加密和安全

常见的加密算法有和协议有对称加密,公钥加密,单向加密和认证协议

对称加密

对称加密,在加密和解密时使用的是同一个密钥
常见的对称加密有:DES,3DES,AES,Blowfish,Twofish,IDEA,RC6,CAST5

对称密钥加密和解密的过程:

数据发送方A和数据接收方B在发送数据前先通过某种渠道约定好密钥,然后A将明文的数据使用对称密钥进行加密,然后将加密后的数据发送给B,B接受到数据后使用相同的密钥对数据进行解密然后获取相应的数据

通过上述的加密和解密过程可以了解到这种加密的方法有以以下这些特点:

1.数据加密和解密时使用同一组密钥
2.数据加密和机密时使用时间短效率高
3.将原始数据分割成固定大小的块,逐个进行加密

不难看出对称加密的缺点也是非常的明显:

1.密钥过多:每一个数据对应的都需要使用一个不同的密钥进行加密,产生过多的密钥
2.密钥分发:密钥在分发的过程种存在安全性问题
3.数据的来源无法确认:由于谁都能对数据加同一密钥所以数据的来源性无法确认

非对称加密

非对称加密的密钥是成对的出现的,其分为公钥和私钥
公钥(Public key):公开给所有人
私钥(Secret key):自己留存,必须保证其私密性
常见的非对称加密的算法有:RSA(加密,数字签名),DSA(数字签名),ELGaml

非对称加密的加解密和实现数字签名的过程:

数据的发送方A和接收方B各生成一队密钥:A方公钥Pa、私钥Sa,B方公钥Pb、私钥Sb
A方在传送明文数据前先使用自己的私钥(Sa)对数据进行加密,再使用B方的公钥(Pb)对加密后的数据再次加密,然后将数据传送给B,B方接受到数据后,先使用自己的私钥(Sb)对加密的数据进行解密,然后再使用A的公钥(Pa)再次对数据进行解密以此来确认数据确实是由A发送而来。

通过该流程可以发现非对称加密有以下特点:

用公钥加密的数据,只能由与之相对应的私钥进行解密,反之亦然。
通过其特性可以实现以下功能:
1.可以实现数字签名,让接受可以确认数据发送方的身份
2.可以实现对称密钥的交换,发送方可以使用对方的公钥加密一个对称密钥然后发送给对方
3.由于非对称加密的解密的时间比较长,所以只适合较小数据的加密

由此可见其缺点是非常明显的:

1.非对称密钥的长度非常的长。
2.非对称加密在解密时的效率非常的低下

单向散列(hash算法)

hash算法又叫数据摘要,这种算法无法被逆推,可以确保数据的完整性,确保数据没有被篡改,用来做完整性校验。hash算法类似于指纹。
常见算法: md5: 128bits、sha1: 160bits、sha224、sha256、sha384、sha512
示例:
将一窜字符定向给file1,然后对file1进行一系列操作并用md5sum进行提取指纹信息查看。

[root@centos7 ~]# echo abcdefg > file1
[root@centos7 ~]# md5sum file1                  
020861c8c3fe177da19a7e9539a5dbac  file1     #对刚创建的file1文件提取数据摘要
[root@centos7 ~]# cp file1 file2
[root@centos7 ~]# md5sum file2
020861c8c3fe177da19a7e9539a5dbac  file2     #复制file1命名为file2再提取数据摘要与file1做比较
[root@centos7 ~]# echo 1 >> file2
[root@centos7 ~]# md5sum file2
7f01eb26bac5f3a716b77cb702d85184  file2     #给file2添加点数据然后提取数据摘要再次和上一次的file2的数据摘要作比较

通过上述示例可以发现,文件名的改变对数据的摘要信息毫无影响,但当数据的内容发生改变时,所提取出来的数据摘要将发生天翻地覆的变法。数据的完整性校验就是通过此种方法来实现的。

所以单向散列有以下的特点:

1.任意长度输入,固定长度输出
2.若修改数据,指纹也会改变
3.无法从指纹中重新生成数据
根据其特点可以实现数据完整性这一功能。

数字签名

通过上述3种加密方法的特点,我们可以实现出一种既能进行加密又能确保解密高效性,并且缺保数据的完整性的方法,这种方法称为数字签名。

数字签名的实现方法:

