x10001)
2).生成一个证书请求
# openssl req -new -key httpd.key -out httpd.csr -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.’, the field will be left blank.
—–
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:guangdong
Locality Name (eg, city) [Default City]:guangzhou
Organization Name (eg, company) [Default Company Ltd]:gjj
Organizational Unit Name (eg, section) []:Ops
Common Name (eg, your name or your server’s hostname) []:ca.gjj.com
Email Address []:caadmin@gjj.com
Please enter the following ‘extra’ attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
3).将请求文件传给CA服务器 地址为:192.168.4.240
# scp httpd.csr root@192.168.4.240:/tmp
5.在CA服务器操作
1).对HTTP服务器的公钥证书进行认证
# openssl ca -in /tmp/httpd.csr -out /tmp/httpd.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Oct 16 11:27:50 2017 GMT
Not After : Oct 16 11:27:50 2018 GMT
Subject:
countryName = CN
stateOrProvinceName = guangdong
organizationName = gjj
organizationalUnitName = Ops
commonName = ca.gjj.com
emailAddress = caadmin@gjj.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
AC:88:6E:C4:96:57:BE:1C:9D:7E:18:E5:00:D9:A2:C8:76:7E:55:E1
X509v3 Authority Key Identifier:
keyid:CC:2F:CA:A2:2A:F9:3A:25:08:A5:46:DB:6A:35:14:44:10:58:35:F7
Certificate is to be certified until Oct 16 11:27:50 2018 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
2).将签署过的证书发到请求证书的httpd服务器,地址:192.168.4.241
# scp /tmp/httpd.crt root@192.168.4.241:/etc/httpd/ssl/
3).查看证书签发的内容:
# openssl x509 -in /etc/httpd/ssl/httpd.crt -noout –text
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=CN, ST=guangdong, L=guangdong, O=gjj, OU=Ops, CN=ca.gjj.com/emailAddress=caadmin@gjj.com
Validity
Not Before: Oct 16 11:27:50 2017 GMT
Not After : Oct 16 11:27:50 2018 GMT
Subject: C=CN, ST=guangdong, O=gjj, OU=Ops, CN=ca.gjj.com/emailAddress=caadmin@gjj.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (1024 bit)
Modulus:
00:be:ea:e8:83:08:da:4c:b7:f4:f6:24:52:d8:dc:
c2:df:ee:75:8a:0a:5e:c5:d2:43:e8:0f:2e:3d:76:
5b:2f:b5:a1:46:20:4c:90:54:37:f4:c4:20:d6:76:
1e:ba:b3:ec:a5:28:73:ff:be:11:24:48:64:28:2e:
76:66:d1:7a:4d:d7:22:35:da:ca:fa:9a:a3:02:9d:
70:2a:65:61:1a:82:ed:17:f3:ef:62:a3:b1:1c:d2:
28:08:55:e7:11:3c:eb:1a:d2:29:45:c3:a6:e2:da:
e2:9c:be:c0:2e:15:f6:53:ff:95:23:e1:90:ae:e4:
22:1f:55:63:a4:f6:bb:4a:a1
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
AC:88:6E:C4:96:57:BE:1C:9D:7E:18:E5:00:D9:A2:C8:76:7E:55:E1
X509v3 Authority Key Identifier:
