当前位置:网站首页>Documentary on Security Reinforcement of Network Range Monitoring System (1)—SSL/TLS Encrypted Transmission of Log Data
Documentary on Security Reinforcement of Network Range Monitoring System (1)—SSL/TLS Encrypted Transmission of Log Data
2022-08-04 17:53:00 【Debate】
The safety of network range monitoring system strengthening documentary(1)—SSL/TLSThe log data encryption transmission
背景
Japan's thought has a network of unit range(网络靶场(Cyber Range),对真实网络空间中的网络架构、系统设备、The operation of the business process and operation environment simulation and testing ground emersion of platform,以更有效地实现与网络安全相关的学习、研究、检验、竞赛、演习等行为,从而提高人员及机构的网络安全对抗水平.),Network range of some physical drone equipment need to monitor,The acquisition of the drone log to the back-end log analysis system.
领导需求:Drone to the back-end log log analysis system transmission to be safe.
目前现状:Filebeat Distributed deployment in each drone,Acquisition target log in clear text transmission through a firewall to the backendKafKa;Log transmission in plaintext form;Filebeat与KafkaNo identity authentication between;Filebeat对KafkaNo resource access control;(Ps:Increase the network diagram here)
Combining the present situation and the leadership needs,Japan's speculative gives a preliminary safety reinforcement scheme.
安全加固方案:Kafka的认证机制SASL/SCRAM 对Filebeat的身份鉴权 + SSL/TLSThe log data encryption transmission + KafKa的授权机制ACL控制FilebeatThe resource access.
“The safety of network range monitoring system strengthening documentary”系列,Shinohara speculation here,In the direction of the three reinforced implementation,With three articles to record:
Filebeat 与 Kafka (Kraft模式)通过SSL/TLSAgreement encrypted log data; Kafka的认证机制SASL/SCRAM ; KafKa的授权机制ACLResource access control;
This paper is the first article documentary"SSL/TLSAgreement encrypted log data",The article context as follows:
Understand the concepts of all kinds of let you give up openssl生成&签发证书 SSL/TLS握手协商 Filebeat 与 Kafka (Kraft模式)The encrypted log data configuration instance
Understand the concepts of all kinds of let you give up
1. 对称加解密/非对称加密解密/公钥&私钥/签名&验证签名
对称加密:Encryption is encrypted with a password,然后解密也用同样的密码,This is a symmetric encryption to decrypt.
非对称加密:而有些加密时,加密用的一个密码,And decryption with another password,这个叫非对称加密.
公钥&私钥:Asymmetric encryption is used for encryption of two passwords,称为公钥和私钥.Public/private key can be used to encrypt the data.一般来说,公钥加密数据,Then decrypted known as asymmetric encryption to decrypt.
签名&签名验证:通过公钥&The private key is another usage of asymmetric encryption,私钥加密数据,Public key to decrypt the process commonly referred to as the signature and verifying the signature.
2. RSA/DSA/SHA/MD5
RSA/DSA:Is known as asymmetric encryption algorithm,不同的是RSACan be used to add/解密,Can also be used for signature attestation;DSAOnly used for signing.
SHA/MD5:Known as the algorithm,Is generally not used to encrypt decrypt or signature,On the basis of the data content to generate a fixed length of the.This series of corresponding relations between the value and the original data is,Is the original data will be generated this paper,但是,This paper is to cannot be reverted to the original data of,所以,Nature cannot decrypt the original data,Also cannot be used for encryption or signing up.
3. CA/OPENSSL/PEM/DER/X509/KEYTOOL/KeyStore/TrustStore/PKCS/JKS
CA(Certification Authority)
The general public will not clear transmission to others,为什么呢?实际应用中,一般都是和对方交换公钥,然后你要发给对方的数据,用对方的公钥加密,After each other get used his private key to decrypt the,Each other to process data sent to you the same.But if the hackers malicious damage in the process of transmission,To each other's public key to the hacker's public key,Then you are unwittingly in the hacker's public key to encrypt data,So that you and the other communication data will be leaked(这就是中间人攻击).
为了解决这个问题,Need to do a notary confirm the public key is who hair,The notary party isCA.
