linux加密认证全面分析
基礎(chǔ)了解篇:
(1)對(duì)稱(chēng)加密
在對(duì)稱(chēng)加密算法中,數(shù)據(jù)發(fā)信方將明文(未加密前的數(shù)據(jù))和加密密鑰一起經(jīng)過(guò)特殊加密算法處理后,使其變成復(fù)雜的加密密文(加密后的數(shù)據(jù))發(fā)送出去。收信方收到密文后,若想解讀原文,則需要使用加密用過(guò)的密鑰及相同算法的逆算法對(duì)密文進(jìn)行解密,才能使其恢復(fù)成可讀明文。也就是說(shuō)加密和解密使用相同的密碼,對(duì)稱(chēng)加密解密的特點(diǎn)是運(yùn)算相對(duì)非對(duì)稱(chēng)加密解密簡(jiǎn)單、速度塊。具有代表性的有DES、AES 3DES。
? NAST:DES(Data Encryption Standard)數(shù)據(jù)加密標(biāo)準(zhǔn),使用56位的密鑰實(shí)現(xiàn)8輪置換進(jìn)行加密。
AES(Advanced):高級(jí)加密標(biāo)準(zhǔn),使用的是128位,192位,256位長(zhǎng)度的密鑰,可以隨意選擇。
(2)非對(duì)稱(chēng)加密/解密
非對(duì)稱(chēng)加密算法在加密和解密時(shí)使用不同的密碼。如果使用公鑰(是從私鑰中提取出來(lái)的)對(duì)數(shù)據(jù)進(jìn)行加密,使用與之配對(duì)的私鑰解密;如果用私鑰對(duì)數(shù)據(jù)進(jìn)行加密,那么只有用配對(duì)的公鑰才能解密。非對(duì)稱(chēng)加密的安全性是基于數(shù)學(xué)函數(shù),特點(diǎn)是運(yùn)算復(fù)雜、速度慢;所以很少有人拿來(lái)為大量數(shù)據(jù)加密。具有代表性的有RSA、DSS、ECC。
解析:
私鑰公鑰適于做身份驗(yàn)證不適于做網(wǎng)絡(luò)加密
公鑰私鑰能保障數(shù)據(jù)的機(jī)密性適于加密認(rèn)證
(3)單向加密
特點(diǎn):不管加密的數(shù)據(jù)多長(zhǎng)都會(huì)定長(zhǎng)輸出;不可逆轉(zhuǎn)即無(wú)法將得到的數(shù)據(jù)在逆著解密;但是會(huì)形成只要數(shù)據(jù)微小的變化就會(huì)導(dǎo)致結(jié)果的巨大變化也就是雪崩效應(yīng)。
單項(xiàng)加密也可以實(shí)現(xiàn)數(shù)據(jù)完整性和實(shí)現(xiàn)身份的驗(yàn)證。關(guān)于實(shí)現(xiàn)的過(guò)程筆者懂但是無(wú)法描述清晰只好借助某大神表述:
完整性驗(yàn)證:
? ?A先用單向加密數(shù)據(jù)將得到的數(shù)據(jù)再用自己的私鑰加密附在數(shù)據(jù)之后發(fā)給B;B收到數(shù)據(jù)后若能用A的公鑰解密出加過(guò)密的特征碼則說(shuō)明這就是A發(fā)來(lái)的數(shù)據(jù),若用單向加密數(shù)據(jù)能得到和A發(fā)來(lái)的一模一樣的特征碼說(shuō)明此數(shù)據(jù)沒(méi)被別人篡改過(guò)這樣就保證了數(shù)據(jù)的完整性
身份驗(yàn)證:
? ?A用單向加密要發(fā)給B的數(shù)據(jù)得到特征碼,再用自己的私鑰加密此特征碼,將加過(guò)密的特征碼附加在數(shù)據(jù)之后A會(huì)用自己生成的對(duì)稱(chēng)密鑰加密這兩段數(shù)據(jù)再用A的公鑰加密生成的密鑰再次附件在加過(guò)密的兩段數(shù)據(jù)之后發(fā)給B;B收到數(shù)據(jù)后用自己的私鑰解密出密碼然后用此密碼解密出數(shù)據(jù),若B能用A的公鑰解出附加在數(shù)據(jù)之后的特征碼就說(shuō)明這就是A發(fā)來(lái)的數(shù)據(jù),若B用單向加密得到的數(shù)據(jù)特征碼和A發(fā)來(lái)的一模一樣則說(shuō)明此數(shù)據(jù)未被篡改過(guò)如此一來(lái)身份驗(yàn)證,數(shù)據(jù)完整性和數(shù)據(jù)加密便都可實(shí)現(xiàn)了但此過(guò)程也會(huì)遇到無(wú)法保證得到的公鑰就是要通信的一方的公鑰。
說(shuō)實(shí)話這位大神的表述我暈了,望各位看客能夠清晰對(duì)待啊!!
