1、简述常见加密算法及常见加密算法原理,最好使用图例解说
密钥算法和协议
openssl
- 分为三部分
- 加密解密库 libencrypt
- 安全通信库 libssl
- 命令行工具 openssl
加密系统和协议
对称加密
- DES Data Encryption Standard 64位,已经破解
- 3DES
- AES Advanced Encryption Standard 128 192 256 384位
- 其他:blowfish twofish idea rc6 casts
- 特点:
- 缺陷:
公钥加密
- 公钥:从私钥中提取
- 私钥:使用者留存
- 特点:用公钥加密,配对私钥解密
- 用途:数字签名,身份确认,密钥交换,数据加密
- 过程:
- 1.加密方利用单向加密提取数据特征码
- 2.加密方使用自己的私钥加密附在后面
- 3.加密方生成临时的对称密钥,加密整段数据
- 4.加密方获取解密方的公钥并加密后附在后面
- 5.发送给解密方
- 6.解密方用自己的私钥解密
- 7.解密方使用对称密钥解密
- 8.解密方获取加密方的公钥解密,完成身份认证
- 9.解密方单向加密提取数据特征码比对,查看完整性
- 缺陷:中间人攻击
- 解决:双方通过CA证书颁发机构获取对方的公钥,此CA可以吊销
- 算法:RSA 可以签名和加解密,DSA只能签名
单向加密
- 只能加密,不能解密,用来提取数据特征码进行完整性认证
- 定长输出,雪崩效应
- 算法:md5,sha160,sha224,sha256,sha384,sha512
密钥交换
2、搭建apache或者nginx并使用自签证书实现https访问,自签名证书的域名自拟
+ 1.CA服务器生成私钥
[root@center ~]# cd /etc/pki/CA/
[root@center CA]# (umask 077; openssl genrsa 1024 > /etc/pki/CA/private/cakey.pem)
Generating RSA private key, 1024 bit long modulus
.....................................................................................................++++++
......++++++
e is 65537 (0x10001)
[root@center CA]# ll private/
total 4
-rw------- 1 root root 891 Jul 29 22:54 cakey.pem
+ 2.CA服务器生成自签证书
[root@center CA]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 365 You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:GUANGDONG
Locality Name (eg, city) [Default City]:GUANGZHOU
Organization Name (eg, company) [Default Company Ltd]:xlc
Organizational Unit Name (eg, section) []:devops
Common Name (eg, your name or your server's hostname) []:ca.xlc.com
Email Address []:
[root@center CA]# ll
total 4
-rw-r--r-- 1 root root 973 Jul 29 22:57 cacert.pem
drwxr-xr-x. 2 root root 6 Apr 11 12:58 certs
drwxr-xr-x. 2 root root 6 Apr 11 12:58 crl
drwxr-xr-x. 2 root root 6 Apr 11 12:58 newcerts
drwx------. 2 root root 23 Jul 29 22:54 private
+ 3.CA服务器生成目录和文件
[root@center CA]# touch index.txt
[root@center CA]# ll
total 8
-rw-r--r-- 1 root root 973 Jul 29 22:57 cacert.pem
drwxr-xr-x. 2 root root 6 Apr 11 12:58 certs
drwxr-xr-x. 2 root root 6 Apr 11 12:58 crl
-rw-r--r-- 1 root root 0 Jul 29 23:00 index.txt
drwxr-xr-x. 2 root root 6 Apr 11 12:58 newcerts
drwx------. 2 root root 23 Jul 29 22:54 private
-rw-r--r-- 1 root root 3 Jul 29 23:00 serial
+ 4.httpd服务器创建私钥
[root@web1 httpd]# cd /etc/httpd/
[root@web1 httpd]# mkdir ssl
[root@web1 httpd]# ll
total 0
drwxr-xr-x 2 root root 37 Jul 29 22:16 conf
drwxr-xr-x 2 root root 255 Jul 29 22:46 conf.d
drwxr-xr-x 2 root root 165 Jul 29 22:43 conf.modules.d
lrwxrwxrwx 1 root root 19 Jul 28 11:49 logs -> ../../var/log/httpd
lrwxrwxrwx 1 root root 29 Jul 28 11:49 modules -> ../../usr/lib64/httpd/modules
lrwxrwxrwx 1 root root 10 Jul 28 11:49 run -> /run/httpd