CAConfirm the principle of public key is simple,基本流程如下:
CAThe public key release to everyone; Anyone want to post a public key can be their own public key and some identity information sent toCA, CAAfter review will be the applicant's public key and identity information to generate the,Then his private key encrypted,Here is called the signature;This contains the information on the applicant's public key and identity document called a certificate file. You need to use the public key file,通过CA的公钥解密文件,如果正常解密,Then prove that the certificate isCA认证过的.
Root certificate according to the application in different ways generally divided into two kinds of:向权威机构CA申请签名证书、自签名证书;
其中,A self-signed certificate is divided into self-signed private certificate with self-signedCA证书;两者区别在于:
Private certificate cannot be revoked,自签的CA证书可以被吊销; You need to create multiple client certificate,推荐使用CA证书,For as long as give all the client(Questionable)都安装了 CA 根证书,So in the CA Root certificate signing a client certificate is trust,Don't need to repeat the installation of client certificate; They sign a certificate of the secondary command also different;
实际应用中,Most people don't find authorityCA去签名,Because that is to receive the money,So I can make a self-signedCA证书文件.
制作CAThe certificate requires a set of tools,目前最流行的就是OPENSSL.
OPENSSL:
openssl[1] ,提供了一个通用、健壮、功能完备的工具套件,用以支持SSL/TLS 协议的实现.
The main components:密码算法库;密钥和证书封装管理功能;SSL通信API接口.
主要应用场景:建立 RSA、DH、DSA key 参数;建立 X.509 证书、证书签名请求(CSR)和CRLs(证书回收列表);计算消息摘要;使用各种 Cipher加密/解密;SSL/TLS 客户端以及服务器的测试;处理S/MIME Or encrypted mail, etc.
PEM和DER:The key file format,用OpenSSL生成的就只有PEM和DER两种格式.
PEM的是将密钥用base64编码表示出来的,直接打开你能看到一串的英文字母;DER格式是二进制的密钥文件,What also don't understand you!
X509:Is gm's certificate file format.
Keytool: 是一个Java[2] 数据证书的管理工具 ,Keytool 将密钥(key)和证书(certificates)存在文件中.
This file is divided into two kinds of:密钥库(keystore)和信任库(truststore).
keystore:密钥库,存储一个私钥和一个相关的证书,或者相关的证书链(由客户证书和一个或多个证书颁发机构(CA)证书组成). truststore:可信任的证书实体(trusted certificate entries),Save the certificate used to identify each other identity——只包含公钥.
JKS和PKCSA series of standards is to specify the store keys and certificates of file standard specification.其中,KS 和 PKCS12 的区别是:JKS 是 Java 特有的格式,而 PKCS12(Public Key Cryptography Standards, 公钥加密标准)Is to store encrypted私钥[3]And the certificate standard has nothing to do with the language.在 JDK8 之前,keystore 和 truststore 的默认格式为 JKS;从 JDK9 开始,默认格式为PKCS12.
openssl生成&签发证书
1. openssl生成&Private certificate issued general steps
生成证书的标准流程是这样的:
生成自己的私钥文件(.key); 基于私钥生成证书请求文件(.csr); 将证书请求文件(.csr)提交给CA,CA会对提交的证书请求中的所有信息生成一个摘要,然后使用CA根证书对应的私钥进行加密,这就是所谓的“签名”操作,完成签名后就会得到真正的签发证书(.cer或.crt); 用户拿到签发后的证书,可能需要导入到自己的密钥库中,如keystore;
Here is an important step3,Japan's speculative needs aCA,但是,Japan's speculative and want to spend the money,因此,Do it himself a self-signed hereCA证书,Use it to certificate signing for ourselves.
2. 自签名CA证书制作
这里不做赘述,Japan's speculative directly to field.
创建保存CACertificate and private key directory.
[[email protected] tls]# mkdir tls
[[email protected] tls]# mkdir /root/tls/{certs,private,crl}
[[email protected] tls]# touch serial crlnumber index.txt
[[email protected] tls]# echo 01 > serial
[[email protected] tls]# echo 1000 > crlnumber可以在
serial
和crlnumber
Any digital file to add to start,Now every time when we are signed or revoked certificates,The corresponding file entry will increase 1.生成CA的私钥.