发送数据发送方用hash算法从数据中生成数据摘要,然后用自己的私人密钥对这个摘要进行加密,这个加密后的摘要将作为数据数字签名和报文一起发送给接收方,接收方首先用与发送方一样的hash算法从接收到的原始数据中计算出数据摘要,接着再用发送方的公用密钥来对数据附加的数字签名进行解密,如果这两个摘要相同、那么接收方就能确认该数字签名是发送方的。

数字签名有两种功效:

1.能确定数据确实是由发送方签名并发出来的,因为别人假冒不了发送方的签名。
2.数字签名能确定数据的完整性。因为数字签名的特点是它代表了数据的特征,数据如果发生改变,数字摘要的值也将发生变化。不同的数据将得到不同的数字摘要。 一次数字签名涉及到一个hash算法、发送者的公钥、发送者的私钥。


非对称密钥实验

实验目的:

对文件进行非对称加解密

实验准备:

主机 OS IP
A CentOS7 192.168.172.134
B CentOS7 192.168.172.134

一、分别在2台主机上生成公钥和私钥

1.在主机A上生成公私钥

[root@hostA ~]# gpg --gen-key
gpg (GnuPG) 2.0.22; Copyright (C) 2013 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

gpg: directory `/root/.gnupg' created
gpg: new configuration file `/root/.gnupg/gpg.conf' created
gpg: WARNING: options in `/root/.gnupg/gpg.conf' are not yet active during this run
gpg: keyring `/root/.gnupg/secring.gpg' created
gpg: keyring `/root/.gnupg/pubring.gpg' created
Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
Your selection? 1                                   #选择所要生成的非对称密钥类型
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 1024               #先择密钥的长度
Requested keysize is 1024 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0)                               #指定密钥的有效期限
Key does not expire at all
Is this correct? (y/N) y                            #确认密钥有效期为永久有效

GnuPG needs to construct a user ID to identify your key.

Real name: hostA                                    #输入非对称密钥所对应的主机名
Email address: 
Comment: 
You selected this USER-ID:
    "hostA"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o   #确认密钥信息
You need a Passphrase to protect your secret key.

You don't want a passphrase - this is probably a *bad* idea!
I will do it anyway.  You can change your passphrase at any time,
using this program with the option "--edit-key".

We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: key 4B9A0B62 marked as ultimately trusted
public and secret key created and signed.

gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
pub   1024R/4B9A0B62 2019-04-12
      Key fingerprint = E128 AD1F E1D5 5B0D C66C  FD45 4786 0C63 4B9A 0B62
uid                  hostA
sub   1024R/DD37BA59 2019-04-12

#非对称密生成完毕
[root@hostA ~]# cd .gnupg/
[root@hostA .gnupg]# ll
total 28
-rw------- 1 root root 7680 Apr 13 05:36 gpg.conf
drwx------ 2 root root    6 Apr 13 05:37 private-keys-v1.d
-rw------- 1 root root  649 Apr 13 05:37 pubring.gpg        #公钥文件
-rw------- 1 root root  649 Apr 13 05:37 pubring.gpg~       #公钥的备份
-rw------- 1 root root  600 Apr 13 05:37 random_seed
-rw------- 1 root root 1313 Apr 13 05:37 secring.gpg        #私钥文件
srwxr-xr-x 1 root root    0 Apr 13 05:37 S.gpg-agent
-rw------- 1 root root 1280 Apr 13 05:37 trustdb.gpg

2.B主机上生成公私钥

[root@hostB ~]# gpg --gen-key
gpg (GnuPG) 2.0.22; Copyright (C) 2013 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

gpg: directory `/root/.gnupg' created
gpg: new configuration file `/root/.gnupg/gpg.conf' created
gpg: WARNING: options in `/root/.gnupg/gpg.conf' are not yet active during this run
gpg: keyring `/root/.gnupg/secring.gpg' created
gpg: keyring `/root/.gnupg/pubring.gpg' created
Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
Your selection? 1
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 1024
Requested keysize is 1024 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 
Key does not expire at all
Is this correct? (y/N) y

GnuPG needs to construct a user ID to identify your key.