小加密認(rèn)證結(jié):利用以上三種加密機(jī)制完成一次完整意義上的加密通信:
? ? ? ? 1、發(fā)送方使用選定的單向加密算法計(jì)算原始數(shù)據(jù)的特征碼;
? ? ? ? 2、發(fā)送方使用自己的私鑰加密特征碼,附加于原始數(shù)據(jù)后面;
? ? ? ? 3、發(fā)送方生成一次性對(duì)稱(chēng)密鑰,并使用此密鑰加密數(shù)據(jù)(原始數(shù)據(jù)+加密后的特征碼);
? ? ? ? 4、發(fā)送方使用接收方的公鑰加密一次性對(duì)稱(chēng)密鑰,附加于加密數(shù)據(jù)后面
? ? ? ? 5、發(fā)送;
? ? ? ? 1、接收方使用自己的私鑰解密加密的一次性對(duì)稱(chēng)密鑰;
? ? ? ? 2、使用對(duì)稱(chēng)密鑰解密數(shù)據(jù),得到加密的特征碼和原始數(shù)據(jù);
? ? ? ? 3、使用發(fā)送方的公鑰解密加密的特征碼;
? ? ? ? 4、使用與發(fā)送方相同的單向加密算法重新計(jì)算數(shù)據(jù)的特征碼,并與解密出的特征做比較;
? ?PKI是Public KeyInfrastructure的縮寫(xiě),是指用公鑰概念和技術(shù)來(lái)實(shí)施和提供安全服務(wù)的具有普適性的安全基礎(chǔ)設(shè)施。
一個(gè)典型、完整、有效的PKI應(yīng)用系統(tǒng)至少應(yīng)具有以下部分:
? ?端實(shí)體(申請(qǐng)者)、注冊(cè)機(jī)構(gòu)(RC)、簽證機(jī)構(gòu)(CA)、證書(shū)撤消列表(CRL)發(fā)布機(jī)構(gòu)、證書(shū)存取庫(kù)。
操作實(shí)踐篇:
OpenSSL工具的使用:
? ?OpenSSL 為網(wǎng)絡(luò)通信提供安全及數(shù)據(jù)完整性的一種安全協(xié)議,囊括了主要的密碼算法、常用的密鑰和證書(shū)封裝管理功能以及SSL協(xié)議,并提供了豐富的應(yīng)用程序供測(cè)試或其它目的使用。
? ?Openssl主要有三部分組成:
? ? ? libcrypto:加密解密程序庫(kù)
? ? ? libssl:實(shí)現(xiàn)ssl功能
? ? ? openssl:多功能多用途的命令行程序
1)顯示版本信息:使用命令openssl version
| 1 2 | [root@localhost ~]# openssl version OpenSSL 1.0.0-fips 29 Mar 2010 |
2)加密測(cè)試:使用命令openssl enc加密:
| 1 2 3 4 5 6 7 8 9 | [root@localhost ~]# cp /etc/fstab ./??????? #復(fù)制一個(gè)文件進(jìn)行加密測(cè)試 [root@localhost ~]# ls anaconda-ks.cfg? fstab????????install.log.syslog? zsh-4.3.10-5.el6.x86_64.rpm File?????????????install.log? xx.sh [root@localhost ~]# openssl enc -des3 -in fstab -e -out fstab.des3?? #加密 enter des-ede3-cbc encryption password:?????????????????#輸入密碼 Verifying - enter des-ede3-cbc encryption password:????#再次輸入密碼,確認(rèn) [root@localhost ~]# cat fstab.des3????????????????????? #查看加密結(jié)果 Salted__(? ).q?.?.Os |
? 解析:openssl enc指定加密的類(lèi)型,-in指定要加密的文件,-e表示加密,-out表示指定加密后要保存的位置
3)解密測(cè)試:也是使用openssl enc:
| 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 | [root@localhost ~]# rm -rf fstab?????????????? #將文件刪除 [root@localhost ~]# openssl enc -des3 -d -in fstab.des3 -out fstab.txt?????? #解密文件 enter des-ede3-cbc decryption password:?????????????????????????????#輸入加密的密碼 [root@localhost ~]# cat fstab.txt???????????????????????????????????? #查看結(jié)果 # # /etc/fstab # Created by anaconda on Fri Jul 12 18:24:30 2013 # # Accessible filesystems, by reference, are maintained under '/dev/disk' # See man pages fstab(5), findfs(8), mount(8) and/or blkid(8) for more info # /dev/mapper/vg0-root????/?????????????????????? ext4??? defaults??????? 1 1 UUID=b60d1298-6614-4daa-89d2-1af13f7e9a66?/boot???????????????????ext4??? defaults??????? 1 2 /dev/mapper/vg0-usr?????/usr????????????????????ext4??? defaults??????? 1 2 /dev/mapper/vg0-var?????/var????????????????????ext4??? defaults??????? 1 2 |
