加密解密概述及openssl应用及其创建CA和签发证书的实现

数据非常重要，这是大家的共识，为了保证数据的安全，就会涉及到加密及其解密，本文主要介绍加密
解密相关概念及其在Linux平台下加密解密的具体实现openssl基础，及openssl创建CA和签发证书：
一：加密解密框架
二：openssl的基础
三 : openssl的应用：创建CA和发证

一：A 加密解密

分类：对称加密，非对称加密，单向加密

a对称加密:才用单钥密码系统的加密方法,同一密钥可以同时加密和解密,这种方式也叫对称加密.加密的安全
性不仅取决于算法,也取决于密钥的传递,因此对称加密的密钥的传递也会影响加密.
优点是这种加密速度快,缺点是密钥难于管理(一对一的关系)和传递
常见的加密对称加密有:DES(56bits),3DES,AES(128bits),Blowfish,Twofish,IDEA,RC6,CAST5,Serpent
b非对称加密:非对称加密需要公钥和私钥,公开密钥与私有密钥是一对
优点:安全 缺点:加密速度较慢
用途:密钥的交换

c单向加密:生存数据的特征码,不可逆,可验证数据的完整性
常见的单向加密算法有:MD5,SHA1,SHA512,CRC-32
特征:雪崩效应
定长输出

三者相互关系:用公钥加密实现身份认证,单向加密实现数据完整性,对称加密实现数据机密性

B:PKI:PKI(public key infranstructure) 即"公钥基础设施" ,简单来说,PKI就是利用公钥理论和技术建立的提供
安全服务的基础设施.

X509:证书格式
公钥及其有效期限
证书的合法拥有者
证书该如何被使用
CA的信息
CA签名的校验码

C通信过程加密机制:
A发送方:
1.计算数据的特征码(单向加密);
2.用自己的私密加密特征码,并附加在数据后面
3.生成一个临时对称密钥
4.用此密钥结合某算法加密数据及加密后的特征码;
5.对接收方的公钥机密此对称密钥,并附加加密后的数据后面;
6.发送至接收方;

B接收方:
1 用自己的私钥解密加密的对称密码
2 用对称密钥解密数据;
3 用对方的公钥解密加密的特征码
4 用同样的算法计算数据的特征码,并与解密而来的特征码进行比较

二:openssl基础
为网络通信提供安全及数据完整性的一种安全协议,包含了主要的密码算法,常用的密钥和证书封装管理
功能以及SSL协议,并提供了丰富的应用程序供测试或者其它目的使用
libecrypto: 通用功能的加密库
libssl:用于实现TLS/SSL的功能
openssl:多功能命令行工具
生成密钥.创建数字证书,手动加密解密数据
加密: openssl enc -des3 -a -salt -in /etc/fastab -out /tmp/fstab.cipher
解密: openssl enc -d -dec3 -a -salt -in /tmp/fstab.cipher -out /tmp/fstab
enc 为对称密 -des3表示已des3的方式进行加密，-salt表示密码中加入一些盐
openssl dgst [-md5|-md4|-md2|-sha1|-sha1|-mdc2|-ripemd160|-dss1] [-out filename] /path/to/somefile

dgst 为才用单向加密， 后面为接的算法 -out 为输出文件 /path/to/somefile 为源文件

三：CA的创建及签发证书
数字证书是互联网通讯中标识通讯2各方身份信息的一串数字，提供了一种在internet上验证通信实体身份的方式，一般用CA签发，人们
可以利用通过数字证书来验证对方的身份，面以apache为例来说明CA的创建和签发及其吊销数字证书
server 签发CA端 （192.168.2.3）端操作：