keyid:CC:2F:CA:A2:2A:F9:3A:25:08:A5:46:DB:6A:35:14:44:10:58:35:F7
Signature Algorithm: sha256WithRSAEncryption
a0:94:c7:5f:41:db:07:b0:7c:a1:35:ae:bd:cb:c1:e3:37:ef:
f8:66:45:f6:7a:ce:a3:96:4e:c9:81:ee:fa:15:60:05:6d:0d:
61:96:98:7e:fb:d3:57:c2:85:50:e1:4b:e8:35:bf:c2:d4:c9:
84:90:db:b1:3e:e1:b1:9e:d8:3f:f6:1a:90:12:9e:cb:af:f4:
02:3a:e9:d5:b1:5b:66:13:29:1f:6a:4c:eb:28:e9:cc:58:12:
2d:76:e8:74:5e:75:d9:f0:ba:bc:aa:49:ba:07:2d:f7:0e:d5:
a1:2b:e2:6a:62:ee:4b:b5:15:4c:1e:56:ea:e6:c6:fd:82:dc:
6f:c8:d4:f8:ed:91:d6:9a:c3:6a:9e:11:12:08:7a:b0:5d:2e:
f5:a5:1a:a1:2f:80:2d:a9:e2:e0:45:eb:78:93:e2:26:7a:24:
86:6d:e6:9c:30:28:84:37:72:17:3e:94:8f:14:d3:a8:c3:b9:
5d:1f:25:cb:36:5d:5b:67:5e:d1:a6:4f:9f:74:21:06:f4:a3:
bb:31:88:e9:d0:fe:46:14:ff:82:30:c2:d4:5a:2f:9b:cf:15:
aa:ed:9d:80:e9:6c:62:8c:d0:dc:fe:0a:16:20:11:90:d1:f0:
89:44:b5:34:f7:86:d2:2e:c8:4a:2f:20:93:62:a6:8c:45:f1:
f0:f1:c0:4a
三、描述DNS查询过程以及DNS服务器类别
1.DNS的查询过程
Client –> hosts文件 –> DNS Service –> Local Cache
–> DNS Server (recursion) –> Server Cache –> iteration(迭代)
2.在浏览器中输入www.qq.com域名,操作系统会先检查自己本地的hosts文件是否有这个网址映射关系,如果有,就先调用这个IP地址映射,完成域名解析。
3.如果hosts里没有这个域名的映射,则查找本地DNS解析器缓存,是否有这个网址映射关系,如果有,直接返回,完成域名解析。
4.如果hosts与本地DNS解析器缓存都没有相应的网址映射关系,首先会找TCP/ip参数中设置的首选DNS服务器,在此我们叫它本地DNS服务器,此服务器收到查询时,如果要查询的域名,包含在本地配置区域资源中,则返回解析结果给客户机,完成域名解析,此解析具有权威性。
5.如果要查询的域名,不由本地DNS服务器区域解析,但该服务器已缓存了此网址映射关系,则调用这个IP地址映射,完成域名解析,此解析不具有权威性。
6.如果本地DNS服务器本地区域文件与缓存解析都失效,则根据本地DNS服务器的设置(是否设置转发器)进行查询,如果未用转发模式,本地DNS就把请求发至13台根DNS,根DNS服务器收到请求后会判断这个域名(.com)是谁来授权管理,并会返回一个负责该顶级域名服务器的一个IP。本地DNS服务器收到IP信息后,将会联系负责.com域的这台服务器。这台负责.com域的服务器收到请求后,如果自己无法解析,它就会找一个管理.com域的下一级DNS服务器地址(qq.com)给本地DNS服务器。当本地DNS服务器收到这个地址后,就会找qq.com域服务器,重复上面的动作,进行查询,直至找到www.qq.com主机。
7.如果用的是转发模式,此DNS服务器就会把请求转发至上一级DNS服务器,由上一级服务器进行解析,上一级服务器如果不能解析,或找根DNS或把转请求转至上上级,以此循环。不管是本地DNS服务器用是是转发,还是根提示,最后都是把结果返回给本地DNS服务器,由此DNS服务器再返回给客户机。
8.从客户端到本地DNS服务器是属于递归查询,而DNS服务器之间就是的交互查询就是迭代查询。
9.DNS服务器的类型:
主DNS服务器:维护所负责解析的域内解析库服务器
辅助DNS服务器:从主DNS服务器或其他从DNS服务器复制一份解析库
缓存DNS服务器:为客户端缓存DNS的记录,缓存DNS中没有的执行迭代查询
转发器:DNS记录不在自己负责的解析域内,转发器去迭代查询
四、搭建一套DNS服务器,负责解析magedu.com域名(自行设定主机名及IP)
(1)、能够对一些主机名进行正向解析和逆向解析;
(2)、对子域cdn.magedu.com进行子域授权,子域负责解析对应子域中的主机名;
(3)、为了保证DNS服务系统的高可用性,请设计一套方案,并写出详细的实施过程
环境:
主DNS服务器:192.168.0.11
从DNS服务器:192.168.0.21
子域DNS服务器:192.168.0.12
******1. 正反向解析******
1).安装DNS服务器软件
~]# yum install bind* -y
2).编辑配置,添加magedu.com的正向域和反向域
~]# vim /etc/named.conf
options {
listen-on port 53 { any; };
allow-query { any; };
.