Real name: hostB
Email address: 
Comment: 
You selected this USER-ID:
    "hostB"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
You need a Passphrase to protect your secret key.

You don't want a passphrase - this is probably a *bad* idea!
I will do it anyway.  You can change your passphrase at any time,
using this program with the option "--edit-key".

We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: key 77A790ED marked as ultimately trusted
public and secret key created and signed.

gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
pub   1024R/77A790ED 2019-04-12
      Key fingerprint = 34E9 51E2 0720 1186 FC26  6BED 5FDF ABE5 77A7 90ED
uid                  hostB
sub   1024R/3108F051 2019-04-12

[root@hostB ~]# ll .gnupg/
total 28
-rw------- 1 root root 7680 Apr 13 05:50 gpg.conf
drwx------ 2 root root    6 Apr 13 05:50 private-keys-v1.d
-rw------- 1 root root  649 Apr 13 05:51 pubring.gpg
-rw------- 1 root root  649 Apr 13 05:51 pubring.gpg~
-rw------- 1 root root  600 Apr 13 05:51 random_seed
-rw------- 1 root root 1313 Apr 13 05:51 secring.gpg
srwxr-xr-x 1 root root    0 Apr 13 05:50 S.gpg-agent
-rw------- 1 root root 1280 Apr 13 05:51 trustdb.gpg
公私钥文件已生成

二、主机A、B互换公钥文件

1导出主机A公钥发送给B

[root@hostA .gnupg]# gpg -a --export -o hostA.pubkey        #导出公钥文件。
[root@hostA .gnupg]# cat hostA.pubkey 
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v2.0.22 (GNU/Linux)

mI0EXLEFGgEEALt/ZGwt9ZnkvzI0Ah0DJMFqYPbeTfLWtckiL/tKdkQShaA8pTqS
ckAdeKRY1NRskKsInek3dD+V32n3PG8tTF8ZIQ6TpK8PgB/E+fKH2ftFQFchU+F8
2lsJ0VKf7ILQ6Yre4mVeGo4HCwrJg+E6gEPspaajCyB4BIgApNzqmxNVABEBAAG0
BWhvc3RBiLkEEwECACMFAlyxBRoCGwMHCwkIBwMCAQYVCAIJCgsEFgIDAQIeAQIX
gAAKCRBHhgxjS5oLYj3RBACFK1NjY29XFnu2ZqpM6bSLLp5sf7fbKvUTUEhitXSo
LB607v88KZoUFdcSQf9v+02KytzC1usW8P0NlevhwCJSRpcaO29GyXKnN07jsQAG
J2TUDR91hgcFZ/j2mcZal+WlgwSQr0Skv4GojTpme/n00DVbZzGGL7QBiTH/45AZ
pbiNBFyxBRoBBAC+rfAizsp3qturv4QXwjguar9HuXWffap7nFaQKUAC8S+a2EyG
RcBvWci0sNXx9HJE4/61ExPF84TR4uc8fRkzWYb6sfPGwBxDFH5e9igPifwyEuqk
QPO3eezRX5bNwLMSXyesUFCeJZ3Qy6BYV6S8vDJbjj6RYwWlLRUJv4rlHwARAQAB
iJ8EGAECAAkFAlyxBRoCGwwACgkQR4YMY0uaC2IkvwP/ckneRcvcYqTCeINVPlqD
ltUC3jn5U1Nu/dZKwt15R7l68Qr0ARBO8SuLlMH7wjBQ/c6grwohfdcXCqZN2gVq
wWl2yamOpeOD4EqwnvaPGtP8t9j2gwGvM905NJRng8Ep+IOlqlNeljKjICLyNzmj
rkRjxcSdDrQgIYZgH84hXZU=
=4MIm
-----END PGP PUBLIC KEY BLOCK-----
[root@hostA .gnupg]# scp hostA.pubkey root@192.168.172.138:/root/.gnupg
The authenticity of host '192.168.172.138 (192.168.172.138)' can't be established.
ECDSA key fingerprint is SHA256:YNlH0VBV0kp4lAClVvfMWVx/bHcbKKHXQwyd13d+MME.
ECDSA key fingerprint is MD5:8a:1c:3d:c2:04:b1:be:05:95:33:9e:16:e8:ad:6c:25.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.172.138' (ECDSA) to the list of known hosts.
root@192.168.172.138's password: 
hostA.pubkey                                         100%  984   808.9KB/s   00:00    