drwxr-xr-x 2 root root 6 Jul 29 23:02 ssl
[root@web1 httpd]# (umask 077; openssl genrsa 1024 > /etc/httpd/ssl/httpd_key.pem)
Generating RSA private key, 1024 bit long modulus
...............++++++
.++++++
e is 65537 (0x10001)
[root@web1 httpd]# ll ssl
total 4
-rw------- 1 root root 887 Jul 29 23:03 httpd_key.pem
+ 5.httpd服务器生成请求证书
[root@web1 httpd]# openssl req -new -key /etc/httpd/ssl/httpd_key.pem -out /etc/httpd/ssl/httpd_csr.pem -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:GUANGDONG
Locality Name (eg, city) [Default City]:GUANGZHOU
Organization Name (eg, company) [Default Company Ltd]:xlc
Organizational Unit Name (eg, section) []:devops
Common Name (eg, your name or your server's hostname) []:www.xlc.com
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@web1 httpd]# ll ssl
total 8
-rw-r--r-- 1 root root 655 Jul 29 23:07 httpd_csr.pem
-rw------- 1 root root 887 Jul 29 23:03 httpd_key.pem
+ 6.http服务器将csr请求发送给ca主机
[root@web1 httpd]# scp -P 37777 ssl/httpd_csr.pem xlc@192.168.1.9:~/
xlc@192.168.1.9's password:
httpd_csr.pem 100% 655 275.9KB/s 00:00
[root@center CA]# mv /home/xlc/httpd_csr.pem /etc/pki/CA/certs/
[root@center CA]# ll /etc/pki/CA/certs/
total 4
-rw-r--r-- 1 xlc xlc 655 Jul 29 23:11 httpd_csr.pem
[root@center CA]# chown root:root /etc/pki/CA/certs/httpd_csr.pem
[root@center CA]# ll /etc/pki/CA/certs/
total 4
-rw-r--r-- 1 root root 655 Jul 29 23:11 httpd_csr.pem
+ 7.CA主机上将csr签证为crt
[root@center CA]# openssl ca -in /etc/pki/CA/certs/httpd_csr.pem -out /etc/pki/CA/certs/httpd_crt.pem -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Jul 29 15:16:20 2018 GMT
Not After : Jul 29 15:16:20 2019 GMT
Subject:
countryName = CN
stateOrProvinceName = GUANGDONG
organizationName = xlc
organizationalUnitName = devops
commonName = www.xlc.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
AC:23:F3:AA:82:30:85:DF:33:CB:FB:8B:99:40:FE:97:77:27:35:19
X509v3 Authority Key Identifier:
keyid:1D:46:AF:3A:D4:63:84:11:CC:40:B1:E2:D1:B1:93:C4:3C:6A:6B:B4
Certificate is to be certified until Jul 29 15:16:20 2019 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@center CA]# ll certs/
total 8
-rw-r--r-- 1 root root 3078 Jul 29 23:16 httpd_crt.pem
-rw-r--r-- 1 root root 655 Jul 29 23:11 httpd_csr.pem
+ 8.CA主机将crt签证颁发给httpd服务器
[root@center CA]# scp -P 37777 certs/httpd_crt.pem xlc@192.168.1.11:~/
The authenticity of host '[192.168.1.11]:37777 ([192.168.1.11]:37777)' can't be established.
ECDSA key fingerprint is SHA256:wzY0qfeE6RuadsJGxl4+808KAv7mKRR8sbdXEFIYZOc.
ECDSA key fingerprint is MD5:78:f2:b3:f9:e7:4c:1e:5e:06:46:c6:64:35:37:97:a0.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[192.168.1.11]:37777' (ECDSA) to the list of known hosts.
