
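Encryption and Decryption Principles, and Building Your Own CA with OpenSSL

Date: 2014-08-04 11:16:18

Introduction to the SSL protocol

SSL (Secure Sockets Layer) is a secure communication standard proposed by Netscape, used mainly for the web. In ordinary network protocol usage, data is simply wrapped a few times on its way down the stack inside the machine and then goes onto the network. If those packets are intercepted, the data inside them can easily be recovered by following the network protocols.

SSL is the protocol that was created to encrypt this data. It can be understood as a layer sitting between the application layer and TCP/IP: outgoing data is encrypted as it passes through this layer and is then handed to TCP/IP, while data arriving from TCP/IP first enters this layer and is decrypted. SSL can also verify the identities of both ends of the network connection. This is why understanding how data on the network is encrypted and decrypted is so important.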

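I. Standards of information security

The three elements of network information security and confidentiality (CIA):

Confidentiality, integrity, availability

Besides CIA, two other standards are also frequently mentioned:

Authenticity, traceability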

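II. Encryption methods and algorithms

(1) Symmetric encryption: an encryption method based on a single-key cryptosystem, in which the same key is used both to encrypt and to decrypt the information.

Symmetric encryption algorithms:

DES: Data Encryption Standard (56-bit key)

3DES

AES: Advanced Encryption Standard (128, 192, 256, 384, 512)

Blowfish

Twofish

IDEA

RC6

CAST5

Characteristics of symmetric encryption:

a) Encryption and decryption use the same passphrase;

b) The plaintext is split into fixed-size blocks, which are encrypted one by one.

Drawbacks of symmetric encryption:

a) Too many keys;

b) Key transport;

Key exchange, identity authentication, data integrity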

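(2) Public-key encryption: an encryption method built on a unique pair of corresponding keys (a public key and a private key).

(The public key is extracted from the private key.)

(Data encrypted with the public key can only be decrypted with the private key. Data encrypted with the private key can only be decrypted with the public key.)

Keys: public key, secret key (p/s)

Commonly used encryption algorithms:

RSA, DSA, ElGamal

(DSA: can only be used for identity authentication)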

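(3) One-way encryption: encryption that cannot be reversed

Characteristics of one-way encryption:

Fixed-length output: no matter how large the original data is, the result is always the same size

Avalanche effect: a tiny change in the input causes a huge change in the result

One-way encryption algorithms: MD5 (128-bit), SHA1, SHA256, SHA384, SHA512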

 

III. The encryption process and how it works

 

IV. Building your own private CA

A

① Generate the key

[root@bogon ~]# (umask 077; openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
...............+++
....+++
e is 65537 (0x10001)
[root@bogon ~]#

② Self-sign the certificate

 [root@bogon ~]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN                
State or Province Name (full name) []:Henan
Locality Name (eg, city) [Default City]:Zhenzhou
Organization Name (eg, company) [Default Company Ltd]:mageedu
Organizational Unit Name (eg, section) []:OPS
Common Name (eg, your name or your server's hostname) []:bogon
Email Address []:263607236@qq.com

③ Initialize the environment (required the first time)

# touch /etc/pki/CA/{index.txt,serial}

# echo 01 >> /etc/pki/CA/serial   (sets the number from which serial numbers start)

B

A node applies for a certificate:

(1) The node generates a request

mkdir /etc/httpd/ssl

[root@bogon ~]# ls /etc/httpd/
conf/    conf.d/  logs/    modules/ run/     ssl/ 

Generate the key pair

[root@bogon ~]#  (umask 077; openssl genrsa -out /etc/httpd/ssl/httpd.key 2048)
Generating RSA private key, 2048 bit long modulus
..................................................................................................................................+++
................+++
e is 65537 (0x10001)
[root@bogon ~]#

Generate the certificate signing request

[root@bogon ~]#  openssl req -new -key /etc/httpd/ssl/httpd.key -out /etc/httpd/ssl/httpd.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Henan
Locality Name (eg, city) [Default City]:Zhenzhou
Organization Name (eg, company) [Default Company Ltd]:mageedu
Organizational Unit Name (eg, section) []:OPS
Common Name (eg, your name or your server's hostname) []:bogon
Email Address []:263607236@qq.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:00woaioo
An optional company name []:00woaioo

 

C. The CA signs the certificate

① Verify the information in the certificate;

② Sign the certificate

[root@bogon ~]# openssl ca -in /etc/httpd/ssl/httpd.csr -out /etc/httpd/ssl/httpd.crt -days 1000   
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Aug  3 21:05:10 2014 GMT
            Not After : Apr 29 21:05:10 2017 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = Henan
            organizationName          = mageedu
            organizationalUnitName    = OPS
            commonName                = bogon
            emailAddress              = 263607236@qq.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                CA:6B:7E:1F:CD:78:D7:E6:9D:EE:65:86:E0:F0:8C:A3:64:4D:01:B2
            X509v3 Authority Key Identifier:
                keyid:1E:B0:D5:A7:25:BF:58:40:13:76:10:6B:8E:F6:7B:BA:AB:8D:86:5A

Certificate is to be certified until Apr 29 21:05:10 2017 GMT (1000 days)
Sign the certificate? [y/n]:

③ Send it to the requester;
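The procedure in sections A to C, as an added non-interactive example that is not part of the original article: it builds the CA in a scratch directory instead of /etc/pki/CA, uses its own minimal config file in place of /etc/pki/tls/openssl.cnf, and ends with an `openssl verify` check of the issued certificate. The function names, file layout and subject values (ExampleOrg, the node name) are assumptions made for the demonstration; the `policy_match` section follows the matching policy of the stock openssl.cnf.

```shell
# Added example: the CA workflow in a scratch directory (ExampleOrg etc. are constructed values).
make_ca() {  # $1 = empty directory standing in for /etc/pki/CA
    d=$1
    mkdir -p "$d/private" "$d/newcerts" && touch "$d/index.txt" && echo 01 > "$d/serial"
    cat > "$d/ca.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $d
database = \$dir/index.txt
serial = \$dir/serial
new_certs_dir = \$dir/newcerts
certificate = \$dir/cacert.pem
private_key = \$dir/private/cakey.pem
default_md = sha256
default_days = 365
policy = policy_match
x509_extensions = usr_cert
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
commonName = supplied
[ usr_cert ]
basicConstraints = CA:FALSE
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical,CA:TRUE
EOF
    (umask 077; openssl genrsa -out "$d/private/cakey.pem" 2048 2>/dev/null) &&
    openssl req -new -x509 -config "$d/ca.cnf" -key "$d/private/cakey.pem" \
        -out "$d/cacert.pem" -days 365 -subj "/C=CN/ST=Henan/O=ExampleOrg/CN=Example Test CA"
}

issue() {  # $1 = CA dir, $2 = node name (used as CN), $3 = organization in the CSR
    d=$1; n=$2
    (umask 077; openssl genrsa -out "$d/$n.key" 2048 2>/dev/null) &&
    openssl req -new -config "$d/ca.cnf" -key "$d/$n.key" -out "$d/$n.csr" \
        -subj "/C=CN/ST=Henan/O=$3/CN=$n" &&
    # policy_match makes the CA refuse a CSR whose C/ST/O differ from its own
    openssl ca -batch -config "$d/ca.cnf" -in "$d/$n.csr" -out "$d/$n.crt" 2>/dev/null &&
    # confirm the issued certificate chains to the CA before handing it out
    openssl verify -CAfile "$d/cacert.pem" "$d/$n.crt" >/dev/null
}
```

Calling `issue` with an organization that differs from the CA's makes `openssl ca` refuse to sign, which is the automated form of step ① in section C.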

 

This article comes from the “从零开始” blog; please be sure to keep this source link: http://zerofly.blog.51cto.com/4476065/1535137
