Loading... <p style="text-align: center"> <strong>Openssl</strong><strong><span style="font-family: 宋体">加</span></strong><strong><span style="font-family: 宋体">密解密原理</span>+CA<span style="font-size: 24px"><span style="font-family: 宋体">自建实现</span></span></strong></p> <p style="margin: 3px 0px 0px"><span style="font-family: Calibri;font-size: 10px"> </span></p> <h1><span style="font-family: Calibri;font-size: 10px"> </span> <span style="font-family: 宋体">前言</span> </h1> <p style="margin: 0px 0px 13px;text-indent: 29px"><span style="font-family: 宋体">互联网的惊人发展使企业和消费者都感到非常兴奋,它正改变着我们的生活和工作方式。但是,互联网的安全程度如何——尤其是在通过它发送机密信息时的安全性——已经成为人们关心的主要问题。随着时代的发展</span><span style="font-family: Calibri">,</span><span style="font-family: 宋体">加密原理也不断地在更新换代</span><span style="font-family: Calibri">. </span><span style="font-family: 宋体">数据的加密目前已广泛地运用于战争</span><span style="font-family: Calibri">,</span><span style="font-family: 宋体">商业活动</span><span style="font-family: Calibri">,</span><span style="font-family: 宋体">信息交换等领域</span><span style="font-family: Calibri">,</span><span style="font-family: 宋体">。其实加密技术也不是什么新生事物,只不过应用在当今电子商务、电脑网络中还是近几年的历史。以下我们将了解一下加密技术的方方面面,愿能为那些对加密技术有兴趣的朋友提供一个详细了解的机会</span><span style="font-family: Calibri">!</span></p> <p style="margin: 0px 0px 13px;text-indent: 29px"><span style="font-family: 宋体">在电子商务没有出现之前,我们基本上通过面对面的钱权交易,不存在加密解密问题;随着电子商务的兴起,我们现在很多的交易都是在互联网上完成的,银行转账,网上购物等等。早期的各种传输软件都没有考虑到安全的问题,都是以明文进行传输,信息被别人窃取,篡改等等;因此有很多群体靠网络发家!!犯罪!!但是网络交易确实给我们的生活带来了极大的方便,怎么解决这个问题呢;美国</span><span style="font-family: Calibri">NIST,</span><span style="font-family: 宋体">为了保证计算机的安全,提出了几个要求:</span></p> <p style="margin: 0px 0px 13px;text-indent: 29px"><span style="font-family: Calibri"> 1</span><span style="font-family: 宋体">、数据要有保密性:数据保密性和隐私性;确保信息不被别人获取,个人存储的信息不能被别人收集到;</span></p> <p style="margin: 0px 0px 13px;text-indent: 29px"><span style="font-family: Calibri"> 2</span><span style="font-family: 宋体">、完整性:包括数据完整性和系统完整性;数据完整性确保数据和程序只能以特定权限的进行授权和改变,只能授权之后才能改变或者被改变;确保系统以一种正常的方式执行预定的功能,不会因别人的介入改变方向;</span></p> <p style="margin: 0px 0px 13px;text-indent: 29px"><span style="font-family: Calibri"> 3 </span><span style="font-family: 宋体">可用性,工作迅速,可正常使用的情况并获取到信息;</span></p> <p style="margin: 0px 0px 13px;text-indent: 29px"><span style="font-family: 宋体">以下我们将说一下基本概念,然后再说明一下在互联网上如何安全的进行传输数据进行安全交易的过程;</span></p> <h1>一、<span style="font-family: 宋体">基本概念</span></h1> <p style="margin: 0px 0px 13px;text-indent: 29px"><strong><span style="color: red;font-family: 宋体">加密:</span></strong><span style="font-family: 宋体">我们将文字转换成不能直接阅读的形式(即密文)的过程称为加密。数据加密的基本过程就是对原来为明文的文件或数据按某种算法进行处理,使其成为不可读的一段代码,通常称为</span><span style="font-family: Calibri">"</span><span style="font-family: 宋体">密文</span><span style="font-family: Calibri">"</span><span style="font-family: 宋体">,使其只能在输入相应的密钥之后才能显示出本来内容,通过这样的途径来达到保护数据不被非法人窃取、阅读的目的。</span></p> <p style="margin: 0px 0px 13px;text-indent: 29px"><strong><span style="color: red;font-family: 宋体">解密:</span></strong><span style="font-family: 宋体">我们将密文转换成能够直接阅读的文字(即明文)的过程称为解密。</span></p> <p style="margin: 0px 0px 13px;text-indent: 29px"><span style="font-family: 宋体">大多数计算机加密系统都属于以下两种类型之一:</span><span style="font-family: Calibri">"</span><span style="font-family: 宋体">对称式</span><span style="font-family: Calibri">"</span><span style="font-family: 宋体">和</span><span style="font-family: Calibri">"</span><span style="font-family: 宋体">非对称式</span><span style="font-family: Calibri">"</span><span style="font-family: 宋体">。</span></p> <p style="margin: 0px 0px 13px;text-indent: 29px"><strong><span style="color: red;font-family: 宋体">对称加密:</span></strong><span style="font-family: 宋体">采用单钥密码系统的加密方法,同一个密钥可以同时用作信息的加密和解密,这种加密方法称为对称加密,也称为单密钥加密。需要对加密和解密使用相同密钥的加密算法。由于其速度快,对称性加密通常在消息发送方需要加密大量数据时使用。对称性加密也称为密钥加密。</span></p> <p style="margin: 0px 0px 13px;text-indent: 29px"><span style="font-family: 宋体">常用的对称加密:</span><span style="font-family: Calibri">DES</span><span style="font-family: 宋体">、</span><span style="font-family: Calibri">3DES</span><span style="font-family: 宋体">、</span><span style="font-family: Calibri">AES</span><span style="font-family: 宋体">、</span><span style="font-family: Calibri">DH</span></p> <p style="margin: 0px 0px 13px;text-indent: 29px"><span style="font-family: 宋体">因为对称式的加密方法如果是在网络上传输加密文件就很难把密钥告诉对方,不管用什么方法都有可能被别窃听到。且通信方如果比较多,秘钥过多,不便于管理,密钥传输和交换难以实现;因此产生了公钥加密(也叫非对称加密):</span></p> <p style="margin: 0px 0px 13px;text-indent: 29px"><strong><span style="color: red;font-family: 宋体">非对称式加密</span></strong><span style="font-family: 宋体">就是加密和解密所使用的不是同一个密钥,通常有两个密钥,称为</span><span style="font-family: Calibri">"</span><span style="font-family: 宋体">公钥</span><span style="font-family: Calibri">"</span><span style="font-family: 宋体">和</span><span style="font-family: Calibri">"</span><span style="font-family: 宋体">私钥</span><span style="font-family: Calibri">"</span><span style="font-family: 宋体">,它们两个必需配对使用,否则不能打开加密文件。这里的</span><span style="font-family: Calibri">"</span><span style="font-family: 宋体">公钥</span><span style="font-family: Calibri">"</span><span style="font-family: 宋体">是指可以对外公布的,</span><span style="font-family: Calibri">"</span><span style="font-family: 宋体">私钥</span><span style="font-family: Calibri">"</span><span style="font-family: 宋体">则不能,只能由持有人一个人知道。