Linux—加密解密openssl的基本应用及CA的实现过程
1、
在21世纪这个信息化高度发达的年代,通过互联网来处理各种数据业务变得越来越广泛,几乎各行各业都离不开互联网,互联网行业的发展也相对的达到了一个前所未有的高度,互联网让我们的日常生活更加便利,我们对互联网的依赖程度也越来越高,特别是京东、亚马逊、易迅等电商的快速发展以及最近热门的互联网金融的出现更是将互联网的发展推向了一个前所未有的高度,然而互联网行业的发展不得不面对信息安全性的问题,数据的安全性特别是用户的私密性信息如何保证,互联网公司是如何保证自己的信息安全呢?京东、天猫、易迅等这些大的电商是如何加密来保证信息安全性?特别是申请一个CA价格昂贵,那又该如何自建CA呢?本博文根据自己对加密的理解简单介绍一下加密的原理、oepnssl的基本应用以及自建CA的实现过程。
2、加密的三种基本方式
1)对称加密、加密算法有:DES、3DES、AES、Blowfish、Twofish、IDEA、RC6、CAST5、Serpent
2)非对称加密,加密算法有:RSA、DSA、EIGamal
通过CA证书以及CA吊销列表来验证防止被冒充
3)单向加密,加密算法:MD5、SHA1、SHA512、CRC-32
4)PKI(公钥基础设施),目前大多数互联网公司采用此种机制保证安全性
3、加密的常用工具-openssl
对称加密:
对文件进行加密:
[[email protected] ~]# openssl enc -des3 -a -salt -in /etc/fstab -out /root/fstab.cipher enter des-ede3-cbc encryption password: Verifying - enter des-ede3-cbc encryption password: [[email protected] ~]# ls -l ./fstab.cipher -rw-r--r-- 1 root root 1118 Mar 19 17:52 ./fstab.cipher [[email protected] ~]# cat ./fstab.cipher U2FsdGVkX1+pP0xxwJRYkpfPW2rSkKY1qTIqrmbSD1WVk+8HoixNPxUP5GSpbd4e YJUhMCfVZwPLbKgTuWfUclPMox7yJ2o2kAwfi0WfAWORsOGyO9MENl0/l/iY1xJ/ s7zwqmJwycTib3fHleDmCkxiNm/X5969n1SCGiSKGElTTQYGE2295yP+RySmheU+ c3gwQrj2hDq7CPS038ZmnNsrRVlsTBykcLtxOxDvelckdSS3N3z6V6VmTSOcudqC ZfXPcAVYwLB5/9C+x/S1CjbBPzQM2i2PD8jG1V3g9V44xRVe/1lcJpSFkUyPxTkj a5NQZqi6JtXbSywY7cZjAHXu7F/DpTKUX3hLB8A+VuLLb8x2VI5uj+oCePFw7Exz xj51iJHsLmf9sXq2N6C+4ZlvHONXcD7K3WCQW/UwuYWGYY0sssuvbkyPMO5JEX9f qLzKxb79e9RUfg5KMTMaqmCHNtvmCWEBKZyeTIJmWKmzvOgnEy+BhqPhCfQMhEPf pbN3Yi+tVFs5GvyBN7MKV8vG3qoGJKzHG2Nn/RgvV/+GcnQZiRHYSdZjLxIUIuNj gZ5uJWif9vbdYRVB6KMbp2F50l41pUJFXFsRY+C6Fk/wcCcQJDakHGrKWWiC0yDm T5DdBsV0zy8A4EEtSxUa4TxWYgeLPBZSUDAxT9o5llzmX1QkP0TBNNEaITFKmsXJ 7Tv4V58JsiwxhmPvW+TirN7MLfK26/v+1TB+49DZjMQfSxS6aw9EAl+sk6LSrNwe XIdTzvQlkTPlxW4Lj8QqsAannfqVR8kQYvx9QnzSpjFiGHcG1fBsrG8oUeqWj7uY bN4AInv0V7Eq5kMb51XlZD4rxajgepdX8jjl/A5gCx+8BqLvqffkh99dem2ov9GY FSyT+tKT69YvuHITI1VbwD+4VrxyF558W3Gwo1T8D8XnSAYgfosM4Lly1np1UN0w VqlFDenH6sxslutag/CuKc5eNRZJf8mVk54QElL956APwPWSSlOtBzsBqA37M7MO QKR4tjITJYWxuup0rvagBJQ6fhHYqlU81rbGcHRBP5HeJ/D3gl6/ePnCAbHnpPeA rna7jWPVOEM= [[email protected] ~]#
对文件进行解密:
[[email protected] ~]# openssl enc -d -des3 -a -salt -in ./fstab.cipher -out ./fstab enter des-ede3-cbc decryption password: [[email protected] ~]# ls -l ./fstab -rw-r--r-- 1 root root 805 Mar 19 17:57 ./fstab [[email protected] ~]# cat ./fstab # # /etc/fstab # Created by anaconda on Fri Mar 14 08:41:02 2014 # # Accessible filesystems, by reference, are maintained under '/dev/disk' # See man pages fstab(5), findfs(8), mount(8) and/or blkid(8) for more info # UUID=b7e89175-1bb1-4f9b-af34-7450d276bc62 / ext4 defaults 1 1 UUID=85a0d4fa-fc8b-4147-95ff-cdee4fbe5869 /boot ext4 defaults 1 2 UUID=02bca372-7b18-46b0-9c81-67b807847d36 swap swap defaults 0 0 tmpfs /dev/shm tmpfs defaults 0 0 devpts /dev/pts devpts gid=5,mode=620 0 0 sysfs /sys sysfs defaults 0 0 proc /proc proc defaults 0 0 [[email protected] ~]#
