为什么要对网络传授数据进行加密?
我们日常使用软件传输数据的时候,通常会用到如下不安全的协议:
- FTP、telnet、POP3等的不安全密码
- http、smtp、NFS等的不安全信息
- Ldap、NIS、rsh等的不安全验证
这些协议的不安全导致数据很容易被黑客劫持(即使使用SSL加密),网络安全威胁分为6大类(STRIDE):
- Spoofing 身份伪装 -------> 认证
- Tampering 篡改 -------> 完整性
- Repudiation 抵赖 -------> 防抵赖
- Information Disclosure 信息泄漏 -------> 机密性
- Denial of Services 拒绝服务 -------> 可用性
- Elevation of Privileges 特权提升 -------> 授权
一些常用的网络安全技术:防火墙、口令管理、身份认证、病毒防护、审计等。
常用的加密算法
对称加密
DES、3DES、AES、IDEA,RC6,CAST5
特点:
(1)加密、解密使用同一个密钥,效率高;(2)将原始数据分割成固定大小的块,逐个进行加密
缺点:
(1)数据发送前,发送方和接收方必须协商好秘钥;
(2)如果任何一方的秘钥泄露,都会导致加密信息不安全
(3)秘钥量过大,管理不方便
非对称加密
公钥加密
密钥都是成对出现,包含对所有人公开的公钥(public key)和自己留存的私钥(secret key)。加密算法:RSA(加密,数字签名),DSA(数字签名),ELGamal
特点:
用公钥加密数据,只能使用与之配对的私钥解密;反之亦然
缺点:
密钥长,加密解密效率低下
单向加密
如MD5、sha等,不可逆的,无法解密
OpenSSL
OpenSSL是一个开放源代码的软件库包,应用程序可以使用这个包来进行安全通信,避免窃听,同时确认另一端连接者的身份。包含三个组件:
(1)openssl: 多用途的命令行工具,包openssl
(2)libcrypto: 加密算法库,包openssl-libs
(3)libssl:加密模块应用库,实现了ssl及tls,包nss
查看版本信息
[root@mysql ~]# openssl version OpenSSL 1.0.2k-fips 26 Jan 2017
openssl命令分类
标准命令
Standard commands
asn1parse ca ciphers cms
crl crl2pkcs7 dgst dh
dhparam dsa dsaparam ec
ecparam enc engine errstr
gendh gendsa genpkey genrsa
nseq ocsp passwd pkcs12
pkcs7 pkcs8 pkey pkeyparam
pkeyutl prime rand req
rsa rsautl s_client s_server
s_time sess_id smime speed
spkac ts verify version
x509
信息摘要命令
Message Digest commands (see the `dgst' command for more details) md2 md4 md5 rmd160 sha sha1
加密命令
Cipher commands (see the `enc' command for more details) aes-128-cbc aes-128-ecb aes-192-cbc aes-192-ecb aes-256-cbc aes-256-ecb base64 bf bf-cbc bf-cfb bf-ecb bf-ofb camellia-128-cbc camellia-128-ecb camellia-192-cbc camellia-192-ecb camellia-256-cbc camellia-256-ecb cast cast-cbc cast5-cbc cast5-cfb cast5-ecb cast5-ofb des des-cbc des-cfb des-ecb des-ede des-ede-cbc des-ede-cfb des-ede-ofb des-ede3 des-ede3-cbc des-ede3-cfb des-ede3-ofb des-ofb des3 desx idea idea-cbc idea-cfb idea-ecb idea-ofb rc2 rc2-40-cbc rc2-64-cbc rc2-cbc rc2-cfb rc2-ecb rc2-ofb rc4 rc4-40 rc5 rc5-cbc rc5-cfb rc5-ecb rc5-ofb seed seed-cbc seed-cfb seed-ecb seed-ofb zlib
对称加密
对称加密需要使用的标准命令为 enc ,用法如下:
openssl enc -ciphername [-in filename] [-out filename] [-pass arg] [-e] [-d] [-a/-base64] [-A] [-k password] [-kfile filename] [-K key] [-iv IV] [-S salt] [-salt] [-nosalt] [-z] [-md] [-p] [-P] [-bufsize number] [-nopad] [-debug] [-none] [-engine id]
常用选项有:
-in filename:指定要加密的文件存放路径
-out filename:指定加密后的文件存放路径
-salt:自动插入一个随机数作为文件内容加密,默认选项
-e:可以指明一种加密算法,若不指的话将使用默认加密算法
-d:解密,解密时也可以指定算法,若不指定则使用默认算法,但一定要与加密时的算法一致
-a/-base64:使用-base64位编码格式
