Data is extremely important; everyone agrees on that. Keeping data secure involves encryption and decryption. This article introduces the concepts behind encryption and decryption, the openssl basics for putting them into practice on Linux, and how to use openssl to create a CA and issue certificates:

1: The encryption and decryption framework

2: openssl basics

3: openssl in practice: creating a CA and issuing certificates


1: A. Encryption and decryption


Categories: symmetric encryption, asymmetric encryption, one-way encryption

a. Symmetric encryption: uses a single-key cryptosystem in which the same key both encrypts and decrypts, which is why it is called symmetric. Its security

depends not only on the algorithm but also on how the key is delivered, so key delivery affects the security of symmetric encryption.

Advantage: encryption is fast. Disadvantages: keys are hard to manage (one key per pair of communicating parties) and hard to deliver.

Common symmetric algorithms: DES (56 bits), 3DES, AES (128 bits), Blowfish, Twofish, IDEA, RC6, CAST5, Serpent

b. Asymmetric encryption: requires a public key and a private key; the public key and the private key form a pair.

Advantage: secure. Disadvantage: encryption is slower.

Use: key exchange

c. One-way encryption: produces a fingerprint (digest) of the data; irreversible; used to verify data integrity.

Common one-way algorithms: MD5, SHA1, SHA512, CRC-32

Properties: avalanche effect

Fixed-length output

How the three relate: public-key encryption provides identity authentication, one-way encryption provides data integrity, and symmetric encryption provides data confidentiality.

B: PKI: PKI (public key infrastructure). Put simply, PKI is the infrastructure built on public-key theory and technology

to provide security services.

X509: the certificate format, which contains:

the public key and its validity period;

the legitimate owner of the certificate;

how the certificate may be used;

information about the CA;

the CA's signature (verification code).

C: Encryption mechanism during communication:

A. Sender:

1. Compute the data's fingerprint (one-way encryption);

2. Encrypt the fingerprint with its own private key and append it after the data;

3. Generate a temporary symmetric key;

4. Use this key with some algorithm to encrypt the data together with the encrypted fingerprint;

5. Encrypt this symmetric key with the receiver's public key and append it after the encrypted data;

6. Send to the receiver;

B. Receiver:

1. Decrypt the encrypted symmetric key with its own private key;

2. Decrypt the data with the symmetric key;

3. Decrypt the encrypted fingerprint with the sender's public key;

4. Compute the data's fingerprint with the same algorithm and compare it with the decrypted fingerprint.
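The ten steps above as one shell function driven by openssl subcommands, one command per step. This is an added example, not code from the original post; the directory, key files and sample payload are constructed here, and `dgst -sign` / `dgst -verify` stand in for "encrypt the fingerprint with the private key" and its reverse.

```shell
# run_exchange DIR: plays sender A and receiver B inside DIR with openssl, one
# command per step of the list above. Returns 0 only when B's digest check
# passes and the recovered plaintext equals the original. Keys and the
# payload are generated here (constructed sample data, not real traffic).
run_exchange() (
    mkdir -p "$1" && cd "$1" || return 1
    printf 'constructed sample payload\n' > data.txt
    # long-term RSA pairs for A and B; private keys are created with mode 0600
    (umask 077; openssl genrsa -out a.key 2048 2>/dev/null; openssl genrsa -out b.key 2048 2>/dev/null)
    openssl rsa -in a.key -pubout -out a.pub 2>/dev/null
    openssl rsa -in b.key -pubout -out b.pub 2>/dev/null

    # --- sender A ---
    # steps 1+2: digest the data and encrypt the digest with A's private key;
    # `dgst -sign` does exactly that (the result is a signature)
    openssl dgst -sha256 -sign a.key -out data.sig data.txt
    # step 3: one-time symmetric key (256 bits, hex encoded, one line)
    openssl rand -hex 32 > session.key
    # step 4: append the encrypted digest to the data, then encrypt both with
    # the session key (AES-256-CBC via enc, the same subcommand as section 2)
    cat data.txt data.sig > bundle.bin
    openssl enc -aes-256-cbc -pbkdf2 -salt -pass file:session.key -in bundle.bin -out bundle.enc
    # step 5: encrypt the session key with B's public key (RSA-OAEP padding)
    openssl pkeyutl -encrypt -pubin -inkey b.pub -pkeyopt rsa_padding_mode:oaep -in session.key -out session.key.enc
    # step 6: bundle.enc + session.key.enc is everything that travels to B

    # --- receiver B ---
    # step 1: recover the session key with B's private key
    openssl pkeyutl -decrypt -inkey b.key -pkeyopt rsa_padding_mode:oaep -in session.key.enc -out session.key.rx
    # step 2: decrypt the bundle with the recovered session key
    openssl enc -d -aes-256-cbc -pbkdf2 -pass file:session.key.rx -in bundle.enc -out bundle.rx
    # split: a 2048-bit RSA signature is exactly the last 256 bytes of the bundle
    n=$(wc -c < bundle.rx)
    head -c "$((n - 256))" bundle.rx > data.rx
    tail -c 256 bundle.rx > data.sig.rx
    # steps 3+4: decrypt the digest with A's public key, recompute SHA-256 of
    # the data and compare; `dgst -verify` does both and fails on any mismatch
    openssl dgst -sha256 -verify a.pub -signature data.sig.rx data.rx >/dev/null || return 1
    [ "$(cat data.rx)" = "$(cat data.txt)" ]
)
dir=$(mktemp -d)
run_exchange "$dir" && echo "receiver B: digest check OK, plaintext recovered in $dir/data.rx"
```

A modified bundle.enc or a signature made with any key other than a.key makes the `dgst -verify` step fail, which is the integrity and authentication guarantee steps 3 and 4 provide.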

2: openssl basics

openssl is a security protocol implementation that provides security and data integrity for network communication. It contains the main cryptographic algorithms, the commonly used key and certificate packaging and management

functions, and the SSL protocol, and it ships a rich set of applications for testing or other purposes.

libcrypto: general-purpose cryptographic library

libssl: implements TLS/SSL

openssl: multi-purpose command-line tool

for generating keys, creating digital certificates, and manually encrypting and decrypting data

Encrypt: openssl enc -des3 -a -salt -in /etc/fstab -out /tmp/fstab.cipher

Decrypt: openssl enc -d -des3 -a -salt -in /tmp/fstab.cipher -out /tmp/fstab

enc selects symmetric encryption; -des3 encrypts with 3DES; -a base64-encodes the output (and decodes it when -d is given); -salt mixes a random salt into the key derived from the password; -d decrypts.

openssl dgst [-md5|-md4|-md2|-sha1|-mdc2|-ripemd160|-dss1] [-out filename] /path/to/somefile

dgst selects one-way encryption (a digest); the option that follows names the algorithm; -out names the output file; /path/to/somefile is the source file.

3: Creating a CA and issuing certificates

A digital certificate is a string of data that identifies the two parties in Internet communication; it provides a way to verify the identity of a communicating entity on the Internet and is generally issued by a CA, so people

can use a digital certificate to verify the other party's identity. Below, apache is used as the example to walk through creating a CA, and issuing and revoking a digital certificate.

Operations on the server side (the CA that signs, 192.168.2.3):

[root@localhost ~]# cd /etc/pki/CA/
[root@localhost CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
..............+++
...................................................+++
e is 65537 (0x10001)
[root@localhost CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3650
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:hn
Locality Name (eg, city) [Default City]:zz
Organization Name (eg, company) [Default Company Ltd]:ma
Organizational Unit Name (eg, section) []:linux
Common Name (eg, your name or your server's hostname) []:ca.limeizhi.com
Email Address []:8@qq.com
[root@localhost CA]#
[root@localhost CA]#
[root@localhost CA]# touch index.txt serial crlnumber
[root@localhost CA]# echo 01 > serial
[root@localhost CA]# cp /root/httpd.csr .
[root@localhost CA]# ls
cacert.pem  crl        httpd.csr  newcerts  serial
certs       crlnumber  index.txt  private
[root@localhost CA]# openssl ca -in httpd.csr -out httpd.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Mar  9 08:11:01 2014 GMT
            Not After : Mar  9 08:11:01 2015 GMT
        Subject:
            countryName               = cn
            stateOrProvinceName       = hn
            organizationName          = ma
            organizationalUnitName    = linux
            commonName                = www.limeizhi.com
            emailAddress              = 8@qq.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                F6:71:9B:1D:97:F6:87:09:E7:36:41:60:8D:6B:4D:59:3C:8C:E3:B1
            X509v3 Authority Key Identifier:
                keyid:8C:E4:19:25:B4:F4:46:74:64:F5:90:7F:A6:71:A4:6B:E2:74:B5:F3
Certificate is to be certified until Mar  9 08:11:01 2015 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@localhost CA]#
[root@localhost CA]#
[root@localhost CA]# cp httpd.crt 192.168.2.4:/etc/httpd/ssl
cp: cannot create regular file `192.168.2.4:/etc/httpd/ssl': No such file or directory
[root@localhost CA]# scp httpd.crt 192.168.2.4:/etc/httpd/ssl
httpd.crt                            100% 3780     3.7KB/s   00:00
[root@localhost CA]# openssl ca -revoke httpd.crt

Operations on the client side (192.168.2.4):

[root@localhost ~]# mkdir /etc/httpd/ssl
[root@localhost ~]# cd
[root@localhost ~]# cd /etc/httpd/ssl
[root@localhost ssl]# ls
[root@localhost ssl]# (umask 077;openssl genrsa -out httpd.key 1024)
Generating RSA private key, 1024 bit long modulus
...++++++
...............++++++
e is 65537 (0x10001)
[root@localhost ssl]# openssl req -new -key httpd.key -out httpd.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:vn^C
[root@localhost ssl]# openssl req -new -key httpd.key -out httpd.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:hn
Locality Name (eg, city) [Default City]:zz
Organization Name (eg, company) [Default Company Ltd]:ma
Organizational Unit Name (eg, section) []:linux
Common Name (eg, your name or your server's hostname) []:www.k^C
[root@localhost ssl]# openssl req -new -key httpd.key -out httpd.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:hn
Locality Name (eg, city) [Default City]:zz
Organization Name (eg, company) [Default Company Ltd]:ma
Organizational Unit Name (eg, section) []:linux
Common Name (eg, your name or your server's hostname) []:www.limeizhi.com
Email Address []:8@qq.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@localhost ssl]# scp httpd.csr httpd.
httpd.csr  httpd.key
[root@localhost ssl]# scp httpd.csr httpd.
httpd.csr  httpd.key
[root@localhost ssl]# scp httpd.csr server:/root/
The authenticity of host 'server (172.16.0.1)' can't be established.
RSA key fingerprint is 11:fc:5f:c3:95:fe:9f:c8:62:ac:a5:5b:80:ec:ae:01.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'server,172.16.0.1' (RSA) to the list of known hosts.
root@server's password: [root@localhost ssl]# ^C
[root@localhost ssl]# scp httpd.csr 192.168.2.3:/root
The authenticity of host '192.168.2.3 (192.168.2.3)' can't be established.
RSA key fingerprint is 61:70:80:57:75:96:07:e8:cc:66:67:b0:06:fc:f0:ff.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.2.3' (RSA) to the list of known hosts.
httpd.csr                                                100%  672     0.7KB/s   00:00
[root@localhost ssl]# pwd
/etc/httpd/ssl
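The same sequence as the two sessions above (CA key, self-signed root, index.txt/serial/crlnumber, client key and CSR, `openssl ca` signing, `openssl ca -revoke`), run non-interactively in a throwaway directory with its own config instead of /etc/pki/CA, and carried one step further than the post: after the revocation it publishes a CRL and confirms that a CRL-checking verify now rejects httpd.crt. This is an added example, not code from the original post; the directory, config section names and DN values are constructed.

```shell
# setup_ca DIR: the layout `openssl ca` expects (index.txt, serial, crlnumber,
# newcerts/), a minimal config (constructed, stands in for openssl.cnf) and a
# self-signed root. Paths in the config are relative to DIR.
setup_ca() (
    set -e; mkdir -p "$1/newcerts" "$1/private"; cd "$1"
    touch index.txt; echo 01 > serial; echo 01 > crlnumber
    cat > ca.cnf <<'EOF'
[ ca ]
default_ca       = myca
[ myca ]
dir              = .
database         = $dir/index.txt
new_certs_dir    = $dir/newcerts
serial           = $dir/serial
crlnumber        = $dir/crlnumber
certificate      = $dir/cacert.pem
private_key      = $dir/private/cakey.pem
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = any_pol
[ any_pol ]
commonName       = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
EOF
    (umask 077; openssl genrsa -out private/cakey.pem 2048 2>/dev/null)
    openssl req -new -x509 -config ca.cnf -extensions v3_ca -days 3650 \
        -key private/cakey.pem -subj "/CN=ca.example.test" -out cacert.pem
)
# issue_cert DIR: client-side key + CSR, then the CA signs it; returns 0 if
# the new certificate chains to cacert.pem.
issue_cert() (
    set -e; cd "$1"
    (umask 077; openssl genrsa -out httpd.key 2048 2>/dev/null)
    openssl req -new -config ca.cnf -key httpd.key -subj "/CN=www.example.test" -out httpd.csr
    openssl ca -batch -config ca.cnf -in httpd.csr -out httpd.crt >/dev/null 2>&1
    openssl verify -CAfile cacert.pem httpd.crt >/dev/null
)
# revoke_cert DIR: revoke httpd.crt and publish a CRL; returns 0 when a
# CRL-checking verify now rejects the certificate (revocation took effect).
revoke_cert() (
    cd "$1" || return 1
    openssl ca -batch -config ca.cnf -revoke httpd.crt >/dev/null 2>&1 || return 1
    openssl ca -batch -config ca.cnf -gencrl -out ca.crl >/dev/null 2>&1 || return 1
    ! openssl verify -crl_check -CAfile cacert.pem -CRLfile ca.crl httpd.crt >/dev/null 2>&1
)
dir=$(mktemp -d)
setup_ca "$dir" && issue_cert "$dir" && revoke_cert "$dir" && echo "issued, then revoked: CRL check rejects httpd.crt"
```

Without the `-gencrl` step a revocation only changes the CA's index.txt; relying parties see nothing until the CRL (or an OCSP responder fed from the same database) is published.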

Reposted from: https://blog.51cto.com/limeizhi/1370870