单向加密:加密不可逆,加密之后不能加密只能用来验证数据完整性
对文件进行加密:
[[email protected] ~]# ls anaconda-ks.cfg install.log install.log.syslog [[email protected] ~]# cp /etc/fstab . [[email protected] ~]# ls anaconda-ks.cfg fstab install.log install.log.syslog [[email protected] ~]# md5sum fstab 35a092e2a7f450fdc2d8fb0e48ba8f07 fstab [[email protected] ~]# openssl dgst -md5 fstab MD5(fstab)= 35a092e2a7f450fdc2d8fb0e48ba8f07 [[email protected] ~]#
温馨提醒:同一文件使用同一单向加密算法所得结果一致
公钥加密:公钥加密一般用来进行身份认证,生成一对**申请CA,由于其加密速度慢,很少用来加密数据。下边实现自建CA以及申请CA中会有公钥加密的使用,这里就不再列举。
4、自建CA并实现CA证书申请,架构图如下:
CA端生成**对:通过子进程只对自己有效的特性来设置umask直接取消**文件除宿之外用户的只读权限
[[email protected] ~]# cd /etc/pki/CA/ [[email protected] CA]# ls certs crl newcerts private [[email protected] CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048) Generating RSA private key, 2048 bit long modulus ..........................................................+++ ........+++ e is 65537 (0x10001) [[email protected] CA]# ls -l private/cakey.pem -rw------- 1 root root 1675 Mar 19 18:55 private/cakey.pem [[email protected] CA]#
生成自签证书
[[email protected] ~]# cd /etc/pki/CA/ [[email protected] CA]# ls certs crl newcerts private [[email protected] CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048) Generating RSA private key, 2048 bit long modulus ..........................................................+++ ........+++ e is 65537 (0x10001) [[email protected] CA]# ls -l private/cakey.pem -rw------- 1 root root 1675 Mar 19 18:55 private/cakey.pem [[email protected] CA]#
创建需要的文件:
[[email protected] CA]# touch index.txt serial crlnumber [[email protected] CA]# echo 01 > serial [[email protected] CA]#
应用服务器生成**,保存至应用此证书的服务的配置文件目录下,
[[email protected] ~]# mkdir /etc/httpd/ssl [[email protected] ~]# cd /etc/httpd/ssl [[email protected] ssl]# (umask 077;openssl genrsa -out httpd.key 1024) Generating RSA private key, 1024 bit long modulus ......................++++++ ...++++++ e is 65537 (0x10001) [[email protected] ssl]# ls -l total 4 -rw------- 1 root root 887 Mar 19 11:24 httpd.key [[email protected] ssl]#
生成证书签署请求
[[email protected] ssl]# openssl req -new -key httpd.key -out httpd.csr You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [XX]:CN State or Province Name (full name) []:Guangdong Locality Name (eg, city) [Default City]:Shenzhen Organization Name (eg, company) [Default Company Ltd]:mesada Organizational Unit Name (eg, section) []:Linux Operation Common Name (eg, your name or your server's hostname) []:ca.mesada.com Email Address []:[email protected] Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []: [[email protected] ssl]# ls -l httpd.csr -rw-r--r-- 1 root root 720 Mar 19 11:27 httpd.csr [[email protected] ssl]#
将请求文件发往CA
