機密性:明文(plaintext)-->轉換規則-->加密(ciphertext)
完整性:
對稱加密:使用同一個密鑰加密和解密信息,算法計算速度快,安全性完全依賴於密鑰
意向加密算法:提取數據特徵碼(指紋),校驗數據的完整性
輸入一樣,輸出必然相同
雪崩效應:輸入的微小改變,將會引起結果的巨大改變
定長輸出:無論原始數據是多大,結果大小都是相同的
不可逆:無法根據特徵碼還原原來的數據
協商生成密碼:密鑰交換(Internet Key Exchange,IKE),密鑰交換需要使用互聯網協議支撐,協議如下:
diffie-hellman協議(比較早的),工作如下:
A-->B
P ,g(大素數,生成數)
A:x
B: y
A: g^x%p -->B
B: g^y%p -->A
A:(g^y%p)^x=g^yx%p
B:(g^x%p)^y=g^xy%p
共同的密鑰爲:g^xy%p
非對稱加密算法:公鑰加密算法
密鑰對:
公鑰:P
私鑰:S
發送方使用自己的私鑰加密數據,可以實現身份驗證
發送方使用對方的公鑰加密數據,可以保證數據機密性
公鑰加密算法,很少用來加密數據,速度太慢
PKI:Public key Infrastructure
CA:certificate authority
證書格式:X509,pkcs12
x509包含的信息:
1、公鑰及有效期限
2、證書的合法擁有者
3、證書該如何被使用
4、CA的信息
5、CA簽名的校驗碼
PKI:TLS/SSL:X509格式的證書
PKI:OpenGPG:
CRL:CA中證書吊銷列表
TLS/SSL Handshake
SSL:secure socket layer
TLS:Transport layer security
對稱加密算法:
DES(早期):Data Encrption Standard,56bit
3DES
AES:Advancd Data Encrption Standard,128bit
AES192,AES256,AES512
Blowfish
單向加密:
MD4
MD5:128bit
SHA1:160bit
SHA192,SHA256,SHA384
CRC-32:循環冗餘校驗
非對稱加密,也叫公鑰加密:(加密簽名)
RSA:即可加密還可以簽名
DSA:簽名
ElGamal:商業算法
非對稱加密的作用:
身份認證(數字簽名)
數據加密
密鑰交換
管理加密的軟件:
Openssl
GPG
OpenSSL:ssl的開源實現
組成部分:
libcrypto:通用加密庫
libssl:TLS/SSL的實現
基於會話的,實現了身份認證,數據機密性和會話完整性的TLS/SSL庫
openssl:多用途命令行工具
實現私有證書頒發機構
Openssl命令:
speed:測試算法的速度
enc:對文件加密
openssl實現私有CA:
1、生成一對密鑰
[root@Centos6 ~]# openssl genrsa -out server.key 1024 Generating RSA private key, 1024 bit long modulus ....................++++++ ....++++++ e is 65537 (0x10001) -----BEGIN RSA PRIVATE KEY----- MIICXQIBAAKBgQDcho9k5FoZj7Q23aFyWbLJAHKeglvRKckyFM//RWjU27xfivNd iPaFmuEJukVeSPA+gTgwuFCk+Uwuwsmq+kqQO1cfNpoGfRgAIHKe8h7ovPr74IT+ 0/wMXeiXtOMN6JMe+jBkqPbnAcqkmqk6tUrOMbj9+4eXWEBB91kBsBBFewIDAQAB AoGBAI9RZB/NyECUhCqkHyiR4v9+qv8Y+VMWNQu3OvZLxbWQmPv+8er3+D8cSORp imucO4ZjtID1SHPvEPPS4/2abJnaXRjl9eMCZzAw1fb4hHXoGVFzdFZ5oeHFaBMT dYxdlOVjDeHOAeq0UorEud2lIbXF6ZPdX+Q2cfqqV6PHVmkBAkEA/uyNWoERKP55 joII65LXJBCIodT3jAXGUoLoJJtO/jzg2Xrh39xowHU0MeY3nji+SUDsvoDYfbW8 R+jyVLXM1QJBAN101xUh8bhwKF+CtwU6bmugDf/CPaDeERuvx9MpW44B+z42ih56 g1CLfbuhiAAvtmz+KdDQfz+TpsoP/8iisQ8CQBF+B+EK9DN86rhlodkQVWTrIYUB SQ85ojctNmK0qYH2iXNC5FbpF+ME59T4uB5KRHxgUR5tVu2hV88TY/V+GBUCQGPJ 0V0hZYVhbJ/VC9lcQgNXJNe5VAHX7seWBqnc+fdcZzTaaJRhSiiSIn7Yw6qp1T75 rCf+u0gPpVlpqi1jOfsCQQDesjYIBgNUlg+HslmgROBA+C1TU2oCuc/s/W3zoz/k +QAKkIWEkiRz0CgF6GK69fKOqZ+hHMMVm4QU+XeQnYZu -----END RSA PRIVATE KEY----- #生成私鑰,指定生成算法爲rsa,長度爲1024 [root@Centos6 ~]# openssl rsa -in server.key -pubout writing RSA key -----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDOvGgRSVCVVH9OyEzLsf0ao/Z4 l+IDfL5BMJTKY2VZiJTnkljNDpcj1ZU3aZbH9S9ScHwGneB76yewUGvAIyLvOIDf 1dK2pSE4oBnaoakLfHA7L/xiYuQjxt4uF0V34mHxAFjeIZpUg2pqhFObdBn/K+xa Z2Nv+Cm6gW6xOhlRqQIDAQAB -----END PUBLIC KEY----- #從私鑰指定的文件中生成公鑰
