安全-数据加密 GPG,Openssl,CA
gpg 数据加密
根据密钥的不同,分为两种加密体系
加密和解密使用的同一把密钥
加密
- GPG
准备两个机器, 每台机器各创建一个用户并设置密码
node1 172.16.0.61
node2 172.16.0.62
[root@node1 ~]# useradd user1
[root@node1 ~]# passwd user1
[root@node2 ~]# useradd user2
[root@node2 ~]# passwd user2
[c:~]$ ssh [email protected]
[c:~]$ ssh [email protected]
(1)对称加密
加密和解密使用同一把密钥。
优点:效率高,加密速度快,可以加密大量的数据,几G到几十G;
缺点:密钥的传递问题,特别是多个人同时通信。
创建一个带内容的文件
[user1@node1 ~]$ echo "hello user2" > file1
用gpg -c 给文件加密
[user1@node1 ~]$ gpg -c file1
输入加密密码
密码确认
[user1@node1 ~]$ ls
file1 file1.gpg
发送给对方node2
[user1@node1 ~]$ scp file1.gpg [email protected]:/home/user2
node2通过使用对方的密码打开加密文件
[user2@node2 ~]$ gpg -d file1.gpg
输入加密密码后 显示文件内容和警告信息
[user2@node2 ~]$ gpg -d file1.gpg > file1 # 转换为普通文件,可以使用cat file1查看
[user2@node02 ~]$ cat file1
hello user2
gpg: WARNING: message was not integrity protected ---> 警告:消息未受到完整保护
-->那么问题来了,node怎么知道文件的密码的? (不安全)
(2)非对称加密
加密和解密使用不同的密钥,是公钥加密,私钥解密
优点:解决了密钥传递的问题
缺点:效率低,加密速度慢,比对称加密速度慢1000倍,只能加密少量数据
node1 使用gpg --gen-key生成公钥和私钥
[user1@node1 ~]$ gpg --gen-key
Please select what kind of key you want:
(1) RSA and RSA (default)
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
Your selection? 1 ##加密算法
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) ##密钥长度
Requested keysize is 2048 bits
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0) 0 ##密钥的有效期
Key does not expire at all
Is this correct? (y/N) y
GnuPG needs to construct a user ID to identify your key.
Real name: user1-node1 ##唯一标识
Email address: [email protected] ##邮箱
Comment: user1-key ##描述,可以不写
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O ##确认
生成的公钥和私钥的目录
[user1@node1 ~]$ cd .gnupg/
[user1@node1 ~/.gnupg]$ ls
gpg.conf pubring.gpg random_seed S.gpg-agent
private-keys-v1.d pubring.gpg~ secring.gpg trustdb.gpg
查看公钥:
[user1@node1 ~]$ gpg --list-key
/home/user1/.gnupg/pubring.gpg
------------------------------
pub 2048R/D350DEFD 2019-12-13
uid user1-node1 (user1-key) <[email protected]>
sub 2048R/CF07BFDD 2019-12-13
查看私钥:
[user1@node1 ~]$ gpg --list-secret-key
/home/user1/.gnupg/secring.gpg
------------------------------
sec 2048R/D350DEFD 2019-12-13
uid user1-node1 (user1-key) <[email protected]>
ssb 2048R/CF07BFDD 2019-12-13
user1给user2发送文件:
user2导出公钥:
[user2@node2 ~]$ gpg --export user2-node2 ##乱数形式
[user2@node2 ~]$ gpg --export --armor user2-node2 ##二进制形式
[user2@node2 ~]$ gpg --export --armor user2-node2 > user2.pub
[user2@node2 ~]$ scp user2.pub [email protected]:/home/user1
user1导入user2的公钥:
[user1@node1 ~]$ gpg --import user2.pub
[user1@node1 ~]$ gpg --list-key
/home/user1/.gnupg/pubring.gpg
------------------------------
pub 2048R/D350DEFD 2019-12-13
uid user1-node1 (user1-key) <[email protected]>
sub 2048R/CF07BFDD 2019-12-13
pub 2048R/9D8A14E8 2019-12-13
uid user2-node2 (user2-key) <[email protected]>
sub 2048R/F6F7ED5B 2019-12-13
[user1@node1 ~]$ cp /etc/passwd .