解析:openssl enc指定加密的類(lèi)型,-d表示解密,-in指定加密后的文件,-out表示指定解密后要保存的位置
4)獲取文件特征碼:使用命令openssl dgst
| 1 2 3 4 5 6 7 | [root@localhost ~]# openssl dgst -md5 fstab.txt?????????? #獲取特征碼 MD5(fstab.txt)= 6e4fe954c8b3e71a44b6c19f4a735453 [root@localhost ~]# openssl dgst -md5 -hex fstab.txt?????? #獲取16進(jìn)制特征碼,默認(rèn)是可省略 MD5(fstab.txt)= 6e4fe954c8b3e71a44b6c19f4a735453 [root@localhost ~]# vim fstab.txt?????????????????????? #編輯一下此文檔 [root@localhost ~]# openssl dgst -md5 -hex fstab.txt?????? #重新獲取特征碼 MD5(fstab.txt)= b85044cee63d32fa77dcc2e0c79b90bd?????#幾乎都不同,這就是雪崩效應(yīng) |
小拓展:使用md5sum同樣可以獲取文件特征碼
| 1 2 | [root@localhost ~]# md5sum fstab.txt b85044cee63d32fa77dcc2e0c79b90bd? fstab.txt?????????????#獲取結(jié)果是相同的 |
5)測(cè)試當(dāng)前主機(jī)支持加密算法的速度:使用命令openssl speed
| 1 2 3 4 5 6 7 8 9 10 11 12 13 | [root@localhost ~]# openssl speed des-ede3?????????????? #測(cè)試des3的加密算法速度(不加參數(shù)會(huì)將所有算法都測(cè)試一遍) Doing des ede3?for?3s on 16 size blocks: 1838583 des ede3's?in?2.99s Doing des ede3?for?3s on 64 size blocks: 461948 des ede3's?in?3.00s Doing des ede3?for?3s on 256 size blocks: 108654 des ede3's?in?2.99s Doing des ede3?for?3s on 1024 size blocks: 28366 des ede3's?in?3.00s Doing des ede3?for?3s on 8192 size blocks: 3671 des ede3's?in?2.99s OpenSSL 1.0.0-fips 29 Mar 2010 built on: Thu Feb 21 23:42:57 UTC 2013 options:bn(64,64) md2(int) rc4(16x,int) des(idx,cisc,16,int) aes(partial) blowfish(idx) compiler: gcc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DKRB5_MIT -m64 -DL_ENDIAN -DTERMIO -Wall -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic -Wa,--noexecstack -DMD32_REG_T=int -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DWHIRLPOOL_ASM The?'numbers'?are?in?1000s of bytes per second processed. type?????????????16 bytes???? 64 bytes??? 256 bytes?? 1024 bytes?? 8192 bytes des ede3????????? 9838.57k???? 9854.89k???? 9302.82k???? 9682.26k??? 10057.80k |
6)隨機(jī)生成隨機(jī)數(shù) openssl rand:
| 1 2 | [root@localhost ~]# openssl rand -hex 4?????????? #隨機(jī)生成8位的隨機(jī)數(shù) 5e3acc9c |
7)計(jì)算密碼值 openssl passwd:
| 1 2 3 | [root@localhost ~]# openssl passwd -1 -salt 12345678???? #通過(guò)salt后加密計(jì)算密碼值 Password:?????????????????????????????????????????#輸入密碼 $1$12345678$0ME5N6oDyoEAwUp7b5UDM/????????????#生成的值 |
?解析:其中-1表示基于MD5的加密算法;-sart添加一些額外數(shù)(一般為8位)盡量使用無(wú)規(guī)律的隨機(jī)數(shù)。更多請(qǐng)參考man sslpasswd
