? ? ? 數據非常重要，這是大家的共識，為了保證數據的安全，就會涉及到加密及其解密，本文主要介紹加密

解密相關概念及其在Linux平臺下加密解密的具體實現openssl基礎，及openssl創建CA和簽發證書：

? ? ?一：加密解密框架

? ? ?二：openssl的基礎

? ? ?三 : openssl的應用：創建CA和發證

---

一：A 加密解密

? ?分類：對稱加密，非對稱加密，單向加密

? ? ? a對稱加密:才用單鑰密碼系統的加密方法,同一密鑰可以同時加密和解密,這種方式也叫對稱加密.加密的安全

性不僅取決于算法,也取決于密鑰的傳遞,因此對稱加密的密鑰的傳遞也會影響加密.

? ? ? ? ?優點是這種加密速度快,缺點是密鑰難于管理(一對一的關系)和傳遞

? ? ? ? ?常見的加密對稱加密有:DES(56bits),3DES,AES(128bits),Blowfish,Twofish,IDEA,RC6,CAST5,Serpent

? ? ? b非對稱加密:非對稱加密需要公鑰和私鑰,公開密鑰與私有密鑰是一對

? ? ? ? ? 優點:安全 缺點:加密速度較慢

? ? ? ? ? 用途:密鑰的交換

? ? ? c單向加密:生存數據的特征碼,不可逆,可驗證數據的完整性

? ? ? ? ?常見的單向加密算法有:MD5,SHA1,SHA512,CRC-32

? ? ? ? ? 特征:雪崩效應

? ? ? ? ? ? ? ? ?定長輸出

? ? ? ? 三者相互關系:用公鑰加密實現身份認證,單向加密實現數據完整性,對稱加密實現數據機密性

? ? B:PKI:PKI(public key infranstructure) ?即"公鑰基礎設施" ,簡單來說,PKI就是利用公鑰理論和技術建立的提供

? ? ?安全服務的基礎設施. ?

? ? ? ? ? X509:證書格式

? ? ? ? ? 公鑰及其有效期限

? ? ? ? ? 證書的合法擁有者

? ? ? ? ? 證書該如何被使用

? ? ? ? ? CA的信息

? ? ? ? ? CA簽名的校驗碼

? ? ?C通信過程加密機制:

? ? ? ? ? ?A發送方: ?

? ? ? ? ? ?1.計算數據的特征碼(單向加密);

? ? ? ? ? ?2.用自己的私密加密特征碼,并附加在數據后面

? ? ? ? ? ?3.生成一個臨時對稱密鑰

? ? ? ? ? ?4.用此密鑰結合某算法加密數據及加密后的特征碼;

? ? ? ? ? ?5.對接收方的公鑰機密此對稱密鑰,并附加加密后的數據后面;

? ? ? ? ? ?6.發送至接收方;

? ? ? ? ? ?B接收方:

? ? ? ? ? ?1 用自己的私鑰解密加密的對稱密碼

? ? ? ? ? ?2 用對稱密鑰解密數據;

? ? ? ? ? ?3 用對方的公鑰解密加密的特征碼

? ? ? ? ? ?4 用同樣的算法計算數據的特征碼,并與解密而來的特征碼進行比較

二:openssl基礎

? ? ? ? ?為網絡通信提供安全及數據完整性的一種安全協議,包含了主要的密碼算法,常用的密鑰和證書封裝管理

功能以及SSL協議,并提供了豐富的應用程序供測試或者其它目的使用

? ? ? ? ?libecrypto: 通用功能的加密庫

? ? ? ? ?libssl:用于實現TLS/SSL的功能

? ? ? ? ?openssl:多功能命令行工具

? ? ? ? ? ? ? ? ? ? 生成密鑰.創建數字證書,手動加密解密數據

? ? ? ? 加密: openssl enc -des3 -a -salt -in /etc/fastab -out /tmp/fstab.cipher

? ? ? ? 解密: openssl enc -d -dec3 -a -salt -in /tmp/fstab.cipher -out /tmp/fstab

? ? ? ? ? ? ? ?enc 為對稱密 -des3表示已des3的方式進行加密，-salt表示密碼中加入一些鹽

? ? ? ? ? ? openssl dgst [-md5|-md4|-md2|-sha1|-sha1|-mdc2|-ripemd160|-dss1] [-out filename] /path/to/somefile

