CA证书和TLS介绍

数字签名

用自己的私钥给数据加密就叫数字签名

公钥传输威胁

在A和B的通信中,C可以把自己的公钥发给A,让A把C的公钥当成B的公钥,这样的话.B拿到加密数据反而无法解密,而C却可以解密出数据.从而实现C截获AB之间的数据

所以在两者的通信中必须要对公钥的来源进行确认

CA证书和TLS介绍

A和B如果想安全交换公钥,就必须通过CA(证书颁发机构)  证书的通信过程        A和B首先都内置了CA的公钥

根CA的证书是自己给自己签名的(自签名)

CA证书和TLS介绍

CA和证书

PKI: Public Key Infrastructure

签证机构:CA(Certificate Authority)

注册机构:RA

证书吊销列表:CRL

证书存取库:  X.509:定义了证书的结构以及认证协议标准

版本号   序列号   签名算法   颁发者   有效期限   主体名称    主体公钥   CRL分发点     扩展信息    发行者签名

SSL

SSL(Secure    Socket    Layer)和TLS(Transport    Layer  Security )本身是一个东西

实现功能:  机密性     认证    完整性     重放保护(正确同样的数据不能重复发送)

两阶段协议,分为握手阶段和应用阶段

握手阶段(协商阶段):

客户端和服务器端认证对方身份(依赖于PKI体系,利用数字证书进行 身份认证),并协商通信中使用的安全参数、密码套件以及主密钥.

后续通信使用的所有密钥都是 通过MasterSecret生成。

应用阶段:

在握手阶段完成后进入,在应用阶段通信双方使用握手阶段协商好的密钥进行安全通信

taobao  证书   https的通信过程

taobao 证书内容包含  SCA(Ptaobao) CA密钥加密签名过的taobao公钥 + CA证书描述+过期时间+证书其它信息  taobao网站把证书发给客户端

客户端由于信任CA并且拿到了CA的公钥,就可以解密SCA(Ptaobao)  获得taobao的公钥  Ptaobao

客户端(浏览器)会在本地生成一个对称密钥(key)用taobao的公钥加密发送给taobao  Ptaobao(key)   sendto  taobao

taobao通过自己的私钥解密得到客户端发送过来的key   Staobao(Ptaobao(key)) = key  这样在客户端和服务端都存在相同的对称密钥key

客户端和服务端就可以通过key(data)对大量的网页数据进行对称加密,实现通信双方的安全通信

OpenSSL 开源实现证书申请和颁发

base64编码      是6bit编码        包含字符a-z,A-Z,/,+  总共64个符号

生成私钥

openssl genrsa -out /PATH/TO/PRIVATEKEY.FILE NUM_BITS   (umask 077; openssl genrsa –out  test.key  –des 2048)    -des表示对密钥对称称加密

openssl rsa -in test.key –out test2.key          将加密key解密

从私钥中提取出公钥

openssl rsa -in PRIVATEKEYFILE –pubout –out PUBLICKEYFILE  openssl rsa –in test.key –pubout –out test.key.pub