.
.
dnssec-enable no;
dnssec-validation no;
dnssec-lookaside no;
.
.
.
zone “magedu.com” IN {
type master;
file “magedu.com.zone”;
};
zone “0.168.192.in-addr.arpa” IN {
type master;
file “named.192.168.0”;
};
.
.
.
3).创建正向域数据库文件
~]# vim /var/named/magedu.com.zone
$TTL 86400
$ORIGIN magedu.com.
@ IN SOA ns1.magedu.com dnsadmin.magedu.com. (
2017032001
1H
10M
3D
1D )
IN NS ns1
ns1 IN A 192.168.0.11
www IN A 192.168.0.11
bbs IN A 192.168.0.12
4).创建反向域数据库文件
~]# vim /var/named/named.192.168.0
$TTL 86400
$ORIGIN 0.168.192.in-addr.arpa.
@ IN SOA ns1.magedu.com dnsadmin.magedu.com. (
2017032001
1H
10M
3D
1D )
IN NS ns1.magedu.com.
11 IN PTR ns1.magedu.com.
11 IN PTR www.magedu.com.
12 IN PTR bbs.magedu.com.
5).修改数据库文件权限
]# chown root.named magedu.com.zone named.192.168.0
]# chmod 640 magedu.com.zone named.192.168.0
6).配置和语法检查
]# named-checkconf
]# named-checkzone magedu.com /var/named/magedu.com.zone
zone magedu.com/IN: loaded serial 2017032001
OK
]# named-checkzone 0.168.192.in-addr.arpa /var/named/named.192.168.0
zone 0.168.192.in-addr.arpa/IN: loaded serial 2017032001
OK
7).重载配置文件和域数据库文件
]# systemctl reload named.service
8).结果验证
]# dig -t A bbs.magedu.com
; <<>> DiG 9.9.4-RedHat-9.9.4-38.el7_3.2 <<>> -t A bbs.magedu.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12637
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;bbs.magedu.com. IN A
;; ANSWER SECTION:
bbs.magedu.com. 86400 IN A 192.168.0.12 #能正确解析到bbs.magedu.com
;; AUTHORITY SECTION:
magedu.com. 86400 IN NS ns1.magedu.com.
;; ADDITIONAL SECTION:
ns1.magedu.com. 86400 IN A 192.168.0.11
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun Mar 19 21:39:00 EDT 2017
;; MSG SIZE rcvd: 93
]# dig -x 192.168.0.12
; <<>> DiG 9.9.4-RedHat-9.9.4-38.el7_3.2 <<>> -x 192.168.0.12
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6916
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;12.0.168.192.in-addr.arpa. IN PTR
;; ANSWER SECTION:
12.0.168.192.in-addr.arpa. 86400 IN PTR bbs.magedu.com. #能正确反解析
;; AUTHORITY SECTION:
0.168.192.in-addr.arpa. 86400 IN NS ns1.magedu.com.
;; ADDITIONAL SECTION:
ns1.magedu.com. 86400 IN A 192.168.0.11
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun Mar 19 21:39:31 EDT 2017
;; MSG SIZE rcvd: 116
******2. 子域授权******
9).在子域DNS服务器配置文件中添加下列配置
]# vim /etc/named.rfc1912.zones
.
.
.
zone “cdn.magedu.com” IN {
type master;
file “cdn.magedu.com.zone”;
};
zone “magedu.com” IN {
type forward;
forward only;
forwarders { 192.168.0.11; };
};
10).在子域DNS服务器上创建域数据库文件
]# vim cdn.magedu.com.zone
$TTL 3600
$ORIGIN cdn.magedu.com.
@ IN SOA ns1.cdn.magedu.com. nsadmin.cdn.magedu.com. (
2017032001
1H
10M
1D
2H )
IN NS ns1
ns1 IN A 192.168.0.12
www IN A 192.168.0.13
11).修改域数据库文件权限
]# chmod 640 cdn.magedu.com.zone
]# chown root.named cdn.magedu.com.zone
12).配置和语法检查
]# named-checkconf
]# named-checkzone cdn.magedu.com /var/named/cdn.magedu.com.zone
zone cdn.magedu.com/IN: loaded serial 2017032001
OK
13)在父域DNS的域数据库文件中添加子域DNS的相关信息
]# vim /var/named/magedu.com.zone
.