[root@mysql ~]# echo 1234 >> test [root@mysql ~]# openssl enc -e -des3 -a -salt -in test -out test.txt enter des-ede3-cbc encryption password:123456 Verifying - enter des-ede3-cbc encryption password:123456 [root@mysql ~]# openssl enc -d -des3 -a -salt -in test.txt -out test1 enter des-ede3-cbc decryption password:123456 [root@mysql ~]# cat test1 1234
单向加密
可以使用的工具:md5sum, sha1sum, sha224sum,sha256sum等
使用命令为:openssl dgst
语法:
openssl dgst [-sha|-sha1|-mdc2|-ripemd160|-sha224|-sha256|-sha384|-sha512|-md2|-md4|-md5|-dss1] [-c] [-d] [-hex] [-binary] [-r] [-non-fips-allow] [-out filename] [-sign filename] [-keyform arg] [-passin arg] [-verify filename] [-prverify filename] [-signature filename] [-hmac key] [-non-fips-allow] [-fips-fingerprint] [file...]
常用选项有:
[-md5|-md4|-md2|-sha1|-sha|-mdc2|-ripemd160|-dss1] :指定一种加密算法
-out filename:将加密的内容保存到指定文件中
[root@mysql ~]# echo 1234 >> mima1 [root@mysql ~]# openssl dgst -sha1 mima1 SHA1(mima1)= 1be168ff837f043bde17c0314341c84271047b3
生成密码
生成密码需要使用的标准命令为 passwd
语法:
# man sslpasswd openssl passwd [-crypt] [-1] [-apr1] [-salt string] [-in file] [-stdin] [-noverify] [-quiet] [-table] {password}
常用选项有:
-1:使用md5加密算法
-salt string:加入随机数,最多8位随机数
-in file:对输入的文件内容进行加密
-stdin:对标准输入的内容进行加密
[root@mysql ~]# openssl passwd -1 -salt 12asdfg12as Password: $1$12asdfg1$jz7VSaOj.kme.PaKxFIp6. [root@mysql ~]# openssl passwd -1 -salt test Password: $1$test$XazGnbtBRMhBkmTPV1qav/
生成随机数
生成随机数需要用到的标准命令为 rand
语法:
[root@mysql ~]# man sslrand openssl rand [-out file] [-rand file(s)] [-base64] [-hex] num
常用选项有:
-out file:将生成的随机数保存至指定文件中
-base64:使用base64 编码格式
-hex:使用16进制编码格式
[root@mysql ~]# openssl rand -base64 15 /vKP+psLtjBiXwwpdHSW [root@mysql ~]# openssl rand -hex 10 -out num.txt [root@mysql ~]# cat num.txt fcf82fdc64c144568e97
生成密钥对
首先需要先使用 genrsa 标准命令生成私钥,然后再使用 rsa 标准命令从私钥中提取公钥
genrsa生成私钥
语法
openssl genrsa [-out filename] [-passout arg] [-aes128] [-aes192] [-aes256] [-camellia128] [-camellia192] [-camellia256] [-des] [-des3] [-idea] [-f4] [-3] [-rand file(s)] [-engine id] [numbits]
常用选项有:
-out filename:将生成的私钥保存至指定的文件中
-des|-des3|-idea:不同的加密算法
numbits:指定生成私钥的大小,默认是2048
生成私钥文件
[root@mysql ~]# (umask 077; openssl genrsa -out test.key -des 2048) Generating RSA private key, 2048 bit long modulus ..................................................................................................+++ ....................................+++ e is 65537 (0x10001) Enter pass phrase for test.key: Verifying - Enter pass phrase for test.key:
rsa提取公钥
语法
openssl rsa [-inform PEM|NET|DER] [-outform PEM|NET|DER] [-in filename] [-passin arg] [-out filename] [-passout arg] [-sgckey] [-aes128] [-aes192] [-aes256] [-camellia128] [-camellia192] [-camellia256] [-des] [-des3] [-idea] [-text] [-noout] [-modulus] [-check] [-pubin] [-pubout] [-RSAPublicKey_in] [-RSAPublicKey_out] [-engine id]
