机密性:明文(plaintext)-->转换规则-->加密(ciphertext)算法
完整性:安全
对称加密:使用同一个密钥加密和解密信息,算法计算速度快,安全性彻底依赖于密钥bash
意向加密算法:提取数据特征码(指纹),校验数据的完整性服务器
输入同样,输出必然相同
ssh
雪崩效应:输入的微小改变,将会引发结果的巨大改变
socket
定长输出:不管原始数据是多大,结果大小都是相同的
ide
不可逆:没法根据特征码还原原来的数据
工具
协商生成密码:密钥交换(Internet Key Exchange,IKE),密钥交换须要使用互联网协议支撑,协议以下:测试
diffie-hellman协议(比较早的),工做以下:
ui
A-->B
P ,g(大素数,生成数)
A:x
B: y
A: g^x%p -->B
B: g^y%p -->A
A:(g^y%p)^x=g^yx%p
B:(g^x%p)^y=g^xy%p
共同的密钥为:g^xy%p
非对称加密算法:公钥加密算法
密钥对:
公钥:P
私钥:S
发送方使用本身的私钥加密数据,能够实现身份验证
发送方使用对方的公钥加密数据,能够保证数据机密性
公钥加密算法,不多用来加密数据,速度太慢
PKI:Public key Infrastructure
CA:certificate authority
证书格式:X509,pkcs12
x509包含的信息:
一、公钥及有效期限
二、证书的合法拥有者
三、证书该如何被使用
四、CA的信息
五、CA签名的校验码
PKI:TLS/SSL:X509格式的证书
PKI:OpenGPG:
CRL:CA中证书吊销列表
TLS/SSL Handshake
SSL:secure socket layer
TLS:Transport layer security
对称加密算法:
DES(早期):Data Encrption Standard,56bit
3DES
AES:Advancd Data Encrption Standard,128bit
AES192,AES256,AES512
Blowfish
单向加密:
MD4
MD5:128bit
SHA1:160bit
SHA192,SHA256,SHA384
CRC-32:循环冗余校验
非对称加密,也叫公钥加密:(加密签名)
RSA:便可加密还能够签名
DSA:签名
ElGamal:商业算法
非对称加密的做用:
身份认证(数字签名)
数据加密
密钥交换
管理加密的软件:
Openssl
GPG
OpenSSL:ssl的开源实现
组成部分:
libcrypto:通用加密库
libssl:TLS/SSL的实现
基于会话的,实现了身份认证,数据机密性和会话完整性的TLS/SSL库
openssl:多用途命令行工具
实现私有证书颁发机构
Openssl命令:
speed:测试算法的速度
enc:对文件加密
openssl实现私有CA:
一、生成一对密钥
[root@Centos6 ~]# openssl genrsa -out server.key 1024 Generating RSA private key, 1024 bit long modulus ....................++++++ ....++++++ e is 65537 (0x10001) -----BEGIN RSA PRIVATE KEY----- MIICXQIBAAKBgQDcho9k5FoZj7Q23aFyWbLJAHKeglvRKckyFM//RWjU27xfivNd iPaFmuEJukVeSPA+gTgwuFCk+Uwuwsmq+kqQO1cfNpoGfRgAIHKe8h7ovPr74IT+ 0/wMXeiXtOMN6JMe+jBkqPbnAcqkmqk6tUrOMbj9+4eXWEBB91kBsBBFewIDAQAB AoGBAI9RZB/NyECUhCqkHyiR4v9+qv8Y+VMWNQu3OvZLxbWQmPv+8er3+D8cSORp imucO4ZjtID1SHPvEPPS4/2abJnaXRjl9eMCZzAw1fb4hHXoGVFzdFZ5oeHFaBMT dYxdlOVjDeHOAeq0UorEud2lIbXF6ZPdX+Q2cfqqV6PHVmkBAkEA/uyNWoERKP55 joII65LXJBCIodT3jAXGUoLoJJtO/jzg2Xrh39xowHU0MeY3nji+SUDsvoDYfbW8 R+jyVLXM1QJBAN101xUh8bhwKF+CtwU6bmugDf/CPaDeERuvx9MpW44B+z42ih56 g1CLfbuhiAAvtmz+KdDQfz+TpsoP/8iisQ8CQBF+B+EK9DN86rhlodkQVWTrIYUB SQ85ojctNmK0qYH2iXNC5FbpF+ME59T4uB5KRHxgUR5tVu2hV88TY/V+GBUCQGPJ 0V0hZYVhbJ/VC9lcQgNXJNe5VAHX7seWBqnc+fdcZzTaaJRhSiiSIn7Yw6qp1T75 rCf+u0gPpVlpqi1jOfsCQQDesjYIBgNUlg+HslmgROBA+C1TU2oCuc/s/W3zoz/k +QAKkIWEkiRz0CgF6GK69fKOqZ+hHMMVm4QU+XeQnYZu -----END RSA PRIVATE KEY----- #生成私钥,指定生成算法为rsa,长度为1024 [root@Centos6 ~]# openssl rsa -in server.key -pubout writing RSA key -----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDOvGgRSVCVVH9OyEzLsf0ao/Z4 l+IDfL5BMJTKY2VZiJTnkljNDpcj1ZU3aZbH9S9ScHwGneB76yewUGvAIyLvOIDf 1dK2pSE4oBnaoakLfHA7L/xiYuQjxt4uF0V34mHxAFjeIZpUg2pqhFObdBn/K+xa Z2Nv+Cm6gW6xOhlRqQIDAQAB -----END PUBLIC KEY----- #从私钥指定的文件中生成公钥