实验:向CA申请证书

建立Root CA

1. 创建CA重要的配置文件openssl的配置文件:/etc/pki/tls/openssl.cnf

2. 默认CA的工作目录在      /etc/pki/CA

 [root@centos7 ~]# cd /etc/pki/CA
#创建CA服务器的私钥
[root@centos7 CA]# (umask ;openssl genrsa -out private/cakey.pem )
Generating RSA private key, bit long modulus
...................................................++
..............................................................................................................................................................................................................................................................................................++
e is (0x10001)
[root@centos7 CA]# ls private
cakey.pem #根CA给自己的私钥签名证书
[root@centos7 CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name ( letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:mage
Organizational Unit Name (eg, section) []:M30
Common Name (eg, your name or your server's hostname) []:www.yxh.com
Email Address []:
#以可读的文本格式显示证书内容
[root@centos7 CA]# openssl x509 -in cacert.pem -noout -text
Certificate:
Data:
Version: (0x2)
Serial Number:
f9::0f:e1:6c::e3:aa
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=CN, ST=beijing, L=beijing, O=mage, OU=M30, CN=www.yxh.com
Validity
Not Before: May :: GMT
Not After : May :: GMT
Subject: C=CN, ST=beijing, L=beijing, O=mage, OU=M30, CN=www.yxh.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: ( bit)
Modulus:
:e4::ef:fe:9a::::ca::3d:a6::df:
:::ac:fb::::be:bc::7a:e9:b5:be:
9d:::cf:c7::a1:ab:8e::::e9::ed:
dd:8d::3c:5f:fa::9f::::b9:be:::
:f8::db::cf:::be:cc:bd:c0:af:::
d4:e1:6b::fb:b1::8e::::9e:f1:::
:7e:dd:dc:af::::::8a::5c:b0::
:a5:2f::ec::aa:3a:ec:0b::::4a:c0:
:ab::d8::::d1:cc:::a9:a8:f2:3b:
b7:fb:be:::9d:c6:bb:7d::b5::d1:1f:6d:
e2::c7:9f:b7:e6:::::::af::b5:
7c::3c:bd::cb::ff:0e:e2:::aa::2b:
:b1:::e5:7d:::d8:c5::db:d0:e6:ab:
ef:ce:::7e:eb:b1:f3:::e1:bf::b7:d1:
4c:::c9:d6:f0::dd::b0:c2::5b:7e::
3e::8e:::ba::f4::::4d:::a3:
:d7:7e:f1:9e:9d:fe:::d0:b8:e4:8f:cd::
c3::5c:cf::a5:2b:9d:::e2:::::
b2:f6:::c2:c0::b9:0e::f0:b3:a2::ea:
:::::7d::::::ab:dc:a1::
:0d:f0:d8:6b::c5:5d:e5:ca:a5::::ba:
ca:4c:b9::fd:f4::e3:eb:7f:3d::::a6:
5e::1c:::9b::::ab:df:e8::dd:2e:
d0:c6::c5::a6:::aa::3f:7c::7e::
::cc:5c:d0:::::4a:::d8:1e:1d:
6c::3c:::df:ee:::e7::7f:d5::9c:
c3:cb:ec::a7:2f::dc:e7:e9::::::
fc:1f::::bc::e9::c5:bf::4c:aa:1f:
:7a:e7:8c::b2:::bf:4f:::da:2f:bd:
:e0:0e:cd:::0b:c7:1d:6c:::b4:fa:4c:
a2:b0::be:d3:1e::::c3::ce:cd:af::
ca:d8::::::f2:9f::1e:ea:2f:cb:0f:
a7:0d:b7::d5:e1:3b:::::6f::7c::
:::bb:9d:6b:::c1:7b::d9::::
1f::
Exponent: (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
C6::BB:D0:7D::F4:EF:1A::CD::D3:F7:E1:3D:8A::CD:
X509v3 Authority Key Identifier:
keyid:C6::BB:D0:7D::F4:EF:1A::CD::D3:F7:E1:3D:8A::CD: X509v3 Basic Constraints:
CA:TRUE
Signature Algorithm: sha256WithRSAEncryption
a0:df:1a:b4:::a7:8f::8b:c0::::df:5f:0f::
2d:2e:6a:fd:d7:::::e7:7e:9b:6a:::::c2:
fb::2e:eb:d2:f5:::f7::f9:d1:e5:d1:d8:1d::8e:
:fc::d7::::4c:2c:f2:8f:::5b::a2:::
::c9:db:1e:1e:::d0::2f:ff::fd::4c:b6:af:
::8a:d0:2f:::f4::8b::4f:::::::
:d4:f3:::5f::a8::1c::::e2:7b:c0::0a:
5d:a8:a8:::a7::e5:2b::e4::::ae:0b:a9:7b:
fa:be::be:7a:d4:f1:6a:1d:9e::d4::7d:9c:d9:c5::
ec:fc:d0:0d:::::c9:5a:d1:0e:ba:f1::c1::ea:
::a3:c2:8f:fe::fe::9d:8c:ca::::9f:::
c3:e7:d8:6b:e9:::3c::b6:2f:::::::a5:
a3:c6:d1:aa::7b:d3::::ee:1a:::ff:1e::b9:
:::6e::a6:::4a:df::bd::ae:6e:a0:2d::
::b6:9b::e3:0a::bf:0d:f0::af:8a:f2:2b:8b:3f:
:a7:8b:cf:c4:eb:c5:bc::::6a::::::9a:
fa:aa:1a:dc::::1b:::ad:5a:d7::::a9:8c:
::f0::b7:bf:::9b::4a:3f::::a7::3b:
c3::da::1f:8b:ca:f4:d7:a4:af::::a5:e0::e8:
:::c4:b7:b0:a0:9a:7b:e8:e5:b1::::f3:7d:bd:
f7:2f:5f::5e::5d:0c::a1::ad::6c::5c:a5:e6:
0c::c9::9d::c4:1b:df::a2::4f:b6:e0::6f:ba:
cb::e6:1c::ba:d6::cc:a4:2e:8d:cc:6c:f4:9d:5a:ee:
:0e::e2:2e:1f:8c:6c:cd:a3:2d::4b:0f:6b::bd::
::0b:b7:7c:fc:d5:::6e::a0:7c:::6b:ef:dd:
:d1::2a::cd:c3:2e::4f::3d:e2::a5:dd:bd::
aa:::::3a:a1:9d:1c:e7:c3:::a4::7a:fd:7f:
::c6:bb:ba:8e::be::5a::bb:a4:fd:ef::4f:d1:
:a9:fb:2e::cc:b0: [root@centos7 CA]# openssl x509 -in cacert.pem -noout -issuer
issuer= /C=CN/ST=beijing/L=beijing/O=mage/OU=M30/CN=www.yxh.com