</span><span style="font-family: Calibri">"</span><span style="font-family: 宋体">公钥</span><span style="font-family: Calibri">"</span><span style="font-family: 宋体">是可以公开的,也就不怕别人知道,收件人解密时只要用自己的私钥即可以,这样就很好地避免了密钥的传输安全性问题。</span></p> <p style="margin: 0px 0px 13px;text-indent: 29px"><span style="font-family: 宋体">常用加密算法:</span><span style="font-family: Calibri">RSA, DSA, EIGamal </span><span style="font-family: 宋体">;</span><span style="font-family: Calibri">RSA:</span><span style="font-family: 宋体">身份认证和加密;</span><span style="font-family: Calibri">DSA:</span><span style="font-family: 宋体">身份认证</span></p> <p style="margin: 0px 0px 13px;text-indent: 29px"><span style="font-family: 宋体">公钥私钥的原则:</span></p> <p style="margin: 0px 0px 13px;text-indent: 29px"><span style="font-family: Calibri">1. </span><span style="font-family: 宋体">一个公钥对应一个私钥。</span></p> <p style="margin: 0px 0px 13px;text-indent: 29px"><span style="font-family: Calibri">2. </span><span style="font-family: 宋体">密钥对中,让大家都知道的是公钥,不告诉大家,只有自己知道的,是私钥。</span></p> <p style="margin: 0px 0px 13px;text-indent: 29px"><span style="font-family: Calibri">3. </span><span style="font-family: 宋体">如果用其中一个密钥加密数据,则只有对应的那个密钥才可以解密。</span></p> <p style="margin: 0px 0px 13px;text-indent: 29px"><span style="font-family: Calibri">4. </span><span style="font-family: 宋体">如果用其中一个密钥可以进行解密数据,则该数据必然是对应的那个密钥进行的加密。</span></p> <h1><span style="font-family: 宋体">二、加密传输原理</span></h1> <p style="margin: 0px 0px 13px;text-indent: 29px"><span style="font-family: 宋体">加密的各种算法只是对文件进行了加密,可是如何让其能在网络上进行安全的传输,而不被窃听,篡改呢?</span></p> <p style="margin: 0px 0px 13px;text-indent: 29px"><span style="font-family: 宋体">用电子邮件的方式说明一下原理。</span> </p> <p style="margin: 0px 0px 13px;text-indent: 29px"><span style="font-family: Calibri"> </span><span style="font-family: 宋体">使用公钥与私钥的目的就是实现安全的电子邮件,必须实现如下目的:</span> </p> <p style="margin: 0px 0px 13px;text-indent: 29px"><span style="font-family: Calibri"> 1. </span><span style="font-family: 宋体">我发送给你的内容必须加密,在邮件的传输过程中不能被别人看到。</span> </p> <p style="margin: 0px 0px 13px;text-indent: 29px"><span style="font-family: Calibri"> 2. </span><span style="font-family: 宋体">必须保证是我发送的邮件,不是别人冒充我的。</span> </p> <p style="margin: 0px 0px 13px;text-indent: 29px"><span style="font-family: Calibri"> </span><span style="font-family: 宋体">要达到这样的目标必须发送邮件的两人都有公钥和私钥。</span> </p> <p style="margin: 0px 0px 13px;text-indent: 29px"><span style="font-family: Calibri"> <strong><span style="color: red"> </span></strong></span><strong><span style="color: red;font-family: 宋体">公钥,</span></strong><span style="font-family: 宋体">就是给大家用的,你可以通过电子邮件发布,可以通过网站让别人下载,公钥其实是用来加密</span><span style="font-family: Calibri">/</span><span style="font-family: 宋体">验章用的。私钥,就是自己的,必须非常小心保存,最好加上</span> <span style="font-family: 宋体">密码,私钥是用来解密</span><span style="font-family: Calibri">/</span><span style="font-family: 宋体">签章,首先就</span><span style="font-family: Calibri">Key</span><span style="font-family: 宋体">的所有权来说,私钥只有个人拥有。公钥与私钥的作用是:用公钥加密的内容只能用私钥解密,用私钥加密的内容只能</span> <span style="font-family: 宋体">用公钥解密。</span></p> <p style="margin: 0px 0px 13px;text-indent: 29px"><span style="font-family: 宋体">随着计算机网络技术的迅速发展和信息化建设的大力推广,越来越多的传统办公和业务处理模式开始走向电子化和网络化,从而极大地提高了效率、节约了成本。与传统的面对面的手工处理方式相比,基于网络的电子化业务处理系统必须解决以下问题:</span></p> <p style="margin: 0px 0px 13px;text-indent: 29px"><span style="font-family: Calibri">1</span><span style="font-family: 宋体">如何在网络上识别用户的真实身份;</span></p> <p style="margin: 0px 0px 13px;text-indent: 29px"><span style="font-family: Calibri">2</span><span style="font-family: 宋体">如何保证网络上传送的业务数据不被篡改;</span></p> <p style="margin: 0px 0px 13px;text-indent: 29px"><span style="font-family: Calibri">3</span><span style="font-family: 宋体">如何保证网络上传送的业务数据的机密性;</span></p> <p style="margin: 0px 0px 13px;text-indent: 29px"><span style="font-family: Calibri">4</span><span style="font-family: 宋体">如何使网络上的用户行为不可否认;</span><span style="font-family: Calibri">———-</span><span style="font-family: 宋体">如我们网上购物,东西到了,我们不承认,商家将遭受损失;</span></p> <p style="margin: 0px 0px 13px;text-indent: 29px"><span style="font-family: 宋体">例如:</span> <span style="font-family: 宋体">假设用户甲要寄信给用户乙,他们互相知道对方的公钥。甲就用乙的公钥加密邮件寄出,乙收到后就可以用自己的私钥解密出甲的原文。由于别人不知道乙的私钥,所以即使是甲本人也无法解密那封信,这就解决了信件保密的问题。另一方面,由于每个人都知道乙的公钥,他们都可以给乙发信,<span style="color: red">那么乙怎么确信是不是甲的来信呢?那就要用到基于加密技术的数字签名了</span>。</span></p> <p style="margin: 0px 0px 13px;text-indent: 29px"><span style="font-family: 宋体">基于公开密钥算法的<span style="color: red">数字签名技术</span>和加密技术,为解决上述问题提供了理论依据和技术可行性;同时,《中华人民共和国电子签名法》的颁布和实施为数字签名的使用提供了法律依据,使得数字签名与传统的手工签字和盖章具有了同等的法律效力。</span></p> <p style="margin: 0px 0px 13px;text-indent: 29px"><strong><span style="color: red"><span style="font-family: Calibri">PKI</span></span></strong><strong><span style="color: red;font-family: 宋体">(</span><span style="color: red"><span style="font-family: Calibri">Public Key Infrastructure</span></span></strong><strong><span style="color: red;font-family: 宋体">)</span></strong><span style="font-family: 宋体">是使用公开密钥密码技术来提供和实施安全服务的基础设施,其中</span><span style="font-family: Calibri">CA</span><span style="font-family: 宋体">(</span><span style="font-family: Calibri">Certificate Authority</span><span style="font-family: 宋体">)系统是</span><span style="font-family: Calibri">PKI</span><span style="font-family: 宋体">体系的核心,主要实现数字证书的发放和密钥管理等功能。