常用选项:
-in filename:指明私钥文件
-out filename:指明将提取出的公钥保存至指定文件中
-pubout:根据私钥提取出公钥
[root@mysql ~]# openssl rsa -in test.key -pubout -out test.key.pub Enter pass phrase for test.key: writing RSA key [root@mysql ~]# cat test.key.pub -----BEGIN PUBLIC KEY----- MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsp8Ieno0SD0d3ca1VTXC sBI5vIasfrAKUX4CsxeQVxm+1muPOR6NARpa0wKDldEF6zM6qPzY8jeqwRODYwYo xEk5mjYwI59d7EH7426DXLBPGELKEcCO/x+HgZbrMDOMhHA+WIpHOT/7NtaPzbaa qYBPmvpB48qP6w5GiR7OzOzxizbdMc0EX3J6qZQ+JO38UkcNSV9eYcryUebIe5LY Ry3Whc2wmxUmlxbiV/xI5iI6w9Xqn3KH4EIzYDc5nRYCE2gtNsLRf9W+jJPs2hzk lr085uE9OUh1RgQkT6cAYrFv7qhvypxhr0yybb/DMoTqjpm2njiWMn2yYLT6yj5m twIDAQAB -----END PUBLIC KEY-----
创建CA
openssl配置文件
openssl的配置文件/etc/pki/tls/openssl.cnf,改文件中定义了证书的存储位置等信息:
#################################################################### [ ca ] default_ca = CA_default # The default ca section #################################################################### [ CA_default ] dir = /etc/pki/CA # Where everything is kept certs = $dir/certs # Where the issued certs are kept crl_dir = $dir/crl # Where the issued crl are kept database = $dir/index.txt # database index file. #unique_subject = no # Set to 'no' to allow creation of # several ctificates with same subject. new_certs_dir = $dir/newcerts # default place for new certs. certificate = $dir/cacert.pem # The CA certificate serial = $dir/serial # The current serial number crlnumber = $dir/crlnumber # the current crl number # must be commented out to leave a V1 CRL crl = $dir/crl.pem # The current CRL private_key = $dir/private/cakey.pem# The private key RANDFILE = $dir/private/.rand # private random number file x509_extensions = usr_cert # The extentions to add to the cert # Comment out the following two lines for the "traditional" # (and highly broken) format. name_opt = ca_default # Subject Name options cert_opt = ca_default # Certificate field options
申请和颁发证书流程
1、创建CA所需文件
# 创建生成证书索引数据库文件 [root@mysql ~]# touch /etc/pki/CA/index.txt # 指定第一个颁发证书的序列号 [root@mysql ~]# echo 01 > /etc/pki/CA/serial
2、生成私钥
[root@mysql ~]# cd /etc/pki/CA/ [root@mysql CA]# (umask 066; openssl genrsa -out /etc/pki/CA/private/cakey.pem 4096) Generating RSA private key, 4096 bit long modulus ....................................++ ..............................................................++ e is 65537 (0x10001)
3、生成自签证书
[root@mysql ~]# ll /etc/pki/CA/private/cakey.pem -rw------- 1 root root 3247 Jul 7 05:17 /etc/pki/CA/private/cakey.pem