[[email protected] tls]# openssl genrsa -out private/cakey.pem 4096
Generating RSA private key, 4096 bit long modulus (2 primes)
......................................................................++++
...............++++
e is 65537 (0x010001)生成rsa私钥,4096位强度,cakey.pem是CA秘钥文件名.
基于私钥(.pem)创建证书签名请求(.csr).
[[email protected] tls]# openssl req -new -key private/cakey.pem -out caroot.csr -subj "/C=CN/ST=shanghai/L=shanghai/O=example/OU=it/CN=domain1/CN=domain2"
-nodes Don't encrypt the output key
-subj val Set or modify request subject
-new New request
-key val Private key to use
注意:这里的
-subj val
参数,val 是 申请人信息,格式是 /C=CN/O=Corp/.../CN=www.ez.com,可以使用 \ 转义,不会跳过空格;If disrelish here each time the input of trouble,我们可以设置 openssl.cnf[4]文件,配置文件的详细解释,就不在这里说了,We are interested in to baidu.
利用配置文件创建caCertificate signing request command
-config infile Request template file
[[email protected] tls]# openssl req -new -key private/cakey.pem -out caroot.csr -config openssl.cnf使用CA私钥(.pem)签名CA证书申请文件(.csr),生成CA自签名证书(.crt)
[[email protected] tls]# openssl x509openssl x509 -req -in caroot.csr -out certs/caRoot.pem -signkey private/cakey.pem -days 365
**(可选)**步骤1-3Can synthesize a command,直接生成CAThe private key with self-signed certificates.
[[email protected] tls]# openssl req -x509 -newkey rsa:4096 -nodes -keyout private/cakey.pem -out certs/caRoot.pem -days 3650 -subj "/C=CN/ST=shanghai/L=shanghai/O=example/OU=it/CN=domain1/CN=domain2"
查看生成的证书.
[[email protected] tls]# openssl x509 -noout -text -in certs/cacert.pem
接下来,Japan's speculative use generatedCA的密钥和CACertificate for your server to makeCA签名证书.
3. Production serverCASigning certificate with the key
生成服务器的私钥(server.key.pem) With the certificate application documents(server.csr).
[[email protected] tls]# openssl req -new -newkey rsa:4096 -nodes -keyout private/server.key.pem -out server.csr -subj "/C=CN/ST=shanghai/L=shanghai/O=example/OU=it/CN=domain1/CN=domain2"
Using the previously generatedCAFor the server certificate signed application documents.
[[email protected] tls]# openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out certs/server.x509.crt -days 3650
-CAcreateserial Create serial number file if it does not exist
注意:利用openssl Command to the server's certificate signed application documents ,有两种模式:x509 与 ca.那么,They are what are the similarities and differences between?
相同:Both can sign the certificate request.
区别:
openssl x509
具有更多功能,Like see certificate content,转换证书格式等;而openssl ca
没有这些特性;openssl ca
Maintain a list of certificate data file,而openssl x509
没有;这导致openssl x509
Multiple signature the same certificate,只是更新serial;而openssl ca
Can sign a certificate of the same,Signature must withdraw before the certificate again;openssl ca
Will check the server certificate application documents andCASome of the information root certificate matches,According to the content of the checkopenssl.cnf
的policy_match
部分;而openssl x509
不会去检查;还有一个问题就是
openssl x509
Won't the certificate application documents in theextension部分COPYTo the final signing certificate in,This may causeTLS握手阶段,The client when you start the host name check,握手失败(原因:The host check need calibration certificate inCommonName与extensionThe list fieldssubjectAltName,根据RFC 6125,在2011Released in the validator must first checkSAN,如果SAN存在,那么CNShould not be checked.).解决上述问题,Shinohara speculative pro try two ways:
openssl x509
通过增加-extfile extfile.cnf
;通过openssl ca
利用
penssl ca
生成签名证书,例子:[[email protected] tls]# openssl ca -in server_ext_san.csr -out server.ca.crt -days 3650 -cert ../ca_root.crt -keyfile ../ca.key -config openssl.cnf
SSL/TLS握手协商
1. 客户端与服务器SSL/TLSHandshake negotiation process
Pictured above is reproduced directly from“SSL/TLSProtocol interaction process analysis”[5](侵权请联系删除),More accurate and clear shows the handshake between the client and the server process of symmetric encryption key agreement.
