**加密解密基础、PKI及SSL、创建私有CA**

进程间通信

socket通信

客户端-->请求--> 路由转发 --> 服务端，取出资源 --> 封装为可响应给客户端的请求报文从接收请求端口发出

SSL/TLS协议的实现 OpenSSL

OpenSSL程序组件

 [root@localhost CA]# rpm -ql openssl 
 /usr/lib/libcrypto.so.10  //加密解密库 (C，C++程序员调用的库) 
 /usr/lib/libssl.so.10    //ssl/tls实现 (C,C++程序员调用的库) HTTP --> HTTPS 
 /usr/bin/openssl        //命令行工具 

SSL Secure Socket Layer 安全的套接字层

TLS Transfer Layer Secure 传输层安全

SSL分层

 用组件拼装而成的密码学协议软件(TLS, SSL)
标准算法组合成半成品
 算法实现：AES-128-CBC-PKCS7 
算法原语：AES(对称加密)，RSA(非对称加密),MD5(单向加密)

NIST制定的安全标准:保密性、完整性、可用性

SOCKET通信模型中面临的风险:窃听、伪装、重放、消息篡改、拒绝服务

保证安全的手段(安全机制)：加密、身份认证、访问控制、完整性校验、路由控制、公证

提供安全机制的服务：认证、访问控制、保密性、完整性、不可否认性

保证服务的安全(算法和协议)：对称、非对称、单向、密钥交换

加密解密的基础原理

对称加密、非对称加密、单向加密、密钥交换

证书颁发机构CA、证书的作用

PKI

证书的规范

  # openssl x509 -in /etc/pki/CA/certs/httpd.crt -noout -text -subject -serial 
Certificate:
     Data: 
         Version: 3 (0x2)    //版本号 
         Serial Number: 1 (0x1) //序列号（每个从的惟一标识) 
     Signature Algorithm: sha1WithRSAEncryption   //签名算法ID 
         Issuer: C=CD, ST=CD, L=ChengDu           //CA名称 
                                                  //证书有效期 
             Not Before: Sep 21 07:16:20 2017 GMT 
             Not After : Sep 21 07:16:20 2018 GMT 
         Subject: C=CD, ST=CD, O=MageEdu,        //主体名称(主机名) 
         Subject Public Key Info:                //主体公钥 
                 Modulus: 
                     00:eb:bd:58:2d:05:54:49:6d:ac:42:98:ee:cb:fb: 
                     ec:62:20:e1:1e:e4:64:ef:a3:0f:23:17:5b:fb:66: 
                     6d:a9:ce:81:c3:53:b5:f8:d9:87:da:c5:f3:2d:77: 
                     f2:de:3b:ed:92:81:a5:6c:73:f6:83:3c:c2:e5:71: 
                     49:02:02:ae:45:d0:e0:45:f2:41:34:f8:25:87:41: 
                     82:aa:27:e2:17:ca:fc:74:f3:50:98:b0:6c:b0:26: 
                     8b:a5:0d:a7:ca:4b:f5:72:f9:44:87:8b:15:51:ea: 
                     9a:84:6d:22:aa:fe:84:62:5a:59:33:c3:ff:29:51: 
                     a9:1a:56:c3:63:22:9a:6d:2c:65:10:a0:57:78:c2: 
                     aa:70:3d:32:eb:59:dc:f7:a9:0c:ea:e5:8e:29:1c: 
                     2f:27:0d:53:87:e1:2b:eb:fe:f8:8f:61:8f:86:ab: 
                     f1:9c:ee:29:11:c1:71:ca:41:24:3e:1d:e1:3c:84: 
                     60:8a:d8:4d:ad:4c:b2:ca:8f:25:29:8a:11:1a:6f: 
                     1c:03:88:4a:66:99:73:34:7d:76:da:85:77:da:65: 
                     3a:e5:d3:ca:58:9f:8c:3a:3b:d5:e2:9e:77:1e:b2: 
                     f3:c8:5a:b6:2d:2b:68:71:20:9f:94:41:0c:4b:2f: 
                     93:f5:11:4c:89:9e:d9:48:ac:de:62:d9:5e:16:73: 
                     5d:39 
                 Exponent: 65537 (0x10001) 
         X509v3 extensions:          //扩展信息 
             X509v3 Subject Key Identifier:   //发行者的惟一标识 
                 C5:AE:93:32:58:BC:DC:F4:97:E5:D7:52:15:37:11:4D:ED:4C:B1:8E 
             X509v3 Authority Key Identifier:  //主体的惟一标识 
                 keyid:D4:F7:60:6F:E8:F4:2D:A6:F7:5D:09:55:D2:5D:56:DE:1F:93:91:33 
     Signature Algorithm: sha1WithRSAEncryption     //发行者签名，签名算法 
          3c:90:f8:cf:d6:91:36:ab:4b:12:27:22:78:85:7f:32:15:4e: 
          ac:60:30:63:65:fe:91:be:1b:e5:22:65:34:4d:f0:b2:2c:d9: 
          43:38:b9:76:1e:10:ca:27:ab:e9:db:00:bd:d9:87:96:b5:a9: 
          ee:34:34:01:05:88:fc:59:ef:1d:9b:3f:8e:49:fa:e8:c9:54: 
          15:d0:63:14:7d:51:e9:c8:8c:50:77:81:5c:f2:56:f8:c2:ba: 
          16:46:cc:7f:e2:72:27:56:4e:a7:c4:2c:b4:64:44:9a:84:bc: 
          b2:19:5e:dd:3c:20:1c:a9:8c:93:ae:94:e4:8d:8e:d1:b7:47: 
          3a:c5:f6:df:42:6f:d9:66:d8:25:97:03:94:01:60:f5:a7:60: 
          c3:33:55:c3:cb:12:f8:14:1e:df:17:00:26:49:ce:74:fc:8f: 
          56:16:10:b3:16:6e:09:06:8c:8f:84:e9:ec:e2:84:06:82:ac: 
          27:8d:c5:f6:83:d8:3d:8d:de:d9:3e:e7:ae:15:41:a9:8d:42: 
          e9:9d:8d:b8:d7:29:47:21:45:3c:39:49:7a:96:31:bb:95:93: 
          7b:1b:29:07:dc:fe:ad:7c:f0:28:c5:cb:b5:65:8f:1f:7e:60: 
          a3:86:50:9f:c3:da:53:1f:6b:ec:ab:7c:1a:7e:39:40:37:23: 
          83:17:39:54 
subject= /C=CD/ST=CD/O=MageEdu/OU=Ops/CN=www.magedu.com/emailAddress=lccnx.foxmail.com
 serial=01 
 1、找到CA名，和签名算法  
 2、找到信任机构的CA证书 
 3、用证书中的公钥解密加密的数字签名     //身份认证 
 4、用相同的签名算法对证书提取特征码     //完整性检验 
 5、比对特征码是否相同 