| 1 2 3 | [root@localhost ~]# openssl passwd -1 -salt `openssl rand -hex 4`??? #使用salt為隨機(jī)數(shù)計(jì)算密碼值 Password: $1$c4d7ecb7$FUfRyYSh0OHTCp0D4paqr. |
8)生成RSA算法的私鑰:openssl genrsa:
| 1 2 3 4 5 6 7 8 9 10 11 | [root@localhost ~]# openssl genrsa 1024 > mykey.rs? #也可用openssl genrsa -out mykey.rs 1024 Generating RSA private key, 1024 bit long modulus ............++++++ .............++++++ e is 65537 (0x10001) [root@localhost ~]# cat mykey.rs??????????? -----BEGIN RSA PRIVATE KEY----- MIICXAIBAAKBgQCfSs+B4SngclkdU32dpsEurEQQhmmKg5EbCGD6mqcxhcZQpBAh oG2O60/9js1NOcqjUug58HvEeVOY6khnD7XyLoNrCjYm2DnPaRRcATa70ijUTmqk 1hzwLZAp81L22mf4C4tkBuayc1sCS/F+hZVxnKXd3AtIuVE0DczCK8NkmQIDAQAB AoGAf24Nis1h/tf7SmacOx5HtNrCqKWekNynnISbcF+AGTH3cFOPRBdfDdJZb3Jp |
? 解析:openssl genrsa后可直接跟位數(shù),默認(rèn)為512位;也可使用重定向?qū)?nèi)容保存在某文件中,若想加密私鑰可使用openssl genrsa直接跟加密算法進(jìn)行加密;更多請(qǐng)參考man genrsa
由于是私鑰所以不應(yīng)該讓別人具有查看權(quán)限的所以要改為600或者400權(quán)限或者使用如下命令定義權(quán)限獲取私鑰:
| 1 2 3 4 5 6 7 8 9 10 11 12 | [root@localhost ~]# ls -l total 2276 -rw-------. 1 root root??? 2409 Jul 12 18:47 anaconda-ks.cfg -rw-r--r--? 1 root root???? 887 Aug? 5 23:32 mykey.rs????????#默認(rèn)所有人都有權(quán)限 [root@localhost ~]# (umask 077; openssl genrsa -out /root/mykey2.pri 2048)? #mask定義權(quán)限獲取私鑰 Generating RSA private key, 2048 bit long modulus ........................................................+++ ....................+++ e is 65537 (0x10001) [root@localhost ~]# ls -l total 2280 -rw-------? 1 root root??? 1679 Aug? 5 23:57 mykey2.pri????#文件權(quán)限 |
? 解析:謹(jǐn)記這里使用mask設(shè)置權(quán)限一定要加上括號(hào)不然后面創(chuàng)建所有的文件都會(huì)變成此權(quán)限的,因?yàn)樗且恢鄙У?#xff1b;使用括號(hào)表示此命令在一個(gè)子shell中執(zhí)行,完成子shell退出
9)生成RSA的公鑰openssl rsa
| 1 2 3 4 5 6 7 8 | [root@localhost ~]# openssl rsa -in mykey.rs -pubout writing RSA key -----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCfSs+B4SngclkdU32dpsEurEQQ hmmKg5EbCGD6mqcxhcZQpBAhoG2O60/9js1NOcqjUug58HvEeVOY6khnD7XyLoNr CjYm2DnPaRRcATa70ijUTmqk1hzwLZAp81L22mf4C4tkBuayc1sCS/F+hZVxnKXd 3AtIuVE0DczCK8NkmQIDAQAB -----END PUBLIC KEY----- |
?解析:使用openssl rsa –in?指定私鑰文件使用-pubout顯示公鑰信息
10)證書(shū)簽署請(qǐng)求openssl req
? 數(shù)字證書(shū)主要包含以下部分:版本號(hào)(version);序列號(hào)(證書(shū)本身在CA中惟一標(biāo)識(shí));簽名算法標(biāo)志;發(fā)行者名稱(chēng);有效期;證書(shū)主體名稱(chēng):(組織(主機(jī)),個(gè)人);證書(shū)主體公鑰信息;發(fā)行商惟一標(biāo)志;證書(shū)主體的惟一標(biāo)志;擴(kuò)展;簽名。