这里补充几点:
The fourth step of client authentication certificate at the same time,If open the host name check need to verify the server host name,验证过程:In the certificateCommonName与extensionThe list fieldssubjectAltNameFind the request host domain withIP地址,如果匹配成功,则验证成功;否则,验证失败.
如果服务器需要验证客户端的身份,Need to send a client certificate to the server.
Combined with the first two chapters look at,Server needs to generate your own private key and public key,Packaged public with information about themselves generate a certificate application documents,提交给CA;这里的CAJapan's speculation by generated by means of the sign,CAThe server certificate to apply for the signature,生成服务端证书;Client authentication server certificate need toCA去验证,因此,The client to save and trust since the signing ofCA证书.如图所示:
Filebeat 与 Kafka (Kraft模式)The encrypted log data configuration instance
本章节,Shinohara speculative gives an example of a configuration.
1. 为Kafka broker 与Filebeat生成SSL KEY 与证书
Japan's speculative give a SHELL 脚本,It can facilitate your Settings SSL,代码如下:
#!/bin/bash
echo “0. create worker dir.....”
mkdir /root/tls
mkdir /root/tls/{server, client}
touch serial crlnumber index.txt
echo 01 > serial
echo 1000 > crlnumber
cd /root/tls
echo "1. create CA key certificate......"
openssl genrsa -out ./ca.key
openssl req -new -key ca.key -out ca.csr
openssl x509 -req -days 3650 -in ca.csr -signkey ca.key -out ca_root.crt
echo "2. create kafka broker truststore keystore key certificate......"
cd ./server
keytool -keystore server_ext.keystore.jks -alias kafka_san -validity 3650 -genkey -keyalg RSA -storetype pkcs12 -ext SAN=DNS:kafka.pml.com.cn,IP:172.18.10.249
keytool -keystore server_ext.keystore.jks -alias kafka_san -certreq -file server_ext_san.csr
echo subjectAltName = DNS:kafka.pml.com.cn,IP:172.18.10.249 > extfile.cnf
openssl x509 -req -in server_ext_san.csr -CA ../ca_root.crt -CAkey ../ca.key -CAcreateserial -extfile extfile.cnf -out server_san.x509.crt -days 3650
keytool -keystore server_ext.keystore.jks -alias kafka_san -import -file server_san.x509.crt
keytool -keystore server_ext.keystore.jks -alias CARoot -import -file ../ca_root.crt
keytool -keystore kafka_trustchain -alias CARoot -import -file ../ca_root.crt
echo "3. create filebeat key certificate trust-ca......"
cd ../client
cat ../ca_root.crt > filebeat_trust.cert.pem
openssl genrsa -out client.key 2048
openssl req -new -key client.key -out client.csr
openssl ca -in client.csr -cert ../ca_root.crt -keyfile ../ca.key -out client.crt
openssl x509 -in client.crt -out client.crt.pem -outform PEM
最后,Need to put the server and the client certificateCOPY到指定的broker与Filebeat所在的宿主机上.
2. 修改Kafka配置文件
这里kafkaThere is no more generalzk模式,采用3.0之后最新的Kraft模式.server.properties部分配置如下:
42 listeners=PLAINTEXT://172.18.10.249:9192,SSL://172.18.10.249:9194,CONTROLLER://0.0.0.0:9193
43 #listeners=PLAINTEXT://172.18.10.249:9192,CONTROLLER://:9193
44 #listeners=PLAINTEXT://172.18.10.249:9092,SSL://172.18.10.249:9192
45 #listeners=PLAINTEXT://172.18.10.249:9092
46 inter.broker.listener.name=PLAINTEXT
47 #listeners=SSL://172.18.10.249:9092
48 #inter.broker.listener.name=SSL
49
50
51 # Hostname and port the broker will advertise to producers and consumers. If not set,
52 # it uses the value for "listeners" if configured. Otherwise, it will use the value
53 # returned from java.net.InetAddress.getCanonicalHostName().
