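Data security, as defined by NIST (the US National Institute of Standards and Technology), has three main aspects:
The main risk to data is security attacks, which are divided into active attacks and passive attacks:
Security services have the following main characteristics:
Encryption in which the same key is used to encrypt and decrypt is called symmetric encryption. Currently popular symmetric encryption algorithms include:
Properties of symmetric encryption:
Drawbacks of symmetric encryption:
Keys in public-key encryption come in pairs: a public key (pubkey) and a private key (secret key). The public key can be given to anyone; the private key is kept by its owner and must be kept secret.
Property of public-key encryption: data encrypted with the public key can only be decrypted with the matching private key, and vice versa.
Uses of public-key encryption:
An encryption method that can only encrypt and cannot decrypt is called one-way encryption. It works by extracting a fingerprint of the data, producing a string of seemingly random characters.
One-way encryption has the following properties:
One-way encryption algorithms include:
One-way encryption is mainly used to verify data integrity.
Key exchange (Internet Key Exchange) can be performed using public-key encryption or the Diffie-Hellman algorithm.
PKI (Public Key Infrastructure) is a set of technologies and specifications that follows standards and uses public-key cryptography to provide a secure base platform for e-commerce. It consists of the following components:
PKI's X.509 standard defines the structure of certificates and the associated protocol standards, as follows:
SSL (Secure Sockets Layer) was designed by Netscape to encrypt data sent over the Internet and prevent it from being sniffed or tampered with in transit. Because SSL was so widely used, the IETF (The Internet Engineering Task Force) standardized it in 1999 and renamed it TLS (Transport Layer Security). The history of SSL is as follows:
SSL/TLS uses a layered design with four layers: the lowest layer implements the basic algorithm primitives (aes, rsa, md5); the next layer up implements the various algorithms; the layer above that combines the algorithm implementations into semi-finished components; the top layer assembles these components into finished cryptographic protocols and software (TLS, SSH).
OpenSSL is an open-source implementation of SSL, made up of three components:
openssl - a multi-purpose command-line tool
# Usage: openssl command [command_options] [command_args]
# Show the program version: openssl version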
[root@docker-package ~]# openssl version
OpenSSL 1.0.2k-fips 26 Jan 2017
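openssl commands fall into three classes: standard commands, message digest commands and cipher commands. See man openssl for details.
# enc command:
# Encrypt: openssl enc -e CIPHER -a -salt -in /PATH/TO/FILE -out /PATH/TO/FILE.OUT
# CIPHER: list the available ciphers with openssl enc ?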
[root@docker-package ~]# openssl enc -e -aes256 -salt -in /etc/fstab -out /tmp/fstab.cipher
enter aes-256-cbc encryption password: # enter the password
Verifying - enter aes-256-cbc encryption password: # enter the password again
[root@docker-package ~]# cat /tmp/fstab.cipher
Salted__$?B8h?tR‘Bnd)t?bv;|ΖH=1PW<?o&CP‘?+}f_Jvxx.T)?6(M{
l_8B_AULfc}1B$?6Y"Ok
# Decrypt: openssl enc -d CIPHER -a -salt -in /PATH/TO/FILE -out /PATH/TO/FILE.OUT
# Decrypt with the same cipher that was used to encrypt
[root@docker-package ~]# openssl enc -d -aes256 -salt -in /tmp/fstab.cipher -out /tmp/fstab
enter aes-256-cbc decryption password: # enter the password used for encryption
[root@docker-package ~]# cat /tmp/fstab
#
# /etc/fstab
# Created by anaconda on Wed Jul 5 16:40:52 2017
#
# Accessible filesystems, by reference, are maintained under '/dev/disk'
# See man pages fstab(5), findfs(8), mount(8) and/or blkid(8) for more info
#
/dev/mapper/centos_docker--package-root / xfs defaults 0 0
UUID=ed124d13-489a-40dd-b64b-a64a26bff6c5 /boot xfs defaults 0 0
/dev/mapper/centos_docker--package-swap swap swap defaults 0 0
# Usage: openssl dgst -DIGEST_ALGORITHM FILE
[root@docker-package ~]# openssl dgst -sha512 /etc/fstab
SHA512(/etc/fstab)= 69005c142d6b7d0cd37433c17709baa65b843da2fd242d5ceef135c57565a67a683064d7b83da19bd9ea4cb0553eb0a3a81e8639d977fcd515f2850fdff7929d
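# Usage: openssl passwd [OPTIONS] [PASSWORDS]
# OPTIONS:
# -crypt: standard Unix password algorithm (default)
# -1: MD5-based password algorithm
# -salt string: use the given salt
# See the man page for more
# If a password is given as the last argument, the hashed password is returned directly; otherwise the password is prompted for interactively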
[root@docker-package ~]# openssl passwd newmedia
nECdgB7ycMZRI
[root@docker-package ~]# openssl passwd
Password:
Verifying - Password:
uMYOK7Q9rexkY
[root@docker-package ~]# openssl passwd -1 -salt sdfjle newpass
$1$sdfjle$rFYuazowo.o0yWgnNrhdL/
# Usage: openssl rand -base64|-hex NUM (NUM is the number of bytes; with -hex each character encodes 4 bits, so NUM*2 characters are printed)
[root@docker-package ~]# openssl rand -base64 32
P4kboBNrBYyKoJ8T8ISZxlcbjKY2Jd81qyxFLBbV0Io=
[root@docker-package ~]# openssl rand -hex 18
77e90f2e4f136dbcd4e8819c636c77d0e17a
# The salt in the earlier password example can be generated from random data
[root@docker-package ~]# openssl passwd -1 -salt $(openssl rand -base64 6)
Password:
$1$u1ieZgLy$DXFW2JjJPWWS2iD45Kfbj.
# Generate a key pair: openssl genrsa -out /PATH/TO/PRIVATEKEY.FILE NUM_BITS
[root@docker-package ~]# openssl genrsa -out /tmp/mykey.pri 2048
Generating RSA private key, 2048 bit long modulus
........+++
....+++
e is 65537 (0x10001)
[root@docker-package ~]# cat /tmp/mykey.pri
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----
# Extract the public key: openssl rsa -in /PATH/TO/PRIVATEKEY.FILE -pubout
[root@docker-package ~]# openssl rsa -in /tmp/mykey.pri -pubout -out /tmp/mykey.pub
writing RSA key
[root@docker-package ~]# cat /tmp/mykey.pub
-----BEGIN PUBLIC KEY-----
-----END PUBLIC KEY-----
# Sign a file; the file content must not be too long
[root@docker-package ~]# echo "hello" > /tmp/fstab
# Print the signature as a hex dump
[root@docker-package ~]# openssl rsautl -sign -inkey /tmp/mykey.pri -in /tmp/fstab -hexdump
# Write the signature to a specified file
[root@docker-package ~]# openssl rsautl -sign -inkey /tmp/mykey.pri -in /tmp/fstab -out /tmp/fstab.s
# Verify the signature
[root@docker-package ~]# openssl rsautl -verify -inkey /tmp/mykey.pri -in /tmp/fstab.s
hello
# Encrypt with the public key
[root@docker-package ~]# openssl rsautl -encrypt -pubin -inkey /tmp/mykey.pub -in /tmp/fstab -out /tmp/fstab.lock
[root@docker-package ~]# cat /tmp/fstab.lock
kn&
O Z`%1?fffN
rh?|1|7xjFs#P6q&`2?b
# Decrypt with the private key
[root@docker-package ~]# openssl rsautl -decrypt -inkey /tmp/mykey.pri -in /tmp/fstab.lock
hello
[root@docker-package ~]# openssl rsautl -decrypt -inkey /tmp/mykey.pri -in /tmp/fstab.lock -out /tmp/fstab1
[root@docker-package ~]# cat /tmp/fstab1
hello
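The `rsautl -sign` step above operates on the raw input, so the data must be shorter than the key modulus; that is why the signed file has to be short. A file of any size can be signed by signing its digest with `openssl dgst`. The following is an added example, not part of the original article; the function name `sign_and_check` and all file names are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original article): sign a file of any size by
# signing its SHA-256 digest, then verify it with only the public key.
# File names are constructed; everything lives in a temporary directory.
sign_and_check() {
    d=$(mktemp -d) || return 1
    (umask 077; openssl genrsa -out "$d/key.pri" 2048 2>/dev/null)
    openssl rsa -in "$d/key.pri" -pubout -out "$d/key.pub" 2>/dev/null

    # 1 MiB of random data, far more than rsautl can sign with a 2048-bit key
    openssl rand -out "$d/data.bin" 1048576

    # dgst hashes the file and signs the digest with the private key
    openssl dgst -sha256 -sign "$d/key.pri" -out "$d/data.sig" "$d/data.bin"

    verify() {
        openssl dgst -sha256 -verify "$d/key.pub" \
            -signature "$d/data.sig" "$d/data.bin" >/dev/null 2>&1
    }
    if verify; then intact=verified; else intact=failed; fi

    # Append one byte: the digest changes, so the old signature must not verify
    printf 'x' >> "$d/data.bin"
    if verify; then tampered=verified; else tampered=failed; fi

    rm -rf "$d"
    echo "$intact $tampered"
}

sign_and_check    # prints: verified failed
```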
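Two tools can be used to set up a private CA:
Requesting and signing a certificate takes four steps:
The openssl configuration file defines the location of the CA, the certificate storage paths, the default algorithm types and so on. Its path is /etc/pki/tls/openssl.cnf
# Create the required files (needed the first time only)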
[root@docker-package CA]# touch index.txt
[root@docker-package CA]# echo 01 > serial
# Generate the CA's private key
[root@docker-package CA]# (umask 077; openssl genrsa -out /etc/pki/CA/private/testcert.pem 2048)
Generating RSA private key, 2048 bit long modulus
.............................................................................................................+++
....................................................+++
e is 65537 (0x10001)
# Self-sign the CA certificate
[root@docker-package CA]# openssl req -new -x509 -key /etc/pki/CA/private/testcert.pem -days 365 -out /etc/pki/CA/testcacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:SiChuan
Locality Name (eg, city) [Default City]:Chengdu
Organization Name (eg, company) [Default Company Ltd]:HuaQiYun
Organizational Unit Name (eg, section) []:Ops
Common Name (eg, your name or your server's hostname) []:ca.leistudy.com
Email Address []:mail.leistudy.com
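# -new: generate a new certificate signing request
# -x509: used by a CA to produce a self-signed certificate
# -key: the private key file used when generating the request
# -days n: validity period of the certificate
# -out /PATH/TO/SOMECERTFILE: where to save the certificate
# On the host that will use the certificate, generate a certificate request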
[root@docker-package CA]# cd /etc/httpd/
[root@docker-package httpd]# mkdir ssl
[root@docker-package httpd]# cd ssl/
[root@docker-package ssl]# ls
[root@docker-package ssl]# (umask 077; openssl genrsa -out httpd.key 2048)
Generating RSA private key, 2048 bit long modulus
...............................+++
..................................+++
e is 65537 (0x10001)
[root@docker-package ssl]# openssl req -new -key httpd.key -days 365 -out httpd.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:SiChuan
Locality Name (eg, city) [Default City]:Chengdu
Organization Name (eg, company) [Default Company Ltd]:Mycompany
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:www.leistudy.com
Email Address []:httpadmin.leistudy.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
# Transfer the request file to the CA
[root@docker-package ssl]# scp httpd.csr root@192.168.123.132:/tmp/
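# NOTE: scp is used here for testing; it is not the only way to transfer the file
# View certificate information
openssl x509 -in /PATH/FROM/CERT_FILE -noout -serial -subject
# Sign the certificate and send it back to the client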
[root@docker-package tmp]# openssl ca -in /tmp/httpd.csr -out /tmp/httpd.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Mar 27 06:48:43 2018 GMT
Not After : Mar 27 06:48:43 2019 GMT
Subject:
countryName = CN
stateOrProvinceName = SiChuan
organizationName = HuaQiYun
organizationalUnitName = IT
commonName = www.leistudy.com
emailAddress = httpadmin.leistudy.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
5F:35:94:FA:4F:6B:CE:FF:24:C6:ED:E8:6D:A6:78:0B:88:09:59:92
X509v3 Authority Key Identifier:
keyid:53:3D:29:41:A5:1A:2E:83:2B:86:39:14:C9:6C:3C:34:22:73:F9:FE
Certificate is to be certified until Mar 27 06:48:43 2019 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
# Get the serial of the certificate to revoke: openssl x509 -in /PATH/FROM/CERT_FILE -noout -serial -subject
[root@docker-package CA]# openssl x509 -in /tmp/httpd.crt -noout -serial -subject
serial=01
subject= /C=CN/ST=SiChuan/O=HuaQiYun/OU=IT/CN=www.leistudy.com/emailAddress=httpadmin.leistudy.com
# The CA compares the serial and subject submitted by the client with the entries in index.txt
# Revoke the certificate: openssl ca -revoke /etc/pki/CA/newcerts/SERIAL.pem
[root@docker-package CA]# openssl ca -revoke /etc/pki/CA/newcerts/01.pem
Using configuration from /etc/pki/tls/openssl.cnf
Revoking Certificate 01.
Data Base Updated
# Create the revocation number file (one certificate is revoked at a time)
[root@docker-package CA]# echo 01 > /etc/pki/CA/crlnumber
# Update the certificate revocation list: openssl ca -gencrl -out thisca.crl
[root@docker-package CA]# openssl ca -gencrl -out /etc/pki/CA/thisca.crl
# View the CRL file
[root@docker-package CA]# openssl crl -in thisca.crl -noout -text
Certificate Revocation List (CRL):
Version 2 (0x1)
Signature Algorithm: sha256WithRSAEncryption
Issuer: /C=CN/ST=SiChuan/L=Chengdu/O=HuaQiYun/OU=Ops/CN=ca.leistudy.com/emailAddress=mail.leistudy.com
Last Update: Mar 27 06:55:01 2018 GMT
Next Update: Apr 26 06:55:01 2018 GMT
CRL extensions:
X509v3 CRL Number:
1
Revoked Certificates:
Serial Number: 01
Revocation Date: Mar 27 06:53:29 2018 GMT
Signature Algorithm: sha256WithRSAEncryption
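Revocation only protects anyone if the party relying on the certificate checks it against the CRL. The following is an added example, not part of the original article: it builds a throwaway CA from a constructed minimal config (the section names `demo_ca` and `demo_policy` and all subject and file names are made up here) and runs `openssl verify -crl_check` before and after revoking.

```sh
# Added example (not from the original article): a throwaway CA in a temp
# directory, to confirm that `openssl verify` rejects a revoked certificate.
# Subject names, file names and this minimal config are constructed.
revocation_check() {
    d=$(mktemp -d) || return 1
    mkdir "$d/newcerts"; touch "$d/index.txt"
    echo 01 > "$d/serial"; echo 01 > "$d/crlnumber"
    cat > "$d/ca.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database = $d/index.txt
new_certs_dir = $d/newcerts
serial = $d/serial
crlnumber = $d/crlnumber
certificate = $d/cacert.pem
private_key = $d/cakey.pem
default_md = sha256
default_days = 30
default_crl_days = 7
policy = demo_policy
[ demo_policy ]
commonName = supplied
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
EOF
    (umask 077; openssl genrsa -out "$d/cakey.pem" 2048
                openssl genrsa -out "$d/srv.key" 2048) 2>/dev/null
    openssl req -new -x509 -config "$d/ca.cnf" -key "$d/cakey.pem" \
        -subj "/CN=demo-ca.example" -days 30 -out "$d/cacert.pem"
    openssl req -new -config "$d/ca.cnf" -key "$d/srv.key" \
        -subj "/CN=www.example" -out "$d/srv.csr"
    ca() { openssl ca -batch -config "$d/ca.cnf" "$@" 2>/dev/null; }
    chk() { openssl verify -CAfile "$d/cacert.pem" -crl_check \
                -CRLfile "$d/ca.crl" "$d/srv.crt" >/dev/null 2>&1; }
    ca -in "$d/srv.csr" -out "$d/srv.crt"     # issued with serial 01
    ca -gencrl -out "$d/ca.crl"               # CRL with no entries yet
    if chk; then before=valid; else before=rejected; fi
    ca -revoke "$d/newcerts/01.pem"
    ca -gencrl -out "$d/ca.crl"               # CRL now lists serial 01
    if chk; then after=valid; else after=rejected; fi
    rm -rf "$d"
    echo "$before $after"
}
revocation_check    # prints: valid rejected
```

Without `-crl_check`, `openssl verify` does not consult the CRL at all, so the revoked certificate would still verify.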
Original article: http://blog.51cto.com/13501622/2091617