基于公钥加密通信机制

SSL Hand shark：一个IP地址只能建立一个SSL会话

openssl工具使用

对称加密

使用示例

 使用示例：
1、创建临时文件
# mktemp -p /tmp lcc.XXXX
 /tmp/lcc.hFdo 
2、加密
     # openssl enc -e -seed-cfb -a -salt -in lcc.hFdo -out lcc.ciphertext 
3、解密
     # openssl enc -d -seed-cfb -a -salt -in lcc.ciphertext -out lcc.txt 

单向加密

使用示例

 # sha1sum lcc.txt 
5448d7dc19288c6ee87a25d4e2e990f72d786971  lcc.txt
# openssl dgst -sha1 -hex lcc.txt 
SHA1(lcc.txt)= 5448d7dc19288c6ee87a25d4e2e990f72d786971

生成用户密码

使用示例

  # openssl passwd -1 -salt $(openssl rand -hex 4)  
 # openssl passwd -1 -salt $(openssl rand -hex 4) 123 

生成随机数

使用示例

  # openssl rand -hex 4      (8位) 
 # openssl rand -base64 16 | tr -d '=' 

生成密钥对

使用示例

# openssl genrsa -out lcc.private 1024

# openssl rsa -in lcc.private -out lcc.pubkey -pubout

私有网络安全通信的实现方案

构建私有CA

  #  echo "01" > /etc/pki/CA/serial        //必须为01，否则签发不了 
#  touch /etc/pki/CA/index.txt
# cd /etc/pki/CA
 # (umask 077;openssl genrsa -out private/cakey.pem 1024) 
 # openssl req -new -x509 -key  private/cakey.pem -out cacert.pem -days 7300 