[root@mysql pki]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 365 -out /etc/pki/CA/cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:BeiJing
Locality Name (eg, city) [Default City]:BeiJing
Organization Name (eg, company) [Default Company Ltd]:zms.com
Organizational Unit Name (eg, section) []:zms
Common Name (eg, your name or your server's hostname) []:zhanghao
Email Address []:todo@163.com
命令中用到的选项解释:
-new:表示生成一个新证书签署请求
-x509:专用于CA生成自签证书,如果不是自签证书则不需要此项
-key:生成请求时用到的私钥文件
-out:证书的保存路径
-days:证书的有效期限,单位是day(天),默认是365天
4、颁发证书
(1)在需要使用证书的主机生成证书请求
# 生成私钥 [root@mysql pki]# (umask 066; openssl genrsa -out /etc/pki/tls/private/dker-registry.key 4096) Generating RSA private key, 4096 bit long modulus .....................................................................++ ......++ e is 65537 (0x10001) # 生成证书申请文件
[root@mysql pki]# openssl req -new -key /etc/pki/tls/private/dker-registry.key -days 365 -out /etc/pki/tls/dker-registry.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:BeiJing
Locality Name (eg, city) [Default City]:BeiJing
Organization Name (eg, company) [Default Company Ltd]:zms.com
Organizational Unit Name (eg, section) []:zms
Common Name (eg, your name or your server's hostname) []:zhanghao
Email Address []:todo@163.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
(2)将上一步生成的证书请求文件通过可靠方式传输给CA
(3)CA机构签署证书,并将证书颁发给请求者
[root@mysql pki]# openssl ca -in /etc/pki/tls/dker-registry.csr -out /etc/pki/CA/certs/docker-reg.crt -days 365 Using configuration from /etc/pki/tls/openssl.cnf Check that the request matches the signature Signature ok Certificate Details: Serial Number: 1 (0x1) Validity Not Before: Jul 8 01:36:27 2021 GMT Not After : Jul 8 01:36:27 2022 GMT Subject: countryName = CN stateOrProvinceName = BeiJing organizationName = zms.com organizationalUnitName = zms commonName = zhanghao emailAddress = todo@163.com X509v3 extensions: X509v3 Basic Constraints: CA:FALSE Netscape Comment: OpenSSL Generated Certificate X509v3 Subject Key Identifier: 10:BB:EA:28:14:58:83:4F:A4:8B:9C:2A:EA:BF:37:AB:8D:05:1E:44 X509v3 Authority Key Identifier: keyid:E2:E4:92:F0:3E:6C:22:94:D3:CA:69:1C:1A:F8:8C:F2:20:83:F8:2F Certificate is to be certified until Jul 8 01:36:27 2022 GMT (365 days) Sign the certificate? [y/n]:y 1 out of 1 certificate requests certified, commit? [y/n]y Write out database with 1 new entries Data Base Updated
注意:默认国家,省,公司名称三项必须和CA一致
5、x509 查看证书中的信息
语法