54 #advertised.listeners=PLAINTEXT://172.18.10.249:9192
55 advertised.listeners=PLAINTEXT://172.18.10.249:9192,SSL://172.18.10.249:9194
56 #advertised.listeners=SSL://172.18.10.249:9194
57 ssl.enabled.protocols=TLSv1.2,TLSv1.1,TLSv1
58
59 #security.inter.broker.protocol=PLAINTEXT
60 ssl.endpoint.identification.algorithm= #Don't verify host name
61 #ssl.endpoint.identification.algorithm=HTTPS
62
63 #old#ssl.keystore.location=/usr/kafka_2.12-3.1.0/config/kraft/server/server.keystore.jks
64 ssl.keystore.location=/root/tls/server/server_ext.keystore.jks
65 ssl.keystore.password=123456
66 ssl.keystore.type=PKCS12
67 ssl.key.password=123456
68 #old#ssl.truststore.location=/usr/kafka_2.12-3.1.0/config/kraft/server/server.truststore.jks
69 ssl.truststore.location=/root/tls/server/kafka_trustchain.jks
70 ssl.truststore.password=123456
71 ssl.truststore.type=PKCS12
72 ssl.client.auth=none #Don't do the client certificate check
3. Filebeat端配置
Filebeat端需要在/etc/hosts
中增加FQDN 与IPAdress对应关系.
filebeat.yml 部分配置如下:
output.kafka:
77 #----------------------------- kafka output --------------------------------
78 enable: true
79 hosts: ["kafka.pml.com.cn:9194"]
80 topic: '%{[topic]}'
81 partition.round_robin:
82 reachable_only: false
83
84 required_acks: 1
85 compression: gzip
86 max_message_bytes: 1000000
87
88 ssl.enabled: true
89 ssl.certificate_authorities: ["/root/tls/filebeat.cert.pem"]
90 ssl.certificate: "/root/tls/client/client.crt.pem"
91 ssl.key: "/root/tls/client/client.key"
92 #ssl.verification_mode: none
总结
Japan's speculative realized through this articleFilebeat 到 Kafka (Kraft模式)The log data encryption transmission,Deepened to the digital certificate、证书签名、证书验证、tlsProtocol such as understanding of the concept of.
参考资料
openssl: https://www.openssl.org/source/
[2]Java: http://lib.csdn.net/base/java
[3]私钥: https://so.csdn.net/so/search?q=私钥&spm=1001.2101.3001.7020
[4]openssl.cnf: https://blog.csdn.net/wzfgd/article/details/109805158
[5]“SSL/TLSProtocol interaction process analysis”: https://blog.csdn.net/chasonli666/article/details/89278600
边栏推荐
- R语言计算时间序列数据的逐次差分(successive differences):使用diff函数计算时间序列数据的逐次差分值
- 如何让 JS 代码不可断点
- 对象实例化之后一定会存放在堆内存中?
- 基于大学生内卷行为的调查研究
- clickhouse online and offline table
- To eliminate asynchronous callbacks, it has to be async-await
- 下一代 AutoAI:从模型为中心,到数据为中心
- 离散化求前缀和
- 【日记】mysql数据库连接池
- Cholesterol-PEG-Maleimide,CLS-PEG-MAL,胆固醇-聚乙二醇-马来酰亚胺一种修饰性PEG
猜你喜欢
随机推荐
2022年五一数学建模C题讲解
力扣学习---0804
RecyclerView 缓存与复用机制
Error when using sourcemap for reporting an error: Can‘t resolve original location of error.
Interval greedy (interval merge)
微信jsApi调用失效的相关问题
arm交叉编译
基于clipboard.js对复制组件的封装
OpenInfra Days China 2022|SelectDB与你共享 Apache Doris 在互联网广告业务中的实践
对象实例化之后一定会存放在堆内存中?
dotnet core 使用 CoreRT 将程序编译为 Native 程序
localstorage本地存储的方法
2018读书记
小程序学习目标
"Involution" Index Analysis Based on AHP
Investigation and Research Based on the Involution Behavior of College Students
荣耀发布开发者服务平台,智慧生态合作提速
flink-cdc支持并行读取一张mysql表的binlog不?
R语言计算时间序列数据的逐次差分(successive differences):使用diff函数计算时间序列数据的逐次差分值
基于 eBPF 的 Kubernetes 可观测实践