数字证书由权威公正的</span><span style="font-family: Calibri">CA</span><span style="font-family: 宋体">中心签发,是网络用户的身份证明。使用数字证书,结合数字签名、数字信封等密码技术,可以实现对网上用户的身份认证,保障网上信息传送的真实性、完整性、保密性和不可否认性。</span> </p> <p style="margin: 0px 0px 13px;text-indent: 29px"><span style="font-family: 宋体">数字证书目前已广泛应用于安全电子邮件、网上商城、网上办公、网上签约、网上银行、网上证券、网上税务等行业和业务领域。</span></p> <p style="margin: 0px 0px 13px;text-indent: 29px"><strong><span style="color: red;font-family: 宋体">数字证书</span></strong><span style="color: red;font-family: 宋体">是一种数字标识,如同我们的身份证一样,是网络上的身份证明,它是由证书授权机构(</span><span style="color: red"><span style="font-family: Calibri">CA</span></span><span style="color: red;font-family: 宋体">)签名颁发的数字文件,该签名使得第三者不能伪造和篡改证书。</span></p> <p style="margin: 0px 0px 13px;text-indent: 29px"><strong><span style="color: red;font-family: 宋体">数字证书:</span></strong><strong> </strong><span style="font-family: Calibri"> </span><span style="font-family: 宋体">数字证书为实现双方安全通信提供了电子认证。在因特网、公司内部网或外部网中,使用数字证书实现身份识别和电子信息加密。数字证书中含有密钥对(公钥和私钥)所有者的识别信息,通过验证识别信息的真伪实现对证书持有者身份的认证。</span></p> <p style="margin: 0px 0px 13px;text-indent: 29px"><span style="font-family: Calibri">ITU-T</span><span style="font-family: 宋体">的</span><span style="font-family: Calibri">X..509</span><span style="font-family: 宋体">国际标准定义了数字证书的格式,目前</span><span style="font-family: Calibri">X .509v3</span><span style="font-family: 宋体">数字证书的主要内容如图:</span></p> <p style="margin: 0px 0px 13px;text-indent: 29px"><span style="font-family: Calibri"> <img title="1432463111939894.png" alt="1.png" src="//cto.wang/usr/uploads/2016/07/20160703145001-61.png" /></span></p> <p style="margin: 0px 0px 13px;text-indent: 29px"><strong><span style="color: red;font-family: 宋体">注册授权服务器(</span><span style="color: red"><span style="font-family: Calibri">RA</span></span></strong><strong><span style="color: red;font-family: 宋体">)</span></strong> <span style="font-family: 宋体">:负责定期从数据库中提取已审核通过的证书申请</span><span style="font-family: Calibri">/</span><span style="font-family: 宋体">更新</span><span style="font-family: Calibri">/</span><span style="font-family: 宋体">作废信息,按既定格式打包提交到</span><span style="font-family: Calibri">CA</span><span style="font-family: 宋体">服务器,并接收和记录返回的结果。</span></p> <p style="margin: 0px 0px 13px;text-indent: 29px"><strong><span style="color: red;font-family: 宋体">证书签发服务器(</span><span style="color: red"><span style="font-family: Calibri">CA</span></span></strong><strong><span style="color: red;font-family: 宋体">)</span></strong><span style="font-family: 宋体">:负责密钥对(公私钥对)的产生,可采用软件方式或硬件方式(加密机);接收</span><span style="font-family: Calibri">RA</span><span style="font-family: 宋体">服务器的请求,签发</span><span style="font-family: Calibri">/</span><span style="font-family: 宋体">更新</span><span style="font-family: Calibri">/</span><span style="font-family: 宋体">作废用户证书;定期签发</span><span style="font-family: Calibri">CRL</span><span style="font-family: 宋体">(证书撤销列表)。</span></p> <p style="margin: 0px 0px 13px;text-indent: 29px"><span style="font-family: Calibri">CA</span><span style="font-family: 宋体">是证书的签发机构</span><span style="font-family: Calibri">,</span><span style="font-family: 宋体">它是</span><span style="font-family: Calibri">PKI</span><span style="font-family: 宋体">的核心。</span><span style="font-family: Calibri">CA</span><span style="font-family: 宋体">是负责签发证书、认证证书、管理已颁发证书的机关。它要制定政策和具体步骤来验证、识别用户身份,并对用户证书进行签名,以确保证书持有者的身份和公钥的拥有权。</span></p> <p style="margin: 0px 0px 13px;text-indent: 29px"><span style="font-family: Calibri">CA </span><span style="font-family: 宋体">也拥有一个证书(内含公钥)和私钥。网上的公众用户通过验证</span><span style="font-family: Calibri"> CA </span><span style="font-family: 宋体">的签字从而信任</span><span style="font-family: Calibri"> CA </span><span style="font-family: 宋体">,任何人都可以得到</span><span style="font-family: Calibri"> CA </span><span style="font-family: 宋体">的证书(含公钥),用以验证它所签发的证书。</span></p> <p style="margin: 0px 0px 13px;text-indent: 29px"><span style="font-family: 宋体">如果用户想得到一份属于自己的证书,他应先向</span><span style="font-family: Calibri"> CA </span><span style="font-family: 宋体">提出申请。在</span><span style="font-family: Calibri"> CA </span><span style="font-family: 宋体">判明申请者的身份后,便为他分配一个公钥,并且</span><span style="font-family: Calibri"> CA </span><span style="font-family: 宋体">将该公钥与申请者的身份信息绑在一起,并为之签字后,便形成证书发给申请者。</span></p> <p style="margin: 0px 0px 13px;text-indent: 29px"><span style="font-family: 宋体">如果一个用户想鉴别另一个证书的真伪,他就用</span><span style="font-family: Calibri"> CA </span><span style="font-family: 宋体">的公钥对那个证书上的签字进行验证,一旦验证通过,该证书就被认为是有效的。