申请请求

 # install -d /etc/httpd/ssl
# cd /etc/httpd/ssl
 # (umask 077;openssl genrsa -out httpd.key 1024) 
 # openssl req -new -key httpd.key -out httpd.csr -days 365 

传给CA

CA所在的主机必须有软件能得以实现SSH协议<dropbear, telnet, openssh-server>，才能使用客户端工具<scp, sftp, ssh>

  # scp -P 9999 /etc/httpd/ssl/httpd.csr root@192.168.80.129 

CA验证

CA签发

  # openssl ca -in /tmp/httpd.csr -out /tmp/httpd.crt -days 365 

从证书存取库中获取证书

  # scp -P 9999 root@192.168.80.129:/etc/pki/CA/certs/httpd.crt /etc/httpd/ssl/ 

验证证书

  # openssl x509 -in certs/httpd.crt -noout -serial -subject 
 serial=01 
subject= /C=CD/ST=CD/O=MageEdu/OU=Ops/CN=www.magedu.com/emailAddress=lccnx.foxmail.com

在客户端进行吊销证书

1、获取serial

  # openssl x509 -in /etc/httpd/ssl/httpd.crt -noout -serial -subject 

2、在CA，index.txt中查看serial与客户端是否相同

吊销

  # openssl ca -revoke newcerts/01.pem  
Using configuration from /etc/pki/tls/openssl.cnf
 Revoking Certificate 01. 
Data Base Updated

3、生成吊销证书编号

  # echo "01" > /etc/pki/CA/crlnumber 

4、更新吊销列表

 # openssl ca -gencrl -out thisca.crl
Using configuration from /etc/pki/tls/openssl.cnf

5、查看crl文件

  # openssl crl -in thisca.crl -noout -text 
Certificate Revocation List (CRL):
         Version 2 (0x1)        //版本号 
     Signature Algorithm: sha1WithRSAEncryption       //签名算法 
         Issuer: /C=CD/ST=CD/L=ChengDu/O=MageEdu/OU=Ops/CN=ca.magedu.com/emailAddress=lccnx@foxmail.com 
         Last Update: Sep 21 08:14:35 2017 GMT 有效期 
         Next Update: Oct 21 08:14:35 2017 GMT 
         CRL extensions:    扩展信息 
             X509v3 CRL Number:  吊销号码 
                 1 
Revoked Certificates:
     Serial Number: 01 
         Revocation Date: Sep 21 08:12:49 2017 GMT 
     Signature Algorithm: sha1WithRSAEncryption 
          5d:9e:a2:60:e3:78:9d:24:42:92:b6:72:81:92:43:d7:02:12: 
          54:f0:8e:08:21:d8:55:34:1c:70:53:8d:ac:bd:44:15:37:30: 
          ba:ef:d2:79:24:52:83:a1:bb:39:70:af:93:10:64:06:b6:e6: 
          76:fd:12:cf:b5:f7:07:16:c6:cd:08:a9:46:d3:76:64:24:93: 
          7d:b4:5a:6d:da:38:08:31:7b:6e:76:a6:4e:5a:c2:cc:e6:24: 
          be:76:b9:38:46:ed:c7:16:61:88:8c:ac:90:bd:4e:c9:9d:e5: 
          73:8a:76:c4:57:82:80:29:06:c8:81:cd:7b:37:08:ee:81:25: 
          d6:04:8e:dd:dd:d8:1b:47:44:e4:bb:bc:3c:7f:cb:97:68:27: 
          b0:32:ea:fb:d1:84:91:7e:50:05:14:0a:1d:65:2a:5e:ba:41: 
          1d:dd:a4:39:e5:d2:b5:2b:33:b0:56:b3:78:cc:99:69:c9:89: 
          0e:a0:71:f1:5f:ca:40:57:73:72:4d:f0:3d:ea:57:d7:53:6d: 
          90:ca:59:57:65:1b:ec:b5:4d:6f:7e:41:64:c1:c6:d4:ab:b1: 
          01:b5:a3:e3:67:0c:59:c9:bc:e6:6c:d1:ae:20:05:3f:85:87: 
          32:f8:bf:3c:9a:ba:e8:c2:e9:fd:e8:b8:54:92:86:45:95:ca: 
          c3:53:13:41 