1. Outline the common encryption algorithms and how they work, ideally with diagrams
Key algorithms and protocols
openssl
- Made up of three parts
- encryption/decryption library: libcrypto
- secure communication library: libssl
- command-line tool: openssl
Cryptosystems and protocols
Symmetric encryption
- DES (Data Encryption Standard): 64-bit, already broken
- 3DES
- AES (Advanced Encryption Standard): 128, 192, 256, 384 bits
- Others: Blowfish, Twofish, IDEA, RC6, CAST5
- Features:
- Drawbacks:
Public-key encryption
- Public key: derived from the private key
- Private key: kept only by its owner
- Property: what the public key encrypts, only the paired private key can decrypt
- Uses: digital signatures, identity verification, key exchange, data encryption
- Process:
- 1. The sender hashes the data with a one-way function to obtain its fingerprint
- 2. The sender encrypts the fingerprint with its own private key and appends it (the signature)
- 3. The sender generates a one-time symmetric key and encrypts the whole payload with it
- 4. The sender obtains the receiver's public key, encrypts the symmetric key with it and appends that
- 5. The result is sent to the receiver
- 6. The receiver decrypts the symmetric key with its own private key
- 7. The receiver decrypts the payload with the symmetric key
- 8. The receiver obtains the sender's public key and decrypts the signature, which authenticates the sender
- 9. The receiver hashes the data itself and compares the two fingerprints to check integrity
- Weakness: man-in-the-middle attack
- Remedy: each side obtains the other's public key through a CA (certificate authority), which can also revoke certificates
- Algorithms: RSA can both sign and encrypt/decrypt; DSA can only sign
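The nine-step process above, carried out end to end with the openssl command-line tool, as an added example that is not part of the original notes. The party names (sender/receiver), file names and the sample message are constructed for this example, and the keys are throw-away ones generated in a temporary directory. The last function shows step 9 doing its job: a single byte appended to the decrypted data makes signature verification fail.

```shell
#!/bin/sh
# Added example, not code from the original notes: the nine-step
# sign-then-encrypt flow run with the openssl CLI. Party names, file names
# and the sample message are constructed; keys are throw-away.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Long-term key pairs for both parties (2048-bit; the 1024-bit size used
# later in the write-up is only acceptable in a lab).
for who in sender receiver; do
    openssl genrsa -out "$who.key" 2048 2>/dev/null
    openssl rsa -in "$who.key" -pubout -out "$who.pub" 2>/dev/null
done

printf 'constructed sample message for the hybrid flow\n' > msg.txt

# Sender side, steps 1-5.
send_message() {
    # 1+2: hash the data (SHA-256) and sign the hash with the sender's private key
    openssl dgst -sha256 -sign sender.key -out msg.sig msg.txt
    # 3: one-time symmetric key; encrypt data and signature with it
    openssl rand -hex 32 > session.key
    openssl enc -aes-256-cbc -pbkdf2 -pass file:session.key -in msg.txt -out msg.enc
    openssl enc -aes-256-cbc -pbkdf2 -pass file:session.key -in msg.sig -out sig.enc
    # 4: wrap the session key with the receiver's public key (RSA-OAEP)
    openssl pkeyutl -encrypt -pubin -inkey receiver.pub \
        -pkeyopt rsa_padding_mode:oaep -in session.key -out session.key.enc
    # 5: only msg.enc, sig.enc and session.key.enc go on the wire
    rm -f session.key msg.sig
}

# Receiver side, steps 6-9.
receive_message() {
    # 6: unwrap the session key with the receiver's private key
    openssl pkeyutl -decrypt -inkey receiver.key \
        -pkeyopt rsa_padding_mode:oaep -in session.key.enc -out session.key.dec
    # 7: decrypt data and signature with the recovered symmetric key
    openssl enc -d -aes-256-cbc -pbkdf2 -pass file:session.key.dec -in msg.enc -out msg.dec
    openssl enc -d -aes-256-cbc -pbkdf2 -pass file:session.key.dec -in sig.enc -out sig.dec
    # 8+9: verify with the sender's public key; openssl recomputes the
    # SHA-256 of msg.dec and compares it with the hash inside the signature
    openssl dgst -sha256 -verify sender.pub -signature sig.dec msg.dec
}

# Integrity check: one appended byte must make step 9 fail. Returns 0 when
# the tampered copy is rejected, 1 if verification wrongly succeeds.
tamper_check() {
    cp msg.dec msg.bad
    printf 'X' >> msg.bad
    if openssl dgst -sha256 -verify sender.pub -signature sig.dec msg.bad >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

send_message
receive_message            # prints "Verified OK"
tamper_check && echo "tampered copy rejected"
```

Step 8 only authenticates the sender if the receiver already holds a genuine copy of sender.pub; obtaining that copy safely is exactly the man-in-the-middle gap that the CA noted above is meant to close.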
One-way encryption (hashing)
- Can only go one way and never be decrypted; used to extract a fingerprint of the data for integrity checks
- Fixed-length output; avalanche effect
- Algorithms: md5, sha160 (SHA-1), sha224, sha256, sha384, sha512
Key exchange
2. Set up Apache or nginx and serve HTTPS with a self-signed certificate (choose your own domain name for the certificate)
+ 1. The CA server generates its private key
[root@center ~]# cd /etc/pki/CA/
[root@center CA]# (umask 077; openssl genrsa 1024 > /etc/pki/CA/private/cakey.pem)
Generating RSA private key, 1024 bit long modulus
.....................................................................................................++++++
......++++++
e is 65537 (0x10001)
[root@center CA]# ll private/
total 4
-rw------- 1 root root 891 Jul 29 22:54 cakey.pem
+ 2. The CA server generates its self-signed certificate
[root@center CA]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:GUANGDONG
Locality Name (eg, city) [Default City]:GUANGZHOU
Organization Name (eg, company) [Default Company Ltd]:xlc
Organizational Unit Name (eg, section) []:devops
Common Name (eg, your name or your server's hostname) []:ca.xlc.com
Email Address []:
[root@center CA]# ll
total 4
-rw-r--r-- 1 root root 973 Jul 29 22:57 cacert.pem
drwxr-xr-x. 2 root root 6 Apr 11 12:58 certs
drwxr-xr-x. 2 root root 6 Apr 11 12:58 crl
drwxr-xr-x. 2 root root 6 Apr 11 12:58 newcerts
drwx------. 2 root root 23 Jul 29 22:54 private
+ 3. The CA server creates the database directory and files
[root@center CA]# touch index.txt
[root@center CA]# ll
total 8
-rw-r--r-- 1 root root 973 Jul 29 22:57 cacert.pem
drwxr-xr-x. 2 root root 6 Apr 11 12:58 certs
drwxr-xr-x. 2 root root 6 Apr 11 12:58 crl
-rw-r--r-- 1 root root 0 Jul 29 23:00 index.txt
drwxr-xr-x. 2 root root 6 Apr 11 12:58 newcerts
drwx------. 2 root root 23 Jul 29 22:54 private
-rw-r--r-- 1 root root 3 Jul 29 23:00 serial
+ 4. The httpd server creates its private key
[root@web1 httpd]# cd /etc/httpd/
[root@web1 httpd]# mkdir ssl
[root@web1 httpd]# ll
total 0
drwxr-xr-x 2 root root 37 Jul 29 22:16 conf
drwxr-xr-x 2 root root 255 Jul 29 22:46 conf.d
drwxr-xr-x 2 root root 165 Jul 29 22:43 conf.modules.d
lrwxrwxrwx 1 root root 19 Jul 28 11:49 logs -> ../../var/log/httpd
lrwxrwxrwx 1 root root 29 Jul 28 11:49 modules -> ../../usr/lib64/httpd/modules
lrwxrwxrwx 1 root root 10 Jul 28 11:49 run -> /run/httpd
drwxr-xr-x 2 root root 6 Jul 29 23:02 ssl
[root@web1 httpd]# (umask 077; openssl genrsa 1024 > /etc/httpd/ssl/httpd_key.pem)
Generating RSA private key, 1024 bit long modulus
...............++++++
.++++++
e is 65537 (0x10001)
[root@web1 httpd]# ll ssl
total 4
-rw------- 1 root root 887 Jul 29 23:03 httpd_key.pem
+ 5. The httpd server generates a certificate signing request (CSR)
[root@web1 httpd]# openssl req -new -key /etc/httpd/ssl/httpd_key.pem -out /etc/httpd/ssl/httpd_csr.pem -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:GUANGDONG
Locality Name (eg, city) [Default City]:GUANGZHOU
Organization Name (eg, company) [Default Company Ltd]:xlc
Organizational Unit Name (eg, section) []:devops
Common Name (eg, your name or your server's hostname) []:www.xlc.com
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@web1 httpd]# ll ssl
total 8
-rw-r--r-- 1 root root 655 Jul 29 23:07 httpd_csr.pem
-rw------- 1 root root 887 Jul 29 23:03 httpd_key.pem
+ 6. The httpd server sends the CSR to the CA host
[root@web1 httpd]# scp -P 37777 ssl/httpd_csr.pem xlc@192.168.1.9:~/
xlc@192.168.1.9's password:
httpd_csr.pem 100% 655 275.9KB/s 00:00
[root@center CA]# mv /home/xlc/httpd_csr.pem /etc/pki/CA/certs/
[root@center CA]# ll /etc/pki/CA/certs/
total 4
-rw-r--r-- 1 xlc xlc 655 Jul 29 23:11 httpd_csr.pem
[root@center CA]# chown root:root /etc/pki/CA/certs/httpd_csr.pem
[root@center CA]# ll /etc/pki/CA/certs/
total 4
-rw-r--r-- 1 root root 655 Jul 29 23:11 httpd_csr.pem
+ 7. On the CA host, sign the CSR into a certificate (crt)
[root@center CA]# openssl ca -in /etc/pki/CA/certs/httpd_csr.pem -out /etc/pki/CA/certs/httpd_crt.pem -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Jul 29 15:16:20 2018 GMT
Not After : Jul 29 15:16:20 2019 GMT
Subject:
countryName = CN
stateOrProvinceName = GUANGDONG
organizationName = xlc
organizationalUnitName = devops
commonName = www.xlc.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
AC:23:F3:AA:82:30:85:DF:33:CB:FB:8B:99:40:FE:97:77:27:35:19
X509v3 Authority Key Identifier:
keyid:1D:46:AF:3A:D4:63:84:11:CC:40:B1:E2:D1:B1:93:C4:3C:6A:6B:B4
Certificate is to be certified until Jul 29 15:16:20 2019 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@center CA]# ll certs/
total 8
-rw-r--r-- 1 root root 3078 Jul 29 23:16 httpd_crt.pem
-rw-r--r-- 1 root root 655 Jul 29 23:11 httpd_csr.pem
+ 8. The CA host issues the signed certificate to the httpd server
[root@center CA]# scp -P 37777 certs/httpd_crt.pem xlc@192.168.1.11:~/
The authenticity of host '[192.168.1.11]:37777 ([192.168.1.11]:37777)' can't be established.
ECDSA key fingerprint is SHA256:wzY0qfeE6RuadsJGxl4+808KAv7mKRR8sbdXEFIYZOc.
ECDSA key fingerprint is MD5:78:f2:b3:f9:e7:4c:1e:5e:06:46:c6:64:35:37:97:a0.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[192.168.1.11]:37777' (ECDSA) to the list of known hosts.
xlc@192.168.1.11's password:
httpd_crt.pem 100% 3078 919.8KB/s 00:00
[root@web1 httpd]# mv /home/xlc/httpd_crt.pem ssl/
[root@web1 httpd]# ll ssl/
total 12
-rw-r--r-- 1 xlc xlc 3078 Jul 29 23:19 httpd_crt.pem
-rw-r--r-- 1 root root 655 Jul 29 23:07 httpd_csr.pem
-rw------- 1 root root 887 Jul 29 23:03 httpd_key.pem
[root@web1 httpd]# chown root:root ssl/httpd_crt.pem
[root@web1 httpd]# ll ssl
total 12
-rw-r--r-- 1 root root 3078 Jul 29 23:19 httpd_crt.pem
-rw-r--r-- 1 root root 655 Jul 29 23:07 httpd_csr.pem
-rw------- 1 root root 887 Jul 29 23:03 httpd_key.pem
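Steps 1 to 8 above, compressed into a non-interactive script, as an added example that is not code from the original write-up, followed by the check a browser performs once the CA certificate is trusted (step 11 below). The names ca.example.test and www.example.test are constructed for this example. Two deliberate differences from the write-up: it signs with openssl x509 -req instead of openssl ca, so no index.txt/serial database is needed, and it adds a subjectAltName to the server certificate, which the openssl ca run above does not (browsers ignore the CN and require a SAN). It also uses 2048-bit keys where the write-up uses 1024-bit ones.

```shell
#!/bin/sh
# Added example, not code from the original write-up: steps 1-8 (CA key,
# self-signed CA cert, server key + CSR, signing) run non-interactively,
# then the chain/hostname check a browser does after step 11.
# ca.example.test and www.example.test are constructed names.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

CA_CN=ca.example.test
SERVER_FQDN=www.example.test

build_ca() {
    # steps 1-2: CA private key (mode 0600 via umask) and self-signed CA cert
    (umask 077; openssl genrsa -out cakey.pem 2048 2>/dev/null)
    openssl req -new -x509 -key cakey.pem -out cacert.pem -days 365 \
        -subj "/C=CN/ST=GUANGDONG/L=GUANGZHOU/O=xlc/OU=devops/CN=$CA_CN"
}

issue_server_cert() {
    # steps 4-5: server key and CSR; -subj replaces the interactive prompts
    (umask 077; openssl genrsa -out httpd_key.pem 2048 2>/dev/null)
    openssl req -new -key httpd_key.pem -out httpd_csr.pem \
        -subj "/C=CN/ST=GUANGDONG/L=GUANGZHOU/O=xlc/OU=devops/CN=$SERVER_FQDN"
    # step 7: sign the CSR. The extension file pins CA:FALSE (the server cert
    # must not be able to issue further certs) and adds the SAN browsers need.
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$SERVER_FQDN" > server.ext
    openssl x509 -req -in httpd_csr.pem -CA cacert.pem -CAkey cakey.pem \
        -CAcreateserial -days 365 -extfile server.ext -out httpd_crt.pem 2>/dev/null
}

# Chain and hostname check against the given trust anchor; returns openssl's
# exit status (0 = "httpd_crt.pem: OK").
verify_server_cert() {
    openssl verify -CAfile "$1" -verify_hostname "$2" httpd_crt.pem
}

build_ca
issue_server_cert
verify_server_cert cacert.pem "$SERVER_FQDN"
```

Running openssl verify without -CAfile fails for the same reason a browser warns before step 11: the self-signed CA is not in the trust store. Checking with -verify_hostname for a name other than the one in the SAN fails too, which is the binding between certificate and site name that makes the man-in-the-middle remedy from section 1 work.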
+ 9. Edit ssl.conf
DocumentRoot "/home/www"
ServerName www.xlc.com:443
DirectoryIndex index.html
<Directory "/home/www">
Options None
AllowOverride None
Require all granted
</Directory>
<location /server-status>
SetHandler server-status
<RequireAll>
Require ip 192.168.1.3
</RequireAll>
</location>
SSLCertificateFile /etc/httpd/ssl/httpd_crt.pem
SSLCertificateKeyFile /etc/httpd/ssl/httpd_key.pem
+ 10. Restart the service
[root@web1 conf.d]# httpd -t
Syntax OK
[root@web1 conf.d]# !sys
systemctl restart httpd.service
[root@web1 conf.d]# ss -tnl
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 192.168.1.11:37777 *:*
LISTEN 0 100 127.0.0.1:25 *:*
LISTEN 0 128 :::443 :::*
LISTEN 0 128 :::80 :::*
LISTEN 0 100 ::1:25 :::*
+ 11. Import the CA certificate into the browser
+ Import cacert.pem under Trusted Root Certification Authorities
3. Explain how DNS works, and set up a master/slave pair
How name resolution works
- The client first checks its local hosts file
- The client then checks its local DNS cache
- The client sends the query to the DNS server it is configured with (the ISP's resolver)
- The ISP resolver handles the query recursively, forwarding it upward
- The ISP resolver sends the query to a root server
- The root refers it to the top-level domain server, and the resolver works downward iteratively
- The top-level domain server refers it to the second-level domain server
- The authoritative server for the name finds the answer and returns it to the ISP resolver
- The ISP resolver stores the answer in its own cache and returns it to the client
Forward and reverse resolution
- Name to IP is forward resolution: an A record
- IP to name is reverse resolution: a PTR record
Domain registrars
Master and slave DNS servers
- The master can be changed at any time
- The slave synchronises from the master
- Master and slaves can share the load
- Serial number: the zone database version (serial)
- Refresh interval: refresh
- Retry interval: retry
- Expiry time: expire
- The master can also notify the slaves to synchronise immediately
- Transfer types: full (AXFR) and incremental (IXFR)
Other concepts
- zone
- domain: has a forward zone and a reverse zone
Zone database file
- Resource records: RR
- A: address
- AAAA: IPv6 address
- PTR: reverse resolution
- SOA: start of authority
- NS: name server
- CNAME: canonical name (alias)
- MX: mail exchange, priority 0-99; the lower the number, the higher the priority
Syntax
- name [ttl] IN RR_TYPE value
- SOA is mandatory and must be the first record
- The SOA value contains:
- the zone name
- the administrator's mailbox, with the @ replaced by a dot
- (serial; refresh; retry; expire; negative-answer ttl), units H, M, W, D
- ttl can be inherited
- fully qualified names end with a dot
- @ stands for the zone
- when consecutive records have the same name, the name may be omitted
Configuring the slave DNS
[root@python ~]# tail -6 /etc/named.rfc1912.zones
zone "xlc.com" IN {
type slave;
file "slaves/xlc.com.zone";
masters { 192.168.1.9; };
};
- On the master:
- make sure the zone has an NS record and a matching A record for the slave
- after every change, increment the serial and reload the configuration
- manual transfer: dig -t axfr <domain>
- keep the clocks in sync with ntpdate
[root@center ~]# cat /var/named/xlc.com.zone
$TTL 3600
$ORIGIN xlc.com.
@ IN SOA ns1.xlc.com. admin.xlc.com. (
20180727
1H
10M
3D
1D
)
IN NS ns1
IN NS ns2
IN MX 10 mx1
IN MX 10 mx2
ns1 IN A 192.168.1.9
ns2 IN A 192.168.1.10
www IN A 192.168.1.9
www IN A 192.168.1.10
web IN CNAME www
mx1 IN A 192.168.1.9
mx2 IN A 192.168.1.10
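A small pre-reload check for a master zone file, as an added example that is not from the original notes. It enforces two rules stated above: the SOA must be the first record, and the serial must be bumped after every edit, since a slave only transfers the zone when the master's serial is higher than its own. The zone file it works on is a constructed copy of the one above, and the script assumes the multi-line SOA layout used there; the check refuses to move the serial backwards, which would silently stop slaves from ever updating.

```shell
#!/bin/sh
# Added example, not from the original notes: validate "SOA first" and bump
# the serial of a master zone file before reloading named. Assumes the
# multi-line SOA layout shown in the notes. Zone content is constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
ZONE="$WORK/xlc.com.zone"

cat > "$ZONE" <<'EOF'
$TTL 3600
$ORIGIN xlc.com.
@ IN SOA ns1.xlc.com. admin.xlc.com. (
        20180727   ; serial
        1H         ; refresh
        10M        ; retry
        3D         ; expire
        1D         ; negative-answer TTL
)
        IN NS ns1
        IN NS ns2
ns1     IN A 192.168.1.9
ns2     IN A 192.168.1.10
www     IN A 192.168.1.9
EOF

# First resource record, skipping blank lines, comments and $directives.
first_record() {
    awk '/^[[:space:]]*$/ || /^[[:space:]]*[;$]/ { next } { print; exit }' "$1"
}

# 0 if the first record is the SOA, 1 otherwise.
soa_is_first() {
    case "$(first_record "$1")" in
        *" SOA "*) return 0 ;;
        *) return 1 ;;
    esac
}

# The serial: first bare integer after the SOA line.
zone_serial() {
    awk 'soa && $1 ~ /^[0-9]+$/ { print $1; exit }
         /[[:space:]]SOA[[:space:]]/ { soa = 1 }' "$1"
}

# Rewrite the serial (default: old + 1). A serial that is not greater than
# the current one is refused, because slaves would never notice the change.
bump_serial() {
    old=$(zone_serial "$1")
    new=${2:-$((old + 1))}
    if [ "$new" -le "$old" ]; then
        echo "refusing: new serial $new is not greater than $old" >&2
        return 1
    fi
    awk -v old="$old" -v new="$new" '
        !done && soa && $1 == old { sub(old, new); done = 1 }
        /[[:space:]]SOA[[:space:]]/ { soa = 1 }
        { print }' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

soa_is_first "$ZONE" && echo "SOA is the first record"
echo "serial before: $(zone_serial "$ZONE")"
bump_serial "$ZONE"
echo "serial after:  $(zone_serial "$ZONE")"
```

After a bump, `rndc reload` on the master and `dig -t axfr xlc.com @192.168.1.10` on the slave (as listed in the notes) confirm the transfer; if the slave's serial stays behind, the serial was not increased.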
4. Set up split-horizon (view-based) DNS
view "internal" {
match-clients { 10.0.0.0/25; };
zone "" {
type
file
};
};