创建CA服务器

用户或者服务器申请证书
.生成私钥文件
[root@yxh6 data]# (umask ;openssl genrsa -out app.key )
Generating RSA private key, bit long modulus
..............................++++++
.....................++++++
e is (0x10001)
[root@yxh6 data]# ls
app.key .利用私钥文件生成申请文件
[root@yxh6 data]# openssl req -new -key app.key -out app.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name ( letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:mage
Organizational Unit Name (eg, section) []:M30
Common Name (eg, your name or your server's hostname) []:www.yxh.com
Email Address []: Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@yxh6 data]# ls
app.csr app.key .将申请文件发送给CA
scp app.csr 192.168.33.130:/etc/pki/CA .CA颁发证书
回到CA服务器执行颁发证书
touch index.txt
echo 0F > serial
[root@centos7 CA]# openssl ca -in app.csr -out certs/app.crt -days
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: (0xf)
Validity
Not Before: May :: GMT
Not After : Aug :: GMT
Subject:
countryName = CN
stateOrProvinceName = beijing
organizationName = mage
organizationalUnitName = M30
commonName = www.yxh.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
:DC:D4:AE:8A:5A::A4:::D7:3A:C9:C7:DD:A7:9C::B0:4F
X509v3 Authority Key Identifier:
keyid:C6::BB:D0:7D::F4:EF:1A::CD::D3:F7:E1:3D:8A::CD: Certificate is to be certified until Aug :: GMT ( days)
Sign the certificate? [y/n]:y out of certificate requests certified, commit? [y/n]y
Write out database with new entries
Data Base Updated
[root@centos7 certs]# ls
app.crt .证书发送客户端
scp app.csr 192.168.33.129:/data
客户端可以拿着这个证书在应用程序中使用

CA签发证书(客户端)

windows下查看生成的证书信息和安装证书

可以把证书cacert.pem下载到windows中进行可视化查看证书信息
需要.pem(cacert.pem)后缀名改成windows能识别的.cer(cacert.cer)或者.crt      点击安装证书可以把此证书安装到可信任的证书路径中