| 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 | [root@localhost ~]# openssl req -new -key /root/mykey.pri -out /root/myreq.csr??????? #證書(shū)簽署請(qǐng)求 You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter?'.', the field will be left blank. ----- Country Name (2 letter code) [XX]:CN???????????????????#國(guó)家名 State or Province Name (full name) []:Henan?????????????#省份名稱(chēng) Locality Name (eg, city) [Default City]:Zhengzhou??????????#城市名稱(chēng) Organization Name (eg, company) [Default Company Ltd]:Magedu??????#單位名稱(chēng) Organizational Unit Name (eg, section) []:Tech????????????#部門(mén)名稱(chēng) Common Name (eg, your name or your server's?hostname) []:www.magedu.com?????#證書(shū)擁有者名稱(chēng),若在必須為用戶訪問(wèn)時(shí)的名稱(chēng),若使用域名訪問(wèn)這里是域名,若是IP地址這里一定是IP地址 Email Address []:admin@magedu.com?????????????#郵箱地址(可省略不寫(xiě)) Please enter the following?'extra'?attributes to be sent with your certificate request A challenge password []:???????????????????????#將請(qǐng)求加密起來(lái)輸入密碼,不想直接回車(chē)即可 An optional company name []: #這些要輸入的組織信息可以在[root@localhost ~]vim /etc/pki/tls/ openssl.cnf進(jìn)行更改默認(rèn)選項(xiàng)設(shè)置,這里就不予以說(shuō)明了;需要注意的是Common Name一定不能使用默認(rèn)選項(xiàng)啊!! #這樣證書(shū)申請(qǐng)就結(jié)束了。 |
? ?解析:openssl req(證書(shū)簽署請(qǐng)求和證書(shū)生成工具)中-key指定私鑰文件的路徑(可自動(dòng)完成提取公鑰功能);-new指定證書(shū)申請(qǐng);-days明確指定證書(shū)申請(qǐng)有效使用期限;-out?將此證書(shū)保存為什么文件,通常為.csr結(jié)尾的文件;其他更多請(qǐng)man req
11)如何自建CA
-
? 查看解析配置文件
| 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 | [root@localhost ~]# cd /etc/pki/tls/???????????????????? #openssl配置文件目錄 [root@localhost tls]# vim openssl.cnf??????????????????? #編輯配置文件 ####…前方不重要已省略…#### tsa_policy3 = 1.2.3.4.5.7 #################################################################### [ ca ]???????????????????????????????#子命令;更改只對(duì)子命令生效 default_ca????? = CA_default????????????# The default ca section #################################################################### [ CA_default ] dir?????????????=?/etc/pki/CA?????????# Where everything is kept??? #自建CA的工作目錄 certs?????????? = $dir/certs???????????# Where the issued certs are kept???? #指定當(dāng)前CA的證書(shū)存取庫(kù)的存放位置 crl_dir???????? = $dir/crl??????????????# Where the issued crl are kept?????? #指定證書(shū)撤銷(xiāo)列表所在工作目錄 database??????? = $dir/index.txt????????# database index file.???????? #將簽署的證書(shū)制作成索引保存下來(lái)也就是數(shù)據(jù)庫(kù)文件 #unique_subject = no????????????????? # Set to 'no' to allow creation of ????????????????????????????????????# several ctificates with same subject. new_certs_dir?? = $dir/newcerts?????????# default place for new certs.???? #新簽證書(shū)的位置 certificate???? = $dir/cacert.pem???????# The CA certificate??????????? #CA自己的證書(shū)位置 serial????????? = $dir/serial???????????# The current serial number???? #已簽證書(shū),序列號(hào) crlnumber?????? = $dir/crlnumber????????