TCP/IP:安全
A------->B
机密性:明文传输(ftp,http,smtp,telnet),被窃听
完整性:消息被篡改
身份验证:你访问的主机就是你真实要访问的那台,而不是钓鱼网站
机密性:
加密,即转换规则。算法不变,密钥规则要变。
对称加密:加密和解密的密钥是一致的
完整性:
单向加密算法:提取数据特征码
输入一样:输出必定一样
雪崩效率:输入的微小改变,将会引起结果的巨大改变
定长输出:无论原始数据是多大,结果大小都是相同的
不可逆:无法根据特征码还原原来的数据
协商生成密码:密钥交换(Internet Key Exchange,IKE)
Diffie-Hellman协议
A: p(大质数),g(生成数)
A:x(只有A知道)
B: y(只有B知道)
A: 传输g^x%p--->B
B: 传输g^y%p--->A
A: 收到以后计算(g^y%p)^x=g^y^x%p
B: 收到以后计算(g^x%p)^y=g^x^y%p
公钥加密算法:非对称加密算法
密钥对:
公钥:p
私钥:s
发送方用自己的私钥加密数据,可以实现身份验证
发送方用对方的公钥加密数据,可以保证数据机密性
PKI:Public Key Infrastructure(基础)
CA:Certificate Authority
CRL:证书吊销列表
x509,pkcs12等证书格式
x509:公钥及其有效期限,
证书的合法拥有者,
证书改如何被使用,
CA的信息
CA签名的校验码
PKI:TLS/SSL:x509的证书格式
PKI:OpenGPG:
SSL:Secure Socket Layer(安全的套接字层),网景公司研发
嵌套在应用层和传输层之间。应用程序在到达传输层之前调用SSL模块的话就会被加密。
TLS:Transport Layer Security,更为开放,不为任何公司所有。
OSI七层模型:物理层,数据链路层,网络层,传输层,会话层,表示层,应用层
TCP/IP四层模型:网络接口层,网间层,传输层,应用层
对称加密:
DES:Data Encrption Standard,56bit
3DES:
AES:Advanced Encrption Standard,128bit
AES192,AES256,AES512
Blowfish:
加密工具:openssl,gpg
单向加密(定长输入):
MD4,MD5,SHA1,SHA192,SHA256,SHA384,SHA512,CRC-32
公钥加密(非对称加密):
身份认证
数据加密
密钥交换
RSA:加密、签名
DSA:签名
ElGamal:
OpenSSL: SSL的开源实现
libcrypto:加密库
libssl:TSL/SSL的实现(基于会话的、实现了身份认证、数据机密性和会话完整性的库)
openssl:多用途命令行工具(实现私有证书颁发机构)
Openssl实现私有CA:
1、生成一对密钥
公钥是源自私钥,从私钥提取的。
生成私钥:openssl genrsa -out KEYFILENAME NUMBITS
提取公钥:openssl rsa -in KEYFILENAME -pubout
2、生成自签署证书
Openssh:
1.基于口令的传输
2.基于密钥的传输
基于密钥的认证:
1.生产一对密钥
2.将公钥传输至服务器端某用户的.ssh/authorized_keys文件中
3.测试登陆
[hadoop@saltstack1 .ssh]$ ssh-copy-id -i id_rsa.pub root@192.168.144.50
10
root@192.168.144.50's password:
Now try logging into the machine, with "ssh 'root@192.168.144.50'", and check in:
.ssh/authorized_keys
to make sure we haven't added extra keys that you weren't expecting.
[hadoop@saltstack1 .ssh]$ ssh -l root 192.168.144.50
Last login: Wed Nov 30 12:34:29 2016 from saltstack1
[root@saltstack2 ~]# exit
logout
x509:
公钥及其有效期限
证书的合法拥有者
证书该如何被使用
CA的信息
CA签名的校验码
TLS/SSL:x509证书
对称加密工具: openssl AES,AES192,AES256,AES512
openssl:
libcrypto:加密库
libssl:TSL/SSL的实现
openssl:模拟实现私有证书颁发机构
whatis
openssl enc -des3 -salt -a -in inittab -out inittab.des3
以des3的方式加密inittab
openssl enc -des3 -salt -a -in inittab.des3 -out inittab
以des3的方式解密inittab.des3
计算md5值
md5sum inittab
openssl做私有CA:
1、先生成一对秘钥
2、生成自签署证书
公钥是从私钥中提取的,genrsa是产生私钥的。
openssl genrsa
openssl genrsa 2048 > server.key
(umask 077;openssl genrsa -out server1024.key 1024)
产生与之对应的公钥
openssl rsa -in server1024.key -pubout
生成自签的证书:
[root@localhost ~]# openssl req -new -x509 -key server1024.key -out server.crt -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:GuangDong
Locality Name (eg, city) [Default City]:ShenZhen
Organization Name (eg, company) [Default Company Ltd]:EBANK
Organizational Unit Name (eg, section) []:Tech
Common Name (eg, your name or your server's hostname) []:dell.ebank.com
Email Address []:admin@ebank.com
查看证书的信息
[root@localhost ~]# openssl x509 -text -in server.crt
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 17961667793651459699 (0xf944a9b17e2b6673)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=CN, ST=GuangDong, L=ShenZhen, O=EBANK, OU=Tech, CN=dell.ebank.com/emailAddress=admin@ebank.com
Validity
Not Before: Apr 17 11:53:47 2017 GMT
Not After : Apr 17 11:53:47 2018 GMT
