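Introduction to CA Certificates and TLS


Digital signatures

    Encrypting data with your own private key is called a digital signature.

Public-key transmission threat

   In communication between A and B, C can send its own public key to A and have A treat C's public key as B's. B then cannot decrypt the encrypted data it receives, while C can, so C is able to intercept the data exchanged between A and B.

   Both parties therefore have to confirm where a public key came from.

  If A and B want to exchange public keys securely, they must go through a CA (certificate authority). In the certificate exchange process, A and B both start with the CA's public key built in.

  The root CA's certificate is signed by the root CA itself (self-signed).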

 

 

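CA and certificates

  PKI: Public Key Infrastructure

       Certificate authority: CA (Certificate Authority)

       Registration authority: RA

       Certificate revocation list: CRL

       Certificate repository

  X.509: defines the structure of certificates and the authentication protocol standard. Certificate fields:

       version, serial number, signature algorithm, issuer, validity period, subject name, subject public key, CRL distribution points, extensions, issuer signature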

 

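SSL

   SSL (Secure Socket Layer) and TLS (Transport Layer Security) are essentially the same thing.

   Functions provided: confidentiality, authentication, integrity, replay protection (the same valid data cannot be sent again).

   It is a two-phase protocol, split into a handshake phase and an application phase.

    Handshake phase (negotiation phase):

           The client and server authenticate each other's identity (relying on the PKI, using digital certificates for identity authentication) and negotiate the security parameters, cipher suite and master secret used for the communication.

           All keys used in the subsequent communication are derived from the MasterSecret.

     Application phase:

            Entered once the handshake phase is complete. In the application phase both sides communicate securely using the keys negotiated during the handshake phase.

    The HTTPS communication process, using taobao's certificate as the example:

    The taobao certificate contains SCA(Ptaobao), that is, taobao's public key signed (encrypted) with the CA's private key, plus the CA certificate description, the expiry time and other certificate information. The taobao site sends this certificate to the client.

    Because the client trusts the CA and holds the CA's public key, it can decrypt SCA(Ptaobao) and obtain taobao's public key, Ptaobao.

    The client (browser) generates a symmetric key (key) locally, encrypts it with taobao's public key and sends it to taobao:  Ptaobao(key)   sendto  taobao

    taobao decrypts it with its own private key to obtain the key the client sent:  Staobao(Ptaobao(key)) = key.  The client and the server now hold the same symmetric key.

    The client and server can then use key(data) to symmetrically encrypt the bulk of the web page data, giving both sides secure communication.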
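
The public-key substitution threat described earlier and the certificate check at the start of the HTTPS flow above, as an added example (not code from the original page). It assumes openssl is on the PATH; the names "Demo Root CA" and "b.example", the function names and the temporary files are constructed for the illustration.

```shell
#!/bin/sh
# check_peer_cert CA_CERT PEER_CERT: judge a certificate received over the
# network using only the CA certificate the client already holds.
check_peer_cert() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo trusted
  else
    echo rejected
  fi
}

# demo_exchange genuine|impostor: build a throwaway CA, B's CA-signed
# certificate and C's self-made certificate for the same name, then check one.
demo_exchange() {
  d=$(mktemp -d) || return 1
  cat > "$d/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Demo Root CA
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
  # Root CA: self-signed, the certificate both parties have built in.
  openssl req -x509 -newkey rsa:2048 -nodes -config "$d/req.cnf" \
    -keyout "$d/ca.key" -out "$d/ca.pem" -days 1 2>/dev/null
  # B: key pair and CSR, then a certificate signed with the CA's private key.
  openssl req -new -newkey rsa:2048 -nodes -config "$d/req.cnf" \
    -subj "/CN=b.example" -keyout "$d/b.key" -out "$d/b.csr" 2>/dev/null
  openssl x509 -req -in "$d/b.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
    -CAcreateserial -out "$d/b.pem" -days 1 2>/dev/null
  # C: claims B's name but can only sign the certificate with its own key.
  openssl req -x509 -newkey rsa:2048 -nodes -config "$d/req.cnf" \
    -subj "/CN=b.example" -keyout "$d/c.key" -out "$d/c.pem" -days 1 2>/dev/null
  case $1 in
    genuine)  check_peer_cert "$d/ca.pem" "$d/b.pem" ;;
    impostor) check_peer_cert "$d/ca.pem" "$d/c.pem" ;;
  esac
  rm -rf "$d"
}
```

Both certificates carry the same subject name; only the one whose signature chains to the CA the client already holds is accepted.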

 

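OpenSSL: requesting and issuing certificates with the open-source implementation

    Base64 is a 6-bit encoding using the characters a-z, A-Z, 0-9, / and +, 64 symbols in total.

   Generate a private key

        openssl genrsa -out /PATH/TO/PRIVATEKEY.FILE NUM_BITS
        (umask 077; openssl genrsa -out test.key -des 2048)    -des encrypts the key with a symmetric cipher

        openssl rsa -in test.key -out test2.key          decrypts the encrypted key

   Extract the public key from the private key

       openssl rsa -in PRIVATEKEYFILE -pubout -out PUBLICKEYFILE
       openssl rsa -in test.key -pubout -out test.key.pub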

 

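Lab: requesting a certificate from a CA

Set up the root CA

    1. The key configuration file for creating a CA is the openssl configuration file: /etc/pki/tls/openssl.cnf

    2. The CA's default working directory is /etc/pki/CA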

[root@centos7 ~]# cd /etc/pki/CA
# Create the CA server's private key
[root@centos7 CA]# (umask 077;openssl genrsa -out private/cakey.pem 4096)
Generating RSA private key, 4096 bit long modulus
...................................................++
..............................................................................................................................................................................................................................................................................................++
e is 65537 (0x10001)
[root@centos7 CA]# ls private
cakey.pem

# The root CA signs a certificate for its own key (self-signed)
[root@centos7 CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3650
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:mage
Organizational Unit Name (eg, section) []:M30
Common Name (eg, your name or your server's hostname) []:www.yxh.com
Email Address []:
# Display the certificate contents in readable text form
[root@centos7 CA]# openssl x509 -in cacert.pem -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            f9:72:0f:e1:6c:80:e3:aa
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=CN, ST=beijing, L=beijing, O=mage, OU=M30, CN=www.yxh.com
        Validity
            Not Before: May 19 08:58:14 2018 GMT
            Not After : May 16 08:58:14 2028 GMT
        Subject: C=CN, ST=beijing, L=beijing, O=mage, OU=M30, CN=www.yxh.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                C6:80:BB:D0:7D:12:F4:EF:1A:69:CD:92:D3:F7:E1:3D:8A:27:CD:76
            X509v3 Authority Key Identifier: 
                keyid:C6:80:BB:D0:7D:12:F4:EF:1A:69:CD:92:D3:F7:E1:3D:8A:27:CD:76

            X509v3 Basic Constraints: 
                CA:TRUE
    Signature Algorithm: sha256WithRSAEncryption

[root@centos7 CA]# openssl x509 -in cacert.pem -noout -issuer
issuer= /C=CN/ST=beijing/L=beijing/O=mage/OU=M30/CN=www.yxh.com
A user or server requests a certificate
1. Generate the private key file
[root@yxh6 data]# (umask 077;openssl genrsa -out app.key 1024)
Generating RSA private key, 1024 bit long modulus
..............................++++++
.....................++++++
e is 65537 (0x10001)
[root@yxh6 data]# ls
app.key

2. Use the private key file to generate the request file (CSR)
[root@yxh6 data]# openssl req -new -key app.key -out app.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:mage
Organizational Unit Name (eg, section) []:M30
Common Name (eg, your name or your server's hostname) []:www.yxh.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@yxh6 data]# ls
app.csr  app.key

3. Send the request file to the CA
  scp app.csr 192.168.33.130:/etc/pki/CA

4. The CA issues the certificate
   Back on the CA server, issue the certificate
   touch index.txt
   echo 0F > serial
   [root@centos7 CA]# openssl ca -in app.csr -out certs/app.crt -days 100
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 15 (0xf)
        Validity
            Not Before: May 19 09:35:37 2018 GMT
            Not After : Aug 27 09:35:37 2018 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = beijing
            organizationName          = mage
            organizationalUnitName    = M30
            commonName                = www.yxh.com
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                71:DC:D4:AE:8A:5A:16:A4:13:62:D7:3A:C9:C7:DD:A7:9C:95:B0:4F
            X509v3 Authority Key Identifier: 
                keyid:C6:80:BB:D0:7D:12:F4:EF:1A:69:CD:92:D3:F7:E1:3D:8A:27:CD:76

Certificate is to be certified until Aug 27 09:35:37 2018 GMT (100 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@centos7 certs]# ls
app.crt

5. Send the certificate to the client
  scp /etc/pki/CA/certs/app.crt 192.168.33.129:/data
  The client can then use this certificate in its applications

 

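Viewing the generated certificate and installing it on Windows

The certificate cacert.pem can be downloaded to Windows to view the certificate information graphically.
The .pem suffix (cacert.pem) has to be changed to one Windows recognizes, .cer (cacert.cer) or .crt.      Clicking "Install Certificate" installs the certificate into the trusted certificate store.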

 

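   Certificate management

     View the information in a certificate:

      openssl x509 -in /PATH/FROM/CERT_FILE -noout     -text|issuer|subject|serial|dates

      openssl  ca -status SERIAL    shows the status of the certificate with the given serial number

    Revoking a certificate

       On the client, get the serial of the certificate to be revoked:

             openssl x509 -in /PATH/FROM/CERT_FILE -noout  -serial -subject

       On the CA, check that the serial and subject submitted by the client match the information in the index.txt file, then revoke the certificate:

            openssl ca -revoke /etc/pki/CA/newcerts/SERIAL.pem

      Specify the initial number for certificate revocation. Note: this is only needed before the certificate revocation list is updated for the first time:  echo 01 > /etc/pki/CA/crlnumber

      Update the certificate revocation list:  openssl ca -gencrl -out /etc/pki/CA/crl.pem

      View the CRL file:  openssl crl -in /etc/pki/CA/crl.pem -noout -text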
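
One way to script the "compare serial and subject against index.txt" step before running openssl ca -revoke, as an added example (not part of the original page). The function names are hypothetical and the two database rows are constructed: the first reuses the serial and subject from the issuance output above, the second (serial 10, old.yxh.com) is invented to show a revoked entry.

```shell
#!/bin/sh
# check_revocation_request INDEX SERIAL SUBJECT
# index.txt is the OpenSSL CA database, one tab-separated line per certificate:
#   status (V valid, R revoked, E expired), expiry date, revocation date,
#   serial (hex), file name, subject DN
# Prints: ok-to-revoke | subject-mismatch | already-revoked | expired | unknown-serial
check_revocation_request() {
  awk -F'\t' \
      -v serial="$(printf '%s' "$2" | tr 'a-f' 'A-F')" \
      -v subject="$3" '
    toupper($4) == serial {
      found = 1
      if ($6 != subject)   result = "subject-mismatch"
      else if ($1 == "R")  result = "already-revoked"
      else if ($1 == "E")  result = "expired"
      else                 result = "ok-to-revoke"
    }
    END { print (found ? result : "unknown-serial") }
  ' "$1"
}

# Constructed sample database (stands in for /etc/pki/CA/index.txt).
make_sample_index() {
  printf 'V\t180827093537Z\t\t0F\tunknown\t/C=CN/ST=beijing/O=mage/OU=M30/CN=www.yxh.com\n'
  printf 'R\t180827093537Z\t180601000000Z\t10\tunknown\t/C=CN/ST=beijing/O=mage/OU=M30/CN=old.yxh.com\n'
}
```

Only a request that yields ok-to-revoke should proceed to openssl ca -revoke; a subject mismatch means the serial the requester supplied belongs to a different certificate.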

 

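SSH secure service

   ssh: secure shell, protocol, 22/tcp, secure remote login

   Two methods of user login authentication:

      1. Password based

             1. The client sends an SSH request to the server

             2. The server receives the request and sends its public key to the client

             3. The client encrypts the entered user name and password with the public key and sends them back to the server

             4. The server decrypts them with its private key and checks the user name and password against its local user name and password

 

      2. Key based

             1. A key pair is first generated on the client

             2. The client copies the public key to the server, where it is renamed authorized_keys

             3. The client sends a connection request to the server; the information includes the IP and user name

             4. On receiving the client's message, the server looks in authorized_keys for matching information and generates a random string

             5. The server encrypts the random string with the client's public key and sends it to the client

             6. The client decrypts the received string with its own private key and sends the decrypted string to the server

             7. The server checks the string it received against the random string it originally generated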
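
Steps 4 to 7 of the key-based login above, modelled with openssl rather than a real SSH session, as an added example (not part of the original page). The function name, the file names and the choice of OAEP padding are assumptions of this example.

```shell
#!/bin/sh
# key_challenge owner|other
# Prints "accepted" when the connecting side proves it holds the private key
# that matches the public key stored on the server, otherwise "rejected".
key_challenge() {
  d=$(mktemp -d) || return 1
  # Steps 1-2: the owner's key pair; the server stores only the public half.
  openssl genrsa -out "$d/owner.key" 2048 2>/dev/null
  openssl rsa -in "$d/owner.key" -pubout -out "$d/authorized.pub" 2>/dev/null
  # An unrelated key pair, standing in for someone without the right key.
  openssl genrsa -out "$d/other.key" 2048 2>/dev/null

  # Steps 4-5: the server generates a random string and encrypts it with the
  # stored public key.
  challenge=$(openssl rand -hex 16)
  printf '%s' "$challenge" | openssl pkeyutl -encrypt -pubin \
    -inkey "$d/authorized.pub" -pkeyopt rsa_padding_mode:oaep \
    -out "$d/challenge.enc"

  # Step 6: the connecting side decrypts with the private key it holds.
  # Decryption with the wrong key fails, leaving an empty answer.
  answer=$(openssl pkeyutl -decrypt -inkey "$d/$1.key" \
    -pkeyopt rsa_padding_mode:oaep -in "$d/challenge.enc" 2>/dev/null) || answer=
  rm -rf "$d"

  # Step 7: the server compares the answer with the string it generated.
  if [ -n "$answer" ] && [ "$answer" = "$challenge" ]; then
    echo accepted
  else
    echo rejected
  fi
}
```

The private key never leaves the client in this exchange; the server only ever sees the public key and the decrypted challenge.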

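  ssh client:

     1. Client configuration file:  /etc/ssh/ssh_config              ssh server configuration file:   /etc/ssh/sshd_config

     On the first connection the ssh client downloads the remote host's public key to the local machine. To impersonate another host that has already been connected to, that host's private key would have to be copied to the local machine.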

 

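Setting up ssh key based authentication

   This gives a specified user password-less login (root by default). Giving a user name in the ssh-copy-id command copies the public key file into that user's home directory.

   ssh-copy-id   yxh@192.168.33.130

1. Generate a key pair on the client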
[root@yxh6 data]# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
84:69:ce:6b:19:1d:09:c4:94:66:06:2e:76:57:8b:0b root@yxh6.localdomain
The key's randomart image is:
+--[ RSA 2048]----+
|    .=+..        |
|   .  ** o       |
|  o E+* =        |
| . o * + .       |
|      = S        |
|       +         |
|      +          |
|     .           |
|                 |
+-----------------+
[root@yxh6 data]# cd /root/.ssh
[root@yxh6 .ssh]# ls
id_rsa  id_rsa.pub  known_hosts

2. Copy the public key to the server host
[root@yxh6 .ssh]# ssh-copy-id 192.168.33.130
root@192.168.33.130's password: 
Now try logging into the machine, with "ssh '192.168.33.130'", and check in:

  .ssh/authorized_keys

to make sure we haven't added extra keys that you weren't expecting.

3. Connect directly to the remote host
[root@yxh6 .ssh]# ssh 192.168.33.130
Last login: Sat May 19 17:31:50 2018 from 192.168.33.1
this is etc/motd,welcome....
[root@centos7 ~]# 

 

Mutual key-based login between multiple hosts

     1. Generate one key pair on host A; all hosts use the same key

     2. ssh-copy-id A

    3. scp   -rp      /root/.ssh B:/root

    4. scp   -rp     /root/.ssh C:/root

 

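Automating ssh key authentication with a script

  Prompts that expect has to match:

     #Are you sure you want to continue connecting (yes/no)?
     #root@192.168.33.129's password:

Create the IP list file
[root@centos7 .ssh]# cat ip.txt
192.168.33.129
192.168.33.130

#!/bin/bash
# Install expect if it is not already present
rpm -q expect &> /dev/null || yum install -y expect
# Generate the key pair with an empty passphrase
ssh-keygen -P "" -f "/root/.ssh/id_rsa"
# Login password, hard-coded and used for every host in ip.txt
password=root
while read -r ipaddr;do
 echo "$ipaddr"
 expect <<EOF
   spawn ssh-copy-id $ipaddr
   expect {
     # First connection: the host key prompt is answered automatically,
     # so the host key is accepted without being checked
     "yes/no"   { send "yes\n";exp_continue }
     "password:" { send "$password\n" }
   }
expect eof
EOF
done < ip.txt

Make the script file executable
   chmod +x ssh_key.sh

Run the script
   ./ssh_key.sh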