</span></p> <h1 style="margin: 13px 0px 0px;text-indent: 40px"><img title="1432463125405923.png" alt="2.png" src="//cto.wang/usr/uploads/2016/07/20160703145001-51.png" /></h1> <p style="margin: 0px 0px 13px;text-indent: 29px"><span style="font-family: 宋体">上面我了解了基本的概念和原来后,我们来根据上图来说一下</span>一次会话,发邮件,用户和用户之间的数据加密的全过程:</p> <p style="margin: 0px 0px 13px;text-indent: 29px"><span style="font-family: Calibri">1</span><span style="font-family: 宋体">、</span><span style="font-family: Calibri">Bob</span><span style="font-family: 宋体">生成数据</span></p> <p style="margin: 0px 0px 13px;text-indent: 29px"><span style="font-family: Calibri">2</span><span style="font-family: 宋体">、用单向加密数据生成特征码</span></p> <p style="margin: 0px 0px 13px;text-indent: 29px"><span style="font-family: Calibri">3</span><span style="font-family: 宋体">、</span><span style="font-family: Calibri">Bob</span><span style="font-family: 宋体">用自己的私钥加密特征码放在数据后面</span><span style="font-family: Calibri">———-</span><span style="font-family: 宋体">用自己的私钥进行签名;</span></p> <p style="margin: 0px 0px 13px;text-indent: 29px"><span style="font-family: Calibri">4</span><span style="font-family: 宋体">、生成临时会话密钥加密特征码和数据</span><span style="font-family: Calibri">——-</span><span style="font-family: 宋体">因为之前没有对数据进行加密;</span></p> <p style="margin: 0px 0px 13px;text-indent: 29px"><span style="font-family: Calibri">5</span><span style="font-family: 宋体">、用对方</span><span style="font-family: Calibri">Alice</span><span style="font-family: 宋体">的公钥加密临时密钥</span></p> <p style="margin: 0px 0px 13px;text-indent: 29px"><span style="font-family: Calibri">6</span><span style="font-family: 宋体">、数据加密完后一并发给对方</span></p> <p style="margin: 0px 0px 13px;text-indent: 29px"><span style="font-family: Calibri">7</span><span style="font-family: 宋体">、</span><span style="font-family: Calibri">Alice</span><span style="font-family: 宋体">用自己的私钥解密对称密钥(原图有误不是</span><span style="font-family: Calibri">BOb</span><span style="font-family: 宋体">)</span></p> <p style="margin: 0px 0px 13px;text-indent: 29px"><span style="font-family: Calibri">8</span><span style="font-family: 宋体">、拿到密码后解密对方加密的数据</span></p> <p style="margin: 0px 0px 13px;text-indent: 29px"><span style="font-family: Calibri">9</span><span style="font-family: 宋体">、</span><span style="font-family: Calibri">Alice</span><span style="font-family: 宋体">用</span><span style="font-family: Calibri">Bob</span><span style="font-family: 宋体">的公钥解密特征码</span><span style="font-family: Calibri">—————–</span><span style="font-family: 宋体">使用发送者的公钥对签名进行认证;</span></p> <p style="margin: 0px 0px 13px;text-indent: 29px"><span style="font-family: Calibri">10</span><span style="font-family: 宋体">、</span><span style="font-family: Calibri">Alice</span><span style="font-family: 宋体">用相同的单向加密验证数据的完整性</span></p> <p style="margin: 0px 0px 13px;text-indent: 29px"><span style="font-family: Calibri">11</span><span style="font-family: 宋体">、</span><span style="font-family: Calibri">Alice</span><span style="font-family: 宋体">接收数据</span></p> <p style="margin: 0px 0px 13px;text-indent: 29px"><strong><span style="color: red;font-family: 宋体">使用数字证书能做什么</span><span style="font-family: Calibri"><span style="color: red">?</span> </span></strong><strong> </strong></p> <p style="margin: 0px 0px 13px;text-indent: 29px"><span style="font-family: 宋体">数字证书在用户公钥后附加了用户信息及</span><span style="font-family: Calibri">CA</span><span style="font-family: 宋体">的签名。公钥是密钥对的一部分,另一部分是私钥。公钥公之于众,谁都可以使用。私钥只有自己知道。由公钥加密的信息只能由与之相对应的私钥解密。为确保只有某个人才能阅读自己的信件,发送者要用收件人的公钥加密信件;收件人便可用自己的私钥解密信件。同样,为证实发件人的身份,发送者要用自己的私钥对信件进行签名;收件人可使用发送者的公钥对签名进行验证,以确认发送者的身份。如此我们便可以安全的在网上进行各种交易,接下来我们实践操作一下此过程的实现。</span></p> <h1><span style="font-family: 宋体">三、</span>Openssl <span style="font-size: 24px"><span style="font-family: 宋体">基本使用方法</span></span></h1> <p style="margin: 0px 0px 13px;text-indent: 29px"><span style="font-family: Calibri">1</span><span style="font-family: 宋体">、</span><span style="font-family: Calibri">OpenSSL </span><span style="font-family: 宋体">是一个强大的安全套接字层密码库</span><span style="font-family: Calibri">, </span><span style="font-family: 宋体">在应用层和传输层之间加了一个半层,基于套接字传输时专用的;所以不是对所有的数据进行加密;</span><span style="font-family: Calibri">Appache</span><span style="font-family: 宋体">使用它加密</span><span style="font-family: Calibri">HTTPS</span><span style="font-family: 宋体">,</span><span style="font-family: Calibri">http(80/tcp)->ssl—>https(443/tcp)</span><span style="font-family: 宋体">:两个完全不同的协议;</span><span style="font-family: Calibri">OpenSSH</span><span style="font-family: 宋体">使用它加密</span><span style="font-family: Calibri">SSH</span><span style="font-family: 宋体">,它不止是一个库,而且还是一个多用途、跨平台的密码加密工具。整个软件包有三部份构成:</span></p> <p style="margin: 0px 0px 13px;text-indent: 29px"><span style="font-family: 宋体">密码算法库</span><span style="font-family: Calibri">(7</span><span style="font-family: 宋体">种分组加密算法、</span><span style="font-family: Calibri">RC4</span><span style="font-family: 宋体">的流加密算法</span><span style="font-family: Calibri">)</span></p> <p style="margin: 0px 0px 13px;text-indent: 29px"><span style="font-family: Calibri">SSL </span><span style="font-family: 宋体">协议库</span><span style="font-family: Calibri">(SSLv2,v3</span><span style="font-family: 宋体">、</span><span style="font-family: Calibri">TLSv2,v3)</span></p> <p style="margin: 0px 0px 13px;text-indent: 29px"><span style="font-family: 宋体">应用程序</span><span style="font-family: Calibri">(</span><span style="font-family: 宋体">密码生成、证书管理、格式转换、数据加密签名</span><span style="font-family: Calibri">)</span></p> <p style="margin: 0px 0px 13px;text-indent: 29px"><span style="font-family: Calibri">2</span><span style="font-family: 宋体">、</span><span style="font-family: Calibri">openssl</span><span