加密和安全
常見的加密算法有和協議有對稱加密,公鑰加密,單向加密和認證協議
對稱加密
對稱加密,在加密和解密時使用的是同一個密鑰
常見的對稱加密有:DES,3DES,AES,Blowfish,Twofish,IDEA,RC6,CAST5
對稱密鑰加密和解密的過程:
數據發送方A和數據接收方B在發送數據前先通過某種渠道約定好密鑰,然後A將明文的數據使用對稱密鑰進行加密,然後將加密後的數據發送給B,B接受到數據後使用相同的密鑰對數據進行解密然後獲取相應的數據
通過上述的加密和解密過程可以瞭解到這種加密的方法有以以下這些特點:
1.數據加密和解密時使用同一組密鑰
2.數據加密和機密時使用時間短效率高
3.將原始數據分割成固定大小的塊,逐個進行加密
不難看出對稱加密的缺點也是非常的明顯:
1.密鑰過多:每一個數據對應的都需要使用一個不同的密鑰進行加密,產生過多的密鑰
2.密鑰分發:密鑰在分發的過程種存在安全性問題
3.數據的來源無法確認:由於誰都能對數據加同一密鑰所以數據的來源性無法確認
非對稱加密
非對稱加密的密鑰是成對的出現的,其分爲公鑰和私鑰
公鑰(Public key):公開給所有人
私鑰(Secret key):自己留存,必須保證其私密性
常見的非對稱加密的算法有:RSA(加密,數字簽名),DSA(數字簽名),ELGaml
非對稱加密的加解密和實現數字簽名的過程:
數據的發送方A和接收方B各生成一隊密鑰:A方公鑰Pa、私鑰Sa,B方公鑰Pb、私鑰Sb
A方在傳送明文數據前先使用自己的私鑰(Sa)對數據進行加密,再使用B方的公鑰(Pb)對加密後的數據再次加密,然後將數據傳送給B,B方接受到數據後,先使用自己的私鑰(Sb)對加密的數據進行解密,然後再使用A的公鑰(Pa)再次對數據進行解密以此來確認數據確實是由A發送而來。
通過該流程可以發現非對稱加密有以下特點:
用公鑰加密的數據,只能由與之相對應的私鑰進行解密,反之亦然。
通過其特性可以實現以下功能:
1.可以實現數字簽名,讓接受可以確認數據發送方的身份
2.可以實現對稱密鑰的交換,發送方可以使用對方的公鑰加密一個對稱密鑰然後發送給對方
3.由於非對稱加密的解密的時間比較長,所以只適合較小數據的加密
由此可見其缺點是非常明顯的:
1.非對稱密鑰的長度非常的長。
2.非對稱加密在解密時的效率非常的低下
單向散列(hash算法)
hash算法又叫數據摘要,這種算法無法被逆推,可以確保數據的完整性,確保數據沒有被篡改,用來做完整性校驗。hash算法類似於指紋。
常見算法: md5: 128bits、sha1: 160bits、sha224、sha256、sha384、sha512
示例:
將一竄字符定向給file1,然後對file1進行一系列操作並用md5sum進行提取指紋信息查看。[root@centos7 ~]# echo abcdefg > file1 [root@centos7 ~]# md5sum file1 020861c8c3fe177da19a7e9539a5dbac file1 #對剛創建的file1文件提取數據摘要 [root@centos7 ~]# cp file1 file2 [root@centos7 ~]# md5sum file2 020861c8c3fe177da19a7e9539a5dbac file2 #複製file1命名爲file2再提取數據摘要與file1做比較 [root@centos7 ~]# echo 1 >> file2 [root@centos7 ~]# md5sum file2 7f01eb26bac5f3a716b77cb702d85184 file2 #給file2添加點數據然後提取數據摘要再次和上一次的file2的數據摘要作比較通過上述示例可以發現,文件名的改變對數據的摘要信息毫無影響,但當數據的內容發生改變時,所提取出來的數據摘要將發生天翻地覆的變法。數據的完整性校驗就是通過此種方法來實現的。
所以單向散列有以下的特點:
1.任意長度輸入,固定長度輸出
2.若修改數據,指紋也會改變
3.無法從指紋中重新生成數據
根據其特點可以實現數據完整性這一功能。
數字簽名
通過上述3種加密方法的特點,我們可以實現出一種既能進行加密又能確保解密高效性,並且缺保數據的完整性的方法,這種方法稱爲數字簽名。
數字簽名的實現方法:
發送數據發送方用hash算法從數據中生成數據摘要,然後用自己的私人密鑰對這個摘要進行加密,這個加密後的摘要將作爲數據數字簽名和報文一起發送給接收方,接收方首先用與發送方一樣的hash算法從接收到的原始數據中計算出數據摘要,接着再用發送方的公用密鑰來對數據附加的數字簽名進行解密,如果這兩個摘要相同、那麼接收方就能確認該數字簽名是發送方的。
數字簽名有兩種功效:
1.能確定數據確實是由發送方簽名並發出來的,因爲別人假冒不了發送方的簽名。
2.數字簽名能確定數據的完整性。因爲數字簽名的特點是它代表了數據的特徵,數據如果發生改變,數字摘要的值也將發生變化。不同的數據將得到不同的數字摘要。 一次數字簽名涉及到一個hash算法、發送者的公鑰、發送者的私鑰。
非對稱密鑰實驗
| 實驗目的: 對文件進行非對稱加解密 實驗準備: |
主機 | OS | IP |
|---|---|---|---|
| A | CentOS7 | 192.168.172.134 | |
| B | CentOS7 | 192.168.172.134 |
一、分別在2臺主機上生成公鑰和私鑰
1.在主機A上生成公私鑰
[root@hostA ~]# gpg --gen-key
gpg (GnuPG) 2.0.22; Copyright (C) 2013 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
gpg: directory `/root/.gnupg' created
gpg: new configuration file `/root/.gnupg/gpg.conf' created
gpg: WARNING: options in `/root/.gnupg/gpg.conf' are not yet active during this run
