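Digital signatures
Encrypting data with your own private key is called a digital signature.
Threats to public key distribution
In a conversation between A and B, C can send its own public key to A and get A to treat C's public key as B's. B then cannot decrypt the encrypted data it receives, but C can, which lets C intercept the data exchanged between A and B.
So in any exchange between two parties, the origin of a public key must be confirmed.
To exchange public keys securely, A and B must go through a CA (certificate authority).
Communication using certificates
A and B both start with the CA's public key built in.
The root CA's certificate is signed by the root CA itself (self-signed).
CA and certificates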
PKI: Public Key Infrastructure
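Issuing authority: CA (Certificate Authority)
Registration authority: RA
Certificate revocation list: CRL
Certificate repository
X.509: defines the structure of certificates and the authentication protocol standard
Version, serial number, signature algorithm, issuer, validity period, subject name, subject public key, CRL distribution points, extensions, issuer signature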
SSL
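SSL (Secure Socket Layer) and TLS (Transport Layer Security) are essentially the same thing.
Functions provided: confidentiality, authentication, integrity, replay protection (the same valid data cannot be sent a second time)
It is a two-phase protocol, split into a handshake phase and an application phase.
Handshake phase (negotiation phase):
The client and the server authenticate each other's identity (this relies on the PKI, with digital certificates used for identity authentication) and negotiate the security parameters, cipher suite and master secret used for the communication.
All keys used in the subsequent communication are derived from the MasterSecret.
Application phase:
Entered once the handshake phase has completed. In the application phase both parties communicate securely using the keys negotiated during the handshake.
The taobao certificate: how HTTPS communication works
1. The taobao certificate contains SCA(Ptaobao), which is taobao's public key encrypted (signed) with the CA's key, plus the CA certificate description, the expiry time and other certificate information. The taobao website sends the certificate to the client.
2. Because the client trusts the CA and holds the CA's public key, it can decrypt SCA(Ptaobao) and obtain taobao's public key, Ptaobao.
3. The client (browser) generates a symmetric key (key) locally, encrypts it with taobao's public key and sends it to taobao: Ptaobao(key) sendto taobao
4. taobao decrypts with its own private key to recover the key the client sent: Staobao(Ptaobao(key)) = key. The client and the server now both hold the same symmetric key.
5. The client and the server can then encrypt the bulk web page data symmetrically as key(data), which gives both sides a secure channel.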
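The exchange above can be replayed offline with the openssl command line. This is an added example, not part of the original notes; the file names, the OAEP padding and the use of openssl enc for the bulk data are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original notes): the key exchange above, replayed
# locally. server.key plays Staobao, server.pub plays Ptaobao; all file names
# are made up for this demo.
set -eu

https_key_exchange() {
    msg=$1
    work=$(mktemp -d)

    # Server: key pair; the public half is what the certificate would carry.
    openssl genrsa -out "$work/server.key" 2048 2>/dev/null
    openssl rsa -in "$work/server.key" -pubout -out "$work/server.pub" 2>/dev/null

    # Client: random symmetric key, wrapped with the server's public key.
    openssl rand -hex 32 > "$work/client.symkey"
    openssl pkeyutl -encrypt -pubin -inkey "$work/server.pub" \
        -pkeyopt rsa_padding_mode:oaep \
        -in "$work/client.symkey" -out "$work/wrapped.bin"      # Ptaobao(key)

    # Server: unwrap with the private key.
    openssl pkeyutl -decrypt -inkey "$work/server.key" \
        -pkeyopt rsa_padding_mode:oaep \
        -in "$work/wrapped.bin" -out "$work/server.symkey"      # Staobao(Ptaobao(key))

    # Both ends must now hold the same key.
    cmp -s "$work/client.symkey" "$work/server.symkey" || return 1

    # Bulk data: the server encrypts with its copy, the client decrypts with its own.
    printf '%s' "$msg" | openssl enc -aes-256-cbc -pbkdf2 \
        -pass "file:$work/server.symkey" -out "$work/page.enc"
    openssl enc -d -aes-256-cbc -pbkdf2 \
        -pass "file:$work/client.symkey" -in "$work/page.enc"
    rm -rf "$work"
}

https_key_exchange 'constructed sample page body'; echo
```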
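OpenSSL: open-source implementation for requesting and issuing certificates
Base64 is a 6-bit encoding using the characters a-z, A-Z, 0-9, / and +, 64 symbols in total
Generating a private key
openssl genrsa -out /PATH/TO/PRIVATEKEY.FILE NUM_BITS
(umask 077; openssl genrsa -out test.key -des 2048)
-des encrypts the key with a symmetric cipher
openssl rsa -in test.key -out test2.key
Decrypts the encrypted key
Extracting the public key from the private key
openssl rsa -in PRIVATEKEYFILE -pubout -out PUBLICKEYFILE
openssl rsa -in test.key -pubout -out test.key.pub
Lab: requesting a certificate from a CA
Setting up the Root CA
1. The key configuration file for creating a CA is the openssl configuration file: /etc/pki/tls/openssl.cnf
2. The CA's default working directory is /etc/pki/CA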
[root@centos7 ~]# cd /etc/pki/CA
# Create the CA server's private key
[root@centos7 CA]# (umask ;openssl genrsa -out private/cakey.pem )
Generating RSA private key, bit long modulus
...................................................++
..............................................................................................................................................................................................................................................................................................++
e is (0x10001)
[root@centos7 CA]# ls private
cakey.pem
# The root CA signs a certificate for its own private key
[root@centos7 CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name ( letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:mage
Organizational Unit Name (eg, section) []:M30
Common Name (eg, your name or your server's hostname) []:www.yxh.com
Email Address []:
# Display the certificate contents in readable text form
[root@centos7 CA]# openssl x509 -in cacert.pem -noout -text
Certificate:
Data:
Version: (0x2)
Serial Number:
f9::0f:e1:6c::e3:aa
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=CN, ST=beijing, L=beijing, O=mage, OU=M30, CN=www.yxh.com
Validity
Not Before: May :: GMT
Not After : May :: GMT
Subject: C=CN, ST=beijing, L=beijing, O=mage, OU=M30, CN=www.yxh.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: ( bit)
Modulus:
Exponent: (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
C6::BB:D0:7D::F4:EF:1A::CD::D3:F7:E1:3D:8A::CD:
X509v3 Authority Key Identifier:
keyid:C6::BB:D0:7D::F4:EF:1A::CD::D3:F7:E1:3D:8A::CD:
X509v3 Basic Constraints:
CA:TRUE
Signature Algorithm: sha256WithRSAEncryption
[root@centos7 CA]# openssl x509 -in cacert.pem -noout -issuer
issuer= /C=CN/ST=beijing/L=beijing/O=mage/OU=M30/CN=www.yxh.com
Creating the CA server
Requesting a certificate as a user or server
1. Generate the private key file
[root@yxh6 data]# (umask ;openssl genrsa -out app.key )
Generating RSA private key, bit long modulus
..............................++++++
.....................++++++
e is (0x10001)
[root@yxh6 data]# ls
app.key
2. Use the private key file to generate the request file
[root@yxh6 data]# openssl req -new -key app.key -out app.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name ( letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:mage
Organizational Unit Name (eg, section) []:M30
Common Name (eg, your name or your server's hostname) []:www.yxh.com
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@yxh6 data]# ls
app.csr app.key
3. Send the request file to the CA
scp app.csr 192.168.33.130:/etc/pki/CA
4. The CA issues the certificate
Back on the CA server, issue the certificate
touch index.txt
echo 0F > serial
[root@centos7 CA]# openssl ca -in app.csr -out certs/app.crt -days
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: (0xf)
Validity
Not Before: May :: GMT
Not After : Aug :: GMT
Subject:
countryName = CN
stateOrProvinceName = beijing
organizationName = mage
organizationalUnitName = M30
commonName = www.yxh.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
:DC:D4:AE:8A:5A::A4:::D7:3A:C9:C7:DD:A7:9C::B0:4F
X509v3 Authority Key Identifier:
keyid:C6::BB:D0:7D::F4:EF:1A::CD::D3:F7:E1:3D:8A::CD:
Certificate is to be certified until Aug :: GMT ( days)
Sign the certificate? [y/n]:y
out of certificate requests certified, commit? [y/n]y
Write out database with new entries
Data Base Updated
[root@centos7 certs]# ls
app.crt
5. Send the certificate to the client
scp app.crt 192.168.33.129:/data
The client can now use this certificate in its applications
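What the issued certificate buys the client is the check sketched below: a certificate signed by the built-in CA verifies, while one signed by C's look-alike CA is rejected even though every name in it matches. This is an added example, not part of the original notes; the directory, file names and host name are made up, and it signs with openssl x509 -req instead of the openssl ca database workflow used in the lab.

```shell
#!/bin/sh
# Added example (not from the original notes). Names and paths are made up;
# "openssl x509 -req" replaces the "openssl ca" database workflow for brevity.
set -eu
LAB=$(mktemp -d)

# Own minimal config, so nothing depends on /etc/pki/tls/openssl.cnf.
cat > "$LAB/min.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF

# make_ca FILE CN: self-signed root certificate, like "openssl req -new -x509".
make_ca() {
    openssl req -new -x509 -config "$LAB/min.cnf" -extensions v3_ca \
        -newkey rsa:2048 -nodes -subj "/O=lab/CN=$2" \
        -keyout "$LAB/$1.key" -out "$LAB/$1.crt" -days 30 2>/dev/null
}

# issue CA FILE CN: the applicant creates key + CSR, the CA signs the CSR.
issue() {
    openssl req -new -config "$LAB/min.cnf" -newkey rsa:2048 -nodes \
        -subj "/O=lab/CN=$3" -keyout "$LAB/$2.key" -out "$LAB/$2.csr" 2>/dev/null
    openssl x509 -req -in "$LAB/$2.csr" -CA "$LAB/$1.crt" -CAkey "$LAB/$1.key" \
        -CAcreateserial -out "$LAB/$2.crt" -days 30 2>/dev/null
}

# check CA FILE: "trusted" if FILE.crt verifies against CA.crt, else "rejected".
check() {
    if openssl verify -CAfile "$LAB/$1.crt" "$LAB/$2.crt" >/dev/null 2>&1
    then echo trusted; else echo rejected; fi
}

make_ca root  "Lab Root CA"      # the CA whose certificate A and B have built in
make_ca rogue "Lab Root CA"      # C's look-alike CA: same name, different key
issue root  site www.example.test
issue rogue fake www.example.test   # C's certificate for the same host name
echo "site: $(check root site)  fake: $(check root fake)"
```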
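CA issuing a certificate (client)
Viewing the generated certificate and installing it on Windows
The certificate cacert.pem can be downloaded to Windows to inspect the certificate information graphically
The .pem suffix (cacert.pem) has to be changed to one that Windows recognises, .cer (cacert.cer) or .crt. Clicking "Install Certificate" installs the certificate into the trusted certificate path.
Certificate management
View the information in a certificate: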
openssl x509 -in /PATH/FROM/CERT_FILE -noout -text|issuer|subject|serial|dates
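Check the status of the certificate with a given serial number:
openssl ca -status SERIAL
Revoking a certificate
On the client, get the serial of the certificate to be revoked:
openssl x509 -in /PATH/FROM/CERT_FILE -noout -serial -subject
On the CA, check that the serial and subject submitted by the client match the information in index.txt, then revoke the certificate:
openssl ca -revoke /etc/pki/CA/newcerts/SERIAL.pem
Set the initial revocation number. Note: this is only needed before the certificate revocation list is updated for the first time:
echo 01 > /etc/pki/CA/crlnumber
Update the certificate revocation list:
openssl ca -gencrl -out /etc/pki/CA/crl.pem
View the CRL file:
openssl crl -in /etc/pki/CA/crl.pem -noout -text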
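Revocation only has an effect when the verifier is given the CRL and told to check it. The added example below (not part of the original notes) runs the steps above in a throw-away directory and verifies the same certificate before and after revocation; ca.cnf is a constructed minimal stand-in for /etc/pki/tls/openssl.cnf and the subject names are made up.

```shell
#!/bin/sh
# Added example (not from the original notes): the revocation steps above in a
# throw-away CA directory. ca.cnf is a constructed stand-in for openssl.cnf.
set -eu
cd "$(mktemp -d)"
mkdir newcerts; touch index.txt
echo 0F > serial; echo 01 > crlnumber
cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
[ca]
default_ca = lab
[lab]
database = index.txt
new_certs_dir = newcerts
serial = serial
crlnumber = crlnumber
certificate = cacert.pem
private_key = cakey.pem
default_md = sha256
default_days = 30
default_crl_days = 7
policy = any
[any]
commonName = supplied
EOF

openssl req -new -x509 -config ca.cnf -extensions v3_ca -newkey rsa:2048 -nodes \
    -subj "/CN=Lab Root CA" -keyout cakey.pem -out cacert.pem -days 30 2>/dev/null
openssl req -new -config ca.cnf -newkey rsa:2048 -nodes \
    -subj "/CN=app.example.test" -keyout app.key -out app.csr 2>/dev/null
openssl ca -batch -config ca.cnf -in app.csr -out app.crt 2>/dev/null

# crl_status: regenerate the CRL, then verify app.crt with CRL checking enabled.
crl_status() {
    openssl ca -config ca.cnf -gencrl -out crl.pem 2>/dev/null
    if openssl verify -CAfile cacert.pem -CRLfile crl.pem -crl_check app.crt \
        >/dev/null 2>&1
    then echo valid; else echo revoked; fi
}

before=$(crl_status)
openssl ca -config ca.cnf -revoke newcerts/0F.pem 2>/dev/null
after=$(crl_status)
echo "before revocation: $before, after: $after"
```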
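SSH security service
ssh: secure shell, protocol, 22/tcp, secure remote login
Two ways of authenticating a user login:
1. Password-based
  1. The client sends an SSH request to the server
  2. The server receives the request and sends its public key to the client
  3. The client enters the user name and password, which are encrypted with the public key and sent back to the server
  4. The server decrypts with its private key to obtain the user name and password, and checks them against the local user name and password
2. Key-based
  1. First, a key pair is generated on the client
  2. The client copies the public key to the server, where it is renamed to authorized_keys
  3. The client sends a connection request to the server, including its IP and user name
  4. On receiving the client's message, the server looks in authorized_keys for a matching entry and generates a random string
  5. The server encrypts the random string with the client's public key and sends it to the client
  6. The client receives the encrypted string, decrypts it with its own private key and sends the decrypted string to the server
  7. The server compares the string it receives with the random string it originally generated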
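Steps 4 to 7 of the key-based login, as described above, can be walked through with openssl standing in for both the ssh client and the server. This is an added example, not part of the original notes; the file names and the OAEP padding are assumptions, and the second key pair is there to show a key that is not in authorized_keys being turned away.

```shell
#!/bin/sh
# Added example (not from the original notes): steps 4-7 of key-based login,
# with openssl standing in for the ssh client and sshd. File names are made up.
set -eu
W=$(mktemp -d)

# Steps 1-2: the client's key pair; the server keeps only the public half.
openssl genrsa -out "$W/client.key" 2048 2>/dev/null
openssl rsa -in "$W/client.key" -pubout -out "$W/authorized.pub" 2>/dev/null
# A second key pair that was never authorised on the server.
openssl genrsa -out "$W/stranger.key" 2048 2>/dev/null

# key_login PRIVATE_KEY: run one challenge round, print "accepted" or "denied".
key_login() {
    # Step 4: the server generates a fresh random string for this attempt.
    openssl rand -hex 16 > "$W/challenge"
    # Step 5: the server encrypts it with the authorised public key.
    openssl pkeyutl -encrypt -pubin -inkey "$W/authorized.pub" \
        -pkeyopt rsa_padding_mode:oaep -in "$W/challenge" -out "$W/challenge.enc"
    # Step 6: the client decrypts with its private key; a wrong key fails here.
    openssl pkeyutl -decrypt -inkey "$1" -pkeyopt rsa_padding_mode:oaep \
        -in "$W/challenge.enc" -out "$W/response" 2>/dev/null || : > "$W/response"
    # Step 7: the server compares the answer with the string it generated.
    if cmp -s "$W/challenge" "$W/response"
    then echo accepted; else echo denied; fi
}

echo "owner: $(key_login "$W/client.key")  stranger: $(key_login "$W/stranger.key")"
```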
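ssh client:
Client configuration file: /etc/ssh/ssh_config
SSH server configuration file: /etc/ssh/sshd_config
The first time it connects, the ssh client downloads the remote host's public key to the local machine. Impersonating a host that has already been connected to would therefore require copying that host's private key to the local machine.
Setting up ssh key-based authentication
This gives a chosen user passwordless connection; the default is the root user. Specifying a user name in the ssh-copy-id command copies the public key file into that user's home directory.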
ssh-copy-id yxh@192.168.33.130
1. Generate a key pair on the client
[root@yxh6 data]# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
::ce:6b::1d::c4::::2e:::8b:0b root@yxh6.localdomain
The key's randomart image is:
+--[ RSA ]----+
| .=+.. |
| . ** o |
| o E+* = |
| . o * + . |
| = S |
| + |
| + |
| . |
| |
+-----------------+
[root@yxh6 data]# cd /root/.ssh
[root@yxh6 .ssh]# ls
id_rsa id_rsa.pub known_hosts
2. Copy the public key to the server host
[root@yxh6 .ssh]# ssh-copy-id 192.168.33.130
root@192.168.33.130's password:
Now try logging into the machine, with "ssh '192.168.33.130'", and check in:
  .ssh/authorized_keys
to make sure we haven't added extra keys that you weren't expecting.
3. Connect to the remote host directly
[root@yxh6 .ssh]# ssh 192.168.33.130
Last login: Sat May :: from 192.168.33.1
this is etc/motd,welcome....
[root@centos7 ~]#
Mutual key-based login between multiple hosts
1. Generate one key pair on host A; all hosts use the same key pair
2.ssh-copy-id A
3.scp -rp /root/.ssh B:/root
4.scp -rp /root/.ssh C:/root
Automating ssh key authentication with a script
Output patterns for expect to match:
#Are you sure you want to continue connecting (yes/no)?
#root@192.168.33.129's password:
Generate the IP list file
[root@centos7 .ssh]# cat ip.txt
192.168.33.129
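192.168.33.130

#!/bin/bash
# Install expect if it is not already present
rpm -q expect &> /dev/null || yum install -y expect
# Generate a key pair with an empty passphrase
ssh-keygen -P "" -f "/root/.ssh/id_rsa"
password=root
# Push the public key to every address listed in ip.txt
while read -r ipaddr; do
    echo "$ipaddr"
    expect <<EOF
spawn ssh-copy-id $ipaddr
expect {
    "yes/no" { send "yes\n"; exp_continue }
    "password:" { send "$password\n" }
}
expect eof
EOF
done < ip.txt

Make the script file executable
chmod +x ssh_key.sh
Run the script
./ssh_key.sh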