style="font-family: 宋体">基本用法</span></p> <p style="margin: 0px 0px 13px;text-indent: 29px"><span style="font-family: 宋体">可以使用</span><span style="font-family: Calibri">rpm –ql openssl </span><span style="font-family: 宋体">查看是否安装;</span><span style="font-family: 宋体"><img title="1432463146223718.png" alt="3.png" src="//cto.wang/usr/uploads/2016/07/20160703145001-2.png" /></span></p> <p style="margin: 0px 0px 13px;text-indent: 29px"><span style="font-family: Calibri">Standar commands</span><span style="font-family: 宋体">:命令功能</span></p> <p style="margin: 0px 0px 13px;text-indent: 29px"><span style="font-family: Calibri">Message Digest command </span><span style="font-family: 宋体">:信息摘要支持的算法</span></p> <p style="margin: 0px 0px 13px;text-indent: 29px"><span style="font-family: Calibri">Cipher</span><span style="font-family: 宋体">:加密支持的算法</span></p> <p style="margin: 0px 0px 13px;text-indent: 29px"><span style="font-family: 宋体">查看</span><span style="font-family: Calibri">OpenSSL </span><span style="font-family: 宋体">的安装文件,配置之前建议先去读</span><span style="font-family: Calibri">/etc/pki/tls/openssl.cnf </span><span style="font-family: 宋体">配置文件,了解</span><span style="font-family: Calibri">openssl </span><span style="font-family: 宋体">工具家目录下各个文件夹的作用。</span><span style="font-family: Calibri">这里看到CA </span><span style="font-family: 宋体">的家目录是在</span><span style="font-family: Calibri">/etc/pki/CA,</span><span style="font-family: 宋体">先去看看里面的目录结构<img title="1432463161850845.png" alt="4.png" src="//cto.wang/usr/uploads/2016/07/20160703145002-2.png" /></span></p> <p style="margin: 0px 0px 13px;text-indent: 29px"><span style="font-family: Calibri">certs</span><span style="font-family: 宋体">:签发的证书存放的地方</span></p> <p style="margin: 0px 0px 13px;text-indent: 29px"><span style="font-family: Calibri">private</span><span style="font-family: 宋体">:存放</span><span style="font-family: Calibri">CA</span><span style="font-family: 宋体">的私钥</span><span style="font-family: Calibri">(</span><span style="font-family: 宋体">很重要</span><span style="font-family: Calibri">)</span></p> <p style="margin: 0px 0px 13px;text-indent: 29px"><span style="font-family: Calibri">crl</span><span style="font-family: 宋体">:吊销的证书存放的地方</span></p> <p style="margin: 0px 0px 13px;text-indent: 29px"><span style="font-family: Calibri">newcerts</span><span style="font-family: 宋体">:签发新证书存放的地方</span></p> <p style="margin: 0px 0px 13px;text-indent: 29px"><span style="font-family: Calibri">serial</span><span style="font-family: 宋体">:签发证书的序列号</span><span style="font-family: Calibri">(</span><span style="font-family: 宋体">需创建</span><span style="font-family: Calibri">),serial </span><span style="font-family: 宋体">起始序列号需要指定</span></p> <p style="margin: 0px 0px 13px;text-indent: 29px"><span style="font-family: Calibri">index.txt</span><span style="font-family: 宋体">:数据库的索引文件</span><span style="font-family: Calibri">(</span><span style="font-family: 宋体">需创建</span><span style="font-family: Calibri">)</span></p> <p style="margin: 0px 0px 13px;text-indent: 29px"><span style="font-family: Calibri">crlnumber</span><span style="font-family: 宋体">:吊销证书的序列号</span><span style="font-family: Calibri">(</span><span style="font-family: 宋体">需创建</span><span style="font-family: Calibri">)</span></p> <p style="margin: 0px 0px 13px;text-indent: 29px"><span style="font-family: 宋体">例如:</span><span style="font-family: Calibri">cp /var/messages /home/test</span><span style="font-family: 宋体">目录下对</span><span style="font-family: Calibri">messages</span><span style="font-family: 宋体">文件进行加密;使用</span><span style="font-family: Calibri">cat</span><span style="font-family: 宋体">查看是乱码;</span></p> <p style="margin: 0px 0px 13px;text-indent: 29px"><span style="font-family: Calibri">openssl</span><span style="font-family: 宋体">命令选项:</span></p> <p style="margin: 0px 0px 13px;text-indent: 29px"><span style="font-family: Calibri"> -e</span><span style="font-family: 宋体">:指定为加密,可以不写默认为加密。</span></p> <p style="margin: 0px 0px 13px;text-indent: 29px"><span style="font-family: Calibri"> -des3</span><span style="font-family: 宋体">:指定算法算法</span></p> <p style="margin: 0px 0px 13px;text-indent: 29px"><span style="font-family: Calibri"> -salt</span><span style="font-family: 宋体">:默认设置,生成一段字符串放在密码最前面进行加密,提高解密难度。</span></p> <p style="margin: 0px 0px 13px;text-indent: 29px"><span style="font-family: Calibri"> -a</span><span style="font-family: 宋体">:基于</span><span style="font-family: Calibri">base64</span><span style="font-family: 宋体">处理数据。