CA证书和TLS介绍

证书管理

查看证书中的信息:

openssl x509 -in /PATH/FROM/CERT_FILE -noout     -text|issuer|subject|serial|dates

openssl  ca -status SERIAL    查看指定编号的证书状态

吊销证书

在客户端获取要吊销的证书的serial

openssl x509 -in /PATH/FROM/CERT_FILE -noout  -serial -subject

在CA上,根据客户提交的serial与subject信息,对比检验是否与index.txt文件中的信息一致,吊 销证书:

openssl ca -revoke /etc/pki/CA/newcerts/SERIAL.pem

指定第一个吊销证书的编号,注意:第一次更新证书吊销列表前,才需要执行  echo 01 > /etc/pki/CA/crlnumber

更新证书吊销列表  openssl ca -gencrl -out /etc/pki/CA/crl.pem

查看crl文件:  openssl crl -in /etc/pki/CA/crl.pem -noout -text

SSH安全服务

ssh: secure shell, protocol, 22/tcp, 安全的远程登录

两种方式的用户登录认证:

1.基于password

1.客户端向服务端发送SSH请求

2.服务端收到请求,发送公钥给客户端

3.客户端输入用户名和密码通过公钥加密回传给服务端

4.服务端通过私钥解密得到用户名和密码和本地的用户名密码进行验证匹配

2.基于key

1.首先在客户端生成一对密钥对

2.客户端将公钥拷贝给服务端并重命名为 authorized_keys

3.客户端向服务端发送一个连接请求,信息包括ip,用户名

4.服务端得到客户端消息后,会到authorized_keys查找是否有对应信息并且随机生成一个字符串

5.服务端把随机生成的字符串用客户端公钥加密发送给客户端

6.客户端接收到加密字符串后用自己的私钥对字符串进行解密,并且把解密后的字符串发送给服务端

7.服务端会把接收到的字符串和原来自己生成的随机字符串进行验证匹配

ssh客户端:

1.客户端配置文件  /etc/ssh/ssh_config              ssh服务端的配置文件   /etc/ssh/sshd_config

ssh客户端会在第一次连接的时候把远程主机的公钥下载到本机,如果需要冒充其它已经连接过的主机,需要把对方的私钥拷贝到本地来

实现基于ssh key的认证

实现指定用户无密码连接,默认是root用户  在ssh-copy-id命令中指定特定的用户名就会把公钥文件拷贝到指定用户的家目录下

ssh-copy-id   yxh@192.168.33.130

.在客户端生成密钥对
[root@yxh6 data]# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
::ce:6b::1d::c4::::2e:::8b:0b root@yxh6.localdomain
The key's randomart image is:
+--[ RSA ]----+
| .=+.. |
| . ** o |
| o E+* = |
| . o * + . |
| = S |
| + |
| + |
| . |
| |
+-----------------+
[root@yxh6 data]# cd /root/.ssh
[root@yxh6 .ssh]# ls
id_rsa id_rsa.pub known_hosts .把公钥复制到服务端主机
[root@yxh6 .ssh]# ssh-copy-id 192.168.33.130
root@192.168.33.130's password:
Now try logging into the machine, with "ssh '192.168.33.130'", and check in: .ssh/authorized_keys to make sure we haven't added extra keys that you weren't expecting. .直接连接远程主机
[root@yxh6 .ssh]# ssh 192.168.33.130
Last login: Sat May :: from 192.168.33.1
this is etc/motd,welcome....
[root@centos7 ~]#

多台主机之间实现相互key认证登录

1.在一台主机A上生成一对密钥对所有主机使用同一密钥

2.ssh-copy-id A

    3.scp   -rp      /root/.ssh B:/root

    4.scp   -rp     /root/.ssh C:/root

ssh key认证脚本自动化

expect匹配输出规则:

#Are you sure you want to continue connecting (yes/no)?
     #root@192.168.33.129's password:

 生成ip列表文件
[root@centos7 .ssh]# cat ip.txt
192.168.33.129
192.168.33.130 #!/bin/bash
rpm -q expect &> /dev/null || yum install -y expect
ssh-keygen -P "" -f "/root/.ssh/id_rsa"
password=root
while read ipaddr;do
echo $ipaddr
expect <<EOF
spawn ssh-copy-id $ipaddr
expect {
"yes/no" { send "yes\n";exp_continue }
"password:" { send "$password\n" }
}
expect eof
EOF
done < ip.txt 给脚本文件设置执行权限
chmod +x ssh_key.sh 执行脚本
./ssh_key.sh
上一篇:rank,dense_rank,row_number使用和区别


下一篇:Scheme Implementations对比