**加密解密基礎、PKI及SSL、創建私有CA**

進程間通信

socket通信

客戶端-->請求--> 路由轉發 --> 服務端，取出資源 --> 封裝為可響應給客戶端的請求報文從接收請求端口發出

SSL/TLS協議的實現 OpenSSL

OpenSSL程序組件

 [root@localhost?CA]#?rpm?-ql?openssl?
 /usr/lib/libcrypto.so.10??//加密解密庫?(C，C++程序員調用的庫) 
 /usr/lib/libssl.so.10????//ssl/tls實現?(C,C++程序員調用的庫)?HTTP?-->?HTTPS 
 /usr/bin/openssl????????//命令行工具 

SSL Secure Socket Layer 安全的套接字層

TLS Transfer Layer Secure ?傳輸層安全

SSL分層

 用組件拼裝而成的密碼學協議軟件(TLS,?SSL)
標準算法組合成半成品
 算法實現：AES-128-CBC-PKCS7 
算法原語：AES(對稱加密)，RSA(非對稱加密),MD5(單向加密)

NIST制定的安全標準:保密性、完整性、可用性

SOCKET通信模型中面臨的風險:竊聽、偽裝、重放、消息篡改、拒絕服務

保證安全的手段(安全機制)：加密、身份認證、訪問控制、完整性校驗、路由控制、公證

提供安全機制的服務：認證、訪問控制、保密性、完整性、不可否認性

保證服務的安全(算法和協議)：對稱、非對稱、單向、密鑰交換

加密解密的基礎原理

對稱加密、非對稱加密、單向加密、密鑰交換

證書頒發機構CA、證書的作用

PKI

證書的規范

  #?openssl?x509?-in?/etc/pki/CA/certs/httpd.crt?-noout?-text?-subject?-serial 
Certificate:
 ????Data: 
 ????????Version:?3?(0x2)????//版本號 
 ????????Serial?Number:?1?(0x1)?//序列號（每個從的惟一標識) 
 ????Signature?Algorithm:?sha1WithRSAEncryption???//簽名算法ID 
 ????????Issuer:?C=CD,?ST=CD,?L=ChengDu???????????//CA名稱 
 ?????????????????????????????????????????????????//證書有效期 
 ????????????Not?Before:?Sep?21?07:16:20?2017?GMT 
 ????????????Not?After?:?Sep?21?07:16:20?2018?GMT 
 ????????Subject:?C=CD,?ST=CD,?O=MageEdu,????????//主體名稱(主機名) 
 ????????Subject?Public?Key?Info:????????????????//主體公鑰 
 ????????????????Modulus: 
 ????????????????????00:eb:bd:58:2d:05:54:49:6d:ac:42:98:ee:cb:fb: 
 ????????????????????ec:62:20:e1:1e:e4:64:ef:a3:0f:23:17:5b:fb:66: 
 ????????????????????6d:a9:ce:81:c3:53:b5:f8:d9:87:da:c5:f3:2d:77: 
 ????????????????????f2:de:3b:ed:92:81:a5:6c:73:f6:83:3c:c2:e5:71: 
 ????????????????????49:02:02:ae:45:d0:e0:45:f2:41:34:f8:25:87:41: 
 ????????????????????82:aa:27:e2:17:ca:fc:74:f3:50:98:b0:6c:b0:26: 
 ????????????????????8b:a5:0d:a7:ca:4b:f5:72:f9:44:87:8b:15:51:ea: 
 ????????????????????9a:84:6d:22:aa:fe:84:62:5a:59:33:c3:ff:29:51: 
 ????????????????????a9:1a:56:c3:63:22:9a:6d:2c:65:10:a0:57:78:c2: 
 ????????????????????aa:70:3d:32:eb:59:dc:f7:a9:0c:ea:e5:8e:29:1c: 
 ????????????????????2f:27:0d:53:87:e1:2b:eb:fe:f8:8f:61:8f:86:ab: 
 ????????????????????f1:9c:ee:29:11:c1:71:ca:41:24:3e:1d:e1:3c:84: 
 ????????????????????60:8a:d8:4d:ad:4c:b2:ca:8f:25:29:8a:11:1a:6f: 
 ????????????????????1c:03:88:4a:66:99:73:34:7d:76:da:85:77:da:65: 
 ????????????????????3a:e5:d3:ca:58:9f:8c:3a:3b:d5:e2:9e:77:1e:b2: 
 ????????????????????f3:c8:5a:b6:2d:2b:68:71:20:9f:94:41:0c:4b:2f: 
 ????????????????????93:f5:11:4c:89:9e:d9:48:ac:de:62:d9:5e:16:73: 
 ????????????????????5d:39 
 ????????????????Exponent:?65537?(0x10001) 
 ????????X509v3?extensions:??????????//擴展信息 
 ????????????X509v3?Subject?Key?Identifier:???//發行者的惟一標識 
 ????????????????C5:AE:93:32:58:BC:DC:F4:97:E5:D7:52:15:37:11:4D:ED:4C:B1:8E 
 ????????????X509v3?Authority?Key?Identifier:??//主體的惟一標識 
 ????????????????keyid:D4:F7:60:6F:E8:F4:2D:A6:F7:5D:09:55:D2:5D:56:DE:1F:93:91:33 
 ????Signature?Algorithm:?sha1WithRSAEncryption?????//發行者簽名，簽名算法 
 ?????????3c:90:f8:cf:d6:91:36:ab:4b:12:27:22:78:85:7f:32:15:4e: 
 ?????????ac:60:30:63:65:fe:91:be:1b:e5:22:65:34:4d:f0:b2:2c:d9: 
 ?????????43:38:b9:76:1e:10:ca:27:ab:e9:db:00:bd:d9:87:96:b5:a9: 
 ?????????ee:34:34:01:05:88:fc:59:ef:1d:9b:3f:8e:49:fa:e8:c9:54: 
 ?????????15:d0:63:14:7d:51:e9:c8:8c:50:77:81:5c:f2:56:f8:c2:ba: 
 ?????????16:46:cc:7f:e2:72:27:56:4e:a7:c4:2c:b4:64:44:9a:84:bc: 
 ?????????b2:19:5e:dd:3c:20:1c:a9:8c:93:ae:94:e4:8d:8e:d1:b7:47: 
 ?????????3a:c5:f6:df:42:6f:d9:66:d8:25:97:03:94:01:60:f5:a7:60: 
 ?????????c3:33:55:c3:cb:12:f8:14:1e:df:17:00:26:49:ce:74:fc:8f: 
 ?????????56:16:10:b3:16:6e:09:06:8c:8f:84:e9:ec:e2:84:06:82:ac: 
 ?????????27:8d:c5:f6:83:d8:3d:8d:de:d9:3e:e7:ae:15:41:a9:8d:42: 
 ?????????e9:9d:8d:b8:d7:29:47:21:45:3c:39:49:7a:96:31:bb:95:93: 
 ?????????7b:1b:29:07:dc:fe:ad:7c:f0:28:c5:cb:b5:65:8f:1f:7e:60: 
 ?????????a3:86:50:9f:c3:da:53:1f:6b:ec:ab:7c:1a:7e:39:40:37:23: 
 ?????????83:17:39:54 
subject=?/C=CD/ST=CD/O=MageEdu/OU=Ops/CN=www.magedu.com/emailAddress=lccnx.foxmail.com
 serial=01 
 1、找到CA名，和簽名算法? 
 2、找到信任機構的CA證書 
 3、用證書中的公鑰解密加密的數字簽名?????//身份認證 
 4、用相同的簽名算法對證書提取特征碼?????//完整性檢驗 
 5、比對特征碼是否相同 