加密结果进行</span><span style="font-family: Calibri">base64</span><span style="font-family: 宋体">编码处理</span></p> <p style="margin: 0px 0px 13px;text-indent: 29px"><span style="font-family: Calibri"> -in</span><span style="font-family: 宋体">:读取那个文件进行加密</span></p> <p style="margin: 0px 0px 13px;text-indent: 29px"><span style="font-family: Calibri"> -out</span><span style="font-family: 宋体">:输出到那里</span></p> <p style="margin: 0px 0px 13px;text-indent: 29px"><span style="font-family: Calibri"> -d</span><span style="font-family: 宋体">:指定为解密<img title="1432463171114298.png" alt="5.png" src="//cto.wang/usr/uploads/2016/07/20160703145002-61.png" /></span></p> <p style="margin: 0px 0px 13px;text-indent: 29px"><span style="font-family: 宋体">对</span><span style="font-family: Calibri">messages</span><span style="font-family: 宋体">解密<img title="1432463179348233.png" alt="6.png" src="//cto.wang/usr/uploads/2016/07/20160703145002-88.png" /></span></p> <p style="margin: 0px 0px 13px;text-indent: 29px"><span style="font-family: 宋体">单项加密:</span><span style="font-family: Calibri">openssl dgst </span><span style="font-family: 宋体">用于实现在网络通信中保证所传输的数据的完整性</span></p> <p style="margin: 0px 0px 13px;text-indent: 29px"><span style="font-family: Calibri"> -md5</span><span style="font-family: 宋体">:用</span><span style="font-family: Calibri">md5</span><span style="font-family: 宋体">方式加密</span></p> <p style="margin: 0px 0px 13px;text-indent: 29px"><span style="font-family: Calibri"> -sha1</span><span style="font-family: 宋体">:</span><span style="font-family: Calibri">sha1</span><span style="font-family: 宋体">方式加密</span></p> <p style="margin: 0px 0px 13px;text-indent: 29px"><span style="font-family: Calibri"> -out</span><span style="font-family: 宋体">:加密后密码保存到那里</span></p> <p style="margin: 0px 0px 13px;text-indent: 29px"><span style="font-family: 宋体">例如:</span><span style="font-family: Calibri">md5sum messages </span><span style="font-family: 宋体">或者</span><span style="font-family: Calibri"> openssl dgst -md5 messages </span><span style="font-family: 宋体">二者提前的特征码相同<img title="1432463186756663.png" alt="7.png" src="//cto.wang/usr/uploads/2016/07/20160703145002-25.png" /></span></p> <p style="margin: 0px 0px 13px;text-indent: 29px"><span style="font-family: 宋体">生成用户密码:</span><span style="font-family: Calibri">openssl passwd -1 [-salt string] password</span></p> <p style="margin: 0px 0px 13px;text-indent: 29px"><span style="font-family: Calibri"> -1</span><span style="font-family: 宋体">:</span><span style="font-family: Calibri">md5</span><span style="font-family: 宋体">加密</span></p> <p style="margin: 0px 0px 13px;text-indent: 29px"><span style="font-family: Calibri"> -salt</span><span style="font-family: 宋体">:自己指定附加信息</span></p> <p style="margin: 0px 0px 13px;text-indent: 29px"><span style="font-family: Calibri"> </span><span style="font-family: 宋体">生成随机数:</span><span style="font-family: Calibri">openssl rand -base64 4</span><span style="font-family: 宋体">或</span><span style="font-family: Calibri">openssl rand -hex 4</span><span style="font-family: 宋体">,生成</span><span style="font-family: Calibri">8</span><span style="font-family: 宋体">位随机数<img title="1432463196107319.png" alt="8.png" src="//cto.wang/usr/uploads/2016/07/20160703145002-7.png" /></span></p> <p style="margin: 0px 0px 13px;text-indent: 29px"><span style="font-family: 宋体">生成私钥和公钥:</span><span style="font-family: Calibri">openssl genrsa</span><span style="font-family: 宋体"> </span></p> <p style="margin: 0px 0px 13px;text-indent: 29px"><span style="font-family: 宋体">默认生成的权限时</span><span style="font-family: Calibri">644</span><span style="font-family: 宋体">的,如果想在生成后就是</span><span style="font-family: Calibri">600</span><span style="font-family: 宋体">的权限,可以使用</span><span style="font-family: Calibri">umask;<img title="1432463212499824.png" alt="9.png" src="//cto.wang/usr/uploads/2016/07/20160703145002-51.png" /></span></p> <h1><span style="font-family: 宋体">四、自建</span>CA<span style="font-family: 宋体">过程</span></h1> <p style="margin: 0px 0px 13px;text-indent: 29px"><span style="font-family: Calibri">1</span><span style="font-family: 宋体">、建立私有</span><span style="font-family: Calibri">CA</span></p> <p style="margin: 0px 0px 13px;text-indent: 29px"><span style="color: red"><span style="font-family: Calibri">1.1</span></span><span style="color: red;font-family: 宋体">、在</span><span style="color: red"><span style="font-family: Calibri">CA</span></span><span style="color: red;font-family: 宋体">上生成私钥文件</span><span style="color: red"> </span><span style="color: red;font-family: 宋体">在</span><span style="color: red"><span style="font-family: Calibri">/etc/pki/CA/private</span></span></p> <p style="margin: 0px 0px 13px;text-indent: 29px"><span style="font-family: 宋体">用</span><span style="font-family: Calibri">()</span><span style="font-family: 宋体">是为了在子</span><span style="font-family: Calibri"><span style="color: black">shell</span></span><span style="font-family: 宋体">中运行,不影响当前的</span><span style="color: black"><span style="font-family: Calibri">umask </span></span></p> <p style="margin: 0px 0px 13px;text-indent: 29px"><span style="font-family: Calibri">-out</span><span style="font-family: 宋体">为输出私钥的位置</span><span style="color: black;font-family: Consolas"> </span></p> <p style="margin: 0px 0px 13px;text-indent: 29px"><span style="font-family: Calibri">2048</span><span style="font-family: 宋体">为密钥的长度<img title="1432463494115099.png" alt="100.png" src="//cto.wang/usr/uploads/2016/07/20160703145003-85.png" /></span></p> <p style="margin: 0px 0px 13px;text-indent: 29px"><span style="color: red"><span style="font-family: Calibri">1.2</span></span><span style="color: red;font-family: 宋体">、在</span><span style="color: red"><span style="font-family: Calibri">CA</span></span><span style="color: red;font-family: 