[[email protected] ssl]# ls httpd.csr httpd.key [[email protected] ssl]# scp httpd.csr [email protected]:/etc/pki/CA The authenticity of host '172.16.5.3 (172.16.5.3)' can't be established. RSA key fingerprint is b1:b0:d8:51:a6:10:63:6f:ec:9a:47:96:2b:81:f4:75. Are you sure you want to continue connecting (yes/no)? yes Warning: Permanently added '172.16.5.3' (RSA) to the list of known hosts. [email protected]'s password: httpd.csr 100% 720 0.7KB/s 00:00 [[email protected] ssl]#
CA签署证书
[[email protected] ~]# cd /etc/pki/CA/ [[email protected] CA]# ls -l httpd.csr -rw-r--r-- 1 root root 720 Mar 19 19:28 httpd.csr [[email protected] CA]# openssl ca -in httpd.csr -out httpd.crt -days 3650 Using configuration from /etc/pki/tls/openssl.cnf Check that the request matches the signature Signature ok Certificate Details: Serial Number: 1 (0x1) Validity Not Before: Mar 19 11:31:27 2014 GMT Not After : Mar 16 11:31:27 2024 GMT Subject: countryName = CN stateOrProvinceName = Guangdong organizationName = mesada organizationalUnitName = Linux Operation commonName = ca.mesada.com emailAddress = [email protected] X509v3 extensions: X509v3 Basic Constraints: CA:FALSE Netscape Comment: OpenSSL Generated Certificate X509v3 Subject Key Identifier: 20:EB:87:77:A1:8B:2C:04:B0:B9:08:29:4D:57:F3:81:29:9B:56:3F X509v3 Authority Key Identifier: keyid:6E:55:BA:24:FB:A2:5E:A1:46:8F:55:AE:5E:91:32:F4:0A:B3:9E:A2 Certificate is to be certified until Mar 16 11:31:27 2024 GMT (3650 days) Sign the certificate? [y/n]:y 1 out of 1 certificate requests certified, commit? [y/n]y Write out database with 1 new entries Data Base Updated
将证书传回请求者
[[email protected] CA]# scp httpd.crt [email protected]:/etc/httpd/ssl The authenticity of host '172.16.5.6 (172.16.5.6)' can't be established. RSA key fingerprint is 4e:15:59:c4:6e:b3:10:5b:46:e5:a8:b5:2d:05:29:be. Are you sure you want to continue connecting (yes/no)? yes Warning: Permanently added '172.16.5.6' (RSA) to the list of known hosts. [email protected]'s password: httpd.crt 100% 3929 3.8KB/s 00:00 [[email protected] CA]#
查看证书
[[email protected] ssl]# ls -l httpd.crt -rw-r--r-- 1 root root 3929 Mar 19 11:33 httpd.crt [[email protected] ssl]# cat httpd.crt Certificate: Data: Version: 3 (0x2) Serial Number: 1 (0x1) Signature Algorithm: sha1WithRSAEncryption Issuer: C=CN, ST=Guangdong, L=Shenzhen, O=mesada, OU=Linux Operation, CN=ca.mesada.com/[email protected] Validity Not Before: Mar 19 11:31:27 2014 GMT Not After : Mar 16 11:31:27 2024 GMT Subject: C=CN, ST=Guangdong, O=mesada, OU=Linux Operation, CN=ca.mesada.com/[email protected] Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (1024 bit) Modulus: 00:f1:f6:5b:ad:82:7c:ca:27:df:7d:64:d2:bb:02: 69:81:3a:c0:10:1c:a8:d0:be:12:d3:e5:d6:02:b2: 3c:ee:49:9f:db:67:9e:65:3d:5f:36:8e:c2:0e:3b: 33:7e:b5:9a:25:e0:61:96:8f:79:e9:86:ca:d4:77: 6e:8a:b5:d2:f9:0e:72:f7:0b:dd:e6:55:63:ce:06: ee:0f:6c:2d:44:68:4d:bd:02:11:79:7c:1d:fb:06: 