基于公鑰加密通信機制

SSL Hand shark：?一個IP地址只能建立一個SSL會話

openssl工具使用

對稱加密

使用示例

 使用示例：
1、創建臨時文件
#?mktemp?-p?/tmp?lcc.XXXX
 /tmp/lcc.hFdo 
2、加密
 ????#?openssl?enc?-e?-seed-cfb?-a?-salt?-in?lcc.hFdo?-out?lcc.ciphertext 
3、解密
 ????#?openssl?enc?-d?-seed-cfb?-a?-salt?-in?lcc.ciphertext?-out?lcc.txt 

單向加密

使用示例

 #?sha1sum?lcc.txt?
5448d7dc19288c6ee87a25d4e2e990f72d786971??lcc.txt
#?openssl?dgst?-sha1?-hex?lcc.txt?
SHA1(lcc.txt)=?5448d7dc19288c6ee87a25d4e2e990f72d786971

生成用戶密碼

使用示例

  #?openssl?passwd?-1?-salt?$(openssl?rand?-hex?4)? 
 #?openssl?passwd?-1?-salt?$(openssl?rand?-hex?4)?123 

生成隨機數

使用示例

  #?openssl?rand?-hex?4??????(8位) 
 #?openssl?rand?-base64?16?|?tr?-d?'=' 

生成密鑰對

使用示例

# openssl genrsa ?-out lcc.private 1024

# openssl ?rsa ?-in lcc.private -out lcc.pubkey -pubout

私有網絡安全通信的實現方案

構建私有CA

  #??echo?"01"?>?/etc/pki/CA/serial????????//必須為01，否則簽發不了 
#??touch?/etc/pki/CA/index.txt
#?cd?/etc/pki/CA
 #?(umask?077;openssl?genrsa?-out?private/cakey.pem?1024) 
 #?openssl?req?-new?-x509?-key??private/cakey.pem?-out?cacert.pem?-days?7300 