2导出主机B公钥发送给A

[root@hostB ~]# gpg -a --export -o hostB.pubkey
[root@hostB ~]# cat hostB.pubkey
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v2.0.22 (GNU/Linux)

mI0EXLEIRwEEAJwjA3oD/GMvu7WvBfp6ZOaRnLxkebI0nVQt5PFOukiDxKDMtn4L
dcuja0JlP4F/MJpxx2pacuNODG/gV1Tu+5iOzxp1+/xJXrWjh0e+MCk3ubivQ5gj
L9TOSbePb/gzRR89F2BexKq6dkVYgiWUZ0205p/qBOMT49Xos9JQ02qlABEBAAG0
BWhvc3RCiLkEEwECACMFAlyxCEcCGwMHCwkIBwMCAQYVCAIJCgsEFgIDAQIeAQIX
gAAKCRBf36vld6eQ7Xb7A/4kpjrW/JC14J0ZuMggFoI340ZZUOlT2f7JKvS+bAQK
FXOgko6RblHo3PdaD+SimHDhzWibr0q05jpT0OlFP9PphgNfzBaUla/9v4heXcA5
Rsg+J7Z5dbblz4Fe9Hn6uuFJX6PEV00SCVZ1JBOesj4JZuufNTpU09iC8gkl2ntj
YLiNBFyxCEcBBACx6zvb6aH3mybpyqR2kdke0sAsof9sPVrv2UeHS5SSLe2qk38V
GmTwuqLhkvhWrPX9jZza17uauWHItjLl2Xx6VKul4pUA9EPih9rOWTsmHQPhEUnW
ZYVgt50Xn4YOjDaQiislS+AuR3XxeD4eaBtRatzMMQO/ibRV4EWXx6JLvQARAQAB
iJ8EGAECAAkFAlyxCEcCGwwACgkQX9+r5XenkO2rFAP/UgUJ3lYn9rKlnNwsgnqL
c38c6BovdzOveiYt+21QBQ5HElhRI/gZkpIiNi8pze1laaRzduTOj/23rNM5i3Cg
uJulPnMBGLx2s57EuevO34mml+A6pBUIe3ETJhtv8/L3XH5wiMzVEyuzIJuLBA4c
tt+3WYpY9rNUVeuLcHVd7vQ=
=/T8O
-----END PGP PUBLIC KEY BLOCK-----     
[root@hostB ~]# scp hostB.pubkey root@192.168.172.134:/root/.gnupg/
The authenticity of host '192.168.172.134 (192.168.172.134)' can't be established.
ECDSA key fingerprint is SHA256:YNlH0VBV0kp4lAClVvfMWVx/bHcbKKHXQwyd13d+MME.
ECDSA key fingerprint is MD5:8a:1c:3d:c2:04:b1:be:05:95:33:9e:16:e8:ad:6c:25.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.172.134' (ECDSA) to the list of known hosts.
root@192.168.172.134's password: 
hostB.pubkey                                         100%  984   861.8KB/s   00:00  

三、主机A、B分别导入公钥

1.主机A导入公钥

[root@hostA .gnupg]# gpg --import hostB.pubkey           #导入hostB的公钥
gpg: key 77A790ED: public key "hostB" imported
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)
[root@hostA .gnupg]# gpg --list-key                      #查看公钥列表
/root/.gnupg/pubring.gpg
------------------------
pub   1024R/4B9A0B62 2019-04-12
uid                  hostA
sub   1024R/DD37BA59 2019-04-12

pub   1024R/77A790ED 2019-04-12
uid                  hostB
sub   1024R/3108F051 2019-04-12