.
.
cdn IN NS ns1.cdn
ns1.cdn IN A 192.168.0.12
14).重载子域DNS和父域DNS的配置和域数据库文件
]# rndc reload
server reload successful
15).结果验证
]# dig -t A www.cdn.magedu.com @192.168.0.11 #通过父域进行解析
; <<>> DiG 9.9.4-RedHat-9.9.4-38.el7_3.2 <<>> -t A www.cdn.magedu.com @192.168.0.11
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50092
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.cdn.magedu.com. IN A
;; ANSWER SECTION:
www.cdn.magedu.com. 3150 IN A 192.168.0.13 #解析到子域www服务器,说明子域授权成功
;; AUTHORITY SECTION:
cdn.magedu.com. 3150 IN NS ns1.cdn.magedu.com.
;; ADDITIONAL SECTION:
ns1.cdn.magedu.com. 3150 IN A 192.168.0.12
;; Query time: 3 msec
;; SERVER: 192.168.0.11#53(192.168.0.11)
;; WHEN: Mon Mar 20 09:53:23 EDT 2017
;; MSG SIZE rcvd: 97
******3. 主从同步******
16).在从DNS服务器的配置文件中添加下列配置:
~]# vim /etc/named.conf
options {
listen-on port 53 { any; };
allow-query { any; };
.
.
.
zone “magedu.com” IN {
type slave;
file “slaves/magedu.com.zone”;
masters { 192.168.0.11; };
};
17).在主DNS服务上修改配置文件,允许从服务器与主服务器同步
]# vim /etc/named.conf
zone “magedu.com” IN {
type master;
file “magedu.com.zone”;
allow-transfer { 192.168.0.21; };
};
18).在主DNS服务器上的域数据库文件中添加从DNS服务器的相关信息
]# vim /var/named/magedu.com.zone
.
.
.
IN NS slave
slave IN A 192.168.0.21
.
.
.
19).重载主从服务器上的配置
]# rndc reload
server reload successful
20).主从同步测试
]# vim magedu.com.zone
$TTL 86400
$ORIGIN magedu.com.
@ IN SOA ns1.magedu.com dnsadmin.magedu.com. (
2017032002 #每更改一次序列号要加1
1H
10M
3D
1D )
IN NS ns1
IN NS slave
slave IN A 192.168.0.21
ns1 IN A 192.168.0.11
www IN A 192.168.0.11
bbs IN A 192.168.0.12
cdn IN NS ns1.cdn
ns1.cdn IN A 192.168.0.12
blog IN A 192.168.0.14 #新添加一个条目
]# rndc reload #重载配置生效
server reload successful
#在从DNS服务器上观察系统日志,发现已经有同步信息
]# tail -f /var/log/messages
Mar 19 21:37:06 centos6 named-sdb[4223]: zone magedu.com/IN: transferred serial 2017032002
Mar 19 21:37:06 centos6 named-sdb[4223]: transfer of ‘magedu.com/IN’ from 192.168.0.11#53: Transfer completed: 1 messages, 11 records, 293 bytes, 0.005 secs (58600 bytes/sec)
Mar 19 21:37:06 centos6 named-sdb[4223]: zone magedu.com/IN: sending notifies (serial 2017032002)
]# cd /var/named/slaves/
]# cat magedu.com.zone
$ORIGIN .
$TTL 86400 ; 1 day
magedu.com IN SOA ns1.magedu.com.magedu.com. dnsadmin.magedu.com. (
2017032002 ; serial
3600 ; refresh (1 hour)
600 ; retry (10 minutes)
259200 ; expire (3 days)
86400 ; minimum (1 day)
)
NS ns1.magedu.com.
NS slave.magedu.com.
$ORIGIN magedu.com.
bbs A 192.168.0.12
blog A 192.168.0.14 #主DNS上新增的条目已经同步过来了
ns1 A 192.168.0.11
ops NS ns1.ops
$ORIGIN ops.magedu.com.
ns1 A 192.168.0.12
$ORIGIN magedu.com.
slave A 192.168.0.21
www A 192.168.0.11
本文来自投稿,不代表Linux运维部落立场,如若转载,请注明出处:http://www.178linux.com/87946