申請請求

 #?install?-d?/etc/httpd/ssl
#?cd?/etc/httpd/ssl
 #?(umask?077;openssl?genrsa?-out?httpd.key?1024) 
 #?openssl?req?-new?-key?httpd.key?-out?httpd.csr?-days?365 

傳給CA

CA所在的主機必須有軟件能得以實現SSH協議<dropbear, telnet, openssh-server>，才能使用客戶端工具<scp, sftp, ssh>

  #?scp?-P?9999?/etc/httpd/ssl/httpd.csr?root@192.168.80.129 

CA驗證

CA簽發

  #?openssl?ca?-in?/tmp/httpd.csr?-out?/tmp/httpd.crt?-days?365 

從證書存取庫中獲取證書

  #?scp?-P?9999?root@192.168.80.129:/etc/pki/CA/certs/httpd.crt?/etc/httpd/ssl/ 

驗證證書

  #?openssl?x509?-in?certs/httpd.crt?-noout?-serial?-subject 
 serial=01 
subject=?/C=CD/ST=CD/O=MageEdu/OU=Ops/CN=www.magedu.com/emailAddress=lccnx.foxmail.com

在客戶端進行吊銷證書

1、獲取serial

  #?openssl?x509?-in?/etc/httpd/ssl/httpd.crt?-noout?-serial?-subject 

2、在CA，index.txt中查看serial與客戶端是否相同

吊銷

  #?openssl?ca?-revoke?newcerts/01.pem? 
Using?configuration?from?/etc/pki/tls/openssl.cnf
 Revoking?Certificate?01. 
Data?Base?Updated

3、生成吊銷證書編號

  #?echo?"01"?>?/etc/pki/CA/crlnumber 

4、更新吊銷列表?

 #?openssl?ca?-gencrl?-out?thisca.crl
Using?configuration?from?/etc/pki/tls/openssl.cnf

5、查看crl文件

  #?openssl?crl?-in?thisca.crl?-noout?-text 
Certificate?Revocation?List?(CRL):
 ????????Version?2?(0x1)????????//版本號 
 ????Signature?Algorithm:?sha1WithRSAEncryption???????//簽名算法 
 ????????Issuer:?/C=CD/ST=CD/L=ChengDu/O=MageEdu/OU=Ops/CN=ca.magedu.com/emailAddress=lccnx@foxmail.com 
 ????????Last?Update:?Sep?21?08:14:35?2017?GMT?有效期 
 ????????Next?Update:?Oct?21?08:14:35?2017?GMT 
 ????????CRL?extensions:????擴展信息 
 ????????????X509v3?CRL?Number:??吊銷號碼 
 ????????????????1 
Revoked?Certificates:
 ????Serial?Number:?01 
 ????????Revocation?Date:?Sep?21?08:12:49?2017?GMT 
 ????Signature?Algorithm:?sha1WithRSAEncryption 
 ?????????5d:9e:a2:60:e3:78:9d:24:42:92:b6:72:81:92:43:d7:02:12: 
 ?????????54:f0:8e:08:21:d8:55:34:1c:70:53:8d:ac:bd:44:15:37:30: 
 ?????????ba:ef:d2:79:24:52:83:a1:bb:39:70:af:93:10:64:06:b6:e6: 
 ?????????76:fd:12:cf:b5:f7:07:16:c6:cd:08:a9:46:d3:76:64:24:93: 
 ?????????7d:b4:5a:6d:da:38:08:31:7b:6e:76:a6:4e:5a:c2:cc:e6:24: 
 ?????????be:76:b9:38:46:ed:c7:16:61:88:8c:ac:90:bd:4e:c9:9d:e5: 
 ?????????73:8a:76:c4:57:82:80:29:06:c8:81:cd:7b:37:08:ee:81:25: 
 ?????????d6:04:8e:dd:dd:d8:1b:47:44:e4:bb:bc:3c:7f:cb:97:68:27: 
 ?????????b0:32:ea:fb:d1:84:91:7e:50:05:14:0a:1d:65:2a:5e:ba:41: 
 ?????????1d:dd:a4:39:e5:d2:b5:2b:33:b0:56:b3:78:cc:99:69:c9:89: 
 ?????????0e:a0:71:f1:5f:ca:40:57:73:72:4d:f0:3d:ea:57:d7:53:6d: 
 ?????????90:ca:59:57:65:1b:ec:b5:4d:6f:7e:41:64:c1:c6:d4:ab:b1: 
 ?????????01:b5:a3:e3:67:0c:59:c9:bc:e6:6c:d1:ae:20:05:3f:85:87: 
 ?????????32:f8:bf:3c:9a:ba:e8:c2:e9:fd:e8:b8:54:92:86:45:95:ca: 
 ?????????c3:53:13:41 