码迷,mamicode.com
首页 > 系统相关 > 详细

Linux加密和安全

时间:2018-09-17 11:44:36      阅读:210      评论:0      收藏:0      [点我收藏+]

标签:选择   size   ide   sig   防火墙   特性   单向加密   closure   lis   

墨菲定律

 墨菲定律:一种心理学效应,是由爱德华·墨菲(Edward A. Murphy)提出的,原话:如果有两种或两种以上的方式去做某件事情,而其中一种选择方式将导致灾难,则必定有人会做出这种选择
 主要内容:
    任何事都没有表面看起来那么简单
    所有的事都会比你预计的时间长
    会出错的事总会出错
    如果你担心某种情况发生,那么它就更有可能发生

安全机制

  1、信息安全防护的目标:
    保密性 Confidentiality
    完整性 Integrity
      数据不能被串改,要保证数据的完整性
    可用性 Usability
      让系统一直处于稳定可用状态
    可控制性 Controlability
      系统要处于可控制的范围内
    不可否认性 Non-repudiation
      否定事情的正确性
  2、安全防护环节:
    物理安全:各种设备/主机、机房环境
    系统安全:主机或设备的操作系统
    应用安全:各种网络服务、应用程序
    网络安全:对网络访问的控制、防火墙规则
    数据安全:信息的备份与恢复、加密解密
    管理安全:各种保障性的规范、流程、方法

安全防护

安全×××: STRIDE
  Spoofing 假冒
  Tampering 篡改
  Repudiation 否认
  Information Disclosure 信息泄漏
  Denial of Service 拒绝服务
  Elevation of Privilege 提升权限
安全设计基本原则:
  使用成熟的安全系统
  以小人之心度输入数据
  外部系统是不安全的
  最小授权
  减少外部接口
  缺省使用安全模式
  安全不是似是而非
  从STRIDE思考
  在入口处检查
  从管理上保护好你的系统

安全算法

  常用安全技术
    认证
    授权
    审计
    安全通信
      在通信的过程中,要保证信息的安全
  密码算法和协议
    对称加密
    公钥加密
    单向加密
    认证协议

最早的加密算法

凯撒密码
加密思想是在当前字母往后移三位,比如说:LOVE,ORYH,如果最后一位是Z的话继续转圈回来从A开始继续往下走

对称加密算法

  对称加密:加密和解密使用同一个密钥
    DES:Data Encryption Standard,56bits
    3DES:相对于DES的三倍加密方式
    AES:Advanced (128, 192, 256bits)
    Blowfish,Twofish
    IDEA,RC6,CAST5
  特性:
    1、加密、解密使用同一个密钥,效率高
    2、将原始数据分割成固定大小的块,逐个进行加密
  缺陷:
    1、密钥过多
    2、密钥分发
    3、数据来源无法确认
算法的几个要求:
  1、公钥可以公开
   2、key
  算法和密钥配合起来一块使用,密钥不公开,保证用不同的密钥结合相同算法加密出来的结果是破解不了的

非对称加密算法

  公钥加密:密钥是成对出现
    公钥:公开给所有人;public key
    私钥:自己留存,必须保证其私密性;secret key
  特点:
    用公钥加密数据,只能使用与之配对的私钥解密;反之亦然
  功能:
    数字签名:主要在于让接收方确认发送方身份
    对称密钥交换:发送方用对方的公钥加密一个对称密钥后发送给对方
    数据加密:适合加密较小数据
  缺点:
    密钥长,加密解密效率低下
  算法:
    RSA(加密,数字签名)
    DSA(数字签名)
    ELGamal
  基于一对公钥/密钥对
    用密钥对中的一个加密,另一个解密
实现加密:
  接收者
    生成公钥/密钥对:P和S
    公开公钥P,保密密钥S
  发送者
    使用接收者的公钥来加密消息M
    将P(M)发送给接收者
  接收者
    使用密钥S来解密:M=S(P(M))
结合签名和加密
分离签名

单向散列

将任意数据缩小成固定大小的“指纹”
  任意长度输入
  固定长度输出
  若修改数据,指纹也会改变(“不会产生冲突”)
  无法从指纹中重新生成数据(“单向”)
功能:
   数据完整性
常见算法
   md5: 128bits、sha1: 160bits、sha224 、sha256、sha384、sha512
常用工具
   md5sum | sha1sum [ --check ] file
   openssl、gpg
   rpm -V