2、生成自簽署證書
[root@Centos6 ~]# openssl req -new -x509 -key server.key -out server.crt -days 365 You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [XX]:CN State or Province Name (full name) []:shanghai Locality Name (eg, city) [Default City]:shanghai Organization Name (eg, company) [Default Company Ltd]:ogilvy Organizational Unit Name (eg, section) []:Tech Common Name (eg, your name or your server's hostname) []:ogilvy-server Email Address []:[email protected] [root@Centos6 ~]# ll total 84 drwxr-xr-x. 2 root root 4096 May 8 11:57 Server.bak -rw-------. 1 root root 1394 Apr 21 11:07 anaconda-ks.cfg -rw-------. 1 root root 745 Apr 21 13:00 grub.conf_ -rw-r--r--. 1 root root 45941 Apr 21 11:07 install.log -rw-r--r--. 1 root root 10033 Apr 21 11:04 install.log.syslog -rw-r--r--. 1 root root 1074 May 28 16:30 server.crt -rw-r--r--. 1 root root 891 May 28 16:17 server.key [root@Centos6 ~]# openssl x509 -text -in server.crt #查看證書並以文本方式輸出 Certificate: Data: Version: 3 (0x2) Serial Number: 13458625215858170171 (0xbac6a453b457593b) Signature Algorithm: sha1WithRSAEncryption Issuer: C=CN, ST=shanghai, L=shanghai, O=ogilvy, OU=Tech, CN=ogilvy-server/[email protected] Validity Not Before: May 28 08:30:51 2015 GMT Not After : May 27 08:30:51 2016 GMT Subject: C=CN, ST=shanghai, L=shanghai, O=ogilvy, OU=Tech, CN=ogilvy-server/[email protected] Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (1024 bit) Modulus: 00:ce:bc:68:11:49:50:95:54:7f:4e:c8:4c:cb:b1: fd:1a:a3:f6:78:97:e2:03:7c:be:41:30:94:ca:63: 65:59:88:94:e7:92:58:cd:0e:97:23:d5:95:37:69: 96:c7:f5:2f:52:70:7c:06:9d:e0:7b:eb:27:b0:50: 6b:c0:23:22:ef:38:80:df:d5:d2:b6:a5:21:38:a0: 19:da:a1:a9:0b:7c:70:3b:2f:fc:62:62:e4:23:c6: de:2e:17:45:77:e2:61:f1:00:58:de:21:9a:54:83: 6a:6a:84:53:9b:74:19:ff:2b:ec:5a:67:63:6f:f8: 29:ba:81:6e:b1:3a:19:51:a9 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Subject Key Identifier: 69:21:70:6E:30:FC:33:BA:07:5E:69:97:17:90:02:DD:4E:3E:46:13 X509v3 Authority Key Identifier: keyid:69:21:70:6E:30:FC:33:BA:07:5E:69:97:17:90:02:DD:4E:3E:46:13 