? ? ? ? ? ? ? ?dgst 為才用單向加密， 后面為接的算法 -out 為輸出文件 /path/to/somefile 為源文件

三：CA的創建及簽發證書

? ? ? ? ? ? ? 數字證書是互聯網通訊中標識通訊2各方身份信息的一串數字，提供了一種在internet上驗證通信實體身份的方式，一般用CA簽發，人們

可以利用通過數字證書來驗證對方的身份，面以apache為例來說明CA的創建和簽發及其吊銷數字證書

? ? ? ? ? ? server 簽發CA端 （192.168.2.3）端操作：

[root@localhost ~]# cd /etc/pki/CA/ [root@localhost CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048) Generating RSA private key, 2048 bit long modulus ..............+++ ...................................................+++ e is 65537 (0x10001) [root@localhost CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3650 You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [XX]:cn State or Province Name (full name) []:hn Locality Name (eg, city) [Default City]:zz Organization Name (eg, company) [Default Company Ltd]:ma Organizational Unit Name (eg, section) []:linux Common Name (eg, your name or your server's hostname) []:ca.limeizhi.com Email Address []:8@qq.com [root@localhost CA]# [root@localhost CA]# [root@localhost CA]# touch index.txt serial crlnumber [root@localhost CA]# echo 01 > serial [root@localhost CA]# cp /root/httpd.csr . [root@localhost CA]# ls cacert.pem crl httpd.csr newcerts serial certs crlnumber index.txt private [root@localhost CA]# openssl ca -in httpd.csr -out httpd.crt -days 365 Using configuration from /etc/pki/tls/openssl.cnf Check that the request matches the signature Signature ok Certificate Details:Serial Number: 1 (0x1)ValidityNot Before: Mar 9 08:11:01 2014 GMTNot After : Mar 9 08:11:01 2015 GMTSubject:countryName = cnstateOrProvinceName = hnorganizationName = maorganizationalUnitName = linuxcommonName = www.limeizhi.comemailAddress = 8@qq.comX509v3 extensions:X509v3 Basic Constraints:CA:FALSENetscape Comment:OpenSSL Generated CertificateX509v3 Subject Key Identifier:F6:71:9B:1D:97:F6:87:09:E7:36:41:60:8D:6B:4D:59:3C:8C:E3:B1X509v3 Authority Key Identifier:keyid:8C:E4:19:25:B4:F4:46:74:64:F5:90:7F:A6:71:A4:6B:E2:74:B5:F3 Certificate is to be certified until Mar 9 08:11:01 2015 GMT (365 days) Sign the certificate? [y/n]:y 1 out of 1 certificate requests certified, commit? [y/n]y Write out database with 1 new entries Data Base Updated [root@localhost CA]# [root@localhost CA]# [root@localhost CA]# cp httpd.crt 192.168.2.4:/etc/httpd/ssl cp: cannot create regular file `192.168.2.4:/etc/httpd/ssl': No such file or directory [root@localhost CA]# scp httpd.crt 192.168.2.4:/etc/httpd/ssl httpd.crt 100% 3780 3.7KB/s 00:00 [root@localhost CA]# openssl ca -revoke httpd.crt

?client端操作 192.168.2.4

[root@localhost ~]# mkdir /etc/httpd/ssl [root@localhost ~]# cd [root@localhost ~]# cd /etc/httpd/ssl [root@localhost ssl]# ls [root@localhost ssl]# (umask 077;openssl genrsa -out httpd.key 1024) Generating RSA private key, 1024 bit long modulus ...++++++ ...............++++++ e is 65537 (0x10001) [root@localhost ssl]# openssl req -new -key httpd.key -out httpd.csr You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [XX]:vn^C [root@localhost ssl]# openssl req -new -key httpd.key -out httpd.csr You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [XX]:cn State or Province Name (full name) []:hn Locality Name (eg, city) [Default City]:zz Organization Name (eg, company) [Default Company Ltd]:ma Organizational Unit Name (eg, section) []:linux Common Name (eg, your name or your server's hostname) []:www.k^C [root@localhost ssl]# openssl req -new -key httpd.key -out httpd.csr You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [XX]:cn State or Province Name (full name) []:hn Locality Name (eg, city) [Default City]:zz Organization Name (eg, company) [Default Company Ltd]:ma Organizational Unit Name (eg, section) []:linux Common Name (eg, your name or your server's hostname) []:www.limeizhi.com Email Address []:8@qq.com Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []: [root@localhost ssl]# scp httpd.csr httpd. httpd.csr httpd.key [root@localhost ssl]# scp httpd.csr httpd. httpd.csr httpd.key [root@localhost ssl]# scp httpd.csr server:/root/ The authenticity of host 'server (172.16.0.1)' can't be established. RSA key fingerprint is 11:fc:5f:c3:95:fe:9f:c8:62:ac:a5:5b:80:ec:ae:01. Are you sure you want to continue connecting (yes/no)? yes Warning: Permanently added 'server,172.16.0.1' (RSA) to the list of known hosts. root@server's password: [root@localhost ssl]# ^C [root@localhost ssl]# scp httpd.csr 192.168.2.3:/root The authenticity of host '192.168.2.3 (192.168.2.3)' can't be established. RSA key fingerprint is 61:70:80:57:75:96:07:e8:cc:66:67:b0:06:fc:f0:ff. Are you sure you want to continue connecting (yes/no)? yes Warning: Permanently added '192.168.2.3' (RSA) to the list of known hosts. httpd.csr 100% 672 0.7KB/s 00:00 [root@localhost ssl]# pwd /etc/httpd/ssl

轉載于:https://blog.51cto.com/limeizhi/1370870

總結

以上是生活随笔為你收集整理的加密解密概述及openssl应用及其创建CA和签发证书的实现的全部內容，希望文章能夠幫你解決所遇到的問題。

如果覺得生活随笔網站內容還不錯，歡迎將生活随笔推薦給好友。