Linux加密和安全
墨菲定律:一種心理學效應,是由愛德華·墨菲(Edward A. Murphy)提出的,原話:如果有兩種或兩種以上的方式去做某件事情,而其中一種選擇方式將導致災難,則必定有人會做出這種選擇
主要內容:
任何事都沒有表面看起來那麽簡單
所有的事都會比你預計的時間長
會出錯的事總會出錯
如果你擔心某種情況發生,那麽它就更有可能發生
安全機制
1、信息安全防護的目標:
保密性 Confidentiality
完整性 Integrity
數據不能被串改,要保證數據的完整性
可用性 Usability
讓系統一直處於穩定可用狀態
可控制性 Controlability
系統要處於可控制的範圍內不可否認性 Non-repudiation
否定事情的正確性
2、安全防護環節:
物理安全:各種設備/主機、機房環境
系統安全:主機或設備的操作系統
應用安全:各種網絡服務、應用程序
網絡安全:對網絡訪問的控制、防火墻規則
數據安全:信息的備份與恢復、加密解密管理安全:各種保障性的規範、流程、方法
安全防護
安全×××: STRIDE
Spoofing 假冒
Tampering 篡改
Repudiation 否認
Information Disclosure 信息泄漏
Denial of Service 拒絕服務
Elevation of Privilege 提升權限
安全設計基本原則:
使用成熟的安全系統
以小人之心度輸入數據
外部系統是不安全的
最小授權
減少外部接口
缺省使用安全模式
安全不是似是而非
從STRIDE思考
在入口處檢查
從管理上保護好你的系統
安全算法
常用安全技術
認證
授權
審計
安全通信
在通信的過程中,要保證信息的安全
密碼算法和協議
對稱加密
公鑰加密
單向加密
認證協議
最早的加密算法
凱撒密碼
加密思想是在當前字母往後移三位,比如說:LOVE,ORYH,如果最後一位是Z的話繼續轉圈回來從A開始繼續往下走
對稱加密算法
對稱加密:加密和解密使用同一個密鑰
DES:Data Encryption Standard,56bits
3DES:相對於DES的三倍加密方式
AES:Advanced (128, 192, 256bits)
Blowfish,Twofish
IDEA,RC6,CAST5
特性:
1、加密、解密使用同一個密鑰,效率高
2、將原始數據分割成固定大小的塊,逐個進行加密
缺陷:
1、密鑰過多
2、密鑰分發
3、數據來源無法確認
算法的幾個要求:
1、公鑰可以公開
2、key
算法和密鑰配合起來一塊使用,密鑰不公開,保證用不同的密鑰結合相同算法加密出來的結果是破解不了的
非對稱加密算法
公鑰加密:密鑰是成對出現
公鑰:公開給所有人;public key
私鑰:自己留存,必須保證其私密性;secret key
特點:
用公鑰加密數據,只能使用與之配對的私鑰解密;反之亦然
功能:
數字簽名:主要在於讓接收方確認發送方身份
對稱密鑰交換:發送方用對方的公鑰加密一個對稱密鑰後發送給對方
數據加密:適合加密較小數據
缺點:
密鑰長,加密解密效率低下
算法:
RSA(加密,數字簽名)
DSA(數字簽名)
ELGamal
基於一對公鑰/密鑰對
用密鑰對中的一個加密,另一個解密
實現加密:
接收者
生成公鑰/密鑰對:P和S
公開公鑰P,保密密鑰S
發送者
使用接收者的公鑰來加密消息M
將P(M)發送給接收者
接收者
使用密鑰S來解密:M=S(P(M))
結合簽名和加密
分離簽名
單向散列
將任意數據縮小成固定大小的“指紋”
任意長度輸入
固定長度輸出
若修改數據,指紋也會改變(“不會產生沖突”)
無法從指紋中重新生成數據(“單向”)
功能:
數據完整性
常見算法
md5: 128bits、sha1: 160bits、sha224 、sha256、sha384、sha512
常用工具
md5sum | sha1sum [ --check ] file
openssl、gpg
rpm -V
數字簽名
密鑰交換
密鑰交換: IKE( Internet Key Exchange )
公鑰加密:
DH (Deffie-Hellman):生成會話密鑰,由惠特菲爾德·迪菲(Bailey Whitfield Diffie)和馬丁·赫爾曼(Martin Edward Hellman)在1976年發表
參看:https://en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exchange
DH:
A: g,p 協商生成公開的整數g, 大素數p
B: g,p
A:生成隱私數據 :a (a<p ),計算得出 g^a%p,發送給B
B:生成隱私數據 :b,計算得出 g^b%p,發送給A
A:計算得出 [(g^b%p)^a] %p = g^ab%p,生成為密鑰
B:計算得出 [(g^a%p)^b] %p = g^ab%p,生成為密鑰
應用程序:RPM
文件完整性的兩種實施方式
被安裝的文件
MD5單向散列
rpm --verify package_name (or -V)
發行的軟件包文件
GPG公鑰簽名
rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat*
rpm --checksig pakage_file_name (or -K)
使用gpg實現對稱加密
對稱加密file文件
gpg -c file
ls file.gpg
[root@node1 /data]#gpg -c fstab
在另一臺主機上解密file
gpg -o file -d file.gpg
[root@node2 /app]#gpg -o f1 -d fstab.gpg
使用gpg工具實現公鑰加密
在hostB主機上用公鑰加密,在hostA主機上解密
在hostA主機上生成公鑰/私鑰對
gpg --gen-key
在hostA主機上查看公鑰
gpg --list-keys
在hostA主機上導出公鑰到cobbler.pubkey
gpg -a --export -o cobbler.pubkey
從hostA主機上復制公鑰文件到需加密的B主機上
scp cobbler.pubkey hostB:
在需加密數據的hostB主機上生成公鑰/私鑰對
gpg --list-keys
gpg --gen-key
在hostB主機上導入公鑰
gpg --import cobbler.pubkey