gpg: keyring `/root/.gnupg/secring.gpg' created
gpg: keyring `/root/.gnupg/pubring.gpg' created
Please select what kind of key you want:
(1) RSA and RSA (default)
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
Your selection? 1 #選擇所要生成的非對稱密鑰類型
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 1024 #先擇密鑰的長度
Requested keysize is 1024 bits
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0) #指定密鑰的有效期限
Key does not expire at all
Is this correct? (y/N) y #確認密鑰有效期爲永久有效
GnuPG needs to construct a user ID to identify your key.
Real name: hostA #輸入非對稱密鑰所對應的主機名
Email address:
Comment:
You selected this USER-ID:
"hostA"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o #確認密鑰信息
You need a Passphrase to protect your secret key.
You don't want a passphrase - this is probably a *bad* idea!
I will do it anyway. You can change your passphrase at any time,
using this program with the option "--edit-key".
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: key 4B9A0B62 marked as ultimately trusted
public and secret key created and signed.
gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
pub 1024R/4B9A0B62 2019-04-12
Key fingerprint = E128 AD1F E1D5 5B0D C66C FD45 4786 0C63 4B9A 0B62
uid hostA
sub 1024R/DD37BA59 2019-04-12
#非對稱密生成完畢
[root@hostA ~]# cd .gnupg/
[root@hostA .gnupg]# ll
total 28
-rw------- 1 root root 7680 Apr 13 05:36 gpg.conf
drwx------ 2 root root 6 Apr 13 05:37 private-keys-v1.d
-rw------- 1 root root 649 Apr 13 05:37 pubring.gpg #公鑰文件
-rw------- 1 root root 649 Apr 13 05:37 pubring.gpg~ #公鑰的備份
-rw------- 1 root root 600 Apr 13 05:37 random_seed
-rw------- 1 root root 1313 Apr 13 05:37 secring.gpg #私鑰文件
srwxr-xr-x 1 root root 0 Apr 13 05:37 S.gpg-agent
-rw------- 1 root root 1280 Apr 13 05:37 trustdb.gpg2.B主機上生成公私鑰
[root@hostB ~]# gpg --gen-key
gpg (GnuPG) 2.0.22; Copyright (C) 2013 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
gpg: directory `/root/.gnupg' created
gpg: new configuration file `/root/.gnupg/gpg.conf' created
gpg: WARNING: options in `/root/.gnupg/gpg.conf' are not yet active during this run
gpg: keyring `/root/.gnupg/secring.gpg' created
gpg: keyring `/root/.gnupg/pubring.gpg' created
Please select what kind of key you want:
(1) RSA and RSA (default)
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
Your selection? 1
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 1024
Requested keysize is 1024 bits
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0)
Key does not expire at all
Is this correct? (y/N) y
GnuPG needs to construct a user ID to identify your key.