加密文件:
[user1@node1 ~]$ gpg --encrypt --recipient user2-node2 --armor passwd
Use this key anyway? (y/N) y
# --recipient 收件人
# --armor 文件
passwd.asc 加密后的文件
将加密后的文件发送给user2
[user1@node1 ~]$ scp passwd.asc [email protected]:/home/user2
user2解密:
[user2@node2 ~]$ gpg --decrypt --armor passwd.asc
输入自己的私钥密码
# --decrypt 解密
对公钥签名
导入的公钥是不被信任的,需要对公钥进行签名操作:
[user1@node1 ~]$ gpg --fingerprint user2-node2
查看user2的公钥的指纹信息
[user1@node1 ~]$ gpg --sign-key user2-node2
对user2的公钥进行签名操作
输入自己的私钥密码 (对别人的文件签名,需要输入自己的私钥密码)
Really sign? (y/N) y
[user1@node1 ~]$ cp /etc/group .
[user1@node1 ~]$ gpg --encrypt --recipient user2-node2 --armor group
gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 1 signed: 1 trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: depth: 1 valid: 1 signed: 0 trust: 1-, 0q, 0n, 0m, 0f, 0u
[user1@node01 ~]$ ls
group group.asc ---> 加密成功.asc文件就是
openssl
[user1@node1 ~]$ openssl
OpenSSL> ? ---> 输入完可以查看openssl所有的算法命令
openssl:Error: '?' is an invalid command.
Standard commands ##命令
Message Digest commands (see the `dgst' command for more details
##用于签名的加密算法
Cipher commands (see the `enc' command for more details)
##用于加密的加密算法
(1)对称加密
[user1@node1 ~]$ tail /etc/passwd > p10
[user1@node1 ~]$ ls
p10
加密文件:
[user1@node1 ~]$ openssl enc -e -bf -in p10 -out p10.ssl
enter bf-cbc encryption password:输入对称加密的密码
Verifying - enter bf-cbc encryption password:
enc 加密操作
-e 加密
-bf 加密算法
-in 准备加密的文件
-out 加密后的文件
[user1@node1 ~]$ scp p10.ssl [email protected]:/home/user2
解密文件:
[user2@node2 ~]$ openssl enc -d -bf -in p10.ssl -out p10
enter bf-cbc decryption password:输入加密密码
(2)非对称加密
生成公钥和私钥:
私钥可以设置密码,也可以不设置密码。(一般情况不设置密码,因为客户访问比较麻烦)
[user2@node2 ~]$ openssl genrsa 1024 > user2.pri
创建私钥,无密码
[user2@node2 ~]$ openssl genrsa -des3 1024 > user2.pas
Generating RSA private key, 1024 bit long modulus
......................................................++++++
.........++++++
e is 65537 (0x10001)
Enter pass phrase:
Verifying - Enter pass phrase:
创建私钥,有密码
从私钥中提取公钥:
[user2@node2 ~]$ openssl rsa -in user2.pri -pubout -out user2.pub
[user2@node2 ~]$ openssl rsa -in user2.pas -pubout -out user2.pub1
Enter pass phrase for user2.pas:输入私钥密码
writing RSA key
[user2@node2 ~]$ scp user2.pub [email protected]:/home/user1
rsautl指令能够使用RSA算法签名,验证身份,加密/解密数据
[user1@node1 ~]$ openssl rsautl -in p10 -out p10.sec -pubin -inkey user2.pub -encrypt
RSA operation error
加密大文件,报错
140633055508384:error:0406D06E:rsa routines:RSA_padding_add_PKCS1_type_2:data too large for key size:rsa_pk1.c:153:
[user1@node1 ~]$ echo "bf|123456" > key
非对称加密:
[user1@node1 ~]$ openssl rsautl -in key -out key.sec -pubin -inkey user2.pub -encrypt
[user1@node1 ~]$ scp key.sec [email protected]:/home/user2
解密:
[user2@node2 ~]$ openssl rsautl -in key.sec -out key -inkey user2.pri -decrypt
[user2@node2 ~]$ cat key
bf|123456
练习:对称加密+非对称加密
user1给user2发送大文件。
[user1@node01 ~]$ tail /etc/passwd > p20
1. 对称加密对大文件
[user1@node01 ~]$ openssl enc -e -bf -in p20 -out p20.ssl
enter bf-cbc encryption password:
Verifying - enter bf-cbc encryption password:
2. user1用user2的公钥将算法和密码文件进行二次加密
user1 对称加密加密一个大的数据文件
非对称加密加密一个小的密码和算法文件
[user1@node01 ~]$ echo "-bf | 123" > pass20
[user1@node01 ~]$ openssl rsautl -in pass20 -out pass20.sec -pubin -inkey user2.pub -encrypt
[user1@node01 ~]$ scp pass20.sec p20.ssl [email protected]:/home/user2
[email protected]'s password:
pass20.sec 100% 128 62.1KB/s 00:00
p20.ssl 100% 552 115.6KB/s 00:00
- user2先用自己的私钥解密密码和算法文件
非对称解密小文件(密码)
[user2@node02 ~]$ openssl rsautl -in pass20.sec -out pass20 -inkey user2.pri -decrypt