# the current crl number???? #已吊銷(xiāo)證書(shū)個(gè)數(shù) ????????????????????????????????????????# must be commented out to leave a V1 CRL crl???????????? = $dir/crl.pem??????????# The current CRL???? #當(dāng)前的證書(shū)吊銷(xiāo)文件是什么 private_key???? = $dir/private/cakey.pem# The private key?????? #證書(shū)頒發(fā)機(jī)構(gòu)自己的私鑰文件 RANDFILE??????? = $dir/private/.rand????# private random number file x509_extensions = usr_cert??????????????# The extentions to add to the cert |
-
?自建CA過(guò)程:
? 生成一個(gè)私鑰;
| 1 2 3 4 5 6 | [root@localhost tls]# cd /etc/pki/CA/ [root@localhost CA]# (umask 077; openssl genrsa -out private/cakey.pem 2048) Generating RSA private key, 2048 bit long modulus ......+++ ...................+++ e is 65537 (0x10001) |
?申請(qǐng)自簽證書(shū)
| 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 | [root@localhost CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 365?? #-x509指定證書(shū)格式(加這個(gè)選項(xiàng)表示自簽證書(shū)不加表示申請(qǐng)證書(shū));-days 365 使用期限一年 You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter?'.', the field will be left blank. ----- Country Name (2 letter code) [XX]:CN?????????????#自簽證書(shū)要在一個(gè)組織內(nèi),不然不予理睬 State or Province Name (full name) []:Henan Locality Name (eg, city) [Default City]:Zhengzhou Organization Name (eg, company) [Default Company Ltd]:Magedu Organizational Unit Name (eg, section) []:Tech Common Name (eg, your name or your server's?hostname) []:ca.magedu.com Email Address []:caadmin@magedu.com |
?創(chuàng)建一個(gè)序列號(hào)文件和一個(gè)數(shù)據(jù)庫(kù)文件
| 1 2 | [root@localhost CA]# touch serial index.txt [root@localhost CA]# echo 01 > serial??????? #讓此序列號(hào)文件從01開(kāi)始 |
12)使用此CA幫別人簽署證書(shū):命令 openssl ca
| 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 | [root@localhost ~]# openssl ca -in myreq.csr -out mycert.crt -days 365??? #簽署證書(shū) Using configuration from?/etc/pki/tls/openssl.cnf Check that the request matches the signature Signature ok Certificate Details: ????????Serial Number: 1 (0x1) ????????Validity ????????????Not Before: Aug? 5 18:17:55 2013 GMT ????????????Not After : Aug? 5 18:17:55 2014 GMT ????????Subject: ????????????countryName?????????????? = CN ????????????stateOrProvinceName?????? = Henan ????????????organizationName????????? = Magedu ????????????organizationalUnitName??? = Tech ????????????commonName??????????????? = www.magedu.com ????????????emailAddress????????????? = admin@magedu.com ????????X509v3 extensions: ????????????X509v3 Basic Constraints: ????????????????CA:FALSE ????????????Netscape Comment: ????????????????OpenSSL Generated Certificate ????????????X509v3 Subject Key Identifier: ????????????????F5:21:BC:A2:8B:19:FC:41:DF:41:99:68:E7:90:4D:E5:3F:37:BF:A5 ????????????X509v3 Authority Key Identifier: ????????????????keyid:AE:3D:F8:00:7A:A0:69:C5:B1:1C:F1:9A:20:B2:F0:B0:45:51:FC:32 Certificate is to be certified?until?Aug? 5 18:17:55 2014 GMT (365 days) Sign the certificate? [y/n]:y?????????????