Real name: hostB
Email address:
Comment:
You selected this USER-ID:
"hostB"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
You need a Passphrase to protect your secret key.
You don't want a passphrase - this is probably a *bad* idea!
I will do it anyway. You can change your passphrase at any time,
using this program with the option "--edit-key".
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: key 77A790ED marked as ultimately trusted
public and secret key created and signed.
gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
pub 1024R/77A790ED 2019-04-12
Key fingerprint = 34E9 51E2 0720 1186 FC26 6BED 5FDF ABE5 77A7 90ED
uid hostB
sub 1024R/3108F051 2019-04-12
[root@hostB ~]# ll .gnupg/
total 28
-rw------- 1 root root 7680 Apr 13 05:50 gpg.conf
drwx------ 2 root root 6 Apr 13 05:50 private-keys-v1.d
-rw------- 1 root root 649 Apr 13 05:51 pubring.gpg
-rw------- 1 root root 649 Apr 13 05:51 pubring.gpg~
-rw------- 1 root root 600 Apr 13 05:51 random_seed
-rw------- 1 root root 1313 Apr 13 05:51 secring.gpg
srwxr-xr-x 1 root root 0 Apr 13 05:50 S.gpg-agent
-rw------- 1 root root 1280 Apr 13 05:51 trustdb.gpg
公私鑰文件已生成3.主機A、B互換公鑰文件
3.1導出主機A公鑰發送給B
[root@hostA .gnupg]# gpg -a --export -o hostA.pubkey #導出公鑰文件。
[root@hostA .gnupg]# cat hostA.pubkey
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v2.0.22 (GNU/Linux)
mI0EXLEFGgEEALt/ZGwt9ZnkvzI0Ah0DJMFqYPbeTfLWtckiL/tKdkQShaA8pTqS
ckAdeKRY1NRskKsInek3dD+V32n3PG8tTF8ZIQ6TpK8PgB/E+fKH2ftFQFchU+F8
2lsJ0VKf7ILQ6Yre4mVeGo4HCwrJg+E6gEPspaajCyB4BIgApNzqmxNVABEBAAG0
BWhvc3RBiLkEEwECACMFAlyxBRoCGwMHCwkIBwMCAQYVCAIJCgsEFgIDAQIeAQIX
gAAKCRBHhgxjS5oLYj3RBACFK1NjY29XFnu2ZqpM6bSLLp5sf7fbKvUTUEhitXSo
LB607v88KZoUFdcSQf9v+02KytzC1usW8P0NlevhwCJSRpcaO29GyXKnN07jsQAG
J2TUDR91hgcFZ/j2mcZal+WlgwSQr0Skv4GojTpme/n00DVbZzGGL7QBiTH/45AZ
pbiNBFyxBRoBBAC+rfAizsp3qturv4QXwjguar9HuXWffap7nFaQKUAC8S+a2EyG
RcBvWci0sNXx9HJE4/61ExPF84TR4uc8fRkzWYb6sfPGwBxDFH5e9igPifwyEuqk
QPO3eezRX5bNwLMSXyesUFCeJZ3Qy6BYV6S8vDJbjj6RYwWlLRUJv4rlHwARAQAB
iJ8EGAECAAkFAlyxBRoCGwwACgkQR4YMY0uaC2IkvwP/ckneRcvcYqTCeINVPlqD
ltUC3jn5U1Nu/dZKwt15R7l68Qr0ARBO8SuLlMH7wjBQ/c6grwohfdcXCqZN2gVq
wWl2yamOpeOD4EqwnvaPGtP8t9j2gwGvM905NJRng8Ep+IOlqlNeljKjICLyNzmj
rkRjxcSdDrQgIYZgH84hXZU=
=4MIm
-----END PGP PUBLIC KEY BLOCK-----
[root@hostA .gnupg]# scp hostA.pubkey [email protected]:/root/.gnupg
The authenticity of host '192.168.172.138 (192.168.172.138)' can't be established.