二、生成自签署证书
[root@Centos6 ~]# openssl req -new -x509 -key server.key -out server.crt -days 365 You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [XX]:CN State or Province Name (full name) []:shanghai Locality Name (eg, city) [Default City]:shanghai Organization Name (eg, company) [Default Company Ltd]:ogilvy Organizational Unit Name (eg, section) []:Tech Common Name (eg, your name or your server's hostname) []:ogilvy-server Email Address []:caadmin@ogilvy.com [root@Centos6 ~]# ll total 84 drwxr-xr-x. 2 root root 4096 May 8 11:57 Server.bak -rw-------. 1 root root 1394 Apr 21 11:07 anaconda-ks.cfg -rw-------. 1 root root 745 Apr 21 13:00 grub.conf_ -rw-r--r--. 1 root root 45941 Apr 21 11:07 install.log -rw-r--r--. 1 root root 10033 Apr 21 11:04 install.log.syslog -rw-r--r--. 1 root root 1074 May 28 16:30 server.crt -rw-r--r--. 1 root root 891 May 28 16:17 server.key [root@Centos6 ~]# openssl x509 -text -in server.crt #查看证书并以文本方式输出 Certificate: Data: Version: 3 (0x2) Serial Number: 13458625215858170171 (0xbac6a453b457593b) Signature Algorithm: sha1WithRSAEncryption Issuer: C=CN, ST=shanghai, L=shanghai, O=ogilvy, OU=Tech, CN=ogilvy-server/emailAddress=caadmin@ogilvy.com Validity Not Before: May 28 08:30:51 2015 GMT Not After : May 27 08:30:51 2016 GMT Subject: C=CN, ST=shanghai, L=shanghai, O=ogilvy, OU=Tech, CN=ogilvy-server/emailAddress=caadmin@ogilvy.com Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (1024 bit) Modulus: 00:ce:bc:68:11:49:50:95:54:7f:4e:c8:4c:cb:b1: fd:1a:a3:f6:78:97:e2:03:7c:be:41:30:94:ca:63: 65:59:88:94:e7:92:58:cd:0e:97:23:d5:95:37:69: 96:c7:f5:2f:52:70:7c:06:9d:e0:7b:eb:27:b0:50: 6b:c0:23:22:ef:38:80:df:d5:d2:b6:a5:21:38:a0: 19:da:a1:a9:0b:7c:70:3b:2f:fc:62:62:e4:23:c6: de:2e:17:45:77:e2:61:f1:00:58:de:21:9a:54:83: 6a:6a:84:53:9b:74:19:ff:2b:ec:5a:67:63:6f:f8: 29:ba:81:6e:b1:3a:19:51:a9 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Subject Key Identifier: 69:21:70:6E:30:FC:33:BA:07:5E:69:97:17:90:02:DD:4E:3E:46:13 X509v3 Authority Key Identifier: keyid:69:21:70:6E:30:FC:33:BA:07:5E:69:97:17:90:02:DD:4E:3E:46:13 X509v3 Basic Constraints: CA:TRUE Signature Algorithm: sha1WithRSAEncryption 32:06:9d:be:4d:28:3d:3f:dc:6a:53:b1:9f:9d:b8:8c:6e:4a: 89:6d:85:a6:e7:eb:2c:e8:11:5c:60:1c:35:c7:c8:e8:88:13: 25:15:2b:f7:ad:c9:29:10:db:5f:53:98:b3:c5:a9:96:2b:0b: 3b:8c:af:0a:2f:2d:a4:04:d0:5b:a1:5a:e3:a4:22:26:15:27: fb:65:9c:ec:ac:72:24:23:d5:49:d9:89:bb:cd:03:ca:c6:2f: ca:dd:a9:49:90:30:f3:4f:a7:13:19:a6:55:fb:77:9f:8f:6c: f8:4d:89:a2:03:f6:d2:36:8a:eb:3e:31:49:f6:07:5e:22:dd: ee:ef -----BEGIN CERTIFICATE----- MIIC7DCCAlWgAwIBAgIJALrGpFO0V1k7MA0GCSqGSIb3DQEBBQUAMIGOMQswCQYD VQQGEwJDTjERMA8GA1UECAwIc2hhbmdoYWkxETAPBgNVBAcMCHNoYW5naGFpMQ8w DQYDVQQKDAZvZ2lsdnkxDTALBgNVBAsMBFRlY2gxFjAUBgNVBAMMDW9naWx2eS1z ZXJ2ZXIxITAfBgkqhkiG9w0BCQEWEmNhYWRtaW5Ab2dpbHZ5LmNvbTAeFw0xNTA1 MjgwODMwNTFaFw0xNjA1MjcwODMwNTFaMIGOMQswCQYDVQQGEwJDTjERMA8GA1UE CAwIc2hhbmdoYWkxETAPBgNVBAcMCHNoYW5naGFpMQ8wDQYDVQQKDAZvZ2lsdnkx DTALBgNVBAsMBFRlY2gxFjAUBgNVBAMMDW9naWx2eS1zZXJ2ZXIxITAfBgkqhkiG 9w0BCQEWEmNhYWRtaW5Ab2dpbHZ5LmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAw gYkCgYEAzrxoEUlQlVR/TshMy7H9GqP2eJfiA3y+QTCUymNlWYiU55JYzQ6XI9WV N2mWx/UvUnB8Bp3ge+snsFBrwCMi7ziA39XStqUhOKAZ2qGpC3xwOy/8YmLkI8be LhdFd+Jh8QBY3iGaVINqaoRTm3QZ/yvsWmdjb/gpuoFusToZUakCAwEAAaNQME4w HQYDVR0OBBYEFGkhcG4w/DO6B15plxeQAt1OPkYTMB8GA1UdIwQYMBaAFGkhcG4w /DO6B15plxeQAt1OPkYTMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADgYEA Mgadvk0oPT/calOxn524jG5KiW2FpufrLOgRXGAcNcfI6IgTJRUr963JKRDbX1OY s8WplisLO4yvCi8tpATQW6Fa46QiJhUn+2Wc7KxyJCPVSdmJu80DysYvyt2pSZAw 80+nExmmVft3n49s+E2JogP20jaK6z4xSfYHXiLd7u8= -----END CERTIFICATE----- [root@Centos6 ~]#
创建根服务器步骤:
[root@Centos6 private]# openssl genrsa -out cerkey.pem 2048 #建立私钥 Generating RSA private key, 2048 bit long modulus .................................................................+++ .......................................+++ e is 65537 (0x10001) [root@Centos6 private]# ll total 4 -rw-r--r--. 1 root root 1679 May 28 17:05 cerkey.pem [root@Centos6 private]# chmod 600 cerkey.pem [root@Centos6 private]# ls cerkey.pem [root@Centos6 private]# ll total 4 -rw-------. 