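Learning openssl
Elements of secure transmission: integrity, confidentiality, authentication
1. Encryption algorithms
1) Symmetric encryption:
2) Public-key encryption algorithms (asymmetric encryption algorithms):
Public key: visible to anyone
Private key: visible only to its owner
3) IKE: key exchange protocol
4) PKI: public key infrastructure
Symmetric encryption:
Encryption and decryption use the same password
Algorithms: DES, 3DES
AES192, AES256, AES512
One-way encryption (hashing):
Algorithms: MD5, SHA1, CRC-32, SHA192
Public-key encryption: authentication, data encryption
Algorithms: RSA (encryption, signing), DSA (signing), ElGamal
OpenSSL: an open-source implementation of SSL
General-purpose cryptography library: libcrypto
libssl: the TLS/SSL implementation
A session-based TLS/SSL library that provides authentication, data confidentiality and session integrity
openssl: the command-line tool
Can be used to issue private certificates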
```
[root@192 ~]# rpm -q openssl
openssl-1.0.2k-12.el7.x86_64
[root@192 ~]# openssl version
OpenSSL 1.0.2k-fips 26 Jan 2017
[root@192 ~]#
```
Official openssl website:
Subcommands:
-?
openssl speed: speed test (benchmark) tool
```
[root@192 ~]# openssl speed des
Doing des cbc for 3s on 16 size blocks: 11523085 des cbc's in 2.96s
Doing des cbc for 3s on 64 size blocks: 3017947 des cbc's in 2.98s
Doing des cbc for 3s on 256 size blocks: 767332 des cbc's in 2.98s
Doing des cbc for 3s on 1024 size blocks: 189100 des cbc's in 2.97s
Doing des cbc for 3s on 8192 size blocks: 23942 des cbc's in 2.97s
Doing des ede3 for 3s on 16 size blocks: ^
```
openssl enc: encrypt and decrypt files
```
[root@192 demo]# openssl enc -des3 -salt -in /tmp/demo/1.txt -out 1.txt.des3
enter des-ede3-cbc encryption password:
Verifying - enter des-ede3-cbc encryption password:
[root@192 demo]# ll
總用量 8
-rw-r--r-- 1 root root 10 10月 21 22:01 1.txt
-rw-r--r-- 1 root root 32 11月 24 23:47 1.txt.des3
[root@192 demo]# view 1.txt
[root@192 demo]# view 1.txt.des3
[root@192 demo]#
```
openssl dgst: compute a file's digest (fingerprint)
```
[root@192 demo]# md5sum 1.txt
c7fd8dfd6902d5503d5d1f41940174bf 1.txt
[root@192 demo]# sha1sum 1.txt
7eac1643c87e8a425c3e361c7e0a2a48e8bba9b8 1.txt
[root@192 demo]# md5sum 1.txt.2
c7fd8dfd6902d5503d5d1f41940174bf 1.txt.2
[root@192 demo]# openssl dgst -md5 1.txt
MD5(1.txt)= c7fd8dfd6902d5503d5d1f41940174bf
[root@192 demo]#
```
openssl passwd -1: generate an encrypted (hashed) password string
```
[root@192 demo]# openssl passwd -1
Password:
Verifying - Password:
$1$93NfzJP4$vIiNiNwVPt.kqR232B6KJ.
[root@192 demo]#
```
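2. Certificate revocation list: CRL
3. CA: certificate authority
PKI: defines CAs, the trust relationships between CAs, and the CAs' revocation lists
PKI: TLS/SSL: x509
PKI: OpenPGP
4. Certificate formats:
1) x509: TLS/SSL
Public key, validity period
The certificate's legitimate owner
How the certificate may be used
CA information
CA signature (public key, private key)
2) pkcs12
5. TLS/SSL, OpenPGP
Four-layer model: link layer, network layer, transport layer, application layer
Seven-layer model: physical layer, data link layer, network layer, transport layer, session layer, presentation layer, application layer
TCP/IP, http, smtp, ftp
https: uses port 443
SSL: Secure Sockets Layer
SSLv2, SSLv3
TLS: Transport Layer Security
HTTP: runs over TCP
HTTPS: uses port 443
0) TCP three-way handshake
1) Establish the SSL session
2) The server sends its certificate to the client
3) The client verifies the certificate and generates a random symmetric key
4) The client encrypts that key with the public key and sends it to the server
II. Implementing a private CA with openssl
2.1 Generate a key pair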
```
[root@192 demo]# openssl genrsa 2048 >> server.key
Generating RSA private key, 2048 bit long modulus
.......................................................................................................................................................................................................+++
..............................................................+++
e is 65537 (0x10001)
[root@192 demo]# ll
總用量 16
-rw-r--r-- 1 root root 10 10月 21 22:01 1.txt
-rw-r--r-- 1 root root 10 11月 24 23:49 1.txt.2
-rw-r--r-- 1 root root 32 11月 24 23:47 1.txt.des3
-rw-r--r-- 1 root root 1675 11月 25 00:15 server.key
```
2.2 Generate the public key
```
[root@192 demo]# openssl rsa -in server.key -pubout -out client.key
writing RSA key
[root@192 demo]# ll
總用量 20
-rw-r--r-- 1 root root 10 10月 21 22:01 1.txt
-rw-r--r-- 1 root root 10 11月 24 23:49 1.txt.2
-rw-r--r-- 1 root root 32 11月 24 23:47 1.txt.des3
-rw-r--r-- 1 root root 451 11月 25 00:20 client.key
-rw-r--r-- 1 root root 1675 11月 25 00:15 server.key
```
2.3 Generate a self-signed certificate
```
[root@192 demo]# openssl req -new -x509 -key server.key -out server.crt -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:shanghai
Locality Name (eg, city) [Default City]:shanghai
Organization Name (eg, company) [Default Company Ltd]:fullgoal
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:test
Email Address []:test@test.com
[root@192 demo]# ll
總用量 24
-rw-r--r-- 1 root root 10 10月 21 22:01 1.txt
-rw-r--r-- 1 root root 10 11月 24 23:49 1.txt.2
-rw-r--r-- 1 root root 32 11月 24 23:47 1.txt.des3
-rw-r--r-- 1 root root 451 11月 25 00:20 client.key
-rw-r--r-- 1 root root 1391 11月 25 00:24 server.crt
-rw-r--r-- 1 root root 1675 11月 25 00:15 server.key
[root@192 demo]#
```
2.4 Print the certificate information
```
[root@192 demo]# openssl x509 -text -in server.crt
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            e4:15:8c:18:56:55:8c:4e
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=CN, ST=shanghai, L=shanghai, O=fullgoal, OU=IT, CN=test/emailAddress=test@test.com
        Validity
            Not Before: Nov 24 16:24:04 2018 GMT
            Not After : Nov 24 16:24:04 2019 GMT
        Subject: C=CN, ST=shanghai, L=shanghai, O=fullgoal, OU=IT, CN=test/emailAddress=test@test.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    ...
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                59:88:62:54:A7:93:A7:7D:71:D2:97:45:29:6C:5A:63:0A:55:14:90
            X509v3 Authority Key Identifier:
                keyid:59:88:62:54:A7:93:A7:7D:71:D2:97:45:29:6C:5A:63:0A:55:14:90
            X509v3 Basic Constraints:
                CA:TRUE
    Signature Algorithm: sha256WithRSAEncryption
         ...
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
[root@192 demo]#
```
2.5 Create the CA
```
[root@192 demo]# cd /etc/pki/tls/
[root@192 tls]# vi openssl.cnf
[root@192 CA]# (umask 077; openssl genrsa -out private/cakey.pem 2048 )
Generating RSA private key, 2048 bit long modulus
...............................................+++
..................+++
e is 65537 (0x10001)
[root@192 CA]# ll
總用量 0
drwxr-xr-x. 2 root root 6 4月 11 2018 certs
drwxr-xr-x. 2 root root 6 4月 11 2018 crl
drwxr-xr-x. 2 root root 6 4月 11 2018 newcerts
drwx------. 2 root root 23 11月 25 00:35 private
[root@192 CA]# ll private/
總用量 4
-rw------- 1 root root 1679 11月 25 00:35 cakey.pem
[root@192 CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:shanghai
Locality Name (eg, city) [Default City]:shanghai
Organization Name (eg, company) [Default Company Ltd]:fullgoal
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:fullgoal
Email Address []:fullgoal@fullgoal.com
[root@192 CA]# ll
總用量 4
-rw-r--r-- 1 root root 1424 11月 25 00:37 cacert.pem
drwxr-xr-x. 2 root root 6 4月 11 2018 certs
drwxr-xr-x. 2 root root 6 4月 11 2018 crl
drwxr-xr-x. 2 root root 6 4月 11 2018 newcerts
drwx------. 2 root root 23 11月 25 00:35 private
[root@192 CA]# touch index.txt
[root@192 CA]# echo 01 > serial
[root@192 CA]# ls
cacert.pem certs crl index.txt newcerts private serial
[root@192 CA]#
```
2.6 Apply to the CA for a certificate
```
[root@192 ~]# cd /tmp/demo/
[root@192 demo]# ls
1.txt 1.txt.2 1.txt.des3 client.key server.crt server.key
[root@192 demo]# mkdir ssl
[root@192 demo]# cd ssl/
[root@192 ssl]# pwd
/tmp/demo/ssl
[root@192 ssl]# (umask 077; openssl genrsa -out httpd.key )
Generating RSA private key, 2048 bit long modulus
................................+++
....................................................+++
e is 65537 (0x10001)
[root@192 ssl]# ls
httpd.key
[root@192 ssl]# cat httpd.key
-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----
[root@192 ssl]# openssl req -new -key httpd.key -out httpd.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:shanghai
Locality Name (eg, city) [Default City]:shanghai
Organization Name (eg, company) [Default Company Ltd]:fullgoal
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:
Email Address []:full@full1.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@192 ssl]# ls
httpd.csr httpd.key
[root@192 ssl]# openssl ca -in httpd.csr -out httpd.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Nov 24 16:45:54 2018 GMT
            Not After : Nov 24 16:45:54 2019 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = shanghai
            organizationName          = fullgoal
            organizationalUnitName    = IT
            commonName                =
            emailAddress              = full@full1.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                D8:67:DC:DA:25:5F:1C:FC:7C:CB:BC:4F:9B:85:20:2B:9D:47:A2:61
            X509v3 Authority Key Identifier:
                keyid:36:9F:EF:EF:DC:DF:CB:37:E7:69:EE:8C:EA:91:A0:30:A1:88:17:B8

Certificate is to be certified until Nov 24 16:45:54 2019 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@192 ssl]# ls
httpd.crt httpd.csr httpd.key
[root@192 ssl]# cd /etc/pki/CA/
[root@192 CA]# cat index.txt
V 191124164554Z 01 unknown /C=CN/ST=shanghai/O=fullgoal/OU=IT/CN=/emailAddress=full@full1.com
[root@192 CA]#
```
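Private certificate issuance workflow:
Create the CA: generate a private key -> generate the certificate -> place them in the paths specified in openssl.cnf
Request a certificate: generate a private key -> generate the certificate request (CSR) -> send it to the CA for signing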
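The private CA workflow above (create the CA, generate a request, have the CA sign it) as a non-interactive script; this is an added example, not part of the original notes. It goes slightly beyond the page by giving the request a non-empty CN and a subjectAltName and by checking the result with `openssl verify`. The scratch directory layout, the generated ca.cnf, the subject names and the host name are all assumptions.

```shell
#!/bin/sh
# Added example: names, paths and the generated ca.cnf are assumptions for this demo.

make_ca() {    # $1 = empty scratch directory that will hold the CA
    mkdir -p "$1/newcerts"
    : > "$1/index.txt"           # database of issued certificates
    echo 01 > "$1/serial"        # serial number for the next certificate
    cat > "$1/ca.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database      = $1/index.txt
serial        = $1/serial
new_certs_dir = $1/newcerts
certificate   = $1/cacert.pem
private_key   = $1/cakey.pem
default_md    = sha256
default_days  = 365
policy        = demo_policy
[ demo_policy ]
commonName = supplied
[ req ]
distinguished_name = dn
x509_extensions    = ca_ext
[ dn ]
commonName = Common Name
[ ca_ext ]
basicConstraints = critical, CA:TRUE
EOF
    (umask 077; openssl genrsa -out "$1/cakey.pem" 2048) 2>/dev/null
    openssl req -new -x509 -config "$1/ca.cnf" -key "$1/cakey.pem" \
        -subj "/CN=Demo Private CA" -days 3650 -out "$1/cacert.pem"
}

issue_cert() { # $1 = CA directory, $2 = host name used as CN and subjectAltName
    (umask 077; openssl genrsa -out "$1/$2.key" 2048) 2>/dev/null
    openssl req -new -config "$1/ca.cnf" -key "$1/$2.key" \
        -subj "/CN=$2" -out "$1/$2.csr"
    printf 'basicConstraints = CA:FALSE\nsubjectAltName = DNS:%s\n' "$2" \
        > "$1/$2.ext"
    openssl ca -batch -notext -config "$1/ca.cnf" -extfile "$1/$2.ext" \
        -in "$1/$2.csr" -out "$1/$2.crt" 2>/dev/null
}

check_cert() { # $1 = CA directory, $2 = certificate; succeeds only if the CA signed it
    openssl verify -CAfile "$1/cacert.pem" "$2" >/dev/null 2>&1
}
```

After `make_ca` and one `issue_cert` call, index.txt holds a single `V` (valid) entry and serial has advanced to 02, matching the index.txt line shown in step 2.6.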
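III. Client
sshd: host keys
ssh configuration files: ssh_config (client), sshd_config (server)
To do:
From the ITPUB blog, link: http://blog.itpub.net/31559099/viewspace-2220500/. If you repost this, please credit the source; otherwise legal liability will be pursued.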