ECDSA key fingerprint is SHA256:YNlH0VBV0kp4lAClVvfMWVx/bHcbKKHXQwyd13d+MME.
ECDSA key fingerprint is MD5:8a:1c:3d:c2:04:b1:be:05:95:33:9e:16:e8:ad:6c:25.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.172.138' (ECDSA) to the list of known hosts.
[email protected]'s password:
hostA.pubkey 100% 984 808.9KB/s 00:00 3.2導出主機B公鑰發送給A
[root@hostB ~]# gpg -a --export -o hostB.pubkey
[root@hostB ~]# cat hostB.pubkey
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v2.0.22 (GNU/Linux)
mI0EXLEIRwEEAJwjA3oD/GMvu7WvBfp6ZOaRnLxkebI0nVQt5PFOukiDxKDMtn4L
dcuja0JlP4F/MJpxx2pacuNODG/gV1Tu+5iOzxp1+/xJXrWjh0e+MCk3ubivQ5gj
L9TOSbePb/gzRR89F2BexKq6dkVYgiWUZ0205p/qBOMT49Xos9JQ02qlABEBAAG0
BWhvc3RCiLkEEwECACMFAlyxCEcCGwMHCwkIBwMCAQYVCAIJCgsEFgIDAQIeAQIX
gAAKCRBf36vld6eQ7Xb7A/4kpjrW/JC14J0ZuMggFoI340ZZUOlT2f7JKvS+bAQK
FXOgko6RblHo3PdaD+SimHDhzWibr0q05jpT0OlFP9PphgNfzBaUla/9v4heXcA5
Rsg+J7Z5dbblz4Fe9Hn6uuFJX6PEV00SCVZ1JBOesj4JZuufNTpU09iC8gkl2ntj
YLiNBFyxCEcBBACx6zvb6aH3mybpyqR2kdke0sAsof9sPVrv2UeHS5SSLe2qk38V
GmTwuqLhkvhWrPX9jZza17uauWHItjLl2Xx6VKul4pUA9EPih9rOWTsmHQPhEUnW
ZYVgt50Xn4YOjDaQiislS+AuR3XxeD4eaBtRatzMMQO/ibRV4EWXx6JLvQARAQAB
iJ8EGAECAAkFAlyxCEcCGwwACgkQX9+r5XenkO2rFAP/UgUJ3lYn9rKlnNwsgnqL
c38c6BovdzOveiYt+21QBQ5HElhRI/gZkpIiNi8pze1laaRzduTOj/23rNM5i3Cg
uJulPnMBGLx2s57EuevO34mml+A6pBUIe3ETJhtv8/L3XH5wiMzVEyuzIJuLBA4c
tt+3WYpY9rNUVeuLcHVd7vQ=
=/T8O
-----END PGP PUBLIC KEY BLOCK-----
[root@hostB ~]# scp hostB.pubkey [email protected]:/root/.gnupg/
The authenticity of host '192.168.172.134 (192.168.172.134)' can't be established.
ECDSA key fingerprint is SHA256:YNlH0VBV0kp4lAClVvfMWVx/bHcbKKHXQwyd13d+MME.
ECDSA key fingerprint is MD5:8a:1c:3d:c2:04:b1:be:05:95:33:9e:16:e8:ad:6c:25.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.172.134' (ECDSA) to the list of known hosts.