1 root root 1679 May 28 17:05 cerkey.pem [root@Centos6 private]# cd .. [root@Centos6 CA]# ls certs crl newcerts private [root@Centos6 CA]# openssl req -new -x509 -key private/cerkey.pem -out cacert.pem #自签名证书创建 You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [CN]: #预设信息能够从配置文件中修改 shanghai []: Locality Name (eg, city) [shanghai]: Organization Name (eg, company) [ogilvy]: Tech []: Common Name (eg, your name or your server's hostname) []:ogilvyserver01 Email Address []:caadmin@ogilvy.com [root@Centos6 CA]# ll total 20 -rw-r--r--. 1 root root 1334 May 28 17:08 cacert.pem drwxr-xr-x. 2 root root 4096 Oct 15 2014 certs drwxr-xr-x. 2 root root 4096 Oct 15 2014 crl drwxr-xr-x. 2 root root 4096 Oct 15 2014 newcerts drwx------. 2 root root 4096 May 28 17:05 private [root@Centos6 CA]# touch index.txt serial #创建索引文件及序列文件 [root@Centos6 CA]# echo 01 > serial #输入起始序号 [root@Centos6 CA]#
完整建立CA自签证书并使用客户端证书请求颁布证书:
[root@Centos6 ~]# cd /etc/pki/CA/private/ [root@Centos6 private]# ls [root@Centos6 private]# openssl genrsa -out cakey.pem 2048 #建立根证书私钥 Generating RSA private key, 2048 bit long modulus ....................+++ ........+++ e is 65537 (0x10001) [root@Centos6 CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem #使用私钥建立自签证书 You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [CN]: State or Province Name (full name) [shanghai]: Locality Name (eg, city) [shanghai]: Organization Name (eg, company) [ogilvy]: Organizational Unit Name (eg, section) []:Tech Common Name (eg, your name or your server's hostname) []:www.btsbox.com Email Address []: [root@Centos6 CA]# touch index.txt #根据/etc/pki/tls/openssl.cnf文件建立相应的文件和目录 [root@Centos6 CA]# touch serial [root@Centos6 CA]# echo 01 > serial #对serial给一个起始序列号 [root@Centos6 CA]# cat serial 01 [root@Centos6 tmp]# mkdir httpd/tls -p #模拟HTTP服务,申请CA证书 [root@Centos6 tmp]# cd httpd/tls/ [root@Centos6 tls]# openssl genrsa -out httpd.key 2048 #申请本身的私钥 Generating RSA private key, 2048 bit long modulus ...........................................+++ ........................................................+++ e is 65537 (0x10001) [root@Centos6 tls]# openssl req -new -key httpd.key -out httpd.csr #使用本身的私钥建立CA签证请求(即导出公钥给对方,让对方在公钥上进行签名) You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [CN]: State or Province Name (full name) [shanghai]: Locality Name (eg, city) [shanghai]: Organization Name (eg, company) [ogilvy]: Organizational Unit Name (eg, section) []:Tech Common Name (eg, your name or your server's hostname) []:www.btsbox.com Email Address []: Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []: [root@Centos6 tls]# openssl ca -in httpd.csr -out httpd.crt -days 365 #在CA服务器端使用CA证书对客户端httpd.crt请求进行签名,有效期指定为365天。 