数字签名

技术分享图片

密钥交换

密钥交换: IKE( Internet Key Exchange )
  公钥加密:
  DH (Deffie-Hellman):生成会话密钥,由惠特菲尔德·迪菲(Bailey Whitfield Diffie)和马丁·赫尔曼(Martin Edward Hellman)在1976年发表
参看:https://en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exchange
DH:
  A: g,p 协商生成公开的整数g, 大素数p
  B: g,p
  A:生成隐私数据 :a (a<p ),计算得出 g^a%p,发送给B
  B:生成隐私数据 :b,计算得出 g^b%p,发送给A
  A:计算得出 [(g^b%p)^a] %p = g^ab%p,生成为密钥
  B:计算得出 [(g^a%p)^b] %p = g^ab%p,生成为密钥

应用程序:RPM

文件完整性的两种实施方式
被安装的文件
  MD5单向散列
  rpm --verify package_name (or -V)
发行的软件包文件
  GPG公钥签名
  rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat*
  rpm --checksig pakage_file_name (or -K)

使用gpg实现对称加密

对称加密file文件
   gpg -c file
   ls file.gpg

[root@node1 /data]#gpg -c fstab 

在另一台主机上解密file
  gpg -o file -d file.gpg

[root@node2 /app]#gpg -o f1 -d fstab.gpg 

使用gpg工具实现公钥加密

在hostB主机上用公钥加密,在hostA主机上解密
在hostA主机上生成公钥/私钥对
  gpg --gen-key
在hostA主机上查看公钥
  gpg --list-keys
在hostA主机上导出公钥到cobbler.pubkey
  gpg -a --export -o cobbler.pubkey
从hostA主机上复制公钥文件到需加密的B主机上
  scp cobbler.pubkey hostB:
在需加密数据的hostB主机上生成公钥/私钥对
  gpg --list-keys
  gpg --gen-key
在hostB主机上导入公钥
  gpg --import cobbler.pubkey
  gpg --list-keys
用从hostA主机导入的公钥,加密hostB主机的文件file,生成file.gpg
  gpg -e -r cobbler file
  file file.gpg
复制加密文件到hostA主机
  scp fstab.gpg hostA:
在hostA主机解密文件
  gpg -d file.gpg
  gpg -o file -d file.gpg
删除公钥和私钥
  gpg --delete-keys cobbler
  gpg --delete-secret-keys cobbler

gpg加密实验

[root@node1 /data]#gpg --gen-key 
gpg (GnuPG) 2.0.22; Copyright (C) 2013 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

gpg: keyring `/root/.gnupg/secring.gpg‘ created
Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
Your selection? 
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 1024
Requested keysize is 1024 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 0
Key does not expire at all
Is this correct? (y/N) y

GnuPG needs to construct a user ID to identify your key.

Real name: cobbler
Email address: cobbler@dklwj.com
Comment: test
You selected this USER-ID:
    "cobbler (test) <cobbler@dklwj.com>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O

We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: key FD4CFEF9 marked as ultimately trusted
public and secret key created and signed.

gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
pub   1024R/FD4CFEF9 2018-09-12
      Key fingerprint = 3D2D 3674 D945 1271 919B  2671 9229 A6E0 FD4C FEF9
uid                  cobbler (test) <cobbler@dklwj.com>
sub   1024R/7CD048CE 2018-09-12

在/root/.gnupg
[root@node1 ~/.gnupg]#ll
total 28
-rw------- 1 root root 7680 Sep 12 21:13 gpg.conf
drwx------ 2 root root    6 Sep 12 21:13 private-keys-v1.d
-rw------- 1 root root 1872 Sep 12 21:42 pubring.gpg
-rw------- 1 root root 1872 Sep 12 21:42 pubring.gpg~
-rw------- 1 root root  600 Sep 12 21:42 random_seed
-rw------- 1 root root 3838 Sep 12 21:42 secring.gpg
srwxr-xr-x 1 root root    0 Sep 12 21:28 S.gpg-agent
-rw------- 1 root root 1360 Sep 12 21:42 trustdb.gpg

查看生成的公钥
[root@node1 ~/.gnupg]#gpg --list-key
/root/.gnupg/pubring.gpg
------------------------
pub   1024R/FD4CFEF9 2018-09-12
uid                  cobbler (test) <cobbler@dklwj.com>
sub   1024R/7CD048CE 2018-09-12

到处为易读的格式传给对方
[root@node3 ~]]#gpg -a --export -o cobbler.pubkey

导入客户端的公钥
[root@node1 ~/.gnupg]#gpg --import /data/cobbler.pubkey 
gpg: key A24FC96C: public key "cobbler" imported
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)

查看当前机器上的所有公钥
[root@node1 ~/.gnupg]#gpg --list-key

使用cobbler的公钥加密
[root@node1 /data]#gpg -e -r cobbler fstab
gpg: 98C7C0F4: There is no assurance this key belongs to the named user

pub  2048R/98C7C0F4 2018-09-12 cobbler
 Primary key fingerprint: 6FB7 75D3 2534 B4F8 7E1C  4FD2 DCEF 398E A24F C96C
      Subkey fingerprint: EE01 7CF1 D62D A366 7C15  D36A 0043 0625 98C7 C0F4

It is NOT certain that the key belongs to the person named
in the user ID.  If you *really* know what you are doing,
you may answer the next question with yes.