宋体">上生成自签署证书</span><span style="color: red"><span style="font-family: Calibri"> </span></span><span style="color: red;font-family: 宋体">必须在</span><span style="color: red"><span style="font-family: Calibri">/etc/pki/CA</span></span><span style="color: red;font-family: 宋体">目录下</span><img title="1432463501654300.png" alt="101.png" src="//cto.wang/usr/uploads/2016/07/20160703145003-59.png" /></p> <p style="margin: 0px 0px 13px;text-indent: 29px"><span style="font-family: Calibri">-new </span><span style="font-family: 宋体">为生成新的证书,会要求用户填写相关的信息</span></p> <p style="margin: 0px 0px 13px;text-indent: 29px"><span style="font-family: Calibri">–<span style="color: black">x509 </span></span><span style="font-family: 宋体">通常用于自签署证书,生成测试证书或用于</span><span style="font-family: Calibri"><span style="color: black">CA</span></span><span style="font-family: 宋体">自签署</span><span style="color: black"><span style="font-family: Calibri"> </span></span></p> <p style="margin: 0px 0px 13px;text-indent: 29px"><span style="font-family: Calibri">–<span style="color: black">key</span></span><span style="font-family: 宋体">私钥位置</span><span style="color: black"><span style="font-family: Calibri"> </span></span></p> <p style="margin: 0px 0px 13px;text-indent: 29px"><span style="font-family: Calibri">–<span style="color: black">days</span></span><span style="font-family: 宋体">申请的天数(默认</span><span style="font-family: Calibri">30</span><span style="font-family: 宋体">天)</span><span style="color: black"><span style="font-family: Calibri"> </span></span></p> <p style="margin: 0px 0px 13px;text-indent: 29px"><span style="font-family: Calibri">-out</span><span style="font-family: 宋体">生成位置</span></p> <p style="margin: 0px 0px 13px;line-height: 30px;text-indent: 28px">以上自签时填写的相关信息可以通过<span style="font-family: Calibri">/etc/pki/tls/openssl.cnf</span>配置文件添加,从而可以复制到其他主机生成签署请求的时候重复填写;以下2个不能使用默认值;commonName ;emailAddress。</p> <p style="margin: 0px 0px 13px;text-indent: 29px"><span style="color: red;font-family: 宋体">2</span><span style="color: red;font-family: 宋体">、给</span><span style="color: red"><span style="font-family: Calibri">http</span></span><span style="color: red;font-family: 宋体">服务器发放证书</span></p> <p style="margin: 0px 0px 13px;text-indent: 28px">假设:用<span style="font-family: Calibri">httpd</span>服务,其位置为<span style="font-family: Calibri">/etc/httpd/conf/certs</span>,<span style="font-family: Calibri">certs</span>为自己创建的文件夹</p> <p style="margin: 0px 0px 13px;text-indent: 29px"><span style="color: red"><span style="font-family: Calibri">2.1</span></span><span style="color: red;font-family: 宋体">、</span><span style="color: red"><span style="font-family: Calibri">http</span></span><span style="color: red;font-family: 宋体">服务器申请证书:在</span><span style="color: red"><span style="font-family: Calibri">http</span></span><span style="color: red;font-family: 宋体">服务器上进行</span></p> <p style="margin: 0px 0px 13px;text-indent: 28px">生成私钥</p> <p style="margin: 0px 0px 13px;text-indent: 28px">生成证书签署请求<span style="font-family: Calibri">/etc/httpd/conf/certs<img title="1432463547181912.png" alt="102.png" src="//cto.wang/usr/uploads/2016/07/20160703145003-85-1.png" /></span></p> <p style="margin: 0px 0px 13px;text-indent: 29px"><span style="color: red"><span style="font-family: Calibri">2.2</span></span><span style="color: red;font-family: 宋体">、在</span><span style="color: red"><span style="font-family: Calibri">CA</span></span><span style="color: red;font-family: 宋体">上给</span><span style="color: red"><span style="font-family: Calibri">http</span></span><span style="color: red;font-family: 宋体">服务器签署证书</span></p> <p style="margin: 0px 0px 13px;text-indent: 28px">需要把<span style="font-family: Calibri">http</span>那台主机的证书申请文件拷贝到<span style="font-family: Calibri">CA</span>(位置随意)</p> <p style="margin: 0px 0px 13px;text-indent: 28px">第<span style="font-family: Calibri">1</span>次签署在<span style="font-family: Calibri">/etc/pki/CA</span>目录下创建以下文件</p> <p style="margin: 0px 0px 13px;text-indent: 29px"><span style="font-family: Calibri"># touch {index.txt,serial}</span></p> <p style="margin: 0px 0px 13px;text-indent: 29px"><span style="font-family: Calibri"># echo "01" > serial </span><span style="color: red;font-family: 宋体">首次必须添加序列号否则会报错</span></p> <p style="margin: 0px 0px 13px;text-indent: 28px"><span style="font-family: Calibri">CA</span>给<span style="font-family: Calibri">http</span>服务器签署证书<img title="1432463577847441.png" alt="103.png" src="//cto.wang/usr/uploads/2016/07/20160703145003-49.png" /><span style="color: fuchsia;font-size: 14px"></span></p> <p style="margin: 0px 0px 13px;text-indent: 28px">确认签署</p> <p style="margin: 0px 0px 13px;text-indent: 31px"><span style="color: black;font-family: 宋体;font-size: 15px">查看</span><span style="color: black;font-family: Consolas;font-size: 15px">index</span><span style="color: black;font-family: Consolas;font-size: 15px">.