#是否確定簽署 1 out of 1 certificate requests certified, commit? [y/n]y??????#再次驗(yàn)證 Write out database with 1 new entries Data Base Updated |
?解析:openssl ca使用CA簽署證書(shū),-in?申請(qǐng)文件;-out生成證書(shū)文件(一般證書(shū)文件都是以.crt為后綴的文件;-days簽署的天數(shù));
13)ssl專(zhuān)用的客戶端測(cè)試工具:openssls_client
| 1 | #格式:openssl s_client -connect HOST:PORT –CAfile /path/to/cacertfile |-CApath /paht/to/cacertfiles_dir/ -ssl2|-ssl3|-tls1 |
?解析:-connect后指定哪個(gè)服務(wù)器:端口號(hào);–CAfile /path/to/cacertfile?指定使用哪個(gè)CA證書(shū)去驗(yàn)證|或?-CApath/paht/to/cacertfiles_dir/使用哪個(gè)目錄下的哪個(gè)CA去驗(yàn)證?-ssl2|-ssl3|-tls1指定ssl協(xié)議的版本
續(xù)上篇博文《紅帽系列文件共享服務(wù)解析》中的CA認(rèn)證:怎么利用ssl對(duì)ftp進(jìn)行加密認(rèn)證傳輸?
? ?思路:自建CA—>?簽署協(xié)議—> 測(cè)試驗(yàn)證
? ?過(guò)程:
自建CA,這里剛剛建立結(jié)束就不在重復(fù)了
給FTP申請(qǐng)一個(gè)證書(shū)頒發(fā)請(qǐng)求
| 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 | [root@localhost ~]# cd /etc/vsftpd/?????????????????? #切換到Ftp目錄下來(lái) [root@localhost vsftpd]# mkdir ssl??????????????????? #創(chuàng)建一個(gè)文件夾存放私鑰 [root@localhost vsftpd]# cd ssl [root@localhost ssl]#? (umask 077; openssl genrsa -out vsftpd.key 2048)?? #生成私鑰 Generating RSA private key, 2048 bit long modulus .................................................................+++ ....................................+++ e is 65537 (0x10001) [root@localhost ssl]# openssl req -new -key vsftpd.key -out vsftpd.csr????? #申請(qǐng)證書(shū)簽署 You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter?'.', the field will be left blank. ----- Country Name (2 letter code) [XX]:CN State or Province Name (full name) []:Henan Locality Name (eg, city) [Default City]:Zhengzhou Organization Name (eg, company) [Default Company Ltd]:Magedu Organizational Unit Name (eg, section) []:Tech Common Name (eg, your name or your server's?hostname) []:ftp.magedu.com Email Address []:admin@magedu.com Please enter the following?'extra'?attributes to be sent with your certificate request A challenge password []: An optional company name []: |
CA簽署證書(shū)