gpg --list-keys
用從hostA主機導入的公鑰,加密hostB主機的文件file,生成file.gpg
gpg -e -r cobbler file
file file.gpg
復制加密文件到hostA主機
scp fstab.gpg hostA:
在hostA主機解密文件
gpg -d file.gpg
gpg -o file -d file.gpg
刪除公鑰和私鑰
gpg --delete-keys cobbler
gpg --delete-secret-keys cobbler
gpg加密實驗
[root@node1 /data]#gpg --gen-key
gpg (GnuPG) 2.0.22; Copyright (C) 2013 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
gpg: keyring `/root/.gnupg/secring.gpg‘ created
Please select what kind of key you want:
(1) RSA and RSA (default)
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
Your selection?
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 1024
Requested keysize is 1024 bits
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0) 0
Key does not expire at all
Is this correct? (y/N) y
GnuPG needs to construct a user ID to identify your key.
Real name: cobbler
Email address: [email protected]
Comment: test
You selected this USER-ID:
"cobbler (test) <[email protected]>"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: key FD4CFEF9 marked as ultimately trusted
public and secret key created and signed.
gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
pub 1024R/FD4CFEF9 2018-09-12
Key fingerprint = 3D2D 3674 D945 1271 919B 2671 9229 A6E0 FD4C FEF9
uid cobbler (test) <[email protected]>
sub 1024R/7CD048CE 2018-09-12
在/root/.gnupg
[root@node1 ~/.gnupg]#ll
total 28
-rw------- 1 root root 7680 Sep 12 21:13 gpg.conf
drwx------ 2 root root 6 Sep 12 21:13 private-keys-v1.d
-rw------- 1 root root 1872 Sep 12 21:42 pubring.gpg
-rw------- 1 root root 1872 Sep 12 21:42 pubring.gpg~
-rw------- 1 root root 600 Sep 12 21:42 random_seed
-rw------- 1 root root 3838 Sep 12 21:42 secring.gpg
srwxr-xr-x 1 root root 0 Sep 12 21:28 S.gpg-agent
-rw------- 1 root root 1360 Sep 12 21:42 trustdb.gpg
查看生成的公鑰
[root@node1 ~/.gnupg]#gpg --list-key
/root/.gnupg/pubring.gpg
------------------------
pub 1024R/FD4CFEF9 2018-09-12
uid cobbler (test) <[email protected]>
sub 1024R/7CD048CE 2018-09-12
到處為易讀的格式傳給對方
[root@node3 ~]]#gpg -a --export -o cobbler.pubkey
導入客戶端的公鑰
[root@node1 ~/.gnupg]#gpg --import /data/cobbler.pubkey
gpg: key A24FC96C: public key "cobbler" imported
gpg: Total number processed: 1
gpg: imported: 1 (RSA: 1)
查看當前機器上的所有公鑰
[root@node1 ~/.gnupg]#gpg --list-key
使用cobbler的公鑰加密
[root@node1 /data]#gpg -e -r cobbler fstab
gpg: 98C7C0F4: There is no assurance this key belongs to the named user
pub 2048R/98C7C0F4 2018-09-12 cobbler
Primary key fingerprint: 6FB7 75D3 2534 B4F8 7E1C 4FD2 DCEF 398E A24F C96C
Subkey fingerprint: EE01 7CF1 D62D A366 7C15 D36A 0043 0625 98C7 C0F4
It is NOT certain that the key belongs to the person named
in the user ID. If you *really* know what you are doing,
you may answer the next question with yes.