openssl x509 [-inform DER|PEM|NET] [-outform DER|PEM|NET] [-keyform DER|PEM] [-CAform DER|PEM] [-CAkeyform DER|PEM] [-in filename] [-out filename] [-serial] [-hash] [-subject_hash] [-issuer_hash] [-ocspid] [-subject] [-issuer] [-nameopt option] [-email] [-ocsp_uri] [-startdate] [-enddate] [-purpose] [-dates] [-checkend num] [-modulus] [-pubkey] [-fingerprint] [-alias] [-noout] [-trustout] [-clrtrust] [-clrreject] [-addtrust arg] [-addreject arg] [-setalias arg] [-days arg] [-set_serial n] [-signkey filename] [-passin arg] [-x509toreq] [-req] [-CA filename] [-CAkey filename] [-CAcreateserial] [-CAserial filename] [-force_pubkey key] [-text] [-certopt option] [-C] [-md2|-md5|-sha1|-mdc2] [-clrext] [-extfile filename] [-extensions section] [-engine id]
5.1 查看刚刚创建的证书信息
[root@mysql pki]# openssl x509 -in /etc/pki/CA/certs/docker-reg.crt -noout -subject -serial -issuer -dates subject= /C=CN/ST=BeiJing/O=zms.com/OU=zms/CN=zhanghao/emailAddress=todo@163.com serial=01 issuer= /C=CN/ST=BeiJing/L=BeiJing/O=zms.com/OU=zms/CN=zhanghao/emailAddress=todo@163.com notBefore=Jul 8 01:36:27 2021 GMT notAfter=Jul 8 01:36:27 2022 GMT
5.2 查看指定编号的证书
[root@mysql pki]# openssl ca -status 01 Using configuration from /etc/pki/tls/openssl.cnf 01=Valid (V)
吊销证书
(1)在客户机上获取要吊销证书的 serial 和 subject 信息 (命令为上面5.1)
[root@mysql CA]# openssl x509 -in /etc/pki/CA/certs/docker-reg.crt -noout -subject -serial subject= /C=CN/ST=BeiJing/O=zms.com/OU=zms/CN=zhanghao/emailAddress=todo@163.com serial=01
(2)在CA上,根据客户提交的serial与subject信息,对比检验是否与index.txt文件中的信息一致(默认在/etc/pki/CA/index.txt)
[root@mysql CA]# cat index.txt V 220708013627Z 01 unknown /C=CN/ST=BeiJing/O=zms.com/OU=zms/CN=zhanghao/emailAddress=todo@163.com
(3)CA执行吊销证书
[root@mysql CA]# openssl ca -revoke /etc/pki/CA/newcerts/01.pem Using configuration from /etc/pki/tls/openssl.cnf Revoking Certificate 01. Data Base Updated
查看证书吊销后,index文件的变化,以及索引文件名的变化
吊销前
[root@mysql CA]# ll total 20 -rw-r--r-- 1 root root 2086 Jul 7 21:25 cacert.pem drwxr-xr-x. 2 root root 44 Jul 7 21:36 certs drwxr-xr-x. 2 root root 6 Dec 16 2020 crl -rw-r--r-- 1 root root 100 Jul 7 21:36 index.txt -rw-r--r-- 1 root root 21 Jul 7 21:36 index.txt.attr -rw-r--r-- 1 root root 0 Jul 7 05:15 index.txt.old drwxr-xr-x. 2 root root 20 Jul 7 21:36 newcerts drwx------. 2 root root 23 Jul 7 05:17 private -rw-r--r-- 1 root root 3 Jul 7 21:36 serial -rw-r--r-- 1 root root 3 Jul 7 05:16 serial.old
吊销后
[root@mysql CA]# ll total 28 -rw-r--r-- 1 root root 2086 Jul 7 21:25 cacert.pem drwxr-xr-x. 2 root root 44 Jul 7 21:36 certs drwxr-xr-x. 2 root root 6 Dec 16 2020 crl -rw-r--r-- 1 root root 113 Jul 7 22:01 index.txt -rw-r--r-- 1 root root 21 Jul 7 22:01 index.txt.attr -rw-r--r-- 1 root root 21 Jul 7 21:36 index.txt.attr.old -rw-r--r-- 1 root root 100 Jul 7 21:36 index.txt.old drwxr-xr-x. 2 root root 20 Jul 7 21:36 newcerts drwx------. 2 root root 23 Jul 7 05:17 private -rw-r--r-- 1 root root 3 Jul 7 21:36 serial -rw-r--r-- 1 root root 3 Jul 7 05:16 serial.old