X509v3 Basic Constraints: CA:TRUE Signature Algorithm: sha1WithRSAEncryption 32:06:9d:be:4d:28:3d:3f:dc:6a:53:b1:9f:9d:b8:8c:6e:4a: 89:6d:85:a6:e7:eb:2c:e8:11:5c:60:1c:35:c7:c8:e8:88:13: 25:15:2b:f7:ad:c9:29:10:db:5f:53:98:b3:c5:a9:96:2b:0b: 3b:8c:af:0a:2f:2d:a4:04:d0:5b:a1:5a:e3:a4:22:26:15:27: fb:65:9c:ec:ac:72:24:23:d5:49:d9:89:bb:cd:03:ca:c6:2f: ca:dd:a9:49:90:30:f3:4f:a7:13:19:a6:55:fb:77:9f:8f:6c: f8:4d:89:a2:03:f6:d2:36:8a:eb:3e:31:49:f6:07:5e:22:dd: ee:ef -----BEGIN CERTIFICATE----- MIIC7DCCAlWgAwIBAgIJALrGpFO0V1k7MA0GCSqGSIb3DQEBBQUAMIGOMQswCQYD VQQGEwJDTjERMA8GA1UECAwIc2hhbmdoYWkxETAPBgNVBAcMCHNoYW5naGFpMQ8w DQYDVQQKDAZvZ2lsdnkxDTALBgNVBAsMBFRlY2gxFjAUBgNVBAMMDW9naWx2eS1z ZXJ2ZXIxITAfBgkqhkiG9w0BCQEWEmNhYWRtaW5Ab2dpbHZ5LmNvbTAeFw0xNTA1 MjgwODMwNTFaFw0xNjA1MjcwODMwNTFaMIGOMQswCQYDVQQGEwJDTjERMA8GA1UE CAwIc2hhbmdoYWkxETAPBgNVBAcMCHNoYW5naGFpMQ8wDQYDVQQKDAZvZ2lsdnkx DTALBgNVBAsMBFRlY2gxFjAUBgNVBAMMDW9naWx2eS1zZXJ2ZXIxITAfBgkqhkiG 9w0BCQEWEmNhYWRtaW5Ab2dpbHZ5LmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAw gYkCgYEAzrxoEUlQlVR/TshMy7H9GqP2eJfiA3y+QTCUymNlWYiU55JYzQ6XI9WV N2mWx/UvUnB8Bp3ge+snsFBrwCMi7ziA39XStqUhOKAZ2qGpC3xwOy/8YmLkI8be LhdFd+Jh8QBY3iGaVINqaoRTm3QZ/yvsWmdjb/gpuoFusToZUakCAwEAAaNQME4w HQYDVR0OBBYEFGkhcG4w/DO6B15plxeQAt1OPkYTMB8GA1UdIwQYMBaAFGkhcG4w /DO6B15plxeQAt1OPkYTMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADgYEA Mgadvk0oPT/calOxn524jG5KiW2FpufrLOgRXGAcNcfI6IgTJRUr963JKRDbX1OY s8WplisLO4yvCi8tpATQW6Fa46QiJhUn+2Wc7KxyJCPVSdmJu80DysYvyt2pSZAw 80+nExmmVft3n49s+E2JogP20jaK6z4xSfYHXiLd7u8= -----END CERTIFICATE----- [root@Centos6 ~]#
建立根服務器步驟:
[root@Centos6 private]# openssl genrsa -out cerkey.pem 2048 #創建私鑰 Generating RSA private key, 2048 bit long modulus .................................................................+++ .......................................+++ e is 65537 (0x10001) [root@Centos6 private]# ll total 4 -rw-r--r--. 1 root root 1679 May 28 17:05 cerkey.pem [root@Centos6 private]# chmod 600 cerkey.pem [root@Centos6 private]# ls cerkey.pem [root@Centos6 private]# ll total 4 -rw-------. 