</span><span style="color: black;font-family: Consolas;font-size: 15px">txt</span><span style="color: black;font-family: 宋体;font-size: 15px">,最前面有一个大</span><span style="color: black;font-family: Consolas;font-size: 15px">V</span></p> <p style="margin: 0px 0px 13px;text-indent: 31px"><span style="color: black;font-family: Consolas;font-size: 15px">serial</span><span style="color: black;font-family: 宋体;font-size: 15px">由</span><span style="color: black;font-family: Consolas;font-size: 15px">01</span><span style="color: black;font-family: 宋体;font-size: 15px">变</span><span style="color: black;font-family: Consolas;font-size: 15px">02</span></p> <p style="margin: 0px 0px 13px;text-indent: 29px"><span style="font-family: Calibri"><span style="color: black">ll /etc/pki/CA/newcerts/ </span></span><span style="color: black;font-family: 宋体">会有一个文件生成<img title="1432463588122754.png" alt="104.png" src="//cto.wang/usr/uploads/2016/07/20160703145003-54.png" /></span></p> <p style="margin: 0px 0px 13px;text-indent: 29px"><span style="font-family: Calibri">2.3</span><span style="font-family: 宋体">、查看生成的证书的信息</span> <span style="font-family: 宋体">(</span><span style="font-family: Calibri">http.crt</span><span style="font-family: 宋体">文件)</span></p> <p style="margin: 0px 0px 13px;text-indent: 29px"><span style="font-family: Calibri"><span style="color: black">openssl x509 </span>-in<span style="color: black"> http</span>.<span style="color: black">crt </span>–<span style="color: black">noout </span>–<span style="color: black">subject</span></span></p> <p style="margin: 0px 0px 13px;text-indent: 29px"><span style="font-family: Calibri"><span style="color: black">openssl x509 </span>-in<span style="color: black"> http</span>.<span style="color: black">crt </span>–<span style="color: black">noout </span>–<span style="color: black">serial</span></span></p> <p style="margin: 0px 0px 13px;text-indent: 29px"><span style="font-family: Calibri">4</span><span style="font-family: 宋体">、生成完需要拷贝到</span><span style="font-family: Calibri">http</span><span style="font-family: 宋体">服务器上</span><span style="font-family: Calibri"> </span><span style="font-family: 宋体">也用</span><span style="font-family: Calibri">scp</span><span style="font-family: 宋体">命令</span></p> <h1><span style="font-family: 宋体">五、<span style="line-height: 18px;font-size: 16px;font-style: italic;font-weight: bold"></span>吊销证书</span></h1> <p style="margin: 0px 0px 13px;text-indent: 29px"><span style="font-family: Calibri">1</span><span style="font-family: 宋体">、第一次吊销需创建文件,生成编号,在</span><span style="font-family: Calibri">CA</span><span style="font-family: 宋体">端进行</span></p> <p style="margin: 0px 0px 13px;text-indent: 29px"><span style="font-family: Calibri">touch /etc/pki/CA/crlnumber</span></p> <p style="margin: 0px 0px 13px;text-indent: 29px"><span style="font-family: Calibri">echo "<span style="color: black">01" > /etc/pki/CA/crlnumber</span></span></p> <p style="margin: 0px 0px 13px;text-indent: 28px"><span style="color: black;font-size: 14px"><span style="font-family: Calibri">2</span></span><span style="color: black;font-family: 宋体;font-size: 14px">、在</span><span style="color: black;font-size: 14px"><span style="font-family: Calibri">CA</span></span><span style="color: black;font-family: 宋体;font-size: 14px">端,吊销证书</span></p> <p style="margin: 0px 0px 13px;text-indent: 29px"><span style="font-family: Calibri"><span style="color: black">openssl ca -revoke /etc/pki/CA/newcerts/01.pem </span></span><span style="color: black;font-family: 宋体">吊销证书</span></p> <p style="margin: 0px 0px 13px;text-indent: 32px"><span style="color: black;font-family: 宋体;font-size: 16px"># cd /etc/pki/CA/crl/ </span></p> <p style="margin: 0px 0px 13px;text-indent: 32px"><span style="color: black;font-family: 宋体;font-size: 16px"># openssl ca -gencrl -out thisca.crl </span><span style="color: black;font-family: 宋体;font-size: 16px">更新证书吊销列表</span></p> <p style="margin: 0px 0px 13px;text-indent: 28px"><span style="color: black;font-size: 14px"><span style="font-family: Calibri">3</span></span><span style="color: black;font-family: 宋体;font-size: 14px">、查看吊销信息</span></p> <p style="margin: 0px 0px 13px;text-indent: 29px"><span style="font-family: Calibri"><span style="color: black"># cat index.txt </span></span><span style="color: black;font-family: 宋体">由</span><span style="font-family: Calibri"><span style="color: black">V</span></span><span style="color: black;font-family: 宋体">变成了</span><span style="color: black"><span style="font-family: Calibri">R</span></span></p> <p style="margin: 0px 0px 13px;text-indent: 29px"><span style="font-family: Calibri"><span style="color: black">cat crlnumber</span></span><span style="color: black;font-family: Consolas;font-size: 15px"> </span><span style="color: black;font-family: 宋体;font-size: 15px">增加(此处我吊销两次所以为</span><span style="color: black;font-family: Consolas;font-size: 15px">03</span><span style="color: black;font-family: 宋体;font-size: 15px">)</span><img title="1432463597800316.png" alt="105.png" src="//cto.wang/usr/uploads/2016/07/20160703145004-60.png" /></p> <p style="margin: 0px 0px 13px;text-indent: 29px"><span style="font-family: 宋体">以上是对加密解密文件,基于</span><span style="font-family: Calibri">CA</span><span style="font-family: 宋体">进行安全传输的个人理解和想法,如有问题请批评指正!希望对那些加密技术有兴趣的朋友有所帮助!</span></p> <p> </p> 最后修改:2021 年 12 月 10 日 10 : 53 AM © 允许规范转载 赞赏 如果觉得我的文章对你有用,请随意赞赏 赞赏作者 支付宝微信