[email protected]'s password:
hostB.pubkey 100% 984 861.8KB/s 00:00 3.3主機A、B分別導入公鑰
主機A導入公鑰
[root@hostA .gnupg]# gpg --import hostB.pubkey #導入hostB的公鑰
gpg: key 77A790ED: public key "hostB" imported
gpg: Total number processed: 1
gpg: imported: 1 (RSA: 1)
[root@hostA .gnupg]# gpg --list-key #查看公鑰列表
/root/.gnupg/pubring.gpg
------------------------
pub 1024R/4B9A0B62 2019-04-12
uid hostA
sub 1024R/DD37BA59 2019-04-12
pub 1024R/77A790ED 2019-04-12
uid hostB
sub 1024R/3108F051 2019-04-12主機B導入公鑰
[root@hostB ~]# cd .gnupg/
[root@hostB .gnupg]# gpg --import hostA.pubkey
gpg: key 4B9A0B62: public key "hostA" imported
gpg: Total number processed: 1
gpg: imported: 1 (RSA: 1)
[root@hostB .gnupg]# gpg --list-key
/root/.gnupg/pubring.gpg
------------------------
pub 1024R/77A790ED 2019-04-12
uid hostB
sub 1024R/3108F051 2019-04-12
pub 1024R/4B9A0B62 2019-04-12
uid hostA
sub 1024R/DD37BA59 2019-04-124.測試
4.1使用主機A對文件進行非對稱加密,發送給主機B
[root@hostA data]# echo "hello,i am hostA" > file1
[root@hostA data]# gpg -e -r hostB file1
gpg: 3108F051: There is no assurance this key belongs to the named user
pub 1024R/3108F051 2019-04-12 hostB
Primary key fingerprint: 34E9 51E2 0720 1186 FC26 6BED 5FDF ABE5 77A7 90ED
Subkey fingerprint: 57FD 2BBD D2B0 8EE4 9BCA 74A5 2091 0199 3108 F051
It is NOT certain that the key belongs to the person named
in the user ID. If you *really* know what you are doing,
you may answer the next question with yes.
Use this key anyway? (y/N) y
[root@hostA data]# scp file1.gpg [email protected]:/data
[email protected]'s password:
file1.gpg 100% 225 87.2KB/s 00:00 4.2解密查看其中內容
[root@hostB data]# gpg -o file1 file1.gpg
gpg: encrypted with 1024-bit RSA key, ID 3108F051, created 2019-04-12
"hostB"
[root@hostB data]# cat file1
hello,i am hostA5.關於清除密鑰
1.清除公鑰
[root@hostA data]# gpg --delete-key hostB #刪除hostB的公鑰
gpg (GnuPG) 2.0.22; Copyright (C) 2013 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
pub 1024R/77A790ED 2019-04-12 hostB
Delete this key from the keyring? (y/N) y
[root@hostA data]# gpg --list-key #查看密鑰列表此時已經沒有hostB了
/root/.gnupg/pubring.gpg
------------------------
pub 1024R/4B9A0B62 2019-04-12
uid hostA
sub 1024R/DD37BA59 2019-04-12
[root@hostA ~]# ll .gnupg/
total 40
-rw------- 1 root root 649 Apr 13 05:48 192.168.172.138
-rw------- 1 root root 7680 Apr 13 05:36 gpg.conf
-rw-r--r-- 1 root root 984 Apr 13 06:02 hostA.pubkey
-rw-r--r-- 1 root root 984 Apr 13 06:06 hostB.pubkey
drwx------ 2 root root 6 Apr 13 05:37 private-keys-v1.d
-rw------- 1 root root 649 Apr 13 06:32 pubring.gpg
-rw------- 1 root root 1298 Apr 13 06:09 pubring.gpg~ #hostB的密鑰雖然被清除但是仍可以用此文件恢復
-rw------- 1 root root 600 Apr 13 06:15 random_seed
-rw------- 1 root root 1313 Apr 13 05:37 secring.gpg
srwxr-xr-x 1 root root 0 Apr 13 05:37 S.gpg-agent
-rw------- 1 root root 1280 Apr 13 05:37 trustdb.gpg
2.刪除自己的公鑰和私鑰
要刪除自己的公鑰必須先清除私鑰
[root@hostA ~]# gpg --delete-secret-key hostA #刪除自己的私鑰
gpg (GnuPG) 2.0.22; Copyright (C) 2013 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
sec 1024R/4B9A0B62 2019-04-12 hostA
Delete this key from the keyring? (y/N) y
This is a secret key! - really delete? (y/N) y
[root@hostA ~]# gpg --delete-key hostA #刪除自己的私鑰
gpg (GnuPG) 2.0.22; Copyright (C) 2013 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
pub 1024R/4B9A0B62 2019-04-12 hostA
Delete this key from the keyring? (y/N) y
[root@hostA ~]# rm -rf .gnupg/ #將/root/.gnupg目錄刪除