[user2@node02 ~]$ cat pass20
-bf | 123
有密码了再对称解密(大文件)
[user2@node02 ~]$ openssl enc -d -bf -in p20.ssl -out p20
enter bf-cbc decryption password:
[user2@node02 ~]$ cat p20
实验1:apache+https
CA 172.16.0.61
apache 172.16.0.62
1. apache
[root@apache1 ~]# yum install -y httpd
生成私钥:
apache本地先生成私钥
[root@apache1 ~]# openssl genrsa 1024 > web.key
从私钥中提取带有签名请求的公钥:
[root@apache1 ~]# openssl req -new -key web.key -days 365 -out web.csr
req 签名请求
-new 新建
-days 有效期,天
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:liaoning
Locality Name (eg, city) [Default City]:shenyang
Organization Name (eg, company) [Default Company Ltd]:sgy
Organizational Unit Name (eg, section) []:edu
Common Name (eg, your name or your server's hostname) []:172.16.0.62 # 生产环境需要写域名,不是ip
Email Address []:[email protected]
A challenge password []: 没有密码,直接回车
An optional company name []:没有公司名,直接回车
[root@apache1 ~]# scp web.csr 172.16.0.61:/root/
2. CA
CA给apache签发证书。
开始签发:
(生产环境中,CA签发是国外的有资质的机构(如赛门铁克等)进行签发,属于收费业务。下边操作仅供实验参考,签署结果肯定是失败的。。。)
开始签发:
CA 将收到的证书进行签署 进行签署。
(操作过程会有4个报错,可以先解决报错,最后进行签署,此环节不重要)
[root@CA ~]# openssl ca -in web.csr -out web.crt
Using configuration from /etc/pki/tls/openssl.cnf
Error opening CA private key /etc/pki/CA/private/cakey.pem
140183854000032:error:02001002:system library:fopen:No such file or directory:bss_file.c:402:fopen('/etc/pki/CA/private/cakey.pem','r')
140183854000032:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:404:
unable to load CA private key
报错1:缺少CA的私钥
解决:
[root@CA ~]# openssl genrsa 1024 > /etc/pki/CA/private/cakey.pem
[root@CA ~]# openssl ca -in web.csr -out web.crt
Using configuration from /etc/pki/tls/openssl.cnf
Error opening CA certificate /etc/pki/CA/cacert.pem
139803183761312:error:02001002:system library:fopen:No such file or directory:bss_file.c:402:fopen('/etc/pki/CA/cacert.pem','r')
139803183761312:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:404:
unable to load certificate
报错2:缺少CA的自签名证书
解决:
[root@CA ~]# openssl req -new -key /etc/pki/CA/private/cakey.pem -days 3650 -x509 -out /etc/pki/CA/cacert.pem
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:liaoning
Locality Name (eg, city) [Default City]:shenyang
Organization Name (eg, company) [Default Company Ltd]:sgy
Organizational Unit Name (eg, section) []:edu
Common Name (eg, your name or your server is hostname) []:172.16.0.61
Email Address []:[email protected]
[root@CA ~]# openssl ca -in web.csr -out web.crt
Using configuration from /etc/pki/tls/openssl.cnf
/etc/pki/CA/index.txt: No such file or directory
unable to open '/etc/pki/CA/index.txt'
139734688642976:error:02001002:system library:fopen:No such file or directory:bss_file.c:402:fopen('/etc/pki/CA/index.txt','r')
139734688642976:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:404:
报错3:缺少索引文件
解决:
[root@CA ~]# touch /etc/pki/CA/index.txt
[root@CA ~]# openssl ca -in web.csr -out web.crt
Using configuration from /etc/pki/tls/openssl.cnf
/etc/pki/CA/serial: No such file or directory
error while loading serial number
140469450205088:error:02001002:system library:fopen:No such file or directory:bss_file.c:402:fopen('/etc/pki/CA/serial','r')
140469450205088:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:404:
报错4:缺少序列号文件
解决:
[root@CA ~]# echo 01 > /etc/pki/CA/serial
[root@CA ~]# openssl ca -in web.csr -out web.crt
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
ca签完了,给回apache
[root@CA ~]# scp web.crt 172.16.0.62:/root/
3. apache
[root@apache1 ~]# ls web.*
web.crt web.csr web.key
web.crt CA签署完的公钥