1 root root 1679 May 28 17:05 cerkey.pem [root@Centos6 private]# cd .. [root@Centos6 CA]# ls certs crl newcerts private [root@Centos6 CA]# openssl req -new -x509 -key private/cerkey.pem -out cacert.pem #自簽名證書建立 You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [CN]: #預設信息可以從配置文件中修改 shanghai []: Locality Name (eg, city) [shanghai]: Organization Name (eg, company) [ogilvy]: Tech []: Common Name (eg, your name or your server's hostname) []:ogilvyserver01 Email Address []:[email protected] [root@Centos6 CA]# ll total 20 -rw-r--r--. 1 root root 1334 May 28 17:08 cacert.pem drwxr-xr-x. 2 root root 4096 Oct 15 2014 certs drwxr-xr-x. 2 root root 4096 Oct 15 2014 crl drwxr-xr-x. 2 root root 4096 Oct 15 2014 newcerts drwx------. 2 root root 4096 May 28 17:05 private [root@Centos6 CA]# touch index.txt serial #建立索引文件及序列文件 [root@Centos6 CA]# echo 01 > serial #輸入起始序號 [root@Centos6 CA]#
完整創建CA自簽證書並使用客戶端證書請求頒佈證書:
[root@Centos6 ~]# cd /etc/pki/CA/private/ [root@Centos6 private]# ls [root@Centos6 private]# openssl genrsa -out cakey.pem 2048 #創建根證書私鑰 Generating RSA private key, 2048 bit long modulus ....................+++ ........+++ e is 65537 (0x10001) [root@Centos6 CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem #使用私鑰創建自簽證書 You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [CN]: State or Province Name (full name) [shanghai]: Locality Name (eg, city) [shanghai]: Organization Name (eg, company) [ogilvy]: Organizational Unit Name (eg, section) []:Tech Common Name (eg, your name or your server's hostname) []:www.btsbox.com Email Address []: [root@Centos6 CA]# touch index.txt #根據/etc/pki/tls/openssl.cnf文件創建相應的文件和目錄 [root@Centos6 CA]# touch serial [root@Centos6 CA]# echo 01 > serial #對serial給一個起始序列號 [root@Centos6 CA]# cat serial 01 [root@Centos6 tmp]# mkdir httpd/tls -p #模擬HTTP服務,申請CA證書 [root@Centos6 tmp]# cd httpd/tls/ [root@Centos6 tls]# openssl genrsa -out httpd.key 2048 #申請自己的私鑰 Generating RSA private key, 2048 bit long modulus ...........................................+++ ........................................................+++ e is 65537 (0x10001) [root@Centos6 tls]# openssl req -new -key httpd.key -out httpd.csr #使用自己的私鑰創建CA簽證請求(即導出公鑰給對方,讓對方在公鑰上進行簽名) You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [CN]: State or Province Name (full name) [shanghai]: Locality Name (eg, city) [shanghai]: Organization Name (eg, company) [ogilvy]: Organizational Unit Name (eg, section) []:Tech Common Name (eg, your name or your server's hostname) []:www.btsbox.com Email Address []: Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []: [root@Centos6 tls]# openssl ca -in httpd.csr -out httpd.crt -days 365 #在CA服務器端使用CA證書對客戶端httpd.crt請求進行簽名,有效期指定爲365天。 