本文共 15123 字,大约阅读时间需要 50 分钟。
数据安全由NIST(美国国家标准技术研究研究)提出, 主要有三个方面:
数据最主要的风险是安全***, 分为主动***和被动***:
安全服务主要有以下几个特点:
加密和解密使用同一个密钥的方法就是对称加密, 现目前流行的对称加密算法有如下:
对称加密的特性:
对称加密的缺陷:
公钥加密的秘钥是成对出现, 一个公钥(Pubkey), 一个私钥(Secret key); 公钥可以公开给任何人, 自己留存私钥, 但是必须要保证秘钥的私密性.
公钥加密的特点: 用公钥加密的数据, 只能使用与之配对的私钥解密; 反之亦然.
公钥加密的用途:
只能加密, 不能解密的加密方法称之为单向加密, 单向加密是通过提取数据指纹来生成一串随机子串.
单向加密具有如下特点:
单向加密算法有如下:
单向加密主要用于验证数据的完整性.
密钥交换(Internet Key Exchange), 可以使用公钥加密和Diffie-Hellman算法进行.
PKI(Public Key Infastructure)是一种遵循标准和利用公钥加密技术为电子商务的开展提供一套安全基础平台的技术和规范, 由以下几个组件组成:
PKI的x.509标准定义了证书的结构, 以及证书的协议标准, 如下所示:
SSL(Secure Socket Layer)中文名是安全套接字层, 由网景(Netscape)公司设计, 用于对互联网上发送的数据进行加密, 防止数据在传输过程中被嗅探和篡改; 由于SSL的广泛应用, 在1999年由IETF(The Internet Engineering Task Force, 国际互联网工程任务组)将其标准化, 标准化之后改名为TLS(Transport Layer Security, 传输层安全协议), SSL的发展历程如下:
SSL/TLS采用分层设计, 总共分四层, 最底层为基础算法原语的实现(aes, rsa, md5); 向上一层为各种算法的实现; 在向上一层为组合算法实现的变成品; 最顶层为用各种组件拼接二次的种种成品密码学协议/软件(TLS, SSH).
OpenSSL是SSL的开源实现, 由三个组件组成:
openssl - 多用途命令行工具
# 用法: openssl command [command_options] [command_ args]# 查看程序版本号: openssl version[root@docker-package ~]# openssl versionOpenSSL 1.0.2k-fips 26 Jan 2017
openssl的命令分为三类, 标准命令、消息摘要命令和加密命令, 可以直接使用man openssl命令查看相关说明.
# enc命令:# 加密: oepnssl enc -e 加密算法 -a -salt -in /PATH/TO/FILE -out /PATH/TO/FILE.OUT # 加密算法: 使用oepnssl enc ?查看[root@docker-package ~]# openssl enc -e -aes256 -salt -in /etc/fstab -out /tmp/fstab.cipherenter aes-256-cbc encryption password: # 输入密码Verifying - enter aes-256-cbc encryption password: # 再次输入密码[root@docker-package ~]# cat /tmp/fstab.cipherSalted__$ҸB8htR'Bnd)tϔbv;|ΖH=1PW
# 用法: oepnssl dgst 加密算法 FILE[root@docker-package ~]# openssl dgst -sha512 /etc/fstab SHA512(/etc/fstab)= 69005c142d6b7d0cd37433c17709baa65b843da2fd242d5ceef135c57565a67a683064d7b83da19bd9ea4cb0553eb0a3a81e8639d977fcd515f2850fdff7929d
# 用法: openssl passwd [OPTIONS] [PASSWORDS] # OPTIONS: # -crypt: 标准unix密码算法, 默认 # -1: 基于MD5的密码算法 # -slat string: 使用私有的salt # 更多请自行man# 在最后直接更上密码会直接返回加密后的密码, 不跟上密码则会进入交互式的密码输入[root@docker-package ~]# openssl passwd newmedianECdgB7ycMZRI[root@docker-package ~]# openssl passwdPassword: Verifying - Password: uMYOK7Q9rexkY[root@docker-package ~]# openssl passwd -1 -salt sdfjle newpass$1$sdfjle$rFYuazowo.o0yWgnNrhdL/
# 用法: openssl rand -base64|-hex NUM(字节数, -hex时, 每个字符4位, 出现的字符数为NUM*2)[root@docker-package ~]# openssl rand -base64 32P4kboBNrBYyKoJ8T8ISZxlcbjKY2Jd81qyxFLBbV0Io=[root@docker-package ~]# openssl rand -hex 18 77e90f2e4f136dbcd4e8819c636c77d0e17a# 在上一个生成用户密码的示例中的salt就可以用随机数来生成[root@docker-package ~]# openssl passwd -1 -salt $(openssl rand -base64 6)Password: $1$u1ieZgLy$DXFW2JjJPWWS2iD45Kfbj.