web.csr 准备让CA签署的公钥,已经没用了
web.key 私钥
apache端安装mod_ssl,使http支持https
[root@apache1 ~]# yum install -y mod_ssl
编辑ssl配置文件,对应签署完的crt公钥,和私钥
[root@apache1 /etc/httpd/conf.d]# vim ssl.conf
100 SSLCertificateFile /etc/pki/tls/certs/web.crt
107 SSLCertificateKeyFile /etc/pki/tls/private/web.key
拷贝对应的公钥私钥到对应的路径
[root@apache1 ~]# cp web.crt /etc/pki/tls/certs/web.crt
[root@apache1 ~]# cp web.key /etc/pki/tls/private/web.key
重启apache服务
[root@apache1 ~]# systemctl start httpd
[root@apache1 ~]# systemctl enable httpd
[root@apache1 ~]# netstat -antp | grep httpd
tcp6 0 0 :::80 :::* LISTEN 1080/httpd
tcp6 0 0 :::443 :::* LISTEN 1080/httpd
http://172.16.0.62 -->80
https://172.16.0.62 -->443
=========================================================
实验2:nginx+https
1. nginx
nginx 生成私钥文件
[root@nginx1 ~]# openssl genrsa 1024 > web.key
从私钥抽取公钥
[root@nginx1 ~]# openssl req -new -key web.key -days 365 -out web.csr
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:liaoning
Locality Name (eg, city) [Default City]:shenyang
Organization Name (eg, company) [Default Company Ltd]:sgy
Organizational Unit Name (eg, section) []:edu
Common Name (eg, your name or your server's hostname) []:172.16.0.63
Email Address []:[email protected]
A challenge password []: 直接回车
An optional company name []: 直接回车
[root@nginx1 ~]# scp web.csr 172.16.0.61:/root/
2. CA
给nginx签署证书
[root@CA ~]# openssl genrsa 1024 > /etc/pki/CA/private/cakey.pem
[root@CA ~]# openssl req -new -key /etc/pki/CA/private/cakey.pem -days 3650 -x509 -out /etc/pki/CA/cacert.pem
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:liaoning
Locality Name (eg, city) [Default City]:shenyang
Organization Name (eg, company) [Default Company Ltd]:sgy
Organizational Unit Name (eg, section) []:edu
Common Name (eg, your name or your server's hostname) []:172.16.0.61
Email Address []:[email protected]
[root@CA ~]# touch /etc/pki/CA/index.txt
[root@CA ~]# echo 01 > /etc/pki/CA/serial
[root@CA ~]# openssl ca -in web.csr -out web.crt
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
[root@CA ~]# scp web.crt 172.16.0.63:/root/
3. nginx
[root@nginx1 /usr/local/nginx]# vim conf/nginx.conf
user www;
worker_processes 1;
error_log logs/error.log;
error_log logs/error.log notice;
error_log logs/error.log info;
pid logs/nginx.pid;
events {
worker_connections 1024;
use epoll;
}
http {
include mime.types;
default_type application/octet-stream;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log logs/access.log main;
sendfile on;
tcp_nopush on;
keepalive_timeout 65;
gzip on;
# HTTP Server
server {
listen 80;
server_name 172.16.0.63;
location / {
root html;
index index.html index.htm;
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root html;
}
}
# HTTPS server
server {
listen 443 ssl;
server_name 172.16.0.63;
ssl_certificate /etc/pki/tls/certs/web.crt;
ssl_certificate_key /etc/pki/tls/private/web.key;
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 5m;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
ssl_protocols SSLv2 SSLv3 TLSv1;
location / {
root html;
index index.html index.htm;
}
}
}
[root@nginx1 ~]# cp web.crt /etc/pki/tls/certs/web.crt
[root@nginx1 ~]# cp web.key /etc/pki/tls/private/web.key
[root@nginx1 /usr/local/nginx]# ./sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@nginx1 /usr/local/nginx]# ./sbin/nginx -s reload
[root@nginx1 ~]# netstat -antp | grep nginx
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 931/nginx: master
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 931/nginx: master