Using configuration from /etc/pki/tls/openssl.cnf Check that the request matches the signature Signature ok Certificate Details: Serial Number: 1 (0x1) Validity Not Before: Jun 4 08:25:27 2015 GMT Not After : Jun 3 08:25:27 2016 GMT Subject: countryName = CN stateOrProvinceName = shanghai organizationName = ogilvy organizationalUnitName = Tech commonName = www.btsbox.com X509v3 extensions: X509v3 Basic Constraints: CA:FALSE Netscape Comment: OpenSSL Generated Certificate X509v3 Subject Key Identifier: 1F:DA:7A:B4:3E:3F:34:30:AC:4F:36:92:D1:10:83:8C:C3:B6:F7:11 X509v3 Authority Key Identifier: keyid:53:7F:4C:E4:D6:53:F2:75:2B:CD:ED:45:70:3D:A7:1D:DA:37:18:CF Certificate is to be certified until Jun 3 08:25:27 2016 GMT (365 days) Sign the certificate? [y/n]:y 1 out of 1 certificate requests certified, commit? [y/n]y Write out database with 1 new entries Data Base Updated [root@Centos6 tls]# cat /etc/pki/CA/serial #CA簽發的序列號自動增加一位 02
Openssh服務:
ssh:客戶端
sshd:服務端
配置文件:/etc/ssh/sshd_config,服務端配置文件
/etc/ssh/ssh_config,客戶端配置文件
/etc/ssh/sshd_config配置文件說明:
AddressFamily any :在哪上類服務提供服務,如IPV4 ,IPV6,any表示都可以
ListenAddress 0.0.0.0:哪個地址提供服務,0.0.0.0表示都提供
KeyRegenerationInterval 1h:私鑰重新生成間斷
ServerKeyBits 768 :服務器端私鑰長度爲768位
LoginGraceTime 2m :登陸的寬限期,輸入帳戶後輸入密碼的間隔
PermitRootLogin yes:以否允許root用戶登陸
StrictModes yes :以否使用嚴格模式
MaxAuthTries 6 :設置錯誤登陸密碼的次數
RSAAuthentication yes :是否支持rsa認證
PubkeyAuthentication yes :是否私鑰認證
AuthorizedKeyFile .ssh/authorized_key:存放公鑰的文件路徑,與上一條目結合使用
PasswordAuthentication yes:是否支持密碼認證
ChallengeResponseAuthentication no :是否啓用挑戰式握手式認證
UsePAM yes:用戶驗證PAM文件
Subsystem sftp /usr/lib/openssh/sftp-server
ssh客戶端使用:
ssh -l root 127.0.0.1: -l指定用戶名
或者 ssh Username@Remote_HOST
ssh [email protected] 'ifconfig':在遠程主機上執行命令,並把結果返回到本機。
-x:Enable x11 forwarding,不啓用加密
-y:Enable trusted x11 forwarding,啓用加密
基於密鑰的認證:
一臺主機爲客戶端(基於某個用戶實現)
1、生成一對密鑰
ssh-keygen -t(指定加密算法)rsa\dsa
-t:指定算法
-f:保存文件及路徑
-N:'password'
ssh-keygen -t rsa -f /root/.ssh/id_rsa -N ''
2、將公鑰傳輸到服務器端某用戶的家目錄下.ssh/authorized_keys文件中
使用文件傳輸工具(ssh-copy-id,scp)
ssh-copy-id -i /path/to/pubkey USERNAME@REMETO_HOST
ssh-copy-id -i /root/.ssh/id_rsa.pub [email protected]
3、測試登陸
SCP:基於ssh的遠程複製命令,可以實現主機之間傳輸數據
scp [options] SRC DEST
-r:遞歸
-a:保存信息並複製文件及目錄
REMOTE_MACHINE
USERNAME@HOSTNAME:/PATH/TO/SOMEFILE