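Properties of data encryption: confidentiality, integrity, and authentication.
Common encryption algorithms
Symmetric encryption
A symmetric encryption algorithm uses the same key for both encryption and decryption, and it offers no effective way to manage keys.
Symmetric encryption algorithms include: DES; 3DES; AES (Advanced Encryption Standard); AES192, AES256, AES512; tools: OpenSSL, gpg
One-way encryption
One-way encryption effectively guarantees data integrity. A one-way algorithm extracts a fingerprint (digest) of the data. The same input always produces the same output. Avalanche effect: a tiny change in the input causes a large change in the result. Fixed-length output: the result is the same size no matter how large the original data is. Irreversible: the original data cannot be recovered from the digest. Algorithms: md4; md5; SHA1; SHA192, SHA256, SHA384; CRC-32.
Public-key encryption
That is, asymmetric encryption. Public-key encryption generates a key pair, a public key and a private key; data encrypted with the public key can only be decrypted with the private key, and vice versa. When the sender encrypts data with its own private key, the data can be decrypted with the public key, which verifies the sender's identity. When the sender encrypts data with the recipient's public key, the confidentiality of the data is guaranteed (rarely used). Public-key algorithms are rarely used to encrypt data because they are too slow.
Uses of public-key encryption: authentication (digital signatures); data encryption; key exchange. RSA: encryption and signing; DSA: signing; ElGamal: commercial algorithm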
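OpenSSL: an open-source implementation of SSL
Components:
libcrypto: general-purpose cryptography library
libssl: the TLS/SSL implementation, a session-based TLS/SSL library that provides authentication, data confidentiality, and session integrity
openssl: multi-purpose command-line tool
Implementing a private certificate authority
1. Encryption and decryption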
[root@desktop3 ~]# openssl enc -des3 -salt -a -in inittab -out inittab.des3    # encrypt
enter des-ede3-cbc encryption password:
Verifying - enter des-ede3-cbc encryption password:
[root@desktop3 ~]# openssl enc -des3 -d -salt -a -in inittab.des3 -out inittabbs    # -d decrypts
enter des-ede3-cbc decryption password:
2. Generating a password hash
[root@desktop3 ~]# openssl passwd -1
Password: redhat
Verifying - Password:
$1$CVJwthEO$4BHZTPhDSp67ISeTsM0YZ0
[root@desktop3 ~]# openssl passwd -1 -salt CVJwthEO    # specify the salt
Password:
$1$CVJwthEO$4BHZTPhDSp67ISeTsM0YZ0
3. Configuring a CA to issue certificates
Edit /etc/pki/tls/openssl.cnf:
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = CN
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = JiangSu
localityName = Locality Name (eg, city)
localityName_default = WuXi
0.organizationName = Organization Name (eg, company)
0.organizationName_default = TVM
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = Tech
Create the required files
[root@desktop3 CA]# touch index.txt
[root@desktop3 CA]# echo 01 > serial
Generate a key for the CA
[root@desktop3 CA]# (umask 077; openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
...+++
.................................................................+++
e is 65537 (0x10001)
Self-sign the CA certificate
[root@desktop3 CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [JiangSu]:
Locality Name (eg, city) [WuXi]:
Organization Name (eg, company) [TVM]:
Organizational Unit Name (eg, section) [Tech]:
Common Name (eg, your name or your server's hostname) []:desktop3.example.com
Email Address []:root@example.com
4. Generating a key and a certificate for the httpd application, and signing it
Create a key for the httpd application
[root@desktop3 ssl]# (umask 077;openssl genrsa -out httpd.key 1024)
Generating RSA private key, 1024 bit long modulus
.....++++++
.....................++++++
e is 65537 (0x10001)
Generate a certificate request for the httpd application
[root@desktop3 ssl]# openssl req -new -key httpd.key -out httpd.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [JiangSu]:
Locality Name (eg, city) [WuXi]:
Organization Name (eg, company) [TVM]:
Organizational Unit Name (eg, section) [Tech]:
Common Name (eg, your name or your server's hostname) []:www.example.com
Email Address []:root@example.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
The CA signs the certificate
[root@desktop3 ssl]# openssl ca -in httpd.csr -out httpd.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Sep 13 03:36:22 2015 GMT
            Not After : Sep 12 03:36:22 2016 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = JiangSu
            organizationName          = TVM
            organizationalUnitName    = Tech
            commonName                = www.example.com
            emailAddress              = root@example.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                3C:67:BB:BC:C4:B0:64:66:DF:DC:26:A7:FC:72:85:65:D4:9F:02:88
            X509v3 Authority Key Identifier:
                keyid:38:E7:94:C4:86:9E:54:71:29:B4:25:70:63:58:FB:BB:34:A3:E3:BD
Certificate is to be certified until Sep 12 03:36:22 2016 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
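The steps above issue httpd.crt without checking it, and the httpd key is only 1024 bits long. The script below is an added example, not part of the original post: it builds a throwaway CA in a temporary directory and checks that an issued certificate matches its private key, meets a minimum key size, and chains to the CA. Assumptions: openssl is on PATH; make_demo_pki, audit_cert and demo-ca.example.com are names made up for this example; openssl x509 -req replaces openssl ca so that no CA directory is needed.

```shell
#!/bin/sh
# Added example: constructed throwaway PKI plus post-issuance checks.

# make_demo_pki DIR BITS: CA and httpd key/CSR/cert, all non-interactive.
make_demo_pki() {
    dir=$1; bits=$2
    openssl genrsa -out "$dir/cakey.pem" 2048 2>/dev/null
    openssl req -new -x509 -key "$dir/cakey.pem" -out "$dir/cacert.pem" \
        -days 30 -subj "/C=CN/O=TVM/CN=demo-ca.example.com" 2>/dev/null
    openssl genrsa -out "$dir/httpd.key" "$bits" 2>/dev/null
    openssl req -new -key "$dir/httpd.key" -out "$dir/httpd.csr" \
        -subj "/C=CN/O=TVM/CN=www.example.com" 2>/dev/null
    # x509 -req stands in for `openssl ca` (assumption of this example)
    openssl x509 -req -in "$dir/httpd.csr" -CA "$dir/cacert.pem" \
        -CAkey "$dir/cakey.pem" -CAcreateserial -out "$dir/httpd.crt" \
        -days 30 2>/dev/null
}

# audit_cert CA CERT KEY [MINBITS]
# returns 0 = ok, 1 = key does not match cert, 2 = key too short, 3 = chain fails
audit_cert() {
    ca=$1; cert=$2; key=$3; min=${4:-2048}
    # Compare the public key inside the certificate with the one derived from the key file.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    if [ -z "$key_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: private key does not belong to $cert"; return 1
    fi
    # Read the key length from the certificate text dump.
    bits=$(openssl x509 -in "$cert" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit.*/\1/p')
    if [ "${bits:-0}" -lt "$min" ]; then
        echo "FAIL: $bits-bit key is below the $min-bit minimum"; return 2
    fi
    # Verify the signature chain against the CA certificate only.
    if ! openssl verify -CAfile "$ca" "$cert" 2>/dev/null | grep -q 'OK$'; then
        echo "FAIL: $cert does not chain to $ca"; return 3
    fi
    echo "OK: key matches, $bits-bit key, chain verifies"
}

# Demo run with the same 1024-bit size the walkthrough uses for httpd.key.
demo=$(mktemp -d)
make_demo_pki "$demo" 1024
audit_cert "$demo/cacert.pem" "$demo/httpd.crt" "$demo/httpd.key" || true
rm -rf "$demo"
```

Against the files from the walkthrough the call would be audit_cert /etc/pki/CA/cacert.pem httpd.crt httpd.key, assuming the CA directory is /etc/pki/CA, which the post does not state.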
5. Key-based authentication between two hosts
Generate a key pair
[student@desktop3 ~]$ ssh-keygen -t rsa -f .ssh/id_rsa -N ''
Generating public/private rsa key pair.
Your identification has been saved in .ssh/id_rsa.
Your public key has been saved in .ssh/id_rsa.pub.
The key fingerprint is:
0d:1d:d8:1b:a5:08:09:ce:2d:a0:cf:75:b7:a4:19:44 student@desktop3.example.com
The key's randomart image is:
+--[ RSA 2048]----+
| . .oE. o... |
| . + o...ooo |
|. = + = oo |
| o . o * +. |
| o o S . |
|                 |
|                 |
|                 |
|                 |
+-----------------+
Copy the public key into the .ssh/authorized_keys file in the home directory of a user on the server
[student@desktop3 ~]$ ssh-copy-id -i .ssh/id_rsa.pub root@192.168.0.1
The authenticity of host '192.168.0.1 (192.168.0.1)' can't be established.
RSA key fingerprint is 4f:eb:da:77:1e:ab:bc:2a:f3:8f:52:db:b8:bc:44:9c.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.0.1' (RSA) to the list of known hosts.
root@192.168.0.1's password:
Now try logging into the machine, with "ssh 'root@192.168.0.1'", and check in:
  .ssh/authorized_keys
to make sure we haven't added extra keys that you weren't expecting.
Test the login
This article comes from the "eagle" blog; please do not repost!
Original address: http://seneagle.blog.51cto.com/1319845/1695815