# 生成密钥对: openssl genrsa -out /PATH/TO/PRIVATEKEY.FILE NUM_BITS[root@docker-package ~]# openssl genrsa -out /tmp/mykey.pri 2048Generating RSA private key, 2048 bit long modulus........+++....+++e is 65537 (0x10001)[root@docker-package ~]# cat /tmp/mykey.pri -----BEGIN RSA PRIVATE KEY-----MIIEowIBAAKCAQEAusWeo507dh7PcXyvEejKEd5ABGWhRlNwitjWsuf6rdEMpTM/QO95QgzU39/HZfOSgnjBibOYNc/g7jvKGbY6JbRtdmvDIjM6HtZo+tsY1zx3kC3qh2iZyM2dlVwLzbnnmwTFgugwK015nkd1CQ62pVHvZRBFn9XvZaVfDbk1c4aAHKW7JX8CRGNi4GVJSG1Tn5sPRA8prcI2Ms/SOChzrAt7WcyidKjTrtBJ0vrET9vgF5reFmfE9jEfJZjRRkJu4T09thTCwHlZfcEmUYFLwNzGWhoPmMOq1BU58wR+k1paRZ4Q0/Whl4Lp/8DJf/0HlgDlpAUMf/eO9MiWFhnFQQIDAQABAoIBAH6HTpds91FoQgSSAVBSskI0nI3eA8nO0RlfGOQOwAZs7vIjq6BkG3Ohmb0orr7kqcZ15DdTUbRy5eC+5IVSrEXK27Uz//f1WFR30JrRPxzhO+aTFKUzOauNkEoVF3IBlWOxcdTjU26ih9ewdRrzusx4m4ON6H0Fw67Kv4BejlV6CpxmkHFH89/8D//CJVm2DFd2WjKFpEfeteGuGFZUvdAXfMrLDGADo9w78F9viMrlRANRR9u8NSwdw/dtfJuNQ3qeOmN9ZXOgOpZG1fQ1W222gVM63trsiaZeE+zduk9+K59JG9y5NDOKVOFC7TavmK8FdWRjHVL7j5C0UylIMxkCgYEA3HgOegkRLJTKnlWPzyyj1lw7QMFnxuw4fisPgmHmuHawiFL7PV8dxREy40PnYx88ZEYfEOsYq//5IiZc1E1r+ET8Ts2Oj3BkR6PgrEvQGNJlDQspQxqZBunls+hcQY9ULwiyQFHTdMoJ+av2Nds8A1q9AHNk4CrSar2WmTMPsEMCgYEA2N9RGZpnI7NbR2i4o/WM3XF8pnpCawQJn02lqUP6XsBMJgr1eM8ylXvWsDe7hACyCJM811ibQu/EUkITxpS0qC0BcYiRODsqPckIKDgpEK/KllJXaRZ2Wz8BZMoOf27sZl2t8y+pYgq0XGto+m5UXXxrpNSY1DRAJXiYGtxmjisCgYEAnEzJBp9y+4Yo94N1Rs1BAfG1WD1FU3OYwWnJvwelSFVs5djeoS3Tryh4SUKUwmMcr4I++AGUJix89Ub5PNH+n65YqY11ah+mGFwIJl5BE7flSBAHmrk6j/o2jQtIjHoOlqG1rX/VR9EMrWLKVHgu3bnwkGc+tuXk8yOhps7aan0CgYBEdpMyovSmZ4uMSnnngK/8hEQWhggLopWrDacbfVM/sDMZ22HMxpQwbozCyoVO0a1iWaDeVqGFCw4N7cAyc2VopfSLs9IsTzkxkhIaKEiGdQheVhY0HZw1h/lXqRXUkt7cHfy5BbXSNpDjkCDu1f+aF5ofyeGJNAmACsbxy9wwSwKBgCNiFDKDb3EekPUTfosmENGiWkCo+Q+f/Rr8PBUM7BAdFhDr3k5k+07Wl+Yxfm6qz+I/sC6I1wrozhFWabeRfAMY7e5KYn5z027KAFOaZ4L9XgZrojg/vyPclqjqodTuCS3YynEwk5AZLa4Ym24qtyzBEkl+afZRlmYr9wIV61O8-----END RSA PRIVATE KEY-----# 提取出公钥: openssl rsa -in /PATH/TO/PRIVATEKEY.FILE -pubout[root@docker-package ~]# openssl rsa -in /tmp/mykey.pri -pubout -out /tmp/mykey.pubwriting RSA key[root@docker-package ~]# cat /tmp/mykey.pub-----BEGIN PUBLIC KEY-----MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAusWeo507dh7PcXyvEejKEd5ABGWhRlNwitjWsuf6rdEMpTM/QO95QgzU39/HZfOSgnjBibOYNc/g7jvKGbY6JbRtdmvDIjM6HtZo+tsY1zx3kC3qh2iZyM2dlVwLzbnnmwTFgugwK015nkd1CQ62pVHvZRBFn9XvZaVfDbk1c4aAHKW7JX8CRGNi4GVJSG1Tn5sPRA8prcI2Ms/SOChzrAt7WcyidKjTrtBJ0vrET9vgF5reFmfE9jEfJZjRRkJu4T09thTCwHlZfcEmUYFLwNzGWhoPmMOq1BU58wR+k1paRZ4Q0/Whl4Lp/8DJf/0HlgDlpAUMf/eO9MiWFhnFQQIDAQAB-----END PUBLIC KEY-----# 对文件签名, 文件内容不能太长[root@docker-package ~]# echo "hello" > /tmp/fstab# 将以16进制格式输出[root@docker-package ~]# openssl rsautl -sign -inkey /tmp/mykey.pri -in /tmp/fstab -hexdump0000 - 6f 6c c5 ca 30 c0 f3 fd-fd 8d 7f da 43 80 12 e2 ol..0.......C...0010 - 28 cf 29 88 10 d9 3a 31-70 e2 bc 48 7f 20 5a 09 (.)