
Overview of encryption and decryption, using openssl, and creating a CA and issuing certificates with it

Published: 2025/3/15, in 编程问答, by 豆豆

Everyone agrees that data is valuable, and keeping it safe means dealing with encryption and decryption. This article introduces the concepts behind encryption and decryption, their concrete implementation on Linux through the basics of openssl, and how openssl is used to create a CA and issue certificates:

1: The encryption/decryption framework

2: openssl basics

3: Using openssl: creating a CA and issuing certificates




1: A. Encryption and decryption

Categories: symmetric encryption, asymmetric encryption, one-way encryption (hashing)

a. Symmetric encryption: uses a single-key cryptosystem in which the same key both encrypts and decrypts, which is why it is called symmetric. Its security depends not only on the algorithm but also on how the key is delivered, so key distribution directly affects the security of symmetric encryption.

Advantage: it is fast. Disadvantages: keys are hard to manage (one key per pair of parties) and hard to distribute.

Common symmetric algorithms: DES (56 bits), 3DES, AES (128 bits), Blowfish, Twofish, IDEA, RC6, CAST5, Serpent

b. Asymmetric encryption: requires a public key and a private key; the two form a pair.

Advantage: secure. Disadvantage: encryption is comparatively slow.

Use: key exchange

c. One-way encryption: produces a fingerprint (digest) of the data; it is irreversible and is used to verify data integrity.

Common one-way algorithms: MD5, SHA1, SHA512, CRC-32

Properties: avalanche effect

fixed-length output

How the three relate: public-key encryption provides identity authentication, one-way encryption provides data integrity, and symmetric encryption provides data confidentiality.


B. PKI: PKI (public key infrastructure). Simply put, PKI is the infrastructure, built on public-key theory and technology, that provides security services.

X.509: the certificate format. A certificate carries:

the public key and its validity period

the legitimate owner of the certificate

how the certificate may be used

information about the CA

the CA's signature (check value)



C. Encryption in the communication process:

A. Sender:

1. Compute the fingerprint of the data (one-way encryption);

2. Encrypt the fingerprint with the sender's own private key and append it to the data;

3. Generate a temporary symmetric key;

4. Encrypt the data together with the encrypted fingerprint using this key and some symmetric algorithm;

5. Encrypt the symmetric key with the receiver's public key and append it after the encrypted data;

6. Send everything to the receiver.

B. Receiver:

1. Decrypt the encrypted symmetric key with its own private key;

2. Decrypt the data with the symmetric key;

3. Decrypt the encrypted fingerprint with the sender's public key;

4. Compute the fingerprint of the data with the same algorithm and compare it with the decrypted fingerprint.
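The sender/receiver exchange above carried out with the openssl command line, as an added example that is not part of the original post. It assumes openssl 1.1.1 or newer (for enc -pbkdf2), tar, and mktemp; both key pairs and the message are constructed for the demo, and a second run with the argument "tamper" corrupts the ciphertext in transit to show the receiver's check rejecting it.

```shell
# Returns 0 only when the receiver's integrity/origin check passes.
hybrid_exchange() (
    cd "$(mktemp -d)" || exit 1
    printf 'constructed sample message\n' > data.txt

    # Long-term RSA key pairs; in practice the public keys come from certificates.
    for who in sender receiver; do
        openssl genrsa -out $who.key 2048 2>/dev/null &&
        openssl rsa -in $who.key -pubout -out $who.pub 2>/dev/null || exit 1
    done

    # Sender, steps 1-2: dgst -sign hashes the data and signs the digest
    # with the sender's private key (the "encrypted fingerprint").
    openssl dgst -sha256 -sign sender.key -out data.sig data.txt &&
    # Step 3: one-time symmetric session key.
    openssl rand -hex 32 > session.key &&
    # Step 4: encrypt data plus signature together under the session key.
    tar -cf bundle.tar data.txt data.sig &&
    openssl enc -aes-256-cbc -pbkdf2 -salt -pass file:session.key -in bundle.tar -out bundle.enc &&
    # Step 5: wrap the session key with the receiver's public key.
    openssl pkeyutl -encrypt -pubin -inkey receiver.pub -in session.key -out session.key.enc &&
    # Step 6: "transmission"; only these three files cross the wire.
    mkdir wire && cp bundle.enc session.key.enc sender.pub wire/ || exit 1

    # Optional attacker-in-the-middle: overwrite 4 ciphertext bytes inside the
    # data.txt region of the bundle (16-byte enc header + 512-byte tar header).
    [ "$1" = tamper ] && printf 'XXXX' | dd of=wire/bundle.enc bs=1 seek=530 conv=notrunc 2>/dev/null

    # Receiver, step 1: unwrap the session key with its own private key.
    openssl pkeyutl -decrypt -inkey receiver.key -in wire/session.key.enc -out wire/session.key &&
    # Step 2: decrypt the bundle.
    openssl enc -d -aes-256-cbc -pbkdf2 -pass file:wire/session.key -in wire/bundle.enc -out wire/bundle.tar &&
    tar -xf wire/bundle.tar -C wire &&
    # Steps 3-4: recompute the digest and check it against the signed one.
    openssl dgst -sha256 -verify wire/sender.pub -signature wire/data.sig wire/data.txt >/dev/null
)
```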



2: openssl basics

A security protocol that provides security and data integrity for network communication. It contains the main cryptographic algorithms, the commonly used key and certificate packaging and management functions, and the SSL protocol, and it ships a rich set of applications for testing and other purposes.

libcrypto: the general-purpose cryptographic library

libssl: implements TLS/SSL

openssl: the multi-purpose command-line tool

generates keys, creates digital certificates, and encrypts/decrypts data by hand

Encrypt: openssl enc -des3 -a -salt -in /etc/fstab -out /tmp/fstab.cipher

Decrypt: openssl enc -d -des3 -a -salt -in /tmp/fstab.cipher -out /tmp/fstab

enc performs symmetric encryption; -des3 selects 3DES as the cipher, -salt mixes salt into the password-derived key, and -a base64-encodes the output.

openssl dgst [-md5|-md4|-md2|-sha1|-mdc2|-ripemd160|-dss1] [-out filename] /path/to/somefile

dgst performs one-way encryption; the option that follows selects the algorithm, -out names the output file, and /path/to/somefile is the source file.



3: Creating a CA and issuing certificates

A digital certificate is a string of digits that identifies the two parties in Internet communication; it provides a way to verify the identity of a communicating entity on the Internet. Certificates are normally issued by a CA, and the digital certificate lets you verify the identity of the other party. Below, apache is used as the example to show creating a CA, issuing a certificate, and revoking it.

Operations on the server (the CA that issues the certificate, 192.168.2.3):

[root@localhost ~]# cd /etc/pki/CA/
[root@localhost CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
..............+++
...................................................+++
e is 65537 (0x10001)
[root@localhost CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3650
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:hn
Locality Name (eg, city) [Default City]:zz
Organization Name (eg, company) [Default Company Ltd]:ma
Organizational Unit Name (eg, section) []:linux
Common Name (eg, your name or your server's hostname) []:ca.limeizhi.com
Email Address []:8@qq.com
[root@localhost CA]#
[root@localhost CA]# touch index.txt serial crlnumber
[root@localhost CA]# echo 01 > serial
[root@localhost CA]# cp /root/httpd.csr .
[root@localhost CA]# ls
cacert.pem  crl        httpd.csr  newcerts  serial
certs       crlnumber  index.txt  private
[root@localhost CA]# openssl ca -in httpd.csr -out httpd.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Mar  9 08:11:01 2014 GMT
            Not After : Mar  9 08:11:01 2015 GMT
        Subject:
            countryName               = cn
            stateOrProvinceName       = hn
            organizationName          = ma
            organizationalUnitName    = linux
            commonName                = www.limeizhi.com
            emailAddress              = 8@qq.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                F6:71:9B:1D:97:F6:87:09:E7:36:41:60:8D:6B:4D:59:3C:8C:E3:B1
            X509v3 Authority Key Identifier:
                keyid:8C:E4:19:25:B4:F4:46:74:64:F5:90:7F:A6:71:A4:6B:E2:74:B5:F3
Certificate is to be certified until Mar  9 08:11:01 2015 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@localhost CA]#
[root@localhost CA]# cp httpd.crt 192.168.2.4:/etc/httpd/ssl
cp: cannot create regular file `192.168.2.4:/etc/httpd/ssl': No such file or directory
[root@localhost CA]# scp httpd.crt 192.168.2.4:/etc/httpd/ssl
httpd.crt                                     100% 3780     3.7KB/s   00:00
[root@localhost CA]# openssl ca -revoke httpd.crt

Operations on the client (192.168.2.4):

[root@localhost ~]# mkdir /etc/httpd/ssl
[root@localhost ~]# cd
[root@localhost ~]# cd /etc/httpd/ssl
[root@localhost ssl]# ls
[root@localhost ssl]# (umask 077;openssl genrsa -out httpd.key 1024)
Generating RSA private key, 1024 bit long modulus
...++++++
...............++++++
e is 65537 (0x10001)
[root@localhost ssl]# openssl req -new -key httpd.key -out httpd.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:vn^C
[root@localhost ssl]# openssl req -new -key httpd.key -out httpd.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:hn
Locality Name (eg, city) [Default City]:zz
Organization Name (eg, company) [Default Company Ltd]:ma
Organizational Unit Name (eg, section) []:linux
Common Name (eg, your name or your server's hostname) []:www.k^C
[root@localhost ssl]# openssl req -new -key httpd.key -out httpd.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:hn
Locality Name (eg, city) [Default City]:zz
Organization Name (eg, company) [Default Company Ltd]:ma
Organizational Unit Name (eg, section) []:linux
Common Name (eg, your name or your server's hostname) []:www.limeizhi.com
Email Address []:8@qq.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@localhost ssl]# scp httpd.csr httpd.
httpd.csr  httpd.key
[root@localhost ssl]# scp httpd.csr httpd.
httpd.csr  httpd.key
[root@localhost ssl]# scp httpd.csr server:/root/
The authenticity of host 'server (172.16.0.1)' can't be established.
RSA key fingerprint is 11:fc:5f:c3:95:fe:9f:c8:62:ac:a5:5b:80:ec:ae:01.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'server,172.16.0.1' (RSA) to the list of known hosts.
root@server's password:
[root@localhost ssl]# ^C
[root@localhost ssl]# scp httpd.csr 192.168.2.3:/root
The authenticity of host '192.168.2.3 (192.168.2.3)' can't be established.
RSA key fingerprint is 61:70:80:57:75:96:07:e8:cc:66:67:b0:06:fc:f0:ff.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.2.3' (RSA) to the list of known hosts.
httpd.csr                                     100%  672     0.7KB/s   00:00
[root@localhost ssl]# pwd
/etc/httpd/ssl
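The same CA lifecycle as the two sessions above (CA key and self-signed root, server CSR, openssl ca signing, revocation), written as an added example that is not from the original post, in a scratch directory with an inline openssl.cnf so it does not depend on /etc/pki/CA. It also adds the step the post stops at: after "openssl ca -revoke" only index.txt changes, so a CRL must be generated with -gencrl and relying parties must check it with -crl_check. Assumes openssl 1.1.1 or newer and mktemp; all subjects are constructed.

```shell
# Returns 0 if the issued cert verifies before revocation and is rejected after it.
demo_ca_lifecycle() (
    cd "$(mktemp -d)" || exit 1
    # The CA database files that the post creates by hand under /etc/pki/CA.
    mkdir newcerts && touch index.txt && echo 01 > serial && echo 01 > crlnumber || exit 1
    cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database = index.txt
new_certs_dir = newcerts
serial = serial
crlnumber = crlnumber
certificate = cacert.pem
private_key = cakey.pem
default_md = sha256
default_days = 365
default_crl_days = 30
policy = policy_any
[ policy_any ]
countryName = optional
commonName = supplied
EOF
    # CA: private key and self-signed root certificate (subject is constructed).
    openssl genrsa -out cakey.pem 2048 2>/dev/null &&
    openssl req -new -x509 -key cakey.pem -out cacert.pem -days 3650 -subj '/C=cn/CN=ca.example.test' &&
    # Web server: private key and certificate signing request.
    openssl genrsa -out httpd.key 2048 2>/dev/null &&
    openssl req -new -key httpd.key -out httpd.csr -subj '/C=cn/CN=www.example.test' &&
    # CA signs the request; -batch answers the two y/n prompts seen in the post.
    openssl ca -config ca.cnf -batch -in httpd.csr -out httpd.crt -days 365 >/dev/null 2>&1 &&
    # Publish an (empty) CRL and confirm the new certificate chains to the CA and is not revoked.
    openssl ca -config ca.cnf -gencrl -out ca.crl 2>/dev/null &&
    openssl verify -CAfile cacert.pem -CRLfile ca.crl -crl_check httpd.crt >/dev/null &&
    # Revoke, then regenerate the CRL; -revoke alone only marks index.txt.
    openssl ca -config ca.cnf -revoke httpd.crt 2>/dev/null &&
    openssl ca -config ca.cnf -gencrl -out ca.crl 2>/dev/null &&
    # A relying party that checks the CRL must now reject the certificate.
    ! openssl verify -CAfile cacert.pem -CRLfile ca.crl -crl_check httpd.crt >/dev/null 2>&1
)
```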



Reposted from: https://blog.51cto.com/limeizhi/1370870