Using configuration from /etc/pki/tls/openssl.cnf Check that the request matches the signature Signature ok Certificate Details: Serial Number: 1 (0x1) Validity Not Before: Jun 4 08:25:27 2015 GMT Not After : Jun 3 08:25:27 2016 GMT Subject: countryName = CN stateOrProvinceName = shanghai organizationName = ogilvy organizationalUnitName = Tech commonName = www.btsbox.com X509v3 extensions: X509v3 Basic Constraints: CA:FALSE Netscape Comment: OpenSSL Generated Certificate X509v3 Subject Key Identifier: 1F:DA:7A:B4:3E:3F:34:30:AC:4F:36:92:D1:10:83:8C:C3:B6:F7:11 X509v3 Authority Key Identifier: keyid:53:7F:4C:E4:D6:53:F2:75:2B:CD:ED:45:70:3D:A7:1D:DA:37:18:CF Certificate is to be certified until Jun 3 08:25:27 2016 GMT (365 days) Sign the certificate? [y/n]:y 1 out of 1 certificate requests certified, commit? [y/n]y Write out database with 1 new entries Data Base Updated [root@Centos6 tls]# cat /etc/pki/CA/serial #CA签发的序列号自动增长一位 02
Openssh服务:
ssh:客户端
sshd:服务端
配置文件:/etc/ssh/sshd_config,服务端配置文件
/etc/ssh/ssh_config,客户端配置文件
/etc/ssh/sshd_config配置文件说明:
AddressFamily any :在哪上类服务提供服务,如IPV4 ,IPV6,any表示均可以
ListenAddress 0.0.0.0:哪一个地址提供服务,0.0.0.0表示都提供
KeyRegenerationInterval 1h:私钥从新生成间断
ServerKeyBits 768 :服务器端私钥长度为768位
LoginGraceTime 2m :登录的宽限期,输入账户后输入密码的间隔
PermitRootLogin yes:以否容许root用户登录
StrictModes yes :以否使用严格模式
MaxAuthTries 6 :设置错误登录密码的次数
RSAAuthentication yes :是否支持rsa认证
PubkeyAuthentication yes :是否私钥认证
AuthorizedKeyFile .ssh/authorized_key:存放公钥的文件路径,与上一条目结合使用
PasswordAuthentication yes:是否支持密码认证
ChallengeResponseAuthentication no :是否启用挑战式握手式认证
UsePAM yes:用户验证PAM文件
Subsystem sftp /usr/lib/openssh/sftp-server
ssh客户端使用:
ssh -l root 127.0.0.1: -l指定用户名
或者 ssh Username@Remote_HOST
ssh root@127.0.0.1 'ifconfig':在远程主机上执行命令,并把结果返回到本机。
-x:Enable x11 forwarding,不启用加密
-y:Enable trusted x11 forwarding,启用加密
基于密钥的认证:
一台主机为客户端(基于某个用户实现)
一、生成一对密钥
ssh-keygen -t(指定加密算法)rsa\dsa
-t:指定算法
-f:保存文件及路径
-N:'password'
ssh-keygen -t rsa -f /root/.ssh/id_rsa -N ''
二、将公钥传输到服务器端某用户的家目录下.ssh/authorized_keys文件中
使用文件传输工具(ssh-copy-id,scp)
ssh-copy-id -i /path/to/pubkey USERNAME@REMETO_HOST
ssh-copy-id -i /root/.ssh/id_rsa.pub root@172.0.0.1
三、测试登录
SCP:基于ssh的远程复制命令,能够实现主机之间传输数据
scp [options] SRC DEST
-r:递归
-a:保存信息并复制文件及目录
REMOTE_MACHINE
USERNAME@HOSTNAME:/PATH/TO/SOMEFILE