Use this key anyway? (y/N) y
查看剛加密的文件
[root@node1 /data]#ll
total 16
-rw-r--r-- 1 root root 1683 Sep 12 22:23 cobbler.pubkey
-rw-r--r-- 1 root root 541 Sep 12 21:13 fstab
-rw-r--r-- 1 root root 609 Sep 12 22:32 fstab.gpg
-rw-r--r-- 1 root root 316 Sep 12 21:13 fstab.gpg.bak
把加密好的文件傳給客戶端然後通過客戶端的私鑰解密
[root@node1 /data]#scp fstab.gpg 172.20.7.53:/data
客戶端解密的時候不用需要再輸入密碼來解密了自動解密,
[root@node3 /data]]#gpg -d fstab.gpg
gpg: encrypted with 2048-bit RSA key, ID 98C7C0F4, created 2018-09-12
"cobbler"
#
# /etc/fstab
# Created by anaconda on Wed Jul 18 20:40:37 2018
#
# Accessible filesystems, by reference, are maintained under ‘/dev/disk‘
# See man pages fstab(5), findfs(8), mount(8) and/or blkid(8) for more info
#
/dev/mapper/centos-root / xfs defaults 0 0
UUID=3d4ae911-238f-4436-82eb-5bb4660c38c7 /boot xfs defaults 0 0
/dev/mapper/centos-data /data xfs defaults 0 0
/dev/mapper/centos-swap swap swap defaults 0 0
不過-d只是在屏幕上顯示出來要想解開需要加上-o 指定新文件名稱
[root@node3 /data]]#gpg -o fs -d fstab.gpg
gpg: encrypted with 2048-bit RSA key, ID 98C7C0F4, created 2018-09-12
"cobbler"
查看文件
[root@node3 /data]]#ls
fs fstab.gpg lost+found
[root@node3 /data]]#cat fs
#
# /etc/fstab
# Created by anaconda on Wed Jul 18 20:40:37 2018
#
# Accessible filesystems, by reference, are maintained under ‘/dev/disk‘
# See man pages fstab(5), findfs(8), mount(8) and/or blkid(8) for more info
#
/dev/mapper/centos-root / xfs defaults 0 0
UUID=3d4ae911-238f-4436-82eb-5bb4660c38c7 /boot xfs defaults 0 0
/dev/mapper/centos-data /data xfs defaults 0 0
/dev/mapper/centos-swap swap swap defaults 0 0
現在所有的公鑰都不想要了,刪除它
[root@node1 /data]#gpg --delete-keys cobbler
gpg (GnuPG) 2.0.22; Copyright (C) 2013 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
pub 2048R/A24FC96C 2018-09-12 cobbler
Delete this key from the keyring? (y/N) y
不過在刪除第二個的時候它會提示你先讓你刪除私鑰,
[root@node1 /data]#gpg --delete-keys zabbix
gpg (GnuPG) 2.0.22; Copyright (C) 2013 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
gpg: there is a secret key for public key "zabbix"!
gpg: use option "--delete-secret-keys" to delete it first.
[root@node1 /data]#gpg --delete-secret-keys zabbix
gpg (GnuPG) 2.0.22; Copyright (C) 2013 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
sec 2048R/799524A3 2018-09-12 zabbix
Delete this key from the keyring? (y/N) y
This is a secret key! - really delete? (y/N) y
[root@node1 /data]#gpg --delete-keys zabbix
gpg (GnuPG) 2.0.22; Copyright (C) 2013 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
pub 2048R/799524A3 2018-09-12 zabbix
Delete this key from the keyring? (y/N) y
[root@node1 /data]#
Linux加密和安全