Overview of encryption and decryption, OpenSSL usage, and creating a CA and issuing certificates with it
Everyone agrees that data is valuable, and protecting it means dealing with encryption and decryption. This article covers the concepts behind encryption and decryption, the OpenSSL basics used to implement them on Linux, and how to create a CA and issue certificates with OpenSSL:
I. The encryption/decryption framework
II. OpenSSL basics
III. Using OpenSSL: creating a CA and issuing certificates
I. A. Encryption and decryption
Categories: symmetric encryption, asymmetric (public-key) encryption, one-way encryption (hashing)
a. Symmetric encryption: a single-key cryptosystem in which one key both encrypts and decrypts, hence the name. Its security depends not only on the algorithm but also on how the key is delivered to the other party, so key distribution affects the security of symmetric encryption.
Advantage: fast. Disadvantages: keys are hard to manage (a separate key for each pair of parties) and hard to distribute.
Common symmetric algorithms: DES (56-bit), 3DES, AES (128-bit), Blowfish, Twofish, IDEA, RC6, CAST5, Serpent
b. Asymmetric encryption: uses a public key and a private key, generated together as a pair.
Advantage: secure. Disadvantage: slow compared with symmetric encryption.
Use: exchanging (symmetric) keys
c. One-way encryption (hashing): produces a fingerprint (digest) of the data; it cannot be reversed and is used to verify data integrity.
Common one-way algorithms: MD5, SHA1, SHA512, CRC-32
Properties: avalanche effect (a small change in the input changes the output completely)
Fixed-length output
How the three work together: public-key cryptography provides authentication, one-way hashing provides data integrity, and symmetric encryption provides data confidentiality.
B. PKI: public key infrastructure. In short, PKI is the infrastructure, built on public-key theory and technology, that provides security services.
X.509: the certificate format, which carries
the public key and its validity period
the certificate's legitimate owner
how the certificate may be used
information about the CA
the CA's signature (the check value)
C. How encryption is used in a communication exchange:
A. Sender:
1. Compute the data's fingerprint (one-way hash);
2. Encrypt the fingerprint with the sender's own private key (a digital signature) and append it to the data;
3. Generate a temporary symmetric key;
4. Encrypt the data together with the encrypted fingerprint using that key and a chosen algorithm;
5. Encrypt the symmetric key with the receiver's public key and append it to the encrypted data;
6. Send to the receiver.
B. Receiver:
1. Decrypt the encrypted symmetric key with its own private key;
2. Decrypt the data with the symmetric key;
3. Decrypt the encrypted fingerprint with the sender's public key;
4. Compute the data's fingerprint with the same algorithm and compare it with the decrypted fingerprint.
II. OpenSSL basics
OpenSSL is an implementation of the SSL/TLS protocols that provides security and data integrity for network communication. It contains the major cryptographic algorithms, the commonly needed key and certificate packaging and management functions and the SSL protocol itself, and ships a rich set of command-line applications for testing and other uses.
libcrypto: the general-purpose cryptographic library
libssl: the TLS/SSL implementation
openssl: the multi-purpose command-line tool, used to generate keys, create digital certificates and encrypt or decrypt data by hand
Encrypt: openssl enc -des3 -a -salt -in /etc/fstab -out /tmp/fstab.cipher
Decrypt: openssl enc -d -des3 -a -salt -in /tmp/fstab.cipher -out /tmp/fstab
enc is the symmetric-encryption subcommand: -des3 encrypts with 3DES, -a base64-encodes the output (and decodes it again on the way back), and -salt adds a random salt when the key is derived from the passphrase.
openssl dgst [-md5|-md4|-md2|-sha1|-mdc2|-ripemd160|-dss1] [-out filename] /path/to/somefile
dgst performs one-way hashing; the option selects the algorithm, -out names the output file and /path/to/somefile is the input file.
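The sender/receiver procedure of section C, carried out with the enc and dgst tools described above; this is an added example, not code from the original post. It assumes OpenSSL 1.1.1 or later (for -pbkdf2) in a POSIX shell; the message, key names and file names are all constructed here, with A as the sender and B as the receiver.

```shell
# Added example, not from the original post: the sender/receiver steps of
# section C done with openssl enc/dgst. All file names and the message are
# constructed here; A = sender, B = receiver.
hybrid_demo() (
    set -e; cd "$1"                                   # $1: writable scratch directory
    printf 'quarterly figures: revenue up 12%%\n' > msg.txt
    # long-term key pairs; each side keeps its private key and publishes the .pub
    openssl genrsa -out a.key 2048 2>/dev/null; openssl rsa -in a.key -pubout -out a.pub 2>/dev/null
    openssl genrsa -out b.key 2048 2>/dev/null; openssl rsa -in b.key -pubout -out b.pub 2>/dev/null
    # sender 1+2: digest the data (one-way) and encrypt the digest with A's private key
    openssl dgst -sha256 -sign a.key -out msg.sig msg.txt
    # sender 3+4: one-time symmetric key; data and signed digest are encrypted under it
    openssl rand -hex 32 > session.key
    openssl enc -aes-256-cbc -pbkdf2 -salt -in msg.txt -out msg.enc -pass file:session.key
    openssl enc -aes-256-cbc -pbkdf2 -salt -in msg.sig -out sig.enc -pass file:session.key
    # sender 5+6: encrypt the session key with B's public key; only the *.enc files travel
    openssl pkeyutl -encrypt -pubin -inkey b.pub -in session.key -out key.enc
    rm -f session.key msg.txt msg.sig
    # receiver 1+2: recover the session key with B's private key, then the data
    openssl pkeyutl -decrypt -inkey b.key -in key.enc -out session.rx
    openssl enc -d -aes-256-cbc -pbkdf2 -in msg.enc -out msg.rx -pass file:session.rx
    openssl enc -d -aes-256-cbc -pbkdf2 -in sig.enc -out sig.rx -pass file:session.rx
    # receiver 3+4: A's public key decrypts the digest, which is recomputed and compared
    openssl dgst -sha256 -verify a.pub -signature sig.rx msg.rx >/dev/null
    # a single changed byte in transit must make the same check fail
    printf 'quarterly figures: revenue up 13%%\n' > tampered.txt
    ! openssl dgst -sha256 -verify a.pub -signature sig.rx tampered.txt >/dev/null 2>&1
)
```

The function returns 0 only when the genuine message verifies and the tampered copy is rejected.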
III. Creating a CA and issuing certificates
A digital certificate is a block of data that identifies the two parties in an internet exchange; it provides a way to verify the identity of a communicating entity on the internet, is normally issued by a CA, and is what people use to verify the other party's identity. Apache is used below as the example for creating a CA, issuing a certificate and revoking it.
On the server, the CA that signs certificates (192.168.2.3):
[root@localhost ~]# cd /etc/pki/CA/
[root@localhost CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
..............+++
...................................................+++
e is 65537 (0x10001)
[root@localhost CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3650
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:hn
Locality Name (eg, city) [Default City]:zz
Organization Name (eg, company) [Default Company Ltd]:ma
Organizational Unit Name (eg, section) []:linux
Common Name (eg, your name or your server's hostname) []:ca.limeizhi.com
Email Address []:8@qq.com
[root@localhost CA]# touch index.txt serial crlnumber
[root@localhost CA]# echo 01 > serial
[root@localhost CA]# cp /root/httpd.csr .
[root@localhost CA]# ls
cacert.pem  crl        httpd.csr  newcerts  serial
certs       crlnumber  index.txt  private
[root@localhost CA]# openssl ca -in httpd.csr -out httpd.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Mar  9 08:11:01 2014 GMT
            Not After : Mar  9 08:11:01 2015 GMT
        Subject:
            countryName               = cn
            stateOrProvinceName       = hn
            organizationName          = ma
            organizationalUnitName    = linux
            commonName                = www.limeizhi.com
            emailAddress              = 8@qq.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                F6:71:9B:1D:97:F6:87:09:E7:36:41:60:8D:6B:4D:59:3C:8C:E3:B1
            X509v3 Authority Key Identifier:
                keyid:8C:E4:19:25:B4:F4:46:74:64:F5:90:7F:A6:71:A4:6B:E2:74:B5:F3
Certificate is to be certified until Mar  9 08:11:01 2015 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@localhost CA]# cp httpd.crt 192.168.2.4:/etc/httpd/ssl
cp: cannot create regular file `192.168.2.4:/etc/httpd/ssl': No such file or directory
[root@localhost CA]# scp httpd.crt 192.168.2.4:/etc/httpd/ssl
httpd.crt                                     100% 3780     3.7KB/s   00:00
[root@localhost CA]# openssl ca -revoke httpd.crt
On the client (192.168.2.4):
[root@localhost ~]# mkdir /etc/httpd/ssl
[root@localhost ~]# cd /etc/httpd/ssl
[root@localhost ssl]# (umask 077;openssl genrsa -out httpd.key 1024)
Generating RSA private key, 1024 bit long modulus
...++++++
...............++++++
e is 65537 (0x10001)
[root@localhost ssl]# openssl req -new -key httpd.key -out httpd.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:hn
Locality Name (eg, city) [Default City]:zz
Organization Name (eg, company) [Default Company Ltd]:ma
Organizational Unit Name (eg, section) []:linux
Common Name (eg, your name or your server's hostname) []:www.limeizhi.com
Email Address []:8@qq.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@localhost ssl]# scp httpd.csr 192.168.2.3:/root
The authenticity of host '192.168.2.3 (192.168.2.3)' can't be established.
RSA key fingerprint is 61:70:80:57:75:96:07:e8:cc:66:67:b0:06:fc:f0:ff.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.2.3' (RSA) to the list of known hosts.
httpd.csr                                     100%  672     0.7KB/s   00:00
[root@localhost ssl]# pwd
/etc/httpd/ssl
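The same CA workflow run non-interactively in a scratch directory, with the CRL step that follows the post's final `openssl ca -revoke` and a check that a CRL-aware verifier rejects the revoked certificate; this is an added example, not the post's own session. It assumes the openssl command is installed, a POSIX shell, and a scratch path without spaces; the minimal openssl.cnf and its section names (demo_ca, policy_any, v3_ca) are made up here.

```shell
# Added example, not from the original post: section III's CA workflow, done
# non-interactively, plus the CRL step that follows `openssl ca -revoke`.
ca_demo() (
    set -e; d=$1; cnf="$d/openssl.cnf"      # $1: writable directory, no spaces in path
    mkdir -p "$d/private" "$d/newcerts"
    : > "$d/index.txt"; echo 01 > "$d/serial"; echo 01 > "$d/crlnumber"
    cat > "$cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = $d
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
certificate = \$dir/cacert.pem
private_key = \$dir/private/cakey.pem
serial = \$dir/serial
crlnumber = \$dir/crlnumber
default_md = sha256
default_days = 365
default_crl_days = 30
policy = policy_any
[ policy_any ]
commonName = supplied
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = keyCertSign,cRLSign
EOF
    # CA host: private key readable only by its owner (umask 077), self-signed root
    (umask 077; openssl genrsa -out "$d/private/cakey.pem" 2048 2>/dev/null)
    openssl req -new -x509 -config "$cnf" -key "$d/private/cakey.pem" \
        -subj "/CN=ca.limeizhi.com" -days 3650 -out "$d/cacert.pem"
    # web host: its own key and a CSR (the post scp's httpd.csr to the CA host)
    (umask 077; openssl genrsa -out "$d/httpd.key" 2048 2>/dev/null)
    openssl req -new -config "$cnf" -key "$d/httpd.key" \
        -subj "/CN=www.limeizhi.com" -out "$d/httpd.csr"
    # CA host: sign the CSR, confirm the chain verifies, revoke, publish a CRL
    openssl ca -batch -config "$cnf" -in "$d/httpd.csr" -out "$d/httpd.crt" 2>/dev/null
    openssl verify -CAfile "$d/cacert.pem" "$d/httpd.crt" >/dev/null
    openssl ca -config "$cnf" -revoke "$d/httpd.crt" 2>/dev/null
    openssl ca -config "$cnf" -gencrl -out "$d/crl.pem" 2>/dev/null
    # a verifier that consults the CRL must now reject httpd.crt
    ! openssl verify -crl_check -CAfile "$d/cacert.pem" -CRLfile "$d/crl.pem" \
        "$d/httpd.crt" >/dev/null 2>&1
)
```

After the run, index.txt holds an R line for the revoked serial and crl.pem is what the web server's peers would need to fetch; the post's session stops at -revoke and never publishes the CRL.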
Reposted from: https://blog.51cto.com/limeizhi/1370870