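Encryption and Security
Common encryption algorithms and protocols include symmetric encryption, public-key encryption, one-way encryption, and authentication protocols.
Symmetric encryption
Symmetric encryption uses the same key for encryption and decryption.
Common symmetric ciphers: DES, 3DES, AES, Blowfish, Twofish, IDEA, RC6, CAST5
How symmetric-key encryption and decryption work:
Before any data is sent, the sender A and the receiver B agree on a key over some channel. A then encrypts the plaintext with the symmetric key and sends the encrypted data to B. On receiving it, B decrypts it with the same key to recover the data.
This process shows that the method has the following characteristics:
1. The same key is used to encrypt and decrypt the data
2. Encryption and decryption are fast and efficient
3. The original data is split into fixed-size blocks that are encrypted one by one
The drawbacks of symmetric encryption are just as obvious:
1. Too many keys: each piece of data needs its own, different key, so a large number of keys accumulates
2. Key distribution: the key is exposed to security risks while it is being distributed
3. The origin of the data cannot be confirmed: anyone holding the same key can encrypt data, so the source cannot be established
Asymmetric encryption
Asymmetric keys come in pairs, each consisting of a public key and a private key.
Public key: published to everyone
Private key (Secret key): kept by the owner; its secrecy must be guaranteed
Common asymmetric algorithms: RSA (encryption, digital signatures), DSA (digital signatures), ElGamal
How asymmetric encryption, decryption and digital signing work:
The sender A and the receiver B each generate a key pair: A has public key Pa and private key Sa; B has public key Pb and private key Sb.
Before sending plaintext data, A first encrypts it with its own private key (Sa), then encrypts the result again with B's public key (Pb), and sends it to B. On receiving the data, B first decrypts it with its own private key (Sb) and then decrypts it again with A's public key (Pa), which confirms that the data really was sent by A.
This flow shows that asymmetric encryption has the following characteristic:
Data encrypted with a public key can only be decrypted with the corresponding private key, and vice versa.
This property makes the following possible:
1. Digital signatures: the receiver can confirm the identity of the sender
2. Symmetric key exchange: the sender can encrypt a symmetric key with the other party's public key and send it to them
3. Because asymmetric decryption takes a long time, it is only suitable for encrypting small amounts of data
Its drawbacks are therefore obvious:
1. Asymmetric keys are very long.
2. Asymmetric encryption is very inefficient at decryption
One-way hashing (hash algorithms)
A hash algorithm, also called a message digest, cannot be reversed. It ensures data integrity, confirming that data has not been tampered with, and is used for integrity checks. A hash is similar to a fingerprint.
Common algorithms: md5: 128 bits, sha1: 160 bits, sha224, sha256, sha384, sha512
Example:
Redirect a string of characters into file1, then perform a series of operations on file1 and use md5sum to extract and inspect the fingerprint.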
- [root@centos7 ~]# echo abcdefg> file1
- [root@centos7 ~]# md5sum file1
- 020861c8c3fe177da19a7e9539a5dbac file1 # extract the digest of the newly created file1
- [root@centos7 ~]# cp file1 file2
- [root@centos7 ~]# md5sum file2
- 020861c8c3fe177da19a7e9539a5dbac file2 # copy file1 to file2, extract the digest and compare it with file1's
- [root@centos7 ~]# echo 1>> file2
- [root@centos7 ~]# md5sum file2
- 7f01eb26bac5f3a716b77cb702d85184 file2 # append some data to file2, extract the digest and compare it with file2's previous digest
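The example shows that changing the file name has no effect on the digest, but as soon as the content changes, the extracted digest changes completely. This is how data integrity checks are implemented.
One-way hashing therefore has the following characteristics:
1. Input of any length, output of fixed length
2. If the data is modified, the fingerprint changes too
3. The data cannot be regenerated from the fingerprint
These characteristics are what make data integrity checking possible.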
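The integrity check described above, as an added example that is not part of the original post: it records a digest for every file in a directory and later reports which files no longer match. It uses SHA-256 instead of md5 (an assumption of this example), and the function names and sample files are constructed for illustration.

```python
import hashlib
import hmac
import os
import tempfile

def file_digest(path, algo="sha256", chunk=65536):
    """Hash a file in fixed-size chunks so large files need not fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_manifest(directory):
    """Map each file name in the directory to its SHA-256 digest."""
    return {name: file_digest(os.path.join(directory, name))
            for name in sorted(os.listdir(directory))}

def verify(directory, manifest):
    """Return {name: status}, where status is 'ok', 'modified' or 'missing'."""
    result = {}
    for name, expected in manifest.items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            result[name] = "missing"
        elif hmac.compare_digest(file_digest(path), expected):
            result[name] = "ok"
        else:
            result[name] = "modified"
    return result

def demo():
    """Constructed sample that mirrors the file1/file2 steps of the session above."""
    with tempfile.TemporaryDirectory() as d:
        for name in ("file1", "file2"):           # file2 is a copy of file1
            with open(os.path.join(d, name), "w") as f:
                f.write("abcdefg\n")
        manifest = build_manifest(d)
        same = manifest["file1"] == manifest["file2"]
        with open(os.path.join(d, "file2"), "a") as f:
            f.write("1\n")                        # change the content of file2
        return same, verify(d, manifest)

if __name__ == "__main__":
    print(demo())
```

A digest stored next to the files only detects accidental or unsophisticated changes; anyone who can rewrite the files can rewrite the manifest too, which is the gap a signature closes.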
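Digital signatures
Combining the characteristics of the three methods above, we can build a method that encrypts, keeps decryption efficient, and ensures data integrity. This method is called a digital signature.
How a digital signature is implemented:
The sender uses a hash algorithm to generate a digest from the data and then encrypts this digest with its own private key. The encrypted digest is sent to the receiver together with the message as the data's digital signature. The receiver first computes a digest from the received original data using the same hash algorithm as the sender, then decrypts the attached digital signature with the sender's public key. If the two digests are identical, the receiver can be sure that the digital signature belongs to the sender.
A digital signature serves two purposes:
1. It establishes that the data really was signed and sent by the sender, because nobody else can forge the sender's signature.
2. It establishes the integrity of the data. A digital signature represents the characteristics of the data: if the data changes, the value of the digest changes too, and different data produces a different digest. One digital signature involves a hash algorithm, the sender's public key, and the sender's private key.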
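The sign-and-verify flow described above, as an added example that is not part of the original post. It uses textbook RSA without padding on constructed toy primes, so the key material, function names and messages are assumptions for illustration; real tools such as gpg apply a padding scheme on top of this.

```python
import hashlib

# Constructed toy primes (Mersenne primes): far too structured for real keys,
# used only so the arithmetic runs without third-party libraries.
E = 65537

def make_keypair(p, q, e=E):
    """Return ((n, e), (n, d)): the public key and the private key."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))  # modular inverse, Python 3.8+
    return (n, e), (n, d)

def digest_int(message):
    """SHA-256 digest of the data as an integer (smaller than n for these keys)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")

def sign(message, private):
    """Sender: hash the data, then transform the digest with the private key."""
    n, d = private
    return pow(digest_int(message), d, n)

def verify(message, signature, public):
    """Receiver: recompute the digest and compare it with the digest
    recovered from the signature using the sender's public key."""
    n, e = public
    return pow(signature, e, n) == digest_int(message)

def demo():
    pub_a, priv_a = make_keypair(2**521 - 1, 2**607 - 1)  # sender A
    _, priv_x = make_keypair(2**127 - 1, 2**521 - 1)      # hypothetical third party X
    data = b"hello,i am hostA"                            # constructed message
    sig = sign(data, priv_a)
    genuine = verify(data, sig, pub_a)                    # untouched data, A's key
    tampered = verify(b"hello,i am hostX", sig, pub_a)    # data changed in transit
    forged = verify(data, sign(data, priv_x), pub_a)      # signed with the wrong key
    return genuine, tampered, forged

if __name__ == "__main__":
    print(demo())
```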
Asymmetric key experiment
Objective:
Encrypt and decrypt a file asymmetrically
Preparation:
Host | OS | IP |
---|---|---|
A | CentOS7 | 192.168.172.134 |
B | CentOS7 | 192.168.172.134 |
I. Generate a public and private key on each of the 2 hosts
1. Generate the key pair on host A
- [root@hostA ~]# gpg --gen-key
- gpg (GnuPG) 2.0.22; Copyright (C) 2013 Free Software Foundation, Inc.
- This is free software: you are free to change and redistribute it.
- There is NO WARRANTY, to the extent permitted by law.
- gpg: directory `/root/.gnupg' created
- gpg: new configuration file `/root/.gnupg/gpg.conf' created
- gpg: WARNING: options in `/root/.gnupg/gpg.conf' are not yet active during this run
- gpg: keyring `/root/.gnupg/secring.gpg' created
- gpg: keyring `/root/.gnupg/pubring.gpg' created
- Please select what kind of key you want:
- (1) RSA and RSA (default)
- (2) DSA and Elgamal
- (3) DSA (sign only)
- (4) RSA (sign only)
- Your selection? 1 # choose the type of asymmetric key to generate
- RSA keys may be between 1024 and 4096 bits long.
- What keysize do you want? (2048) 1024 # choose the key length
- Requested keysize is 1024 bits
- Please specify how long the key should be valid.
- 0 = key does not expire
- <n> = key expires in n days
- <n>w = key expires in n weeks
- <n>m = key expires in n months
- <n>y = key expires in n years
- Key is valid for? (0) # specify how long the key is valid
- Key does not expire at all
- Is this correct? (y/N) y # confirm that the key never expires
- GnuPG needs to construct a user ID to identify your key.
- Real name: hostA # enter the host name the asymmetric key belongs to
- Email address:
- Comment:
- You selected this USER-ID:
- "hostA"
- Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o # confirm the key information
- You need a Passphrase to protect your secret key.
- You don't want a passphrase - this is probably a *bad* idea!
- I will do it anyway. You can change your passphrase at any time,
- using this program with the option "--edit-key".
- We need to generate a lot of random bytes. It is a good idea to perform
- some other action (type on the keyboard, move the mouse, utilize the
- disks) during the prime generation; this gives the random number
- generator a better chance to gain enough entropy.
- We need to generate a lot of random bytes. It is a good idea to perform
- some other action (type on the keyboard, move the mouse, utilize the
- disks) during the prime generation; this gives the random number
- generator a better chance to gain enough entropy.
- gpg: /root/.gnupg/trustdb.gpg: trustdb created
- gpg: key 4B9A0B62 marked as ultimately trusted
- public and secret key created and signed.
- gpg: checking the trustdb
- gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
- gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
- pub 1024R/4B9A0B62 2019-04-12
- Key fingerprint = E128 AD1F E1D5 5B0D C66C FD45 4786 0C63 4B9A 0B62
- uid hostA
- sub 1024R/DD37BA59 2019-04-12
- # asymmetric key generation is complete
- [root@hostA ~]# cd .gnupg/
- [root@hostA .gnupg]# ll
- total 28
- -rw------- 1 root root 7680 Apr 13 05:36 gpg.conf
- drwx------ 2 root root 6 Apr 13 05:37 private-keys-v1.d
- -rw------- 1 root root 649 Apr 13 05:37 pubring.gpg # public key file
- -rw------- 1 root root 649 Apr 13 05:37 pubring.gpg~ # backup of the public key
- -rw------- 1 root root 600 Apr 13 05:37 random_seed
- -rw------- 1 root root 1313 Apr 13 05:37 secring.gpg # private key file
- srwxr-xr-x 1 root root 0 Apr 13 05:37 S.gpg-agent
- -rw------- 1 root root 1280 Apr 13 05:37 trustdb.gpg
2. Generate the key pair on host B
- [root@hostB ~]# gpg --gen-key
- gpg (GnuPG) 2.0.22; Copyright (C) 2013 Free Software Foundation, Inc.
- This is free software: you are free to change and redistribute it.
- There is NO WARRANTY, to the extent permitted by law.
- gpg: directory `/root/.gnupg' created
- gpg: new configuration file `/root/.gnupg/gpg.conf' created
- gpg: WARNING: options in `/root/.gnupg/gpg.conf' are not yet active during this run
- gpg: keyring `/root/.gnupg/secring.gpg' created
- gpg: keyring `/root/.gnupg/pubring.gpg' created
- Please select what kind of key you want:
- (1) RSA and RSA (default)
- (2) DSA and Elgamal
- (3) DSA (sign only)
- (4) RSA (sign only)
- Your selection? 1
- RSA keys may be between 1024 and 4096 bits long.
- What keysize do you want? (2048) 1024
- Requested keysize is 1024 bits
- Please specify how long the key should be valid.
- 0 = key does not expire
- <n> = key expires in n days
- <n>w = key expires in n weeks
- <n>m = key expires in n months
- <n>y = key expires in n years
- Key is valid for? (0)
- Key does not expire at all
- Is this correct? (y/N) y
- GnuPG needs to construct a user ID to identify your key.
- Real name: hostB
- Email address:
- Comment:
- You selected this USER-ID:
- "hostB"
- Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
- You need a Passphrase to protect your secret key.
- You don't want a passphrase - this is probably a *bad* idea!
- I will do it anyway. You can change your passphrase at any time,
- using this program with the option "--edit-key".
- We need to generate a lot of random bytes. It is a good idea to perform
- some other action (type on the keyboard, move the mouse, utilize the
- disks) during the prime generation; this gives the random number
- generator a better chance to gain enough entropy.
- We need to generate a lot of random bytes. It is a good idea to perform
- some other action (type on the keyboard, move the mouse, utilize the
- disks) during the prime generation; this gives the random number
- generator a better chance to gain enough entropy.
- gpg: /root/.gnupg/trustdb.gpg: trustdb created
- gpg: key 77A790ED marked as ultimately trusted
- public and secret key created and signed.
- gpg: checking the trustdb
- gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
- gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
- pub 1024R/77A790ED 2019-04-12
- Key fingerprint = 34E9 51E2 0720 1186 FC26 6BED 5FDF ABE5 77A7 90ED
- uid hostB
- sub 1024R/3108F051 2019-04-12
- [root@hostB ~]# ll .gnupg/
- total 28
- -rw------- 1 root root 7680 Apr 13 05:50 gpg.conf
- drwx------ 2 root root 6 Apr 13 05:50 private-keys-v1.d
- -rw------- 1 root root 649 Apr 13 05:51 pubring.gpg
- -rw------- 1 root root 649 Apr 13 05:51 pubring.gpg~
- -rw------- 1 root root 600 Apr 13 05:51 random_seed
- -rw------- 1 root root 1313 Apr 13 05:51 secring.gpg
- srwxr-xr-x 1 root root 0 Apr 13 05:50 S.gpg-agent
- -rw------- 1 root root 1280 Apr 13 05:51 trustdb.gpg
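The public and private key files have been generated
II. Hosts A and B exchange public key files
1. Export host A's public key and send it to B
- [root@hostA .gnupg]# gpg -a --export -o hostA.pubkey # export the public key file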
- [root@hostA .gnupg]# cat hostA.pubkey
- -----BEGIN PGP PUBLIC KEY BLOCK-----
- Version: GnuPG v2.0.22 (GNU/Linux)
- mI0EXLEFGgEEALt/ZGwt9ZnkvzI0Ah0DJMFqYPbeTfLWtckiL/tKdkQShaA8pTqS
- ckAdeKRY1NRskKsInek3dD+V32n3PG8tTF8ZIQ6TpK8PgB/E+fKH2ftFQFchU+F8
- 2lsJ0VKf7ILQ6Yre4mVeGo4HCwrJg+E6gEPspaajCyB4BIgApNzqmxNVABEBAAG0
- BWhvc3RBiLkEEwECACMFAlyxBRoCGwMHCwkIBwMCAQYVCAIJCgsEFgIDAQIeAQIX
- gAAKCRBHhgxjS5oLYj3RBACFK1NjY29XFnu2ZqpM6bSLLp5sf7fbKvUTUEhitXSo
- LB607v88KZoUFdcSQf9v+02KytzC1usW8P0NlevhwCJSRpcaO29GyXKnN07jsQAG
- J2TUDR91hgcFZ/j2mcZal+WlgwSQr0Skv4GojTpme/n00DVbZzGGL7QBiTH/45AZ
- pbiNBFyxBRoBBAC+rfAizsp3qturv4QXwjguar9HuXWffap7nFaQKUAC8S+a2EyG
- RcBvWci0sNXx9HJE4/61ExPF84TR4uc8fRkzWYb6sfPGwBxDFH5e9igPifwyEuqk
- QPO3eezRX5bNwLMSXyesUFCeJZ3Qy6BYV6S8vDJbjj6RYwWlLRUJv4rlHwARAQAB
- iJ8EGAECAAkFAlyxBRoCGwwACgkQR4YMY0uaC2IkvwP/ckneRcvcYqTCeINVPlqD
- ltUC3jn5U1Nu/dZKwt15R7l68Qr0ARBO8SuLlMH7wjBQ/c6grwohfdcXCqZN2gVq
- wWl2yamOpeOD4EqwnvaPGtP8t9j2gwGvM905NJRng8Ep+IOlqlNeljKjICLyNzmj
- rkRjxcSdDrQgIYZgH84hXZU=
- =4MIm
- -----END PGP PUBLIC KEY BLOCK-----
- [root@hostA .gnupg]# scp hostA.pubkey root@192.168.172.138:/root/.gnupg
- The authenticity of host '192.168.172.138 (192.168.172.138)' can't be established.
- ECDSA key fingerprint is SHA256:YNlH0VBV0kp4lAClVvfMWVx/bHcbKKHXQwyd13d+MME.
- ECDSA key fingerprint is MD5:8a:1c:3d:c2:04:b1:be:05:95:33:9e:16:e8:ad:6c:25.
- Are you sure you want to continue connecting (yes/no)? yes
- Warning: Permanently added '192.168.172.138' (ECDSA) to the list of known hosts.
- root@192.168.172.138's password:
- hostA.pubkey 100% 984 808.9KB/s 00:00
2. Export host B's public key and send it to A
- [root@hostB ~]# gpg -a --export -o hostB.pubkey
- [root@hostB ~]# cat hostB.pubkey
- -----BEGIN PGP PUBLIC KEY BLOCK-----
- Version: GnuPG v2.0.22 (GNU/Linux)
- mI0EXLEIRwEEAJwjA3oD/GMvu7WvBfp6ZOaRnLxkebI0nVQt5PFOukiDxKDMtn4L
- dcuja0JlP4F/MJpxx2pacuNODG/gV1Tu+5iOzxp1+/xJXrWjh0e+MCk3ubivQ5gj
- L9TOSbePb/gzRR89F2BexKq6dkVYgiWUZ0205p/qBOMT49Xos9JQ02qlABEBAAG0
- BWhvc3RCiLkEEwECACMFAlyxCEcCGwMHCwkIBwMCAQYVCAIJCgsEFgIDAQIeAQIX
- gAAKCRBf36vld6eQ7Xb7A/4kpjrW/JC14J0ZuMggFoI340ZZUOlT2f7JKvS+bAQK
- FXOgko6RblHo3PdaD+SimHDhzWibr0q05jpT0OlFP9PphgNfzBaUla/9v4heXcA5
- Rsg+J7Z5dbblz4Fe9Hn6uuFJX6PEV00SCVZ1JBOesj4JZuufNTpU09iC8gkl2ntj
- YLiNBFyxCEcBBACx6zvb6aH3mybpyqR2kdke0sAsof9sPVrv2UeHS5SSLe2qk38V
- GmTwuqLhkvhWrPX9jZza17uauWHItjLl2Xx6VKul4pUA9EPih9rOWTsmHQPhEUnW
- ZYVgt50Xn4YOjDaQiislS+AuR3XxeD4eaBtRatzMMQO/ibRV4EWXx6JLvQARAQAB
- iJ8EGAECAAkFAlyxCEcCGwwACgkQX9+r5XenkO2rFAP/UgUJ3lYn9rKlnNwsgnqL
- c38c6BovdzOveiYt+21QBQ5HElhRI/gZkpIiNi8pze1laaRzduTOj/23rNM5i3Cg
- uJulPnMBGLx2s57EuevO34mml+A6pBUIe3ETJhtv8/L3XH5wiMzVEyuzIJuLBA4c
- tt+3WYpY9rNUVeuLcHVd7vQ=
- =/T8O
- -----END PGP PUBLIC KEY BLOCK-----
- [root@hostB ~]# scp hostB.pubkey root@192.168.172.134:/root/.gnupg/
- The authenticity of host '192.168.172.134 (192.168.172.134)' can't be established.
- ECDSA key fingerprint is SHA256:YNlH0VBV0kp4lAClVvfMWVx/bHcbKKHXQwyd13d+MME.
- ECDSA key fingerprint is MD5:8a:1c:3d:c2:04:b1:be:05:95:33:9e:16:e8:ad:6c:25.
- Are you sure you want to continue connecting (yes/no)? yes
- Warning: Permanently added '192.168.172.134' (ECDSA) to the list of known hosts.
- root@192.168.172.134's password:
- hostB.pubkey 100% 984 861.8KB/s 00:00
III. Hosts A and B each import the other's public key
1. Host A imports the public key
- [root@hostA .gnupg]# gpg --import hostB.pubkey # import hostB's public key
- gpg: key 77A790ED: public key "hostB" imported
- gpg: Total number processed: 1
- gpg: imported: 1 (RSA: 1)
- [root@hostA .gnupg]# gpg --list-key # list the public keys
- /root/.gnupg/pubring.gpg
- ------------------------
- pub 1024R/4B9A0B62 2019-04-12
- uid hostA
- sub 1024R/DD37BA59 2019-04-12
- pub 1024R/77A790ED 2019-04-12
- uid hostB
- sub 1024R/3108F051 2019-04-12
2. Host B imports the public key
- [root@hostB ~]# cd .gnupg/
- [root@hostB .gnupg]# gpg --import hostA.pubkey
- gpg: key 4B9A0B62: public key "hostA" imported
- gpg: Total number processed: 1
- gpg: imported: 1 (RSA: 1)
- [root@hostB .gnupg]# gpg --list-key
- /root/.gnupg/pubring.gpg
- ------------------------
- pub 1024R/77A790ED 2019-04-12
- uid hostB
- sub 1024R/3108F051 2019-04-12
- pub 1024R/4B9A0B62 2019-04-12
- uid hostA
- sub 1024R/DD37BA59 2019-04-12
IV. Test
1. On host A, encrypt a file asymmetrically and send it to host B
- [root@hostA data]# echo "hello,i am hostA"> file1
- [root@hostA data]# gpg -e -r hostB file1
- gpg: 3108F051: There is no assurance this key belongs to the named user
- pub 1024R/3108F051 2019-04-12 hostB
- Primary key fingerprint: 34E9 51E2 0720 1186 FC26 6BED 5FDF ABE5 77A7 90ED
- Subkey fingerprint: 57FD 2BBD D2B0 8EE4 9BCA 74A5 2091 0199 3108 F051
- It is NOT certain that the key belongs to the person named
- in the user ID. If you *really* know what you are doing,
- you may answer the next question with yes.
- Use this key anyway? (y/N) y
- [root@hostA data]# scp file1.gpg root@192.168.172.138:/data
- root@192.168.172.138's password:
- file1.gpg 100% 225 87.2KB/s 00:00
2. Decrypt the file and view its contents
- [root@hostB data]# gpg -o file1 file1.gpg
- gpg: encrypted with 1024-bit RSA key, ID 3108F051, created 2019-04-12
- "hostB"
- [root@hostB data]# cat file1
- hello,i am hostA
V. Removing keys
1. Remove a public key
- [root@hostA data]# gpg --delete-key hostB # delete hostB's public key
- gpg (GnuPG) 2.0.22; Copyright (C) 2013 Free Software Foundation, Inc.
- This is free software: you are free to change and redistribute it.
- There is NO WARRANTY, to the extent permitted by law.
- pub 1024R/77A790ED 2019-04-12 hostB
- Delete this key from the keyring? (y/N) y
- [root@hostA data]# gpg --list-key # list the keys; hostB is no longer present
- /root/.gnupg/pubring.gpg
- ------------------------
- pub 1024R/4B9A0B62 2019-04-12
- uid hostA
- sub 1024R/DD37BA59 2019-04-12
- [root@hostA ~]# ll .gnupg/
- total 40
- -rw------- 1 root root 649 Apr 13 05:48 192.168.172.138
- -rw------- 1 root root 7680 Apr 13 05:36 gpg.conf
- -rw-r--r-- 1 root root 984 Apr 13 06:02 hostA.pubkey
- -rw-r--r-- 1 root root 984 Apr 13 06:06 hostB.pubkey
- drwx------ 2 root root 6 Apr 13 05:37 private-keys-v1.d
- -rw------- 1 root root 649 Apr 13 06:32 pubring.gpg
- -rw------- 1 root root 1298 Apr 13 06:09 pubring.gpg~ # hostB's key has been removed, but it can still be restored from this file
- -rw------- 1 root root 600 Apr 13 06:15 random_seed
- -rw------- 1 root root 1313 Apr 13 05:37 secring.gpg
- srwxr-xr-x 1 root root 0 Apr 13 05:37 S.gpg-agent
- -rw------- 1 root root 1280 Apr 13 05:37 trustdb.gpg
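2. Delete your own public and private keys
To delete your own public key, you must first remove the private key
- [root@hostA ~]# gpg --delete-secret-key hostA # delete your own private key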
- gpg (GnuPG) 2.0.22; Copyright (C) 2013 Free Software Foundation, Inc.
- This is free software: you are free to change and redistribute it.
- There is NO WARRANTY, to the extent permitted by law.
- sec 1024R/4B9A0B62 2019-04-12 hostA
- Delete this key from the keyring? (y/N) y
- This is a secret key! - really delete? (y/N) y
- [root@hostA ~]# gpg --delete-key hostA # delete your own public key
- gpg (GnuPG) 2.0.22; Copyright (C) 2013 Free Software Foundation, Inc.
- This is free software: you are free to change and redistribute it.
- There is NO WARRANTY, to the extent permitted by law.
- pub 1024R/4B9A0B62 2019-04-12 hostA
- Delete this key from the keyring? (y/N) y
- [root@hostA ~]# rm -rf .gnupg/ # delete the /root/.gnupg directory
Source: http://blog.51cto.com/11886307/2378078