Encryption and decryption and the application of OpenSSL
2022-06-30 21:16:00 【Brother Xing plays with the clouds】
This article briefly covers:
I. The three kinds of data encryption;
II. Basic use of OpenSSL, and creating a private CA and certificates.
I. The three kinds of data encryption
1. Symmetric encryption: both sides use the same algorithm and the same key. The plaintext is cut into fixed-size blocks and encrypted block by block; in the chained modes (CBC and its relatives) each ciphertext block is mixed into the encryption of the next one, and decryption undoes that chaining block by block.
Commonly used symmetric algorithms:
DES (56-bit key), 3DES, AES (128/192/256-bit key), Blowfish
Twofish, IDEA, RC6, CAST5, Serpent
(DES's 56-bit key is brute-forceable and should not be used for new systems; AES is the standard choice.)
Characteristics: encryption and decryption use the same key;
the plaintext is split into fixed-size blocks, which are encrypted in turn;
encryption is fast.
Shortcomings: the key has to be transmitted to the other side, and that transfer is the weak point;
with many peers there are too many keys to manage (n parties need n(n-1)/2 pairwise keys).
2. Public-key encryption (asymmetric encryption): the main difference from symmetric encryption is that the key that encrypts is not the key that decrypts. Each party has a pair: one is published (the public key), one is kept secret (the private key). This removes the key-distribution problem of symmetric encryption, since only public keys need to be exchanged, and improves security accordingly.
Asymmetric algorithms: RSA, ElGamal, DSA (DSA only signs; it does not encrypt)
Characteristics: for confidentiality, the sender encrypts with the receiver's public key and the receiver decrypts with its own private key.
For identity authentication (a digital signature), the sender signs with its own private key and the receiver verifies with the sender's public key; this proves who produced the data, it does not keep the data secret.
Shortcoming: asymmetric encryption and decryption are far slower than symmetric ciphers, so in practice they protect only a short session key or a digest (see the combination below).
3. One-way encryption (hashing): a fixed-length fingerprint (digest) is computed from the data with a hash algorithm; the computation cannot be reversed to recover the data.
Digest algorithms: MD5, SHA-1, SHA-512 (CRC-32 is often listed alongside them, but it is an error-detecting checksum, not a cryptographic hash: matching values are trivial to construct. MD5 and SHA-1 are also collision-broken; use SHA-2 or SHA-3 for anything security-relevant.)
Message authentication algorithms: CBC-MAC, HMAC
Characteristics:
Message authentication: a bare digest only shows whether the data changed; anyone who alters the data can recompute it. To authenticate the origin, the digest must be signed with a private key, or a keyed MAC (HMAC) must be used instead.
Avalanche effect: a small change in the input produces a large change in the output.
Fixed-length output: whatever the length of the input, a given algorithm always produces output of the same length.
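The three properties listed above, checked with `openssl dgst`, as an added example that is not code from the original post. The key, the messages and the "forger" are constructed here for the demonstration; the HMAC key is a placeholder, not a real secret.

```shell
#!/bin/sh
# Added example (not code from the original post): the hash properties listed
# above checked with `openssl dgst`. Keys and messages are constructed here.
set -eu

# Hex SHA-256 of a string; printf '%s' so that no trailing newline is hashed.
sha256_hex() { printf '%s' "$1" | openssl dgst -sha256 | awk '{print $NF}'; }

# Hex HMAC-SHA256 of message $2 under key $1 (keyed, unlike a bare digest).
hmac_sha256_hex() { printf '%s' "$2" | openssl dgst -sha256 -hmac "$1" | awk '{print $NF}'; }

# Count the hex digits at which two equal-length hex strings differ.
differing_nibbles() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = 0
    for (i = 1; i <= length(a); i++) if (substr(a, i, 1) != substr(b, i, 1)) n++
    print n
  }'
}

# Avalanche effect: "abc" and "abd" differ in one input character, yet
# roughly 15 of every 16 hex digits of the digest change (typically ~60 of 64).
avalanche_nibbles() { differing_nibbles "$(sha256_hex abc)" "$(sha256_hex abd)"; }

# Fixed-length output: an empty input and a 10 KiB input both give 64 hex digits.
digest_len() { sha256_hex "$1" | awk '{ print length($0) }'; }
big_input()  { head -c 10240 /dev/zero | tr '\0' 'x'; }

# Integrity vs authentication. A receiver stores a tag beside each message and
# recomputes it on receipt. With a bare digest, a forger who changes the message
# simply recomputes the tag as well; with an HMAC the forger does not have the key.
KEY='s3cret-demo-key'             # constructed; use >= 32 random bytes in practice
MSG='transfer 100 to account 42'
FORGED='transfer 900 to account 42'
check_plain() { [ "$(sha256_hex "$1")" = "$2" ]; }               # $1=message $2=tag
check_hmac()  { [ "$(hmac_sha256_hex "$KEY" "$1")" = "$2" ]; }   # $1=message $2=tag
forged_plain_tag() { sha256_hex "$FORGED"; }                     # needs no secret
forged_hmac_tag()  { hmac_sha256_hex 'wrong-guess' "$FORGED"; }  # has to guess KEY

printf 'sha256("abc") = %s\n' "$(sha256_hex abc)"
printf 'hex digits changed abc->abd: %s of 64\n' "$(avalanche_nibbles)"
printf 'len(sha256("")) = %s, len(sha256(10 KiB)) = %s\n' "$(digest_len '')" "$(digest_len "$(big_input)")"
check_plain "$FORGED" "$(forged_plain_tag)" && echo 'bare digest: forgery accepted'
check_hmac  "$FORGED" "$(forged_hmac_tag)"  || echo 'HMAC: forgery rejected'
```

The last two lines are the point of the "message authentication" bullet: the digest check passes on the forged message, the HMAC check does not.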
Combining the three (the figure in the original post shows the flow):
Symmetric encryption provides confidentiality of the bulk data, public-key encryption provides identity authentication and protects the symmetric key in transit, and one-way hashing provides integrity.
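The combined flow just described, run end to end on the openssl command line, as an added example rather than code from the original post. The parties (Alice sends, Bob receives), their key pairs and the message are constructed here; the session key is a random value generated per message.

```shell
#!/bin/sh
# Added example (not code from the original post): the three mechanisms
# combined on the openssl command line. Alice (sender), Bob (receiver), their
# keys and the message are all constructed here for the demonstration.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT; cd "$WORK"

# Long-term RSA key pairs; each party publishes its .pub and keeps its .key.
for who in alice bob; do
  openssl genrsa -out "$who.key" 2048 2>/dev/null
  openssl rsa -in "$who.key" -pubout -out "$who.pub" 2>/dev/null
done
printf 'transfer 100 to account 42\n' > msg.txt

# Sender side: produces msg.enc, key.enc and msg.sig.
send_message() {
  # Confidentiality (symmetric): a fresh random 256-bit value, used as the
  # passphrase from which the AES-256-CBC key and IV are derived with PBKDF2.
  openssl rand -hex 32 > session.key
  openssl enc -aes-256-cbc -pbkdf2 -pass file:session.key -in msg.txt -out msg.enc
  # Key distribution (public key): wrap the session key with RSA-OAEP under
  # Bob's public key; only Bob's private key can unwrap it.
  openssl pkeyutl -encrypt -pubin -inkey bob.pub -pkeyopt rsa_padding_mode:oaep \
    -in session.key -out key.enc
  # Integrity + authentication (one-way hash + private key): sign the SHA-256
  # digest of the ciphertext with Alice's private key.
  openssl dgst -sha256 -sign alice.key -out msg.sig msg.enc
  rm session.key
}

# Receiver side: verify the signature first, then unwrap, then decrypt.
# Returns non-zero as soon as any step fails.
receive_message() {  # $1=ciphertext $2=signature $3=wrapped key $4=output file
  openssl dgst -sha256 -verify alice.pub -signature "$2" "$1" >/dev/null 2>&1 || return 1
  openssl pkeyutl -decrypt -inkey bob.key -pkeyopt rsa_padding_mode:oaep \
    -in "$3" -out session.dec 2>/dev/null || return 1
  openssl enc -d -aes-256-cbc -pbkdf2 -pass file:session.dec -in "$1" -out "$4" 2>/dev/null
}

roundtrip_ok() { receive_message msg.enc msg.sig key.enc msg.dec && cmp -s msg.txt msg.dec; }

# A ciphertext with its first byte altered must be rejected at the signature step.
tamper_rejected() {
  { printf '\377'; tail -c +2 msg.enc; } > msg.tampered
  ! receive_message msg.tampered msg.sig key.enc /dev/null
}

# The wrong private key (here Alice's) cannot unwrap the session key;
# OAEP's built-in integrity check makes that failure deterministic.
wrong_key_cannot_unwrap() {
  ! openssl pkeyutl -decrypt -inkey alice.key -pkeyopt rsa_padding_mode:oaep \
      -in key.enc -out /dev/null 2>/dev/null
}

send_message
roundtrip_ok          && echo 'Bob: signature OK, message recovered'
tamper_rejected       && echo 'Bob: tampered ciphertext rejected'
wrong_key_cannot_unwrap && echo 'wrong private key: session key stays wrapped'
```

Verification happens before decryption so that a forged or modified ciphertext is never fed to the decryptor; in a real deployment the signature would also cover the wrapped key and a message identifier, which this demonstration leaves out.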
II. Basic use of OpenSSL and creation of a CA and certificates
1) OpenSSL is a toolkit that implements the SSL (Secure Sockets Layer)/TLS (Transport Layer Security) protocols and the cryptography beneath them. It consists of three components:
1. libcrypto: the general-purpose cryptographic library;
2. libssl: the implementation of the SSL/TLS protocols;
3. the openssl multi-purpose command-line tool.
The command-line tool can generate keys, create digital certificates, compute message digests, and encrypt or decrypt data by hand.
2) Symmetric encryption and decryption with openssl enc
Algorithms available: DES, 3DES, AES, Blowfish, Twofish, RC6, CAST5
Encryption: openssl enc -des3 -a -salt -in /etc/issue -out /tmp/issue_cipher
(-des3 selects Triple DES in CBC mode, -a base64-encodes the output, -salt prefixes a random salt so that the same password does not give the same ciphertext twice.)

    [root@server ~]# cat /etc/issue            # the plaintext before encryption
    CentOS release 6.5 (Final)
    Kernel \r on an \m
    [root@server ~]# openssl enc -des3 -a -salt -in /etc/issue -out /tmp/issue_cipher
    enter des-ede3-cbc encryption password:             # type the password
    Verifying - enter des-ede3-cbc encryption password: # type it again
    [root@server ~]# cd /tmp/
    [root@server tmp]# ls
    issue_cipher  yum.log
    [root@server tmp]# cat issue_cipher                 # the encrypted file
    U2FsdGVkX1+A3cLqRI09pTWDT6BhqierBK69evESmUcH9SOHUaA+0nw87hM5sDCT
    2/PlBNgiqTMiiKelkoAyBw==

Decryption: openssl enc -d -des3 -a -salt -in /tmp/issue_cipher -out /mnt/issue

    [root@server ~]# openssl enc -d -des3 -a -salt -in /tmp/issue_cipher -out /mnt/issue
    enter des-ede3-cbc decryption password:             # the same password
    [root@server ~]# cat /mnt/issue                     # the decrypted content
    CentOS release 6.5 (Final)
    Kernel \r on an \m

Caveat: 3DES, and the key derivation this command uses by default on the CentOS 6 OpenSSL shown (a single MD5 pass over password and salt), are both weak. On a current OpenSSL (1.1.1 or later) use -aes-256-cbc together with -pbkdf2, and remember that the decrypting side must pass the same options, or it derives a different key.

Public-key operations, for comparison:
Confidentiality: encrypt with the receiver's public key, decrypt with the receiver's private key.
Digital signature: sign with the sender's private key, verify with the sender's public key.
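The openssl enc usage above reworked with AES-256-CBC and PBKDF2, and the checks a practitioner would want around it (salt header, random salt, wrong passphrase, mismatched key derivation), as an added example that is not code from the original post. The plaintext, passphrases and file names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not code from the original post): `openssl enc` as used
# above, but with AES-256-CBC and PBKDF2 instead of 3DES and the legacy
# one-pass MD5 key derivation. Plaintext, passphrases and file names are
# constructed for the demonstration.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT; cd "$WORK"
printf 'CentOS release 6.5 (Final)\nKernel \\r on an \\m\n' > issue   # stands in for /etc/issue

# -salt         8 random bytes stored after the "Salted__" marker, so the same
#               passphrase never produces the same ciphertext twice
# -pbkdf2 -iter derive key and IV with 200000 rounds of PBKDF2-HMAC-SHA256
# -a            base64 armour, as in the post
# -pass pass:   handy for a demo but visible in `ps`; prefer -pass file: or env:
encrypt_file() {  # $1=plaintext $2=ciphertext $3=passphrase
  openssl enc -aes-256-cbc -a -salt -pbkdf2 -iter 200000 -pass "pass:$3" -in "$1" -out "$2"
}
decrypt_file() {  # $1=ciphertext $2=plaintext $3=passphrase; fails on bad padding
  openssl enc -d -aes-256-cbc -a -pbkdf2 -iter 200000 -pass "pass:$3" -in "$1" -out "$2" 2>/dev/null
}

roundtrip_ok() {
  encrypt_file issue issue.enc 'correct horse' &&
  decrypt_file issue.enc issue.dec 'correct horse' &&
  cmp -s issue issue.dec
}
# "U2FsdGVkX1" is base64 for "Salted__", the prefix seen in the post's ciphertext.
has_salted_header() { encrypt_file issue h.enc pw && [ "$(head -c 10 h.enc)" = U2FsdGVkX1 ]; }
# The random salt makes two encryptions of the same file differ.
salt_is_random() { encrypt_file issue a.enc pw; encrypt_file issue b.enc pw; ! cmp -s a.enc b.enc; }
# A wrong passphrase normally fails with "bad decrypt" (invalid padding), but
# about 1 time in 256 the padding happens to look valid and garbage is written
# instead, so the robust check is "output != plaintext", not the exit status.
wrong_passphrase_rejected() {
  encrypt_file issue w.enc right
  decrypt_file w.enc w.dec wrong || true
  ! cmp -s issue w.dec 2>/dev/null
}
# Both sides must use the same derivation: decrypting a -pbkdf2 file with the
# legacy derivation (all an OpenSSL older than 1.1.1 can do) yields a different key.
legacy_kdf_mismatch() {
  encrypt_file issue k.enc right
  openssl enc -d -aes-256-cbc -a -pass pass:right -in k.enc -out k.dec 2>/dev/null || true
  ! cmp -s issue k.dec 2>/dev/null
}

roundtrip_ok              && echo 'round trip: OK'
has_salted_header         && echo 'header: Salted__'
salt_is_random            && echo 'salt: two ciphertexts differ'
wrong_passphrase_rejected && echo 'wrong passphrase: plaintext not recovered'
legacy_kdf_mismatch       && echo 'legacy KDF: plaintext not recovered'
```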
3) Contents of a digital certificate (X.509 format)
The subject's public key and the validity period;
The identity of the holder (the subject name);
The permitted uses of the certificate (key usage and extended key usage);
Information about the issuing certification authority;
The CA's digital signature over all of the above, which the relying party verifies with the CA's public key to establish that the certificate is genuine.
4) Generating a private CA and certificates with openssl
Experimental environment: Server (the CA) 172.16.34.200; Client (the web server applying for a certificate) 172.16.34.2

1. On the server, first generate the CA key pair (the umask keeps the private key readable by root only):

    [root@server CA]# (umask 077; openssl genrsa -out private/cakey.pem 2048)
    Generating RSA private key, 2048 bit long modulus
    .....................................................................................................................+++
    ......+++
    e is 65537 (0x10001)

2. On the server, create the self-signed CA certificate, cacert.pem (it appears in the directory listing of the next step; the post gives no command for this step).

3. Create the files the ca command needs (the certificate database, the serial-number file and the CRL-number file):

    [root@server CA]# touch index.txt serial crlnumber
    [root@server CA]# ls
    cacert.pem  certs  crl  crlnumber  index.txt  newcerts  private  serial
    [root@server CA]# echo 1 > serial
    [root@server CA]# cat serial
    1

4. On the client, generate the key for the service the certificate is for, and keep it in that service's configuration directory:

    mkdir /etc/httpd/ssl
    cd /etc/httpd/ssl
    [root@client ssl]# (umask 077; openssl genrsa -out httpd.key 1024)
    Generating RSA private key, 1024 bit long modulus
    .++++++
    ........++++++
    e is 65537 (0x10001)
    [root@client ssl]# ls
    httpd.key

(1024-bit RSA is too short for current use; generate 2048 bits or more, as the CA key above does.)

5. Generate the certificate signing request:

    [root@client ssl]# openssl req -new -key httpd.key -out httpd.csr
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [XX]:CN
    State or Province Name (full name) []:BJ
    Locality Name (eg, city) [Default City]:BJ
    Organization Name (eg, company) [Default Company Ltd]:Ouyang
    Organizational Unit Name (eg, section) []:linux
    Common Name (eg, your name or your server's hostname) []:ca.ouyang.com
    Email Address []:[email protected]

    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:RedHat
    An optional company name []:redhat

(The Country, State and Organization entered on the client must match the CA's own: the default policy_match section of openssl.cnf makes the ca command refuse a request whose values differ. The Common Name should be the hostname clients will connect to; the transcript reuses the CA's name ca.ouyang.com, which a browser would reject for a web server with any other name.)

6. The client sends the request file to the server:

    scp httpd.csr 172.16.34.200:/tmp

7. The CA signs the client's request. The signed certificate must go to a separate .crt file (the post's command wrote the output over the CSR itself); 3655 days is roughly ten years, far longer than the year or two usual for a server certificate:

    openssl ca -in /tmp/httpd.csr -out /tmp/httpd.crt -days 3655

8. Send the signed certificate back to the applicant:

    scp /tmp/httpd.crt 172.16.34.2:/etc/httpd/ssl

9. Revoking a certificate is done on the server (the CA); afterwards regenerate the CRL with the ca command's -gencrl option and publish it, or relying parties never learn of the revocation:

    openssl ca -revoke /tmp/httpd.crt
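Steps 1 to 9 above as one reproducible script, as an added example rather than code from the original post. It carries its own minimal openssl.cnf so that it does not depend on the distribution's /etc/pki/tls/openssl.cnf; the DN values, hostnames and paths are constructed here, and the self-signing step the post lists without a command is done with `openssl req -new -x509`. It also shows the two checks the post leaves out: the CA refusing a request that violates policy_match, and a revoked certificate still verifying until the relying party checks the CRL.

```shell
#!/bin/sh
# Added example (not code from the original post): steps 1-9 above as one
# reproducible script with a minimal openssl.cnf of its own, so it does not
# depend on the distribution's /etc/pki/tls/openssl.cnf. DN values, hostnames
# and paths are constructed here; step 2, which the post lists without a
# command, is done with `openssl req -new -x509`.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT; cd "$WORK"
CA="$WORK/CA"; CNF="$WORK/ca.cnf"

# Step 3 first: the layout, database and counters the ca command expects.
mkdir -p "$CA/private" "$CA/newcerts" "$CA/crl"
touch "$CA/index.txt"; echo 01 > "$CA/serial"; echo 01 > "$CA/crlnumber"
cat > "$CNF" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir              = $CA
database         = \$dir/index.txt
new_certs_dir    = \$dir/newcerts
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
certificate      = \$dir/cacert.pem
private_key      = \$dir/private/cakey.pem
default_md       = sha256
default_crl_days = 30
policy           = policy_match
[ policy_match ]
countryName            = match
stateOrProvinceName    = match
localityName           = optional
organizationName       = match
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional
[ req ]
distinguished_name = req_dn
[ req_dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
[ v3_server ]
basicConstraints = CA:FALSE
keyUsage         = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = DNS:www.ouyang.com
EOF
CA_DN="/C=CN/ST=BJ/L=BJ/O=Ouyang/OU=linux/CN=ca.ouyang.com"
SRV_DN="/C=CN/ST=BJ/L=BJ/O=Ouyang/OU=linux/CN=www.ouyang.com"

# Steps 1-2: CA key pair (private key readable by root only) and self-signed root.
(umask 077; openssl genrsa -out "$CA/private/cakey.pem" 2048 2>/dev/null)
openssl req -config "$CNF" -new -x509 -key "$CA/private/cakey.pem" -subj "$CA_DN" \
  -extensions v3_ca -days 3650 -out "$CA/cacert.pem"
# Steps 4-5: server key (2048 bits, not the post's 1024) and signing request.
(umask 077; openssl genrsa -out httpd.key 2048 2>/dev/null)
openssl req -config "$CNF" -new -key httpd.key -subj "$SRV_DN" -out httpd.csr
# Step 7: the CA signs. policy_match is the "must agree with the server" rule
# from step 5: a CSR whose C/ST/O differ from the CA's own is refused.
sign_csr() {  # $1=csr $2=certificate out
  openssl ca -config "$CNF" -batch -notext -extensions v3_server -days 365 \
    -in "$1" -out "$2" >/dev/null 2>&1
}
sign_csr httpd.csr httpd.crt

verify_chain()    { openssl verify -CAfile "$CA/cacert.pem" httpd.crt >/dev/null 2>&1; }
verify_with_crl() { openssl verify -crl_check -CAfile "$CA/cacert.pem" -CRLfile "$CA/crl/ca.crl" httpd.crt >/dev/null 2>&1; }
issuer_cn()       { openssl x509 -in httpd.crt -noout -issuer | grep -o 'ca\.ouyang\.com'; }
mismatched_csr_refused() {
  openssl req -config "$CNF" -new -key httpd.key -subj "/C=US/ST=CA/O=Other/CN=evil.example" -out bad.csr
  ! sign_csr bad.csr bad.crt
}
# Step 9: revoke, then publish a CRL. Without -crl_check a revoked certificate
# still verifies, so relying parties have to fetch and check the CRL (or use OCSP).
revoke_and_publish_crl() {
  openssl ca -config "$CNF" -revoke httpd.crt 2>/dev/null
  openssl ca -config "$CNF" -gencrl -out "$CA/crl/ca.crl" 2>/dev/null
}

verify_chain && echo "httpd.crt: chain OK, issued by $(issuer_cn)"
mismatched_csr_refused && echo "bad.csr: refused by policy_match"
revoke_and_publish_crl
verify_chain && echo "httpd.crt: still verifies without a CRL check"
verify_with_crl || echo "httpd.crt: revoked (CRL check)"
```

The v3_server section is what makes the issued certificate usable by a browser: a subjectAltName with the real hostname, CA:FALSE, and a serverAuth extended key usage. The post's transcript puts the CA's own name in the server's Common Name and adds no SAN, which current clients reject.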