[root@localhost ~]# cd /etc/pki/CA/
[root@localhost CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
..............+++
...................................................+++
e is 65537 (0x10001)
[root@localhost CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3650
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:hn
Locality Name (eg, city) [Default City]:zz
Organization Name (eg, company) [Default Company Ltd]:ma
Organizational Unit Name (eg, section) []:linux
Common Name (eg, your name or your server's hostname) []:ca.limeizhi.com
Email Address []:8@qq.com
[root@localhost CA]#
[root@localhost CA]#
[root@localhost CA]# touch index.txt serial crlnumber
[root@localhost CA]# echo 01 > serial
[root@localhost CA]# cp /root/httpd.csr .
[root@localhost CA]# ls
cacert.pem  crl        httpd.csr  newcerts  serial
certs       crlnumber  index.txt  private
[root@localhost CA]# openssl ca -in httpd.csr -out httpd.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Mar  9 08:11:01 2014 GMT
Not After : Mar  9 08:11:01 2015 GMT
Subject:
countryName               = cn
stateOrProvinceName       = hn
organizationName          = ma
organizationalUnitName    = linux
commonName                = www.limeizhi.com
emailAddress              = 8@qq.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
F6:71:9B:1D:97:F6:87:09:E7:36:41:60:8D:6B:4D:59:3C:8C:E3:B1
X509v3 Authority Key Identifier:
keyid:8C:E4:19:25:B4:F4:46:74:64:F5:90:7F:A6:71:A4:6B:E2:74:B5:F3
Certificate is to be certified until Mar  9 08:11:01 2015 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@localhost CA]#
[root@localhost CA]#
[root@localhost CA]# cp httpd.crt 192.168.2.4:/etc/httpd/ssl
cp: cannot create regular file `192.168.2.4:/etc/httpd/ssl': No such file or directory
[root@localhost CA]# scp httpd.crt 192.168.2.4:/etc/httpd/ssl
httpd.crt                            100% 3780     3.7KB/s   00:00
[root@localhost CA]# openssl ca -revoke httpd.crt

client端操作 192.168.2.4

[root@localhost ~]# mkdir /etc/httpd/ssl
[root@localhost ~]# cd
[root@localhost ~]# cd /etc/httpd/ssl
[root@localhost ssl]# ls
[root@localhost ssl]# (umask 077;openssl genrsa -out httpd.key 1024)
Generating RSA private key, 1024 bit long modulus
...++++++
...............++++++
e is 65537 (0x10001)
[root@localhost ssl]# openssl req -new -key httpd.key -out httpd.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:vn^C
[root@localhost ssl]# openssl req -new -key httpd.key -out httpd.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:hn
Locality Name (eg, city) [Default City]:zz
Organization Name (eg, company) [Default Company Ltd]:ma
Organizational Unit Name (eg, section) []:linux
Common Name (eg, your name or your server's hostname) []:www.k^C
[root@localhost ssl]# openssl req -new -key httpd.key -out httpd.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:hn
Locality Name (eg, city) [Default City]:zz
Organization Name (eg, company) [Default Company Ltd]:ma
Organizational Unit Name (eg, section) []:linux
Common Name (eg, your name or your server's hostname) []:www.limeizhi.com
Email Address []:8@qq.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@localhost ssl]# scp httpd.csr httpd.
httpd.csr  httpd.key
[root@localhost ssl]# scp httpd.csr httpd.
httpd.csr  httpd.key
[root@localhost ssl]# scp httpd.csr server:/root/
The authenticity of host 'server (172.16.0.1)' can't be established.
RSA key fingerprint is 11:fc:5f:c3:95:fe:9f:c8:62:ac:a5:5b:80:ec:ae:01.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'server,172.16.0.1' (RSA) to the list of known hosts.
root@server's password: [root@localhost ssl]# ^C
[root@localhost ssl]# scp httpd.csr 192.168.2.3:/root
The authenticity of host '192.168.2.3 (192.168.2.3)' can't be established.
RSA key fingerprint is 61:70:80:57:75:96:07:e8:cc:66:67:b0:06:fc:f0:ff.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.2.3' (RSA) to the list of known hosts.
httpd.csr                                                100%  672     0.7KB/s   00:00
[root@localhost ssl]# pwd
/etc/httpd/ssl