Use this key anyway? (y/N) y

查看刚加密的文件
[root@node1 /data]#ll
total 16
-rw-r--r-- 1 root root 1683 Sep 12 22:23 cobbler.pubkey
-rw-r--r-- 1 root root  541 Sep 12 21:13 fstab
-rw-r--r-- 1 root root  609 Sep 12 22:32 fstab.gpg
-rw-r--r-- 1 root root  316 Sep 12 21:13 fstab.gpg.bak

把加密好的文件传给客户端然后通过客户端的私钥解密
[root@node1 /data]#scp fstab.gpg 172.20.7.53:/data

客户端解密的时候不用需要再输入密码来解密了自动解密,
[root@node3 /data]]#gpg -d fstab.gpg 
gpg: encrypted with 2048-bit RSA key, ID 98C7C0F4, created 2018-09-12
      "cobbler"

#
# /etc/fstab
# Created by anaconda on Wed Jul 18 20:40:37 2018
#
# Accessible filesystems, by reference, are maintained under ‘/dev/disk‘
# See man pages fstab(5), findfs(8), mount(8) and/or blkid(8) for more info
#
/dev/mapper/centos-root /                       xfs     defaults        0 0
UUID=3d4ae911-238f-4436-82eb-5bb4660c38c7 /boot                   xfs     defaults        0 0
/dev/mapper/centos-data /data                   xfs     defaults        0 0
/dev/mapper/centos-swap swap                    swap    defaults        0 0

不过-d只是在屏幕上显示出来要想解开需要加上-o 指定新文件名称
[root@node3 /data]]#gpg -o fs -d fstab.gpg 
gpg: encrypted with 2048-bit RSA key, ID 98C7C0F4, created 2018-09-12
      "cobbler"
查看文件
[root@node3 /data]]#ls
fs  fstab.gpg  lost+found
[root@node3 /data]]#cat fs

#
# /etc/fstab
# Created by anaconda on Wed Jul 18 20:40:37 2018
#
# Accessible filesystems, by reference, are maintained under ‘/dev/disk‘
# See man pages fstab(5), findfs(8), mount(8) and/or blkid(8) for more info
#
/dev/mapper/centos-root /                       xfs     defaults        0 0
UUID=3d4ae911-238f-4436-82eb-5bb4660c38c7 /boot                   xfs     defaults        0 0
/dev/mapper/centos-data /data                   xfs     defaults        0 0
/dev/mapper/centos-swap swap                    swap    defaults        0 0

现在所有的公钥都不想要了,删除它
[root@node1 /data]#gpg --delete-keys cobbler
gpg (GnuPG) 2.0.22; Copyright (C) 2013 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

pub  2048R/A24FC96C 2018-09-12 cobbler

Delete this key from the keyring? (y/N) y

不过在删除第二个的时候它会提示你先让你删除私钥,
[root@node1 /data]#gpg --delete-keys zabbix
gpg (GnuPG) 2.0.22; Copyright (C) 2013 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

gpg: there is a secret key for public key "zabbix"!
gpg: use option "--delete-secret-keys" to delete it first.

[root@node1 /data]#gpg --delete-secret-keys zabbix
gpg (GnuPG) 2.0.22; Copyright (C) 2013 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

sec  2048R/799524A3 2018-09-12 zabbix

Delete this key from the keyring? (y/N) y
This is a secret key! - really delete? (y/N) y
[root@node1 /data]#gpg --delete-keys zabbix       
gpg (GnuPG) 2.0.22; Copyright (C) 2013 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

pub  2048R/799524A3 2018-09-12 zabbix

Delete this key from the keyring? (y/N) y
[root@node1 /data]#

Linux加密和安全

标签:选择   size   ide   sig   防火墙   特性   单向加密   closure   lis   

原文地址:http://blog.51cto.com/dklwj/2175918

(0)
(0)
   
举报
评论 一句话评论(0
登录后才能评论!
© 2014 mamicode.com 版权所有  联系我们:gaon5@hotmail.com
迷上了代码!