...:1p..H. Z.0020 - c3 f8 cd 35 6b e0 f6 77-f2 45 38 16 95 b9 62 5d ...5k..w.E8...b]0030 - 7d ac 4e 0f f9 9a 47 42-cd 99 ea 41 f9 c3 80 02 }.N...GB...A....0040 - 74 a3 ae 51 e3 51 13 a3-1e 48 ee f7 63 9e 34 84 t..Q.Q...H..c.4.0050 - f7 1b 29 cf 14 c8 bc a9-b9 97 6d f2 7e 72 05 f2 ..).......m.~r..0060 - 33 f6 27 f6 34 34 ab 65-0b a8 a7 8b 84 48 38 fc 3.'.44.e.....H8.0070 - 21 48 e3 78 9d 1e b3 53-e1 07 21 25 2b 11 cf cb !H.x...S..!%+...0080 - 74 4e 3e 49 0e 7c 89 4c-78 5b 3f 2c 5a 6a b3 b2 tN>I.|.Lx[?,Zj..0090 - fb f1 72 95 9a 9a 0b 74-21 c5 8f 22 f4 e6 56 3f ..r....t!.."..V?00a0 - 4d d5 1e 16 bb 21 73 52-7a 3e 15 3b e9 3e ea 62 M....!sRz>.;.>.b00b0 - ad 74 21 7f 4a bd 6e 41-0b f7 33 08 4b 7b ba a7 .t!.J.nA..3.K{..00c0 - 66 e1 ae 47 10 f1 95 d6-40 6c 77 36 1c 80 54 b4 f..G....@lw6..T.00d0 - 27 63 69 89 09 9c e1 f4-5a f9 b7 50 a4 3e 03 26 'ci.....Z..P.>.&00e0 - 12 06 0f f7 70 b6 df 4b-d7 7b cc 07 22 b7 dd b0 ....p..K.{.."...00f0 - 5b ef ea 54 3d 70 07 e4-ca e3 a6 fc ce ed 35 40 [..T=p........5@# 输出到自定文件[root@docker-package ~]# openssl rsautl -sign -inkey /tmp/mykey.pri -in /tmp/fstab -out /tmp/fstab.s# 验证签名[root@docker-package ~]# openssl rsautl -verify -inkey /tmp/mykey.pri -in /tmp/fstab.s hello# 公钥加密[root@docker-package ~]# openssl rsautl -encrypt -pubin -inkey /tmp/mykey.pub -in /tmp/fstab -out /tmp/fstab.lock[root@docker-package ~]# cat /tmp/fstab.lockkn&O Z`%1ƈfffNrhې|¹|7xjFs#P6q&`2˦b# 私钥解密[root@docker-package ~]# openssl rsautl -decrypt -inkey /tmp/mykey.pri -in /tmp/fstab.lock hello[root@docker-package ~]# openssl rsautl -decrypt -inkey /tmp/mykey.pri -in /tmp/fstab.lock -out /tmp/fstab1[root@docker-package ~]# cat /tmp/fstab1hello 建立私有CA有两个工具可以使用:
证书申请及签署总共有四步:
openssl的配置文件定义了CA的位置, 证书存放路径和默认加密算法类型等, 路径为/etc/pki/tls/openssl.conf
# 创建所需要的文件, 仅第一次需要[root@docker-package CA]# touch index.txt[root@docker-package CA]# echo 01 > serial# 生成证书[root@docker-package CA]# (umask 077; openssl genrsa -out /etc/pki/CA/private/testcert.pem 2048)Generating RSA private key, 2048 bit long modulus.............................................................................................................+++....................................................