Overview of Security Mechanisms
Goals of information security protection
- Confidentiality
- Integrity
- Availability (the notes render this as "Usability"; the classic CIA goal is availability of the system and its data)
- Controllability
- Non-repudiation
Layers of security protection
- Physical security: devices and hosts, the machine-room environment
- System security: the operating system of the host or device
- Application security: network services and application programs
- Network security: control over network access, firewall rules
- Data security: backup and recovery of information, encryption and decryption
- Management security: the policies, processes and methods that guarantee all of the above
Security threats: STRIDE
- Spoofing
- Tampering
- Repudiation
- Information Disclosure
- Denial of Service
- Elevation of Privilege
Basic principles of secure design
- Use mature, proven security systems rather than home-grown ones
- Treat all input data as hostile
- External systems are untrusted
- Least privilege
- Minimize external interfaces (the attack surface)
- Secure by default
- Security must be precise and verifiable, not a vague appearance of security
- Think in terms of STRIDE
- Validate at the entry point (the trust boundary)
- Protect your system through management controls as well as technical ones
Security Algorithms
Commonly used security techniques
- Authentication
- Authorization
- Auditing
- Secure communication
Cryptographic algorithms and protocols:
- Symmetric encryption
- Public-key encryption
- One-way hashing
- Authentication protocols
On Linux: OpenSSL, gpg (an implementation of the OpenPGP protocol)
Why encryption is needed
Vulnerabilities of unencrypted traffic
- Password and data sniffing
- Data manipulation
- Manipulation of the authentication exchange
- Equivalent to mailing a postcard: everyone on the path can read and alter it
Insecure legacy protocols
- telnet, FTP, POP3, etc.: passwords sent in the clear
- http, smtp, NFS, etc.: information sent in the clear
- LDAP, NIS, rsh, etc.: insecure authentication
Symmetric encryption algorithms
Symmetric encryption: encryption and decryption use the same key
DES: Data Encryption Standard, 56-bit key (brute-forceable in hours today; obsolete)
3DES: triple DES, three DES keys in sequence; slow, 64-bit block, and disallowed for new use by NIST after 2023
AES: Advanced Encryption Standard (128-, 192- or 256-bit key, 128-bit block)
Blowfish, Twofish
IDEA, RC6, CAST5
Properties:
- Encryption and decryption use the same key; efficient
- Block ciphers split the input into fixed-size blocks and encrypt them one by one. The mode of operation (ECB, CBC, CTR, GCM, ...) decides how the blocks are chained; plain ECB encrypts equal plaintext blocks to equal ciphertext blocks and therefore leaks structure
Drawbacks:
- Too many keys (one per pair of communicating parties)
- Key distribution
- The origin of the data cannot be confirmed: anyone holding the shared key could have produced it
Asymmetric encryption algorithms
Public-key encryption: keys come in pairs
Public key: published to everyone; public key
Private key: kept by its owner, whose secrecy must be guaranteed; private key (the notes call it the "secret key")
Property:
- Data encrypted with the public key can only be decrypted with the paired private key, and vice versa
Functions:
- Digital signature: lets the receiver confirm the sender's identity and that the data was not altered (in practice the sender signs a hash of the data, not the data itself)
- Symmetric key exchange: the sender encrypts a symmetric key with the other party's public key and sends it; the bulk data is then encrypted symmetrically
- Data encryption: suitable only for small amounts of data
Drawbacks:
- Long keys; encryption and decryption are slow
Algorithms:
- RSA (encryption and digital signature), DSA (digital signature only), ElGamal
Asymmetric encryption
Based on a public/private key pair
What one key of the pair encrypts, the other decrypts
Implementing encryption:
Receiver
- Generates the key pair: P and S
- Publishes the public key P, keeps the private key S secret
Sender
- Encrypts message M with the receiver's public key
- Sends P(M) to the receiver
Receiver
- Decrypts with the private key S: M = S(P(M))
Implementing a digital signature:
Sender
- Generates the key pair: P and S
- Publishes the public key P, keeps the private key S secret
- "Encrypts" the message M with the private key S. This textbook picture is specific to RSA; real signature schemes sign a hash H(M) with padding, so what is sent is S(H(M)), which is short and fixed-size whatever the length of M
- Sends M together with S(M) (or S(H(M))) to the receiver
Receiver
- "Decrypts" with the sender's public key: M = P(S(M)); in practice recovers H(M) from the signature and compares it with a freshly computed hash of M
- Combined signature and encryption: sign first, then encrypt the signed message with the receiver's public key
- Detached signature: the signature is a separate file sent alongside the unmodified message

CAs and Certificates
PKI: Public Key Infrastructure
- Certificate Authority: CA
- Registration Authority: RA
- Certificate Revocation List: CRL
- Certificate repository
X.509: defines the structure of certificates and the authentication protocol standard
- Version number
- Serial number
- Signature algorithm
- Issuer
- Validity period
- Subject name
- Subject public key
- CRL distribution points
- Extensions (e.g. subjectAltName, basicConstraints, keyUsage)
- Issuer's signature
Obtaining a certificate
Certificate types:
- CA certificate
- Server certificate
- User certificate
Two ways to obtain a certificate:
- Use a certificate authority:
- generate a certificate signing request (CSR)
- send the CSR to the CA
- receive the signed certificate from the CA
Self-signed certificate
- Sign your own public key yourself; nobody else vouches for it, so every client must be configured to trust it explicitly
Security Protocols
- SSL: Secure Socket Layer
- TLS: Transport Layer Security
- 1995: SSL 2.0, Netscape
- 1996: SSL 3.0
- 1999: TLS 1.0, RFC 2246
- 2006: TLS 1.1, IETF (Internet Engineering Task Force) RFC 4346
- 2008: TLS 1.2, RFC 5246
- 2018: TLS 1.3, RFC 8446 (the notes give 2015; the RFC was published in August 2018). TLS 1.2 and 1.3 are the versions in use today; SSL 2.0/3.0 and TLS 1.0/1.1 are deprecated and should be disabled on servers
Functions:
- Confidentiality, authentication, integrity, replay protection
A two-phase protocol: a handshake phase and an application phase
- Handshake phase (negotiation phase): the client and server authenticate each other (relying on the PKI, with digital certificates proving identity; the server is always authenticated, the client optionally) and negotiate the security parameters, the cipher suite and the master secret. All keys used in later communication are derived from the MasterSecret.
- Application phase: entered after the handshake completes; both parties communicate using the keys negotiated in the handshake
SSL/TLS sub-protocols
- Handshake protocol: negotiation of security parameters and cipher suite, server authentication (client authentication optional), key exchange
- ChangeCipherSpec protocol: a single message signalling that the sender is switching to the just-negotiated cipher state; in TLS 1.3 it survives only as a dummy message for middlebox compatibility
- Alert protocol: error notifications at two levels, fatal and warning; a fatal alert terminates the SSL/TLS connection immediately, while after a warning the connection may continue, with the warning reported
- Record protocol: fragmentation of messages, compression (deprecated, since compression leaks plaintext as in the CRIME attack, and removed in TLS 1.3), message authentication and integrity protection, and encryption
- HTTPS: "HTTP over SSL" or "HTTP over TLS", the combination of the HTTP protocol and SSL/TLS. The textual HTTP data is encrypted and transmitted in binary form, by default on port 443

OpenSSL
OpenSSL: open-source project
Three components:
- openssl: the multi-purpose command-line tool, package openssl
- libcrypto: the cryptographic algorithm library, package openssl-libs
- libssl: the SSL/TLS library built on libcrypto, implementing SSL and TLS; also in package openssl-libs (the notes say "nss", but NSS is Mozilla's separate crypto library, not part of OpenSSL)
SSH
ssh: Secure Shell, a protocol, 22/tcp, secure remote login
Concrete software implementations:
- OpenSSH: the open-source implementation of the ssh protocol, installed by default on CentOS
- dropbear: another open-source implementation
SSH protocol versions
- v1: uses CRC-32 as the integrity check, which is not a real MAC; insecure, vulnerable to man-in-the-middle and insertion attacks; removed from modern OpenSSH
- v2: both hosts negotiate a secure MAC algorithm
- Key exchange based on the DH algorithm; host and user authentication with RSA or DSA (today also ECDSA and Ed25519; DSA host and user keys are disabled by default in OpenSSH since 7.0)
Two ways of user login authentication:
- Password-based
- Key-based (public-key authentication; preferred, after which password authentication can be disabled on the server)
The openssl command:
Two modes of operation: interactive mode and batch mode
openssl version: print the program version
Standard commands, message digest commands, cipher commands
Standard commands: enc, ca, req, ...
Symmetric encryption:
Tools: openssl enc, gpg
Algorithms: 3des, aes, blowfish, twofish
The enc command:
Help:
man enc
Encrypt:
openssl enc -e -des3 -a -salt -in testfile -out test.cipher
Decrypt:
openssl enc -d -des3 -a -salt -in test.cipher -out testfile
-des3 is shown because the notes use it; for new data prefer -aes-256-cbc, and add -pbkdf2 so the password is stretched with PBKDF2 instead of the legacy single-pass EVP_BytesToKey derivation. enc provides confidentiality only: the ciphertext can be modified without detection, so sign it or add a MAC separately.
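The following script is an added example, not code from the original notes. It runs the enc round trip above with the recommended options (AES-256-CBC, PBKDF2, random salt) and then demonstrates the block-mode point from the symmetric-encryption section: the same 64 bytes of repeated plaintext encrypted in ECB and in CBC, counting how many distinct ciphertext blocks come out. The password, raw key and IV are hypothetical demo values.

```shell
#!/bin/sh
# Added example (not from the original page): openssl enc round trip with
# PBKDF2, plus an ECB-vs-CBC comparison. Password, key and IV are demo values.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

DEMO_PASSWORD='correct horse battery staple'   # hypothetical password
DEMO_KEY=000102030405060708090a0b0c0d0e0f       # raw AES-128 key in hex, demo only
DEMO_IV=0f0e0d0c0b0a09080706050403020100       # fixed IV, for the CBC demo only

# Encrypt a file with AES-256-CBC; the key is derived from the password with
# PBKDF2 (100k iterations) and a random salt; -a base64-armours the output.
encrypt_file() {   # $1 = plaintext path, $2 = ciphertext path
    openssl enc -e -aes-256-cbc -pbkdf2 -iter 100000 -salt -a \
        -pass "pass:$DEMO_PASSWORD" -in "$1" -out "$2"
}

# Decrypt with the same derivation parameters (the salt is read from the
# "Salted__" header that enc wrote).
decrypt_file() {   # $1 = ciphertext path, $2 = plaintext path
    openssl enc -d -aes-256-cbc -pbkdf2 -iter 100000 -a \
        -pass "pass:$DEMO_PASSWORD" -in "$1" -out "$2"
}

# Round trip: prints the decrypted text so a caller can compare it.
roundtrip() {
    printf 'attack at dawn\n' > "$WORK/plain.txt"
    encrypt_file "$WORK/plain.txt" "$WORK/plain.enc"
    decrypt_file "$WORK/plain.enc" "$WORK/plain.dec"
    cat "$WORK/plain.dec"
}

# Encrypt 64 identical bytes (four equal 16-byte blocks; padding adds a
# fifth) with a raw key and count the distinct 16-byte ciphertext blocks.
# $1 = aes-128-ecb or aes-128-cbc
distinct_blocks() {
    mode=$1
    iv_opt=""
    [ "$mode" = "aes-128-cbc" ] && iv_opt="-iv $DEMO_IV"
    blk=AAAAAAAAAAAAAAAA
    printf '%s%s%s%s' "$blk" "$blk" "$blk" "$blk" \
        | openssl enc "-$mode" -K "$DEMO_KEY" $iv_opt \
        | od -An -v -tx1 | tr -d ' \n' | fold -w 32 | sort -u | wc -l | tr -d ' '
}

echo "round trip         : $(roundtrip)"
echo "distinct blocks ECB: $(distinct_blocks aes-128-ecb)"   # 2: four equal data blocks + one padding block
echo "distinct blocks CBC: $(distinct_blocks aes-128-cbc)"   # 5: chaining hides the repetition
```

ECB yields only two distinct blocks out of five, i.e. the ciphertext reveals that the plaintext repeats; CBC yields five. That is why a raw block cipher is never used without a mode that chains or counters blocks, and why an authenticated mode (GCM) is preferred where the tool supports it.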
One-way hashing
Tools: md5sum, sha1sum, sha224sum, sha256sum, ... and openssl dgst
The dgst command:
Help:
man dgst
openssl dgst -md5 [-hex, the default] /PATH/SOMEFILE
openssl dgst -md5 testfile
md5sum /PATH/TO/SOMEFILE
md5 and sha1 are collision-broken; keep them for legacy compatibility only and use -sha256 or stronger for new integrity checks.
MAC: Message Authentication Code, an extension of one-way hashing that adds a shared secret key, used in network communication to guarantee the integrity and origin of transmitted data. One construction is CBC-MAC, built from a block cipher.
HMAC: a MAC built from a hash function, originally with md5 or sha1; today HMAC-SHA256 is the usual choice.
Generating password hashes
The passwd command:
Help:
man sslpasswd (CentOS/RHEL name the OpenSSL man pages with an ssl prefix; elsewhere: man openssl-passwd)
openssl passwd -1 -salt SALT (salt up to 8 characters)
openssl passwd -1 -salt centos
-1 is the MD5-based crypt; prefer -5 (sha256crypt) or -6 (sha512crypt), and let the tool pick a random salt rather than fixing one.
Generating random numbers
Help:
man sslrand
openssl rand -base64|-hex NUM
NUM: the number of random bytes. With -hex each byte becomes two hexadecimal characters (each hex character encodes 4 bits), so the output has NUM*2 characters; with -base64 roughly NUM*4/3.
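The script below is an added example, not code from the original notes. It exercises the three commands of this section together: a SHA-256 digest, an HMAC-SHA256 tag with its verification (showing that changing one byte of the message invalidates the tag), a sha512crypt password hash checked against a candidate password by re-hashing with the salt stored in it, and the byte-to-character relation of openssl rand -hex. The message, key, password and salt are constructed demo inputs.

```shell
#!/bin/sh
# Added example (not from the original page): openssl dgst, HMAC, openssl
# passwd and openssl rand. All inputs below are constructed demo values.
set -e

# Hex SHA-256 of a string; sha256sum prints the same value.
sha256_hex() {        # $1 = message
    printf '%s' "$1" | openssl dgst -sha256 | awk '{print $NF}'
}

# HMAC-SHA256 tag: like a digest, but it cannot be produced or forged
# without the key, so it also authenticates the origin of the data.
hmac_sha256_hex() {   # $1 = key, $2 = message
    printf '%s' "$2" | openssl dgst -sha256 -hmac "$1" | awk '{print $NF}'
}

# Verify a received tag by recomputing it. (This shell comparison is not
# constant-time; a server should use its library's HMAC verify function.)
hmac_verify() {       # $1 = key, $2 = message, $3 = tag ; prints ok or fail
    if [ "$(hmac_sha256_hex "$1" "$2")" = "$3" ]; then echo ok; else echo fail; fi
}

# Salted, iterated password hash: -6 is sha512crypt, the /etc/shadow format.
hash_password() {     # $1 = password, $2 = salt (up to 16 chars for -6)
    openssl passwd -6 -salt "$2" "$1"
}

# Check a candidate password against a stored $6$salt$hash string by
# re-hashing it with the salt carried inside the stored value.
check_password() {    # $1 = candidate password, $2 = stored hash ; prints ok or fail
    salt=$(printf '%s' "$2" | cut -d'$' -f3)
    if [ "$(hash_password "$1" "$salt")" = "$2" ]; then echo ok; else echo fail; fi
}

# openssl rand -hex N prints N random bytes as 2N hex characters.
rand_hex_len() {      # $1 = byte count ; prints the number of characters
    openssl rand -hex "$1" | tr -d '\n' | wc -c | tr -d ' '
}

MSG='The quick brown fox jumps over the lazy dog'
TAG=$(hmac_sha256_hex key "$MSG")
STORED=$(hash_password 'Tr0ub4dor&3' "$(openssl rand -hex 8)")   # random 16-char salt

echo "sha256(abc)          = $(sha256_hex abc)"
echo "hmac(key, fox)       = $TAG"
echo "tag on real message  = $(hmac_verify key "$MSG" "$TAG")"
echo "tag on altered msg   = $(hmac_verify key "${MSG}." "$TAG")"
echo "stored password hash = $STORED"
echo "right password       = $(check_password 'Tr0ub4dor&3' "$STORED")"
echo "wrong password       = $(check_password 'nope' "$STORED")"
echo "rand -hex 16 length  = $(rand_hex_len 16)"
```

The HMAC of "The quick brown fox jumps over the lazy dog" under the key "key" is the well-known test vector f7bc83f430538424b13298e6aa6fb143ef4d59a14946175997479dbc2d1a3cd8, so the function can be checked against a published value.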
Generating key pairs
Public-key encryption
Algorithms: RSA, ElGamal
Tools: gpg, openssl rsautl (man rsautl; rsautl is deprecated in OpenSSL 3, use openssl pkeyutl)
Digital signatures:
Algorithms: RSA, DSA, ElGamal
Key exchange:
Algorithm: DH
DSA: Digital Signature Algorithm
DSS: Digital Signature Standard
RSA:
Generate a private key
openssl genrsa -out /PATH/TO/PRIVATEKEY.FILE NUM_BITS
(umask 077; openssl genrsa -out test.key -des 2048)   # umask 077 keeps the key file readable by its owner only; -des encrypts it under a passphrase (prefer -aes256)
openssl rsa -in test.key -out test2.key   # decrypt an encrypted key: writes it out without the passphrase
Extract the public key from the private key
openssl rsa -in PRIVATEKEYFILE -pubout -out PUBLICKEYFILE
openssl rsa -in test.key -pubout -out test.key.pub
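The script below is an added example, not code from the original notes. It generates the key pair with the two commands above, then performs the two operations the asymmetric-encryption section describes in the abstract: a detached digital signature (a SHA-256 hash signed with the private key, verified with the public key, and rejected once the message is tampered with) and encryption of a short message to the public key with decryption by the private key. File names and the message text are demo values; the key is generated without a passphrase so the script runs unattended.

```shell
#!/bin/sh
# Added example (not from the original page): RSA key pair, detached
# signature, tamper check and small-message encryption with openssl.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Key pair. umask 077 keeps the private key readable only by its owner.
# No passphrase here so the example needs no prompt; use -aes256 in practice.
(umask 077; openssl genrsa -out test.key 2048 2>/dev/null)
openssl rsa -in test.key -pubout -out test.key.pub 2>/dev/null

printf 'transfer 100 to account 42\n' > msg.txt   # constructed sample message

# Signing: hash the file with SHA-256 and sign the hash with the private
# key. The signature is detached (a separate file); verification needs
# only the public key.
sign_file() {          # $1 = file, $2 = signature output
    openssl dgst -sha256 -sign test.key -out "$2" "$1"
}

verify_file() {        # $1 = file, $2 = signature ; prints "Verified OK" or fails
    openssl dgst -sha256 -verify test.key.pub -signature "$2" "$1"
}

# Tamper test: change one number in the signed message and re-verify.
verify_tampered() {    # prints "rejected" when verification fails as it should
    sed 's/100/900/' msg.txt > msg.tampered
    if verify_file msg.tampered msg.sig >/dev/null 2>&1; then echo accepted; else echo rejected; fi
}

# Public-key encryption is only for short data: a 2048-bit key with OAEP
# padding accepts at most 214 bytes. Larger payloads get a symmetric key,
# and only that key is wrapped with RSA (the "symmetric key exchange" use).
encrypt_to_pub() {     # $1 = plaintext file, $2 = ciphertext output
    openssl pkeyutl -encrypt -pubin -inkey test.key.pub \
        -pkeyopt rsa_padding_mode:oaep -in "$1" -out "$2"
}

decrypt_with_priv() {  # $1 = ciphertext file ; prints the plaintext
    openssl pkeyutl -decrypt -inkey test.key \
        -pkeyopt rsa_padding_mode:oaep -in "$1"
}

sign_file msg.txt msg.sig
echo "genuine : $(verify_file msg.txt msg.sig)"
echo "tampered: $(verify_tampered)"
encrypt_to_pub msg.txt msg.enc
echo "decrypt : $(decrypt_with_priv msg.enc)"
```

openssl dgst -sign is the modern replacement for the textbook "encrypt with the private key" step: the tool hashes the input, pads the hash (PKCS#1 v1.5 by default) and applies the private key, and -verify reverses that and compares against a fresh hash, which is why a one-character change in the message is rejected.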
Setting up an OpenSSL certificate server
PKI: Public Key Infrastructure
- CA
- RA
- CRL
- Certificate repository
Steps of certificate application and signing:
- Generate the signing request
- The RA verifies the applicant
- The CA signs
- The applicant retrieves the certificate
Creating a CA
OpenSSL's configuration file:
/etc/pki/tls/openssl.cnf

The sections that matter for the CA, with the comments translated:

```ini
HOME            = .
oid_section     = new_oids
openssl_conf    = default_modules

[ default_modules ]
ssl_conf = ssl_module

[ ssl_module ]
system_default = crypto_policy

[ crypto_policy ]
.include /etc/crypto-policies/back-ends/opensslcnf.config

[ new_oids ]
tsa_policy1 = 1.2.3.4.1
tsa_policy2 = 1.2.3.4.5.6
tsa_policy3 = 1.2.3.4.5.7

[ ca ]                                    # section
default_ca      = CA_default              # The default ca section

[ CA_default ]                            # section
dir             = /etc/pki/CA             # base directory for everything CA-related
certs           = $dir/certs              # where issued certificates are kept
crl_dir         = $dir/crl                # where issued certificate revocation lists are kept
database        = $dir/index.txt          # database index file: one row per issued certificate, updated automatically
#unique_subject = no                      # Set to 'no' to allow creation of
                                          # several certs with same subject.
new_certs_dir   = $dir/newcerts           # default place for new certificates
certificate     = $dir/cacert.pem         # The CA certificate
serial          = $dir/serial             # the next serial number to be issued
crlnumber       = $dir/crlnumber          # the next CRL number
                                          # must be commented out to leave a V1 CRL
crl             = $dir/crl.pem            # the current certificate revocation list
private_key     = $dir/private/cakey.pem  # the CA private key
x509_extensions = usr_cert                # The extensions to add to the cert
name_opt        = ca_default              # Subject Name options
cert_opt        = ca_default              # Certificate field options
default_days    = 365                     # default validity period of issued certificates
default_crl_days= 30                      # a new CRL is due every 30 days (nothing about the private key is published)
default_md      = sha256                  # default digest algorithm used for signing (not an encryption algorithm)
preserve        = no                      # keep passed DN ordering
policy          = policy_match            # which DN policy to apply to requests

[ policy_match ]
countryName             = match           # must equal the CA's value: country
stateOrProvinceName     = match           # province/state
organizationName        = match           # organization
organizationalUnitName  = optional
commonName              = supplied        # common name, normally the host name; must be present
emailAddress            = optional

[ policy_anything ]                       # fields may differ from the CA's
countryName             = optional
stateOrProvinceName     = optional
localityName            = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

[ req ]
default_bits        = 2048
default_md          = sha256
default_keyfile     = privkey.pem
distinguished_name  = req_distinguished_name
attributes          = req_attributes
x509_extensions     = v3_ca               # The extensions to add to the self signed cert
string_mask         = utf8only

[ req_distinguished_name ]
countryName                 = Country Name (2 letter code)
countryName_default         = XX
countryName_min             = 2
countryName_max             = 2
stateOrProvinceName         = State or Province Name (full name)
localityName                = Locality Name (eg, city)
localityName_default        = Default City
0.organizationName          = Organization Name (eg, company)
0.organizationName_default  = Default Company Ltd
organizationalUnitName      = Organizational Unit Name (eg, section)
commonName                  = Common Name (eg, your name or your server's hostname)
commonName_max              = 64
emailAddress                = Email Address
emailAddress_max            = 64

[ req_attributes ]
challengePassword       = A challenge password
challengePassword_min   = 4
challengePassword_max   = 20
unstructuredName        = An optional company name

[ usr_cert ]
basicConstraints = CA:FALSE
nsComment = "OpenSSL Generated Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment

[ v3_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical,CA:true

[ crl_ext ]
authorityKeyIdentifier = keyid:always

[ proxy_cert_ext ]
basicConstraints = CA:FALSE
nsComment = "OpenSSL Generated Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
proxyCertInfo = critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo

[ tsa ]
default_tsa = tsa_config1                 # the default TSA section

[ tsa_config1 ]
dir                 = /etc/pki/CA                     # TSA root directory
serial              = $dir/tsaserial                  # The current serial number (mandatory)
crypto_device       = builtin                         # OpenSSL engine to use for signing
signer_cert         = $dir/tsacert.pem                # The TSA signing certificate (optional)
certs               = $dir/cacert.pem                 # Certificate chain to include in reply (optional)
signer_key          = $dir/private/tsakey.pem         # The TSA private key (optional)
signer_digest       = sha256                          # Signing digest to use. (Optional)
default_policy      = tsa_policy1                     # Policy if request did not specify it (optional)
other_policies      = tsa_policy2, tsa_policy3        # acceptable policies (optional)
digests             = sha1, sha256, sha384, sha512    # Acceptable message digests (mandatory)
accuracy            = secs:1, millisecs:500, microsecs:100   # (optional)
clock_precision_digits = 0                            # number of digits after dot. (optional)
ordering            = yes                             # Is ordering defined for timestamps? (optional, default: no)
tsa_name            = yes                             # Must the TSA name be included in the reply? (optional, default: no)
ess_cert_id_chain   = no                              # Must the ESS cert id chain be included? (optional, default: no)
ess_cert_id_alg     = sha1                            # algorithm to compute certificate identifier (optional, default: sha1)
```

Two settings are worth checking before issuing anything: policy_match silently drops any request field it does not list (localityName, for instance), and the stock file has no copy_extensions line, so a subjectAltName sent in a CSR is discarded unless copy_extensions = copy is added to CA_default.
Create the required files

```console
mkdir /etc/pki/CA/
mkdir /etc/pki/CA/{certs,crl,newcerts,private}
[root@djcy-200 CA]# tree
.
├── certs
├── crl
├── newcerts
└── private
touch /etc/pki/CA/index.txt        # create the certificate index database file
echo 01 > /etc/pki/CA/serial       # serial number of the first certificate to be issued
echo 01 > /etc/pki/CA/crlnumber    # number of the first CRL
```

The notes had mkdir /etc/pki/CA/crlnumber here; crlnumber must be a file holding a number, not a directory, or openssl ca -gencrl fails. It is written correctly in the revocation step further down, which is why it is missing from the tree listings until then.
CA generates its private key

```console
# A passphrase is requested; every later signing operation must be unlocked with it
[root@djcy-200 CA]# (umask 066; openssl genrsa -out private/cakey.pem -des3 2048)
Generating RSA private key, 2048 bit long modulus (2 primes)
...................................+++++
..................................+++++
e is 65537 (0x010001)
Enter pass phrase for private/cakey.pem:
Verifying - Enter pass phrase for private/cakey.pem:
[root@djcy-200 CA]# tree
.
├── certs
├── crl
├── newcerts
└── private
    └── cakey.pem
```

CA self-signed certificate
Parameters:
-new: generate a new certificate signing request
-x509: output a self-signed certificate instead of a request (used for the CA's own certificate)
-key: the private key used for the request
-days n: validity period of the certificate in days
-out /PATH/TO/SOMECERTFILE: where to save the certificate

```console
[root@djcy-200 CA]# openssl req -new -x509 -key private/cakey.pem -days 18250 -out /etc/pki/CA/cacert.pem
Enter pass phrase for private/cakey.pem:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:BeiJing
Locality Name (eg, city) [Default City]:BeiJing
Organization Name (eg, company) [Default Company Ltd]:devops
Organizational Unit Name (eg, section) []:ops
Common Name (eg, your name or your server's hostname) []:ca.devops.com
Email Address []:admin@devops.com
[root@djcy-200 CA]# tree
.
├── cacert.pem
├── certs
├── crl
├── newcerts
└── private
    └── cakey.pem

4 directories, 2 files
```

View certificate information

```console
[root@djcy-200 CA]# openssl x509 -in cacert.pem -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            11:10:a5:ca:51:77:cb:43:06:61:42:27:9d:ec:5e:35:d7:9b:61:17
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = CN, ST = BeiJing, L = BeiJing, O = devops, OU = ops, CN = ca.devops.com, emailAddress = admin@devops.com
        Validity
            Not Before: Aug  2 13:34:53 2020 GMT
            Not After : Jul 21 13:34:53 2070 GMT
        Subject: C = CN, ST = BeiJing, L = BeiJing, O = devops, OU = ops, CN = ca.devops.com, emailAddress = admin@devops.com
        ... (omitted)
# show only selected fields
[root@djcy-200 CA]# openssl x509 -in cacert.pem -noout -dates
notBefore=Aug  2 13:34:53 2020 GMT
notAfter=Jul 21 13:34:53 2070 GMT
```
Client requests a certificate
Generate the private key

```console
[root@djcy-62 ~]# mkdir ca
[root@djcy-62 ~]# cd ca/
[root@djcy-62 ca]# (umask 066;openssl genrsa -out app.key 1024)
Generating RSA private key, 1024 bit long modulus (2 primes)
............+++++
......................+++++
e is 65537 (0x010001)
[root@djcy-62 ca]# ll
total 4
-rw------- 1 root root 891 Aug  2 21:43 app.key
```

The transcript is kept as the notes recorded it, but 1024-bit RSA is below today's minimum and is rejected by browsers and public CAs; use 2048 bits or more, as the CA key above does.

Generate the request with the private key

```console
[root@djcy-62 ca]# openssl req -new -key app.key -out app.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN                            # must match the CA (policy_match)
State or Province Name (full name) []:BeiJing                   # must match the CA
Locality Name (eg, city) [Default City]:ChaoYang
Organization Name (eg, company) [Default Company Ltd]:devops    # must match the CA
Organizational Unit Name (eg, section) []:webdev
Common Name (eg, your name or your server's hostname) []:www.devops.com   # the domain name the certificate is for
Email Address []:dev@devops.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@djcy-62 ca]# ll
total 8
-rw-r--r-- 1 root root 700 Aug  2 21:47 app.csr
-rw------- 1 root root 891 Aug  2 21:43 app.key
```

Browsers have ignored the Common Name since 2017 and require the host name in a subjectAltName extension. Add -addext "subjectAltName=DNS:www.devops.com" to the request and set copy_extensions = copy in the CA_default section of openssl.cnf so that openssl ca copies it into the issued certificate.

Send the request to the CA server

```console
[root@djcy-62 ca]# scp app.csr bjcy-200.host.io:/etc/pki/CA/
```

Only the CSR travels; the private key app.key never leaves the client.

CA signs the client's request

```console
[root@djcy-200 CA]# touch index.txt                  # database file holding the records of all issued certificates
[root@djcy-200 CA]# echo 01 > /etc/pki/CA/serial     # starting serial number; it increments on every issue
[root@djcy-200 CA]# openssl ca -in app.csr -out certs/app.crt -days 3650   # sign the request
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Aug  2 14:01:05 2020 GMT
            Not After : Jul 31 14:01:05 2030 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = BeiJing
            organizationName          = devops
            organizationalUnitName    = webdev
            commonName                = www.devops.com
            emailAddress              = dev@devops.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                BF:F7:D0:7A:0B:B8:11:6E:27:64:69:C2:7D:3D:38:62:69:E7:4A:10
            X509v3 Authority Key Identifier:
                keyid:31:BC:8B:B0:A6:F8:FF:B7:6E:F9:B2:E5:7C:80:B8:47:6C:AA:AB:1D
Certificate is to be certified until Jul 31 14:01:05 2030 GMT (3650 days)
Sign the certificate? [y/n]:y                        # confirm signing
1 out of 1 certificate requests certified, commit? [y/n]y   # commit to the database
Write out database with 1 new entries
Data Base Updated
[root@djcy-200 CA]# tree
.
├── app.csr
├── cacert.pem
├── certs
│   └── app.crt          # the issued certificate (not a private key; the CA never sees app.key)
├── crl
├── index.txt
├── index.txt.attr
├── index.txt.old
├── newcerts
│   └── 01.pem           # the same certificate as certs/app.crt, filed by serial number
├── private
│   └── cakey.pem
├── serial
└── serial.old

4 directories, 10 files
[root@djcy-200 CA]# cat index.txt                    # the database file
V	300731140105Z		01	unknown	/C=CN/ST=BeiJing/O=devops/OU=webdev/CN=www.devops.com/emailAddress=dev@devops.com
[root@djcy-200 CA]# cat serial                       # the serial number for the next request
02
```

Note that the Locality (ChaoYang) typed into the CSR is absent from the issued subject: policy_match does not list localityName, and openssl ca drops every field the policy does not mention. The certificate also has no subjectAltName, for the reason given above.

View the certificate issued by the server
After copying certs/app.crt back to the client:

```console
[root@djcy-62 ca]# openssl x509 -in app.crt -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = CN, ST = BeiJing, L = BeiJing, O = devops, OU = ops, CN = ca.devops.com, emailAddress = admin@devops.com
        Validity
            Not Before: Aug  2 14:01:05 2020 GMT
            Not After : Jul 31 14:01:05 2030 GMT
        Subject: C = CN, ST = BeiJing, O = devops, OU = webdev, CN = www.devops.com, emailAddress = dev@devops.com
        Subject Public Key Info:
        ... (omitted)
```
CA revokes a certificate

```console
[root@djcy-200 CA]# echo 01 > /etc/pki/CA/crlnumber
[root@djcy-200 CA]# openssl ca -revoke newcerts/01.pem      # revoke the certificate with this serial number
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/cakey.pem:
Revoking Certificate 01.
Data Base Updated
[root@djcy-200 CA]# tree
.
├── app.csr
├── cacert.pem
├── certs
│   └── app.crt
├── crl
├── crlnumber
├── index.txt
├── index.txt.attr
├── index.txt.attr.old
├── index.txt.old
├── newcerts
│   └── 01.pem
├── private
│   └── cakey.pem
├── serial
└── serial.old

4 directories, 12 files
[root@djcy-200 CA]# openssl ca -gencrl -out crl.pem         # generate the certificate revocation list
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/cakey.pem:
[root@djcy-200 CA]# tree
.
├── app.csr
├── cacert.pem
├── certs
│   └── app.crt
├── crl
├── crlnumber
├── crlnumber.old
├── crl.pem
├── index.txt
├── index.txt.attr
├── index.txt.attr.old
├── index.txt.old
├── newcerts
│   └── 01.pem
├── private
│   └── cakey.pem
├── serial
└── serial.old

4 directories, 14 files
# view the revocation list
[root@djcy-200 CA]# openssl crl -in crl.pem -noout -text
Certificate Revocation List (CRL):
        Version 2 (0x1)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = CN, ST = BeiJing, L = BeiJing, O = devops, OU = ops, CN = ca.devops.com, emailAddress = admin@devops.com
        Last Update: Aug  2 14:21:56 2020 GMT
        Next Update: Sep  1 14:21:56 2020 GMT
        CRL extensions:
            X509v3 CRL Number:
                1
Revoked Certificates:
    Serial Number: 01
        Revocation Date: Aug  2 14:20:37 2020 GMT
    Signature Algorithm: sha256WithRSAEncryption
         29:af:64:35:f5:aa:48:dd:7b:9d:0e:2c:a0:73:95:a1:e3:9a:
         fc:16:a9:e0:51:7d:a8:ee:f1:c4:f1:83:f9:b3:88:f2:f5:12:
         06:27:f7:f0:92:19:91:7b:f6:bc:30:ed:c6:34:ed:26:2d:ae:
         a7:2b:a2:7f:c2:60:9b:e1:24:2d:23:34:7b:7c:5e:ee:66:07:
         da:2f:c5:8e:35:e8:65:aa:89:da:d7:1f:df:53:9b:c6:4a:78:
         a8:09:fe:f3:0d:f4:0d:d6:65:48:0b:3d:75:73:19:26:db:ba:
         d0:0d:74:0c:c2:89:30:e5:33:f4:db:fd:73:e8:1e:07:30:1c:
         05:03:47:df:b3:82:26:e7:73:64:14:07:b9:f3:70:eb:8d:c0:
         fb:74:07:d8:22:ad:ce:3c:2e:ad:4a:00:cb:6c:9e:60:6c:dd:
         8c:14:ea:95:69:4a:be:ab:57:25:2d:ed:54:5a:45:04:13:4c:
         3a:90:23:96:d8:1b:01:c3:c6:a3:55:cf:8e:8b:c7:85:08:9b:
         44:ab:e8:eb:0f:c5:7c:8d:05:ef:d8:db:45:2c:36:32:f9:0c:
         56:db:6b:aa:72:1d:68:a8:4c:3f:7a:58:fc:26:cf:0c:53:d1:
         d2:57:33:4a:22:44:89:49:74:7a:1b:4f:91:0d:0f:59:5d:b0:
         83:28:66:02
```

After revocation the row in index.txt starts with R instead of V. Revocation only takes effect for clients that actually fetch the CRL (from the CRL distribution point in the certificate) or query OCSP; a client that does neither keeps accepting the certificate until it expires, so publish crl.pem where the distribution point says it is and regenerate it before Next Update.
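The script below is an added example, not code from the original notes. It runs the whole CA procedure above unattended (directory layout, self-signed CA certificate, a CSR carrying a subjectAltName, signing with openssl ca, chain verification, revocation, CRL generation and a CRL-checked verification) inside a temporary directory with its own minimal openssl.cnf, so nothing under /etc/pki is touched. "Demo Root CA" and www.example.test are made-up names, and the CA key is left unencrypted only so that no passphrase prompt is needed.

```shell
#!/bin/sh
# Added example (not from the original page): the CA procedure as one
# unattended script with its own config. Names are made up; the CA key is
# unencrypted only to avoid prompts.
set -e
CADIR=$(mktemp -d)
trap 'rm -rf "$CADIR"' EXIT
cd "$CADIR"

# 1. Layout and bookkeeping files: index.txt is the certificate database,
#    serial the next serial number, crlnumber the next CRL number.
mkdir certs crl newcerts private && chmod 700 private
touch index.txt; echo 01 > serial; echo 01 > crlnumber

# 2. Minimal config. Unquoted heredoc: the shell fills in $CADIR and leaves
#    \$dir for openssl to expand.
cat > ca.cnf <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir              = $CADIR
certs            = \$dir/certs
new_certs_dir    = \$dir/newcerts
database         = \$dir/index.txt
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
certificate      = \$dir/cacert.pem
private_key      = \$dir/private/cakey.pem
default_days     = 365
default_crl_days = 30
default_md       = sha256
policy           = policy_anything
x509_extensions  = server_cert
copy_extensions  = copy            # carry subjectAltName over from the CSR
[ policy_anything ]
countryName = optional
organizationName = optional
commonName = supplied
[ server_cert ]
basicConstraints = CA:FALSE        # a leaf certificate must never sign others
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

# 3. CA key and self-signed CA certificate (openssl req -x509).
(umask 077; openssl genrsa -out private/cakey.pem 2048 2>/dev/null)
openssl req -config ca.cnf -new -x509 -key private/cakey.pem -days 3650 \
    -subj "/C=CN/O=devops/CN=Demo Root CA" -out cacert.pem

# 4. Client side: key and CSR. The host name goes into subjectAltName,
#    which is what clients check; the CN alone is no longer enough.
openssl genrsa -out app.key 2048 2>/dev/null
openssl req -config ca.cnf -new -key app.key -subj "/C=CN/O=devops/CN=www.example.test" \
    -addext "subjectAltName=DNS:www.example.test" -out app.csr

# 5. The CA signs without prompting (-batch); the cert is filed as
#    newcerts/01.pem and a "V" (valid) row is appended to index.txt.
openssl ca -config ca.cnf -batch -notext -in app.csr -out certs/app.crt >/dev/null 2>&1

verify_chain() {    # prints "certs/app.crt: OK" when the cert chains to the CA and the name matches
    openssl verify -CAfile cacert.pem -verify_hostname www.example.test certs/app.crt
}
revoke_and_gencrl() {   # 6. revoke the certificate, then publish a CRL
    openssl ca -config ca.cnf -revoke certs/app.crt >/dev/null 2>&1
    openssl ca -config ca.cnf -gencrl -out crl/crl.pem >/dev/null 2>&1
}
verify_with_crl() { # prints "revoked" when the CRL check rejects the cert
    if openssl verify -crl_check -CAfile cacert.pem -CRLfile crl/crl.pem certs/app.crt >/dev/null 2>&1
    then echo accepted; else echo revoked; fi
}
index_status() {    # first column of the database row: V = valid, R = revoked
    cut -f1 index.txt
}

echo "issued : $(verify_chain) [index: $(index_status)]"
revoke_and_gencrl
echo "revoked: $(verify_with_crl) [index: $(index_status)]"
echo "without a CRL check the revoked cert still verifies: $(verify_chain)"
```

The last line is the practical lesson of the revocation step: openssl verify without -crl_check, like any client that never fetches the CRL, still reports the revoked certificate as OK. Revocation protects only those relying parties that check the CRL or OCSP.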