Subject: C=CN, ST=GuangDong, L=ShenZhen, O=EBANK, OU=Tech, CN=dell.ebank.com/emailAddress=admin@ebank.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (1024 bit)
Modulus:
00:a7:8b:10:6b:d6:5b:ae:29:51:83:73:c1:f0:aa:
b8:35:96:40:07:bb:26:30:a8:1b:69:9f:50:e4:2b:
b0:e3:45:02:cc:f8:93:e9:92:03:d2:2a:77:59:56:
cc:1c:19:b1:a4:70:2e:09:f6:d6:41:52:52:32:a6:
61:46:d5:85:e2:d7:9e:ce:33:6f:27:84:3d:f2:6f:
d0:3c:ec:35:1d:14:d4:5f:3a:77:9b:33:d0:46:81:
60:f6:83:3d:93:85:54:dd:78:23:50:75:0b:3d:18:
d9:08:dd:29:2b:7a:a8:4c:b6:3b:77:20:1a:17:eb:
20:d0:00:a0:66:2a:cb:a0:6f
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
FA:FF:FF:44:36:89:87:5D:43:DE:19:6B:A9:5A:D3:B8:68:25:0A:F7
X509v3 Authority Key Identifier:
keyid:FA:FF:FF:44:36:89:87:5D:43:DE:19:6B:A9:5A:D3:B8:68:25:0A:F7
X509v3 Basic Constraints:
CA:TRUE
Signature Algorithm: sha256WithRSAEncryption
20:fa:86:36:29:05:66:e4:b3:3b:75:e5:59:0d:77:1c:6d:90:
1f:59:cc:3f:90:e6:f7:96:51:0c:6e:2e:c5:fd:e0:5e:65:aa:
e8:18:cc:e2:b2:f1:81:af:e2:85:c6:8f:49:d1:da:98:ae:63:
db:45:19:0e:e0:b4:62:f2:cd:82:4e:f9:c4:76:83:9f:91:d1:
ed:f3:3b:f7:8c:79:3c:c8:b6:a3:d5:44:f5:e2:86:d4:18:6c:
60:82:b6:a7:6a:2b:67:37:7e:4c:20:3f:31:96:ef:9f:c1:0d:
9f:95:e8:11:2c:8a:95:d9:c5:ce:6f:e1:03:66:12:8e:e6:96:
af:3f
-----BEGIN CERTIFICATE-----
MIIC6DCCAlGgAwIBAgIJAPlEqbF+K2ZzMA0GCSqGSIb3DQEBCwUAMIGMMQswCQYD
VQQGEwJDTjESMBAGA1UECAwJR3VhbmdEb25nMREwDwYDVQQHDAhTaGVuWmhlbjEO
MAwGA1UECgwFRUJBTksxDTALBgNVBAsMBFRlY2gxFzAVBgNVBAMMDmRlbGwuZWJh
bmsuY29tMR4wHAYJKoZIhvcNAQkBFg9hZG1pbkBlYmFuay5jb20wHhcNMTcwNDE3
MTE1MzQ3WhcNMTgwNDE3MTE1MzQ3WjCBjDELMAkGA1UEBhMCQ04xEjAQBgNVBAgM
CUd1YW5nRG9uZzERMA8GA1UEBwwIU2hlblpoZW4xDjAMBgNVBAoMBUVCQU5LMQ0w
CwYDVQQLDARUZWNoMRcwFQYDVQQDDA5kZWxsLmViYW5rLmNvbTEeMBwGCSqGSIb3
DQEJARYPYWRtaW5AZWJhbmsuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB
gQCnixBr1luuKVGDc8Hwqrg1lkAHuyYwqBtpn1DkK7DjRQLM+JPpkgPSKndZVswc
GbGkcC4J9tZBUlIypmFG1YXi157OM28nhD3yb9A87DUdFNRfOnebM9BGgWD2gz2T
hVTdeCNQdQs9GNkI3SkreqhMtjt3IBoX6yDQAKBmKsugbwIDAQABo1AwTjAdBgNV
HQ4EFgQU+v//RDaJh11D3hlrqVrTuGglCvcwHwYDVR0jBBgwFoAU+v//RDaJh11D
3hlrqVrTuGglCvcwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOBgQAg+oY2
KQVm5LM7deVZDXccbZAfWcw/kOb3llEMbi7F/eBeZaroGMzisvGBr+KFxo9J0dqY
rmPbRRkO4LRi8s2CTvnEdoOfkdHt8zv3jHk8yLaj1UT14obUGGxggranaitnN35M
ID8xlu+fwQ2flegRLIqV2cXOb+EDZhKO5pavPw==
-----END CERTIFICATE-----
/etc/pki/tls/openssl.cnf
配置文件
(umask 077;openssl genrsa -out private/cakey.pem 2048)
[root@localhost CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:GD
Locality Name (eg, city) [Default City]:SZ
Organization Name (eg, company) [Default Company Ltd]:Ebank
Organizational Unit Name (eg, section) []:Tech
Common Name (eg, your name or your server's hostname) []:dell.ebank.com
Email Address []:admin@ebank.com
CA目录下有这些文件
total 8
-rw-r--r--. 1 root root 1383 Apr 17 20:04 cacert.pem
drwxr-xr-x. 2 root root 6 Feb 20 22:41 certs
drwxr-xr-x. 2 root root 6 Feb 20 22:41 crl
-rw-r--r--. 1 root root 0 Apr 17 20:05 index.txt
drwxr-xr-x. 2 root root 6 Feb 20 22:41 newcerts
drwx------. 2 root root 22 Apr 17 20:02 private
-rw-r--r--. 1 root root 3 Apr 17 20:05 serial
并且echo 01> serial
假设有个web服务,为web服务申请证书
(umask 077;openssl genrsa -out httpd.key 1024)
生成一个证书请求
openssl req -new -key httpd.key -out httpd.csr
不需要-x509,自签证书才需要使用
把生成的httpd.csr发给CA,然后CA签署
openssl ca -in httpd.csr -out httpd.crt -days 365