2.主机B导入公钥

[root@hostB ~]# cd .gnupg/
[root@hostB .gnupg]# gpg --import hostA.pubkey 
gpg: key 4B9A0B62: public key "hostA" imported
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)
[root@hostB .gnupg]# gpg --list-key 
/root/.gnupg/pubring.gpg
------------------------
pub   1024R/77A790ED 2019-04-12
uid                  hostB
sub   1024R/3108F051 2019-04-12

pub   1024R/4B9A0B62 2019-04-12
uid                  hostA
sub   1024R/DD37BA59 2019-04-12

四、测试

1.使用主机A对文件进行非对称加密,发送给主机B

[root@hostA data]# echo "hello,i am hostA" > file1
[root@hostA data]# gpg -e -r hostB file1
gpg: 3108F051: There is no assurance this key belongs to the named user

pub  1024R/3108F051 2019-04-12 hostB
 Primary key fingerprint: 34E9 51E2 0720 1186 FC26  6BED 5FDF ABE5 77A7 90ED
      Subkey fingerprint: 57FD 2BBD D2B0 8EE4 9BCA  74A5 2091 0199 3108 F051

It is NOT certain that the key belongs to the person named
in the user ID.  If you *really* know what you are doing,
you may answer the next question with yes.

Use this key anyway? (y/N) y
[root@hostA data]# scp file1.gpg root@192.168.172.138:/data
root@192.168.172.138's password: 
file1.gpg                                            100%  225    87.2KB/s   00:00    

2.解密查看其中内容

[root@hostB data]# gpg -o file1 file1.gpg 
gpg: encrypted with 1024-bit RSA key, ID 3108F051, created 2019-04-12
      "hostB"
[root@hostB data]# cat file1
hello,i am hostA

五、关于清除密钥

1.清除公钥

[root@hostA data]# gpg --delete-key hostB             #删除hostB的公钥
gpg (GnuPG) 2.0.22; Copyright (C) 2013 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

pub  1024R/77A790ED 2019-04-12 hostB

Delete this key from the keyring? (y/N) y

[root@hostA data]# gpg --list-key                     #查看密钥列表此时已经没有hostB了
/root/.gnupg/pubring.gpg
------------------------
pub   1024R/4B9A0B62 2019-04-12
uid                  hostA
sub   1024R/DD37BA59 2019-04-12

[root@hostA ~]# ll .gnupg/
total 40
-rw------- 1 root root  649 Apr 13 05:48 192.168.172.138
-rw------- 1 root root 7680 Apr 13 05:36 gpg.conf
-rw-r--r-- 1 root root  984 Apr 13 06:02 hostA.pubkey
-rw-r--r-- 1 root root  984 Apr 13 06:06 hostB.pubkey
drwx------ 2 root root    6 Apr 13 05:37 private-keys-v1.d
-rw------- 1 root root  649 Apr 13 06:32 pubring.gpg
-rw------- 1 root root 1298 Apr 13 06:09 pubring.gpg~             #hostB的密钥虽然被清除但是仍可以用此文件恢复
-rw------- 1 root root  600 Apr 13 06:15 random_seed
-rw------- 1 root root 1313 Apr 13 05:37 secring.gpg
srwxr-xr-x 1 root root    0 Apr 13 05:37 S.gpg-agent
-rw------- 1 root root 1280 Apr 13 05:37 trustdb.gpg

2.删除自己的公钥和私钥
要删除自己的公钥必须先清除私钥

[root@hostA ~]# gpg --delete-secret-key hostA                  #删除自己的私钥
gpg (GnuPG) 2.0.22; Copyright (C) 2013 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

sec  1024R/4B9A0B62 2019-04-12 hostA

Delete this key from the keyring? (y/N) y
This is a secret key! - really delete? (y/N) y
[root@hostA ~]# gpg --delete-key hostA                         #删除自己的私钥
gpg (GnuPG) 2.0.22; Copyright (C) 2013 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

pub  1024R/4B9A0B62 2019-04-12 hostA

Delete this key from the keyring? (y/N) y
[root@hostA ~]# rm -rf .gnupg/                                 #将/root/.gnupg目录删除