xlc@192.168.1.11's password:
httpd_crt.pem 100% 3078 919.8KB/s 00:00
[root@web1 httpd]# mv /home/xlc/httpd_crt.pem ssl/
[root@web1 httpd]# ll ssl/
total 12
-rw-r--r-- 1 xlc xlc 3078 Jul 29 23:19 httpd_crt.pem
-rw-r--r-- 1 root root 655 Jul 29 23:07 httpd_csr.pem
-rw------- 1 root root 887 Jul 29 23:03 httpd_key.pem
[root@web1 httpd]# chown root:root ssl/httpd_crt.pem
[root@web1 httpd]# ll ssl
total 12
-rw-r--r-- 1 root root 3078 Jul 29 23:19 httpd_crt.pem
-rw-r--r-- 1 root root 655 Jul 29 23:07 httpd_csr.pem
-rw------- 1 root root 887 Jul 29 23:03 httpd_key.pem
+ 9.修改ssl.conf
DocumentRoot "/home/www"
ServerName www.xlc.com:443
DirectoryIndex index.html
<Directory "/home/www">
Options None
AllowOverride None
Require all granted
</Directory>
<location /server-status>
SetHandler server-status
<RequireAll>
Require ip 192.168.1.3
</RequireAll>
</location>
SSLCertificateFile /etc/httpd/ssl/httpd_crt.pem
SSLCertificateKeyFile /etc/httpd/ssl/httpd_key.pem
+ 10.重启服务
[root@web1 conf.d]# httpd -t
Syntax OK
[root@web1 conf.d]# !sys
systemctl restart httpd.service
[root@web1 conf.d]# ss -tnl
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 192.168.1.11:37777 *:*
LISTEN 0 100 127.0.0.1:25 *:*
LISTEN 0 128 :::443 :::*
LISTEN 0 128 :::80 :::*
LISTEN 0 100 ::1:25 :::*
+ 11.浏览器从授权中心导入CA证书
+ 将cacert.pem导入受信任的根证书颁发机构
3、简述DNS服务器原理,并搭建主-辅服务器
域名解析原理
- 客户机先查找本地的host文件
- 客户机查找本地的dns缓存记录
- 客户机根据指定的dns运营商地址,将解析请求发送给对方
- dns运营商以递归的方式向上转发请求
- dns运营商将请求发送给根服务器
- 根将请求发送给一级域名服务器,以迭代的方式向下查询
- 一级域名服务器发送给二级域名服务器
- 最终的域名服务器找到结果发送给运营商dns
- 运营商dns记录在自己的数据库中,并将结果返给客户端
正向解析和反向解析
- 名称到ip是正向解析,为A记录
- ip到名称是反向解析,为PTR记录
域名服务商
主副dns服务器
- 主dns可以随时改变
- 副dns根据主dns随时同步
- 主从可以负载
- 序列号:数据库版本号 serial
- 刷新时间间隔:refresh
- 重试时间间隔:retry
- 过期时长:expire
- 主服务器也可以通知从服务器随时同步数据
- 同步方式:全量,增量
其他概念
- 区域zone
- 域名domain 有正向区域和反向区域
区域数据库文件
- 资源记录:rr
- A:address
- AAAA:address ipv6
- PTR:反向解析
- SOA:起始授权
- NS:name service 域名解析
- CNAME:canonical name 别名
- MX: mail exchange 邮件交换 0-99 数字越小优先级越小
语法格式
- name [ttl] IN RR_TYPE value
- SOA必须要有,且放第一条
- SOA的value 包括
- 区域名称
- 管理员邮箱地址,不能@,点代替
- (serial;refresh;retry;expire;negtive answer ttl) HMWD
- ttl 可以继承
- 最后要加.
- @表示区域
- 相邻name,相同记录可以省略name
配置从dns
[root@python ~]# tail -6 /etc/named.rfc1912.zones
zone "xlc.com" IN {
type slave;
file "slaves/xlc.com.zone";
masters { 192.168.1.9; };
};
- 主服务器:
- 确保从服务器有ns记录,并a记录
- 修改后serial +1并重载配置
- 手工传送:dig -t axfr 域名
- 保证时间相同ntpdate
[root@center ~]# cat /var/named/xlc.com.zone
$TTL 3600
$ORIGIN xlc.com.
@ IN SOA ns1.xlc.com. admin.xlc.com. (
20180727
1H
10M
3D
1D
)
IN NS ns1
IN NS ns2
IN MX 10 mx1
IN MX 10 mx2
ns1 IN A 192.168.1.9
ns2 IN A 192.168.1.10
www IN A 192.168.1.9
www IN A 192.168.1.10
web IN CNAME www
mx1 IN A 192.168.1.9
mx2 IN A 192.168.1.10
4、搭建并实现智能DNS
view "internal" {
match-clients { 10.0.0.0/25; };
zone "" {
type
file
};
};