+++e is 65537 (0x10001)# 证书自签[root@docker-package CA]# openssl req -new -x509 -key /etc/pki/CA/private/testcert.pem -days 365 -out /etc/pki/CA/testcacert.pem You are about to be asked to enter information that will be incorporatedinto your certificate request.What you are about to enter is what is called a Distinguished Name or a DN.There are quite a few fields but you can leave some blankFor some fields there will be a default value,If you enter '.', the field will be left blank.-----Country Name (2 letter code) [XX]:CNState or Province Name (full name) []:SiChuanLocality Name (eg, city) [Default City]:ChengduOrganization Name (eg, company) [Default Company Ltd]:HuaQiYunOrganizational Unit Name (eg, section) []:OpsCommon Name (eg, your name or your server's hostname) []:ca.leistudy.comEmail Address []:mail.leistudy.com # -new: 生成新证书签署请求 # -509: 专用于CA生成自签证书 # -key: 生成 请求时用到的私钥文件 # -days n: 证书的有效期限 # -out /PATH/TO/SOMECERTFILE: 证书的保存路径# 用到证书的主机生成证书请求[root@docker-package CA]# cd /etc/httpd/[root@docker-package httpd]# mkdir ssl[root@docker-package httpd]# cd ssl/[root@docker-package ssl]# ls[root@docker-package ssl]# (umask 077; openssl genrsa -out httpd.key 2048)Generating RSA private key, 2048 bit long modulus...............................+++..................................+++e is 65537 (0x10001)[root@docker-package ssl]# openssl req -new -key httpd.key -days 365 -out httpd.csrYou are about to be asked to enter information that will be incorporatedinto your certificate request.What you are about to enter is what is called a Distinguished Name or a DN.There are quite a few fields but you can leave some blankFor some fields there will be a default value,If you enter '.', the field will be left blank.-----Country Name (2 letter code) [XX]:CNState or Province Name (full name) []:SiChuanLocality Name (eg, city) [Default City]:ChengduOrganization Name (eg, company) [Default Company Ltd]:MycompanyOrganizational Unit Name (eg, section) []:ITCommon Name (eg, your name or your server's hostname) []:www.leistudy.comEmail Address []:httpadmin.leistudy.comPlease enter the following 'extra' attributesto be sent with your certificate requestA challenge password []:An optional company name []:# 把请求文件传输给CA[root@docker-package ssl]# scp httpd.csr root@192.168.123.132:/tmp/# NOTE: 这里测试用的scp, 不代表一定使用此方式# 查看证书信息openssl x509 -in /PATH/FROM/CERT_FILE -noout -serial -subject# 签署证书, 并将证书发还给客户端[root@docker-package tmp]# openssl ca -in /tmp/httpd.csr -out /tmp/httpd.crt -days 365Using configuration from /etc/pki/tls/openssl.cnfCheck that the request matches the signatureSignature okCertificate Details: Serial Number: 1 (0x1) Validity Not Before: Mar 27 06:48:43 2018 GMT Not After : Mar 27 06:48:43 2019 GMT Subject: countryName = CN stateOrProvinceName = SiChuan organizationName = HuaQiYun organizationalUnitName = IT commonName = www.leistudy.com emailAddress = httpadmin.leistudy.com X509v3 extensions: X509v3 Basic Constraints: CA:FALSE Netscape Comment: OpenSSL Generated Certificate X509v3 Subject Key Identifier: 5F:35:94:FA:4F:6B:CE:FF:24:C6:ED:E8:6D:A6:78:0B:88:09:59:92 X509v3 Authority Key Identifier: keyid:53:3D:29:41:A5:1A:2E:83:2B:86:39:14:C9:6C:3C:34:22:73:F9:FECertificate is to be certified until Mar 27 06:48:43 2019 GMT (365 days)Sign the certificate? [y/n]:y1 out of 1 certificate requests certified, commit? [y/n]yWrite out database with 1 new entriesData Base Updated
# 获取要吊销的证书的serial: openssl x509 -in /PATH/FROM/CERT_FILE -noout -serial -subject[root@docker-package CA]# openssl x509 -in /tmp/httpd.crt -noout -serial -subjectserial=01subject= /C=CN/ST=SiChuan/O=HuaQiYun/OU=IT/CN=www.leistudy.com/emailAddress=httpadmin.leistudy.com# CA端根据客户端提交的serial与subject信息, 对比校验是否与index.txt文件中的信息一致# 吊销证书: openssl ca -revoke /etc/pki/CA/newcerts/SERIAL.pem[root@docker-package CA]# openssl ca -revoke /etc/pki/CA/newcerts/01.pem Using configuration from /etc/pki/tls/openssl.cnfRevoking Certificate 01.Data Base Updated# 生成吊销证书的编号(一次吊销一个证书)[root@docker-package CA]# echo 01 > /etc/pki/CA/crlnumber# 更新证书吊销列表: openssl ca -gencrl -out thisca.crl[root@docker-package CA]# openssl ca -gencrl -out /etc/pki/CA/thisca.crl# 查看crl文件[root@docker-package CA]# openssl crl -in thisca.crl -noout -textCertificate Revocation List (CRL): Version 2 (0x1) Signature Algorithm: sha256WithRSAEncryption Issuer: /C=CN/ST=SiChuan/L=Chengdu/O=HuaQiYun/OU=Ops/CN=ca.leistudy.com/emailAddress=mail.leistudy.com Last Update: Mar 27 06:55:01 2018 GMT Next Update: Apr 26 06:55:01 2018 GMT CRL extensions: X509v3 CRL Number: 1Revoked Certificates: Serial Number: 01 Revocation Date: Mar 27 06:53:29 2018 GMT Signature Algorithm: sha256WithRSAEncryption 2c:29:ac:55:aa:46:e0:d5:8e:e9:3c:cb:3f:2d:17:72:ce:11: 1c:1a:42:72:02:0f:e5:d8:32:d7:32:37:86:1f:fe:82:6e:f9: 49:d3:5d:b1:5c:0a:7c:06:69:6b:49:a6:21:10:1d:b2:82:b7: 6c:dc:18:65:99:ef:c6:0f:b4:db:fd:ed:6d:33:33:02:d0:7d: ba:8a:37:70:62:5d:9f:22:42:fc:60:87:7a:d5:48:1b:6c:1d: 5d:bb:fd:2e:8f:8e:fd:9a:4d:d6:19:6c:31:28:f1:0f:28:b0: 52:b6:7f:84:af:25:20:e9:28:16:fe:fb:2d:ab:0e:e1:22:03: a9:d8:42:08:27:ec:de:10:11:6c:b0:30:3e:55:91:48:d0:1b: 4b:12:7d:c2:31:cd:85:bf:8b:90:b2:35:c3:35:ad:eb:63:a9: a5:f2:65:50:63:69:3d:ee:73:51:0b:97:3b:d4:77:47:38:3b: 1d:f0:84:8c:00:02:d3:57:8b:b3:33:b3:c6:f0:4a:5b:86:d2: 3a:55:c2:cd:bf:6a:c6:01:31:aa:61:c5:bf:fb:37:8b:86:02: e6:24:db:47:72:17:24:4b:aa:49:98:8b:ae:2c:01:24:b5:dd: e9:e7:a6:ab:6c:a3:cb:d4:d2:c4:d5:dc:58:00:e8:33:7a:b2: 24:fe:9d:d8
转载于:https://blog.51cto.com/13501622/2091617