| 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 | [root@localhost ssl]# openssl ca -in vsftpd.csr -out vsftpd.crt -days 365??? #證書(shū)簽署 Using configuration from?/etc/pki/tls/openssl.cnf Check that the request matches the signature Signature ok Certificate Details: ????????Serial Number: 2 (0x2) ????????Validity ????????????Not Before: Aug? 5 19:02:07 2013 GMT ????????????Not After : Aug? 5 19:02:07 2014 GMT ????????Subject: ????????????countryName?????????????? = CN ????????????stateOrProvinceName?????? = Henan ????????????organizationName????????? = Magedu ????????????organizationalUnitName??? = Tech ????????????commonName??????????????? =?ftp.magedu.com ????????????emailAddress????????????? = admin@magedu.com ????????X509v3 extensions: ????????????X509v3 Basic Constraints: ????????????????CA:FALSE ????????????Netscape Comment: ????????????????OpenSSL Generated Certificate ????????????X509v3 Subject Key Identifier: ????????????????BC:AC:5D:EE:D5:F6:E4:61:58:47:9A:93:C4:B3:F8:23:AB:93:E7:63 ????????????X509v3 Authority Key Identifier: ????????????????keyid:AE:3D:F8:00:7A:A0:69:C5:B1:1C:F1:9A:20:B2:F0:B0:45:51:FC:32 Certificate is to be certified?until?Aug? 5 19:02:07 2014 GMT (365 days) Sign the certificate? [y/n]:y 1 out of 1 certificate requests certified, commit? [y/n]y Write out database with 1 new entries Data Base Updated [root@localhost ssl]# ls???????????????????????? #查看 vsftpd.crt? vsftpd.csr? vsftpd.key [root@localhost ssl]# |
更改配置文件,實(shí)現(xiàn)基于ssl訪問(wèn)
| 1 2 3 4 5 6 7 8 9 10 11 | [root@localhost vsftpd]# vim vsftpd.conf #SSL ssl_enable=YES??????????????????????????#是否支持ssl ssl_tlsv1=YES????????????????????????????#支持tlsv1 ssl_sslv2=YES????????????????????????????#支持sslv2 ssl_sslv3=YES????????????????????????????#支持sslv3 allow_anon_ssl=NO???????????????????????#匿名用戶無(wú)法訪問(wèn) force_local_data_ssl=YES???????????????????#本地?cái)?shù)據(jù)訪問(wèn)使用ssl force_local_logins_ssl=YES??????????????????#本地用戶登錄使用ssl rsa_cert_file=/etc/vsftpd/ssl/vsftpd.crt????????#指定ssl證書(shū) rsa_private_key_file=/etc/vsftpd/ssl/vsftpd.key?????????#指定ssl私鑰文件 |
重新啟動(dòng)服務(wù)
| 1 2 3 | [root@localhost vsftpd]# service vsftpd reload Shutting down vsftpd:???????????????????????????????????????? [? OK? ] Starting vsftpd?for?vsftpd:?????????????????????????????????? [? OK? ] |
使用基于SSl登錄系統(tǒng)
? ?解析:這里由于證書(shū)名稱(chēng)和ftp連接服務(wù)器的名稱(chēng)寫(xiě)的不一致所有會(huì)導(dǎo)致證書(shū)不匹配,所以以后我們要把證書(shū)名稱(chēng)設(shè)置一致。
? ?連接成功,這時(shí)所有的操作都是基于ssl證書(shū)進(jìn)行了。
總結(jié):加密認(rèn)證技術(shù)涵蓋所有服務(wù)器;應(yīng)認(rèn)真對(duì)待好好熟練。
本文轉(zhuǎn)自 z永 51CTO博客,原文鏈接:http://blog.51cto.com/pangge/1280171
總結(jié)
以上是生活随笔為你收集整理的linux加密认证全面分析的全部?jī)?nèi)容,希望文章能夠幫你解決所遇到的問(wèn)題。
- 上一篇: EC-Net: a Edge-aware
- 下一篇: linux 退出vi报e37,vim模式