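Properties provided by data encryption: confidentiality, integrity and identity authentication.
Common encryption algorithms
Symmetric encryption
A symmetric encryption algorithm uses the same key for both encryption and decryption, and it offers no effective way to manage keys.
Symmetric encryption algorithms include: DES; 3DES; AES: Advanced; AES192, AES256, AES512; OpenSSL; gpg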
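One-way encryption
A one-way encryption algorithm extracts a fingerprint (digest) of the data and can effectively guarantee data integrity. The same input always produces the same output. Avalanche effect: a tiny change in the input causes a huge change in the result. Fixed-length output: however large the original data is, the result has the same size. It is irreversible: the original data cannot be recovered from the digest. Algorithms: md4; md5; SHA1; SHA192, SHA256, SHA384; CRC-32.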
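Public-key encryption
Also called asymmetric encryption. Public-key encryption generates a key pair, a public key and a private key: data encrypted with the public key can only be decrypted with the private key, and vice versa. When the sender encrypts data with its own private key, the data can be decrypted with the public key, which verifies the sender's identity. When the sender encrypts data with the recipient's public key, the confidentiality of the data is guaranteed (rarely used). Public-key algorithms are rarely used to encrypt data because they are too slow.
Uses of public-key encryption: identity authentication (digital signatures); data encryption; key exchange. RSA: encryption and signing; DSA: signing; ElGamal: commercial algorithm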
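OpenSSL: an open-source implementation of SSL
Components:
libcrypto: general-purpose cryptography library
libssl: the TLS/SSL implementation, a session-based TLS/SSL library that provides identity authentication, data confidentiality and session integrity
openssl: multi-purpose command-line tool
Implementing a private certificate authority (CA)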
1. Encryption and decryption
[root@desktop3 ~]# openssl enc -des3 -salt -a -in inittab -out inittab.des3    # encrypt
enter des-ede3-cbc encryption password:
Verifying - enter des-ede3-cbc encryption password:
[root@desktop3 ~]# openssl enc -des3 -d -salt -a -in inittab.des3 -out inittabbs    # -d decrypts
enter des-ede3-cbc decryption password:
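The digest properties listed under one-way encryption (same input gives same output, fixed length, avalanche effect), checked with openssl dgst, together with the step 1 round trip run without prompts and verified by comparing digests. This is an added example, not part of the original page; the sample file contents, file names and password are constructed, and SHA-256 is the digest chosen here.

```shell
# Added example, not from the original page. Sample input is constructed.
set -eu

digest() { openssl dgst -sha256 -r "$1" | cut -d' ' -f1; }   # hex digest only

# Count the hex digits that differ between two equal-length digests.
hexdiff() {
    a=$1; b=$2; n=0
    while [ -n "$a" ]; do
        [ "${a%"${a#?}"}" = "${b%"${b#?}"}" ] || n=$((n + 1))
        a=${a#?}; b=${b#?}
    done
    echo "$n"
}

# Encrypt and decrypt as in step 1, then compare digests of input and output.
# $1 = plaintext file, $2 = encryption password, $3 = decryption password
roundtrip_ok() {
    openssl enc -des3 -salt -a -in "$1" -out "$1.des3" -pass "pass:$2" 2>/dev/null
    openssl enc -des3 -d -a -in "$1.des3" -out "$1.out" -pass "pass:$3" 2>/dev/null \
        || return 1          # a wrong password usually ends in "bad decrypt"
    # If padding happens to look valid, the digest comparison still catches it.
    [ "$(digest "$1")" = "$(digest "$1.out")" ]
}

tmp=$(mktemp -d)
printf 'id:3:initdefault:\n' > "$tmp/inittab"     # constructed sample input
printf 'id:5:initdefault:\n' > "$tmp/inittab2"    # same line, one character changed
d1=$(digest "$tmp/inittab"); d2=$(digest "$tmp/inittab2")
echo "digest length: ${#d1} hex digits; digits that differ: $(hexdiff "$d1" "$d2")"
roundtrip_ok "$tmp/inittab" redhat redhat && echo "round trip preserved the digest"
roundtrip_ok "$tmp/inittab" redhat wrong || echo "wrong password detected"
```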
2. Generating a password hash
[root@desktop3 ~]# openssl passwd -1
Password: redhat
Verifying - Password: 
$1$CVJwthEO$4BHZTPhDSp67ISeTsM0YZ0
[root@desktop3 ~]# openssl passwd -1 -salt CVJwthEO    # specify the salt
Password: 
$1$CVJwthEO$4BHZTPhDSp67ISeTsM0YZ0
3. Configuring a CA to issue certificates
Edit the configuration file /etc/pki/tls/openssl.cnf:
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = CN
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = JiangSu
localityName = Locality Name (eg, city)
localityName_default = WuXi
0.organizationName = Organization Name (eg, company)
0.organizationName_default = TVM
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = Tech
Create the required files
[root@desktop3 CA]# touch index.txt
[root@desktop3 CA]# echo 01 > serial
Generate a key for the CA
[root@desktop3 CA]# (umask 077; openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
...+++
.................................................................+++
e is 65537 (0x10001)
Self-sign the CA certificate
[root@desktop3 CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [JiangSu]:
Locality Name (eg, city) [WuXi]:
Organization Name (eg, company) [TVM]:
Organizational Unit Name (eg, section) [Tech]:
Common Name (eg, your name or your server's hostname) []:desktop3.example.com
Email Address []:root@example.com
4. Generating a key and certificate for the httpd application and signing it
Create a key for the httpd application
[root@desktop3 ssl]# (umask 077;openssl genrsa -out httpd.key 1024)
Generating RSA private key, 1024 bit long modulus
.....++++++
.....................++++++
e is 65537 (0x10001)
Generate a certificate signing request for the httpd application
[root@desktop3 ssl]# openssl req -new -key httpd.key -out httpd.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [JiangSu]:
Locality Name (eg, city) [WuXi]:
Organization Name (eg, company) [TVM]:
Organizational Unit Name (eg, section) [Tech]:
Common Name (eg, your name or your server's hostname) []:www.example.com
Email Address []:root@example.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
The CA signs the certificate
[root@desktop3 ssl]# openssl ca -in httpd.csr -out httpd.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Sep 13 03:36:22 2015 GMT
            Not After : Sep 12 03:36:22 2016 GMT
        Subject:
            countryName = CN
            stateOrProvinceName = JiangSu
            organizationName = TVM
            organizationalUnitName = Tech
            commonName = www.example.com
            emailAddress = root@example.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                3C:67:BB:BC:C4:B0:64:66:DF:DC:26:A7:FC:72:85:65:D4:9F:02:88
            X509v3 Authority Key Identifier:
                keyid:38:E7:94:C4:86:9E:54:71:29:B4:25:70:63:58:FB:BB:34:A3:E3:BD

Certificate is to be certified until Sep 12 03:36:22 2016 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
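Steps 3 and 4 as one run without prompts, followed by two checks on the result: the issued certificate chains to the CA, and it carries the public half of httpd.key. This is an added example, not part of the original page; the temporary directory, the minimal ca.cnf standing in for /etc/pki/tls/openssl.cnf, and the 2048-bit httpd key are assumptions.

```shell
# Added example, not from the original page: steps 3-4 without prompts, then two checks.
set -eu
build_ca_and_sign() {   # $1 = working directory (constructed paths only)
    w=$1; ca=$w/CA; subj="/C=CN/ST=JiangSu/L=WuXi/O=TVM/OU=Tech"
    mkdir -p "$ca/private" "$ca/newcerts" "$w/ssl"; touch "$ca/index.txt"; echo 01 > "$ca/serial"
    cat > "$w/ca.cnf" <<EOF   # minimal stand-in for /etc/pki/tls/openssl.cnf (assumption)
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical,CA:TRUE
[ ca ]
default_ca = CA_default
[ CA_default ]
database = $ca/index.txt
serial = $ca/serial
new_certs_dir = $ca/newcerts
certificate = $ca/cacert.pem
private_key = $ca/private/cakey.pem
default_md = sha256
policy = policy_match
x509_extensions = usr_cert
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
[ usr_cert ]
basicConstraints = CA:FALSE
EOF
    (umask 077; openssl genrsa -out "$ca/private/cakey.pem" 2048) 2>/dev/null
    openssl req -new -x509 -config "$w/ca.cnf" -key "$ca/private/cakey.pem" \
        -subj "$subj/CN=desktop3.example.com" -out "$ca/cacert.pem"
    (umask 077; openssl genrsa -out "$w/ssl/httpd.key" 2048) 2>/dev/null  # 2048 here; the page uses 1024
    openssl req -new -config "$w/ca.cnf" -key "$w/ssl/httpd.key" \
        -subj "$subj/CN=www.example.com" -out "$w/ssl/httpd.csr"
    openssl ca -batch -config "$w/ca.cnf" -in "$w/ssl/httpd.csr" \
        -out "$w/ssl/httpd.crt" -days 365 2>/dev/null
}
# Check 1: the issued certificate chains to the CA certificate.
verify_chain() { openssl verify -CAfile "$1/CA/cacert.pem" "$1/ssl/httpd.crt" >/dev/null; }
key_matches_cert() {   # check 2: the certificate carries the public half of httpd.key
    [ "$(openssl x509 -noout -pubkey -in "$1/ssl/httpd.crt")" = \
      "$(openssl pkey -pubout -in "$1/ssl/httpd.key")" ]
}
demo=$(mktemp -d); build_ca_and_sign "$demo"; verify_chain "$demo"; key_matches_cert "$demo"
echo "chain verified, key matches, next serial: $(cat "$demo/CA/serial")"
```

After one signing, index.txt holds one valid (V) entry and serial has advanced from 01 to 02, which is how the CA keeps serial numbers unique.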
5. Key-based authentication between two hosts
Generate a key pair
[student@desktop3 ~]$ ssh-keygen -t rsa -f .ssh/id_rsa -N ''
Generating public/private rsa key pair.
Your identification has been saved in .ssh/id_rsa.
Your public key has been saved in .ssh/id_rsa.pub.
The key fingerprint is:
0d:1d:d8:1b:a5:08:09:ce:2d:a0:cf:75:b7:a4:19:44 student@desktop3.example.com
The key's randomart image is:
+--[ RSA 2048]----+
| . .oE. o... |
| . + o...ooo |
|. = + = oo |
| o . o * +. |
| o o S . |
| |
| |
| |
| |
+-----------------+
Copy the public key into the .ssh/authorized_keys file under the home directory of a user on the server
[student@desktop3 ~]$ ssh-copy-id -i .ssh/id_rsa.pub root@192.168.0.1
The authenticity of host '192.168.0.1 (192.168.0.1)' can't be established.
RSA key fingerprint is 4f:eb:da:77:1e:ab:bc:2a:f3:8f:52:db:b8:bc:44:9c.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.0.1' (RSA) to the list of known hosts.
root@192.168.0.1's password: 
Now try logging into the machine, with "ssh 'root@192.168.0.1'", and check in:

  .ssh/authorized_keys

to make sure we haven't added extra keys that you weren't expecting.
Test the login