[root@mysql CA]# cat index.txt R 220708013627Z 210708020127Z 01 unknown /C=CN/ST=BeiJing/O=zms.com/OU=zms/CN=zhanghao/emailAddress=todo@163.com
[root@mysql CA]# cat index.txt.attr unique_subject = yes
(4)生成吊销证书的吊销编号 (第一次吊销证书时执行)
[root@mysql CA]# echo 01 > /etc/pki/CA/crlnumber
(5)更新证书吊销列表
[root@mysql CA]# openssl ca -gencrl -out /etc/pki/CA/crl/ca.crl Using configuration from /etc/pki/tls/openssl.cnf
(6)查看 crl 文件命令
[root@mysql CA]# openssl crl -in /etc/pki/CA/crl/ca.crl -noout -text Certificate Revocation List (CRL): Version 2 (0x1) Signature Algorithm: sha256WithRSAEncryption Issuer: /C=CN/ST=BeiJing/L=BeiJing/O=zms.com/OU=zms/CN=zhanghao/emailAddress=todo@163.com Last Update: Jul 8 02:10:04 2021 GMT Next Update: Aug 7 02:10:04 2021 GMT CRL extensions: X509v3 CRL Number: 1 Revoked Certificates: Serial Number: 01 Revocation Date: Jul 8 02:01:27 2021 GMT Signature Algorithm: sha256WithRSAEncryption 67:de:c5:48:d0:5a:fb:c6:9e:52:0b:d3:13:70:ce:e8:94:00: 26:2e:4e:62:25:18:72:c7:74:89:51:67:2b:7c:16:96:18:e2: 56:45:9e:c9:ec:bc:d5:52:0d:a3:a6:4d:85:cb:b5:1d:c5:82: a1:26:53:eb:42:e8:00:14:ef:4d:2d:2c:88:e0:0a:84:db:92: fb:79:6f:b4:c3:96:68:f9:af:1d:06:68:62:06:4f:c9:4a:e4: a7:e3:ab:55:d0:bb:fe:f6:8a:a4:ed:ee:7e:a5:fe:6f:f1:7c: 66:e0:06:0d:18:cf:33:9b:5a:8d:b9:75:b6:6b:04:32:60:cc: 39:42:53:a9:3f:71:39:27:c3:1f:65:b0:50:87:78:b7:c0:fb: d8:2f:e3:ed:d6:bf:f3:ea:d6:d3:a6:01:c6:27:6d:e9:b0:18: 9e:1a:2c:7f:64:46:45:7b:79:70:82:35:6f:fe:e9:ac:9b:26: 6d:d0:02:5d:37:d4:4a:94:b2:a8:52:00:bb:e3:5d:a9:11:47: 44:66:42:9e:35:7c:8c:34:ea:ca:b0:7d:98:54:28:6a:f7:88: ad:f8:ab:34:9f:12:79:fe:dd:cf:06:96:0a:d8:f8:92:a4:eb: 5d:76:af:db:51:6d:2e:4a:5a:cc:e4:80:d5:9a:9c:c5:1a:3d: 5a:1b:26:13:49:58:a9:7b:67:f8:e8:23:c4:7c:da:13:e9:b4: 43:a8:da:7b:9b:7a:f7:24:fa:a1:28:8b:1f:8e:9c:b5:bc:28: 1e:96:19:48:68:b1:22:c1:a3:00:83:cc:16:e4:94:95:ad:51: f7:68:c4:32:68:41:fe:63:8f:8f:e8:9c:f0:a9:7d:95:f7:4c: 2c:94:57:e9:51:71:d6:db:ed:17:e6:08:a9:a6:5d:a9:3c:a8: 40:56:1c:3b:e0:ef:f5:a0:8b:1f:fd:61:b6:b1:73:67:18:70: 96:7d:7d:1a:8e:f6:eb:93:b8:30:c6:60:e9:4c:8f:82:c3:d4: 6f:29:56:b2:b0:56:dd:e8:61:59:fe:85:75:65:9c:42:3f:8d: 21:9e:3f:21:f1:40:d8:ee:5f:9e:f4:4e:66:87:22:94:12:63: 27:1f:3a:97:31:28:63:07:39:39:2a:c0:aa:bd:91:47:c9:eb: ce:c1:0d:5b:76:d1:48:9c:c4:f2:88:06:69:0b:b6:71:53:58: 18:ff:e1:55:c9:58:a3:86:bf:05:7d:db:79:10:67:02:34:dd: 48:f0:65:ca:71:ad:6a:b4:a7:cb:72:14:a5:a5:53:a9:26:4b: 7d:48:76:0d:f2:d2:d7:8d:a9:75:22:9b:8f:df:7c:af:8f:16: 42:6b:c2:b7:01:50:b4:80