49:cf:f4:ff:3d:e7:6b:99:74:5b:43:3a:de:ab:83: a1:e0:d3:fe:64:f9:17:59:64:7a:c2:da:a5:46:8c: 74:94:93:9b:49:78:bc:cb:db Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Basic Constraints: CA:FALSE Netscape Comment: OpenSSL Generated Certificate X509v3 Subject Key Identifier: 20:EB:87:77:A1:8B:2C:04:B0:B9:08:29:4D:57:F3:81:29:9B:56:3F X509v3 Authority Key Identifier: keyid:6E:55:BA:24:FB:A2:5E:A1:46:8F:55:AE:5E:91:32:F4:0A:B3:9E:A2 Signature Algorithm: sha1WithRSAEncryption 15:c0:88:62:d1:e1:fe:f5:6d:95:f9:41:a3:51:f7:13:39:cb: dc:1d:ef:22:5b:77:e1:a2:3b:38:c5:85:b7:ad:b4:ac:18:93: 7c:0b:95:0c:32:a8:33:0d:d5:34:47:57:ae:b6:a5:04:6c:cc: 81:0b:64:97:a1:c9:91:ed:56:1b:da:0a:62:34:7a:48:8d:07: 3e:00:c2:df:53:fd:0d:a2:8a:84:33:af:5a:1c:c6:81:3c:22: e3:da:7e:ab:00:2e:57:8f:ba:34:2d:1d:06:5a:ce:d6:2a:f3: 6c:67:da:12:cf:94:54:19:9e:10:d3:38:d9:6d:ac:a8:06:34: a1:3c:95:3a:ba:3a:44:23:c1:c1:4f:31:d8:93:1a:09:58:80: d0:62:3f:00:a1:89:ec:ce:48:e9:86:1b:56:65:0f:84:90:9d: 9d:ee:94:09:25:2a:81:13:eb:61:e6:36:55:19:f6:22:34:94: 27:38:db:12:df:c0:f4:c1:80:b9:4d:36:43:1a:fe:1b:80:f5: 1c:25:6f:1d:8e:fa:6e:53:25:9c:47:54:82:c4:82:2c:1e:14: 68:6f:9c:ce:79:9c:45:38:e1:b0:d8:60:df:f2:f9:d1:d3:67: cf:6e:d4:6f:75:f8:c2:65:0b:9e:97:b4:02:a9:34:3a:99:65: 9a:dd:f7:c1 -----BEGIN CERTIFICATE----- MIIDlTCCAn2gAwIBAgIBATANBgkqhkiG9w0BAQUFADCBmjELMAkGA1UEBhMCQ04x EjAQBgNVBAgMCUd1YW5nZG9uZzERMA8GA1UEBwwIU2hlbnpoZW4xDzANBgNVBAoM Bm1lc2FkYTEYMBYGA1UECwwPTGludXggT3BlcmF0aW9uMRYwFAYDVQQDDA1jYS5t ZXNhZGEuY29tMSEwHwYJKoZIhvcNAQkBFhJjYWFkbWluQG1lc2FkYS5jb20wHhcN MTQwMzE5MTEzMTI3WhcNMjQwMzE2MTEzMTI3WjCBhzELMAkGA1UEBhMCQ04xEjAQ BgNVBAgMCUd1YW5nZG9uZzEPMA0GA1UECgwGbWVzYWRhMRgwFgYDVQQLDA9MaW51 eCBPcGVyYXRpb24xFjAUBgNVBAMMDWNhLm1lc2FkYS5jb20xITAfBgkqhkiG9w0B CQEWEmNhYWRtaW5AbWVzYWRhLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkC gYEA8fZbrYJ8yifffWTSuwJpgTrAEByo0L4S0+XWArI87kmf22eeZT1fNo7CDjsz frWaJeBhlo956YbK1HduirXS+Q5y9wvd5lVjzgbuD2wtRGhNvQIReXwd+wZJz/T/ PedrmXRbQzreq4Oh4NP+ZPkXWWR6wtqlRox0lJObSXi8y9sCAwEAAaN7MHkwCQYD VR0TBAIwADAsBglghkgBhvhCAQ0EHxYdT3BlblNTTCBHZW5lcmF0ZWQgQ2VydGlm aWNhdGUwHQYDVR0OBBYEFCDrh3ehiywEsLkIKU1X84Epm1Y/MB8GA1UdIwQYMBaA FG5VuiT7ol6hRo9Vrl6RMvQKs56iMA0GCSqGSIb3DQEBBQUAA4IBAQAVwIhi0eH+ 9W2V+UGjUfcTOcvcHe8iW3fhojs4xYW3rbSsGJN8C5UMMqgzDdU0R1eutqUEbMyB C2SXocmR7VYb2gpiNHpIjQc+AMLfU/0NooqEM69aHMaBPCLj2n6rAC5Xj7o0LR0G Ws7WKvNsZ9oSz5RUGZ4Q0zjZbayoBjShPJU6ujpEI8HBTzHYkxoJWIDQYj8AoYns zkjphhtWZQ+EkJ2d7pQJJSqBE+th5jZVGfYiNJQnONsS38D0wYC5TTZDGv4bgPUc JW8djvpuUyWcR1SCxIIsHhRob5zOeZxFOOGw2GDf8vnR02fPbtRvdfjCZQuel7QC qTQ6mWWa3ffB -----END CERTIFICATE----- [[email protected] ssl]#
如果**丢失,要及时吊销证书
[[email protected] CA]# openssl ca -revoke httpd.crt Using configuration from /etc/pki/tls/openssl.cnf Revoking Certificate 01. Data Base Updated [[email protected] CA]#
转载于:https://blog.51cto.com/il23f/1379552