Using GPG Keys to Transfer Data Securely Between Linux Machines

GPG/PGP PKI asymmetric encryption
Asymmetric means that a public key and a private key are used for authentication, and the two keys are different.

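GPG encrypts data and mail that are sent over the network to a client.
It therefore raises the level of security when we plan to send important or critical data over the network and want to protect it from hackers.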

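First we need to generate a PKI pair (a public/private key pair). The public key must be sent to the client location over a secure session, so that with this public key the client will be able to decrypt the data or mail sent to it that was encrypted with the private key on the server machine.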

For example, here I have two RHEL 5 machines.
I will transfer data between server1 and server2.
So we need to generate gpg keys on both machines.

Important: the public key from server 1 will be sent to server 2 and vice versa, in order to decrypt the data sent to either of them.

On server 1

# gpg --gen-key
gpg (GnuPG) 1.4.5; Copyright (C) 2006 Free Software Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. See the file COPYING for details.
gpg: directory `/root/.gnupg' created
gpg: new configuration file `/root/.gnupg/gpg.conf' created
gpg: WARNING: options in `/root/.gnupg/gpg.conf' are not yet active during this run
gpg: keyring `/root/.gnupg/secring.gpg' created
gpg: keyring `/root/.gnupg/pubring.gpg' created
Please select what kind of key you want:
   (1) DSA and Elgamal (default)
   (2) DSA (sign only)
   (5) RSA (sign only)
Your selection? [Hit Enter]
DSA keypair will have 1024 bits.
ELG-E keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 1024
Requested keysize is 1024 bits
Please specify how long the key should be valid.
          0 = key does not expire
       <n>  = key expires in n days
       <n>w = key expires in n weeks
       <n>m = key expires in n months
       <n>y = key expires in n years
Key is valid for? (0)
Key does not expire at all
Is this correct? (y/N) y
You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
    "Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"
Real name: testing
Email address: test@example.com
Comment:
You selected this USER-ID:
    "testing <test@example.com>"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
You need a Passphrase to protect your secret key.[Hit Enter for blank passphrase]
You don't want a passphrase - this is probably a *bad* idea!
I will do it anyway.  You can change your passphrase at any time,
using this program with the option "--edit-key".
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
++++++++++.++++++++++.++++++++++++++++++++++++++++++..++++++++++++++++++++++++++                                    +++++++++++++++++++.+++++++++++++++++++++++++++++++++++>++++++++++..............                                    ..............................+++++
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: key 6F433F3D marked as ultimately trusted
public and secret key created and signed.
gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
pub   1024D/6F433F3D 2013-01-31
      Key fingerprint = 1ED5 CCDA FDC1 BBBA 4A6B  7224 09CA CABC 6F43 3F3D
uid                  testing <test@example.com>
sub   1024g/BF74F2FB 2013-01-31

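We can follow the same steps to generate a key on server 2.
Once the keys have been generated, we can check the fingerprint with the commands shown below.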

On server 1

[root@server1]# gpg --list-keys
/root/.gnupg/pubring.gpg
-----------------------
pub 1024D/6F433F3D 2013-01-31
uid testing <test@example.com>
sub 1024g/BF74F2FB 2013-01-31

On server 2

[root@server2]# gpg --list-keys
/root/.gnupg/pubring.gpg
-----------------------
pub 1024R/78AC92D1 2013-01-30
uid jack Prasad <jack@example.com>
sub 1024R/2698ECBD 2013-01-30

Note: an error such as the following may occur while generating the gpg key:

gpg: can't create '/root/.gnupg/random_seed': No such file or directory

Solution: we can overcome this by creating the .gnupg directory manually.
Make sure to create it as a hidden directory.

Here "gnupg" stands for GNU Privacy Guard.

Now that we have finished creating the gpg keys on both machines:

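  • We need a data file to transfer.
  • Encrypt the data file with gpg.
  • Export the data file so that it can be sent to the client for decryption.
  • Rename the data file with the standard .pub extension.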

[root@server1]# echo This is a secret file > test.txt

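Now we will encrypt the file.
Here "6F433F3D" is the USERID of the key we generated on server 1, which can be checked in the listing above; it is followed by the file name.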

[root@server1]# gpg -e --armor -r 6F433F3D test.txt
[root@server1]# ls -l
-rw-r--r-- 1 root root 9 Jan 31 16:28 test.txt
-rw-r--r-- 1 root root 571 Jan 31 16:29 test.txt.asc
[root@server1]# cat test.txt.asc
-----BEGIN PGP MESSAGE-----
Version: GnuPG v1.4.5 (GNU/Linux)

[ASCII-armored ciphertext omitted]
-----END PGP MESSAGE-----

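As we can see, the data file has been encrypted and can now be sent safely to the client machine, but to decrypt the file the client needs the public key.
So let us create a public key for this purpose.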

[root@server1]# gpg --export --armor -o server1.asc

Here "server1.asc" is the public key needed to decrypt the data file we encrypted.

[root@server1]# less server1.asc
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.5 (GNU/Linux)

[ASCII-armored public key omitted]
-----END PGP PUBLIC KEY BLOCK-----
[root@server1]# mv server1.asc server1.asc.pub

Now we copy the public key to the client location, which in our case is server2.

[root@server1]# scp server1.asc.pub  server2:/

Likewise, we need to create a public key on server 2 for server 1.

On server 2

[root@server2]# gpg --export --armor -o server2.asc.pub
[root@server2]# scp server2.asc.pub server1:/

Now import the public key sent from server 1

[root@server2]# gpg --import server1.asc.pub
gpg: key 6F433F3D: public key "testing <test@example.com>" imported
gpg: Total number processed: 1
gpg: imported: 1
[root@server2]# gpg --list-keys
/root/.gnupg/pubring.gpg
-----------------------
pub 1024R/78AC92D1 2013-01-30
uid jack Prasad <jack@example.com>
sub 1024R/2698ECBD 2013-01-30
pub 1024D/6F433F3D 2013-01-31
uid testing <test@example.com>
sub 1024g/BF74F2FB 2013-01-31

As we can see, we now have two keys on the server2 machine.

1. The local private key, jack Prasad

2. The public key imported from server1, "testing"

The same must be done on the other machine, server1.

On server 1

[root@server1]# gpg --import server2.asc.pub
[root@server1]# gpg --list-keys
/root/.gnupg/pubring.gpg
-----------------------
pub 1024D/6F433F3D 2013-01-31
uid testing <test@example.com>
sub 1024g/BF74F2FB 2013-01-31
pub 1024R/78AC92D1 2013-01-30
uid jack Prasad <jack@example.com>
sub 1024R/2698ECBD 2013-01-30

As we can see, both keys are now present on server1 and on server2.
So we can test encrypting the data.

Now we need to encrypt the data with server2's public key, which we have just imported on server1.
That way only server2 can decrypt the data file.

On server1 (78AC92D1 is the ID of the server2 user, e.g. jack)

[root@server1]# gpg -e -r 78AC92D1 --armor -o test.txt.server2.asc test.txt
gpg: 2698ECBD: There is no assurance this key belongs to the named user
pub 1024R/2698ECBD 2013-01-30 jack Prasad <jack@example.com>
Primary key fingerprint: 1F50 F1FE B6DD 9909 B673 F187 DB55 88DC 78AC 92D1
Subkey fingerprint: 9201 1452 8E80 1050 36C8 F668 AA0D 4697 2698 ECBD
It is NOT certain that the key belongs to the person named
in the user ID. If you *really* know what you are doing,
you may answer the next question with yes.
Use this key anyway? (y/N) y
File `test.txt.server2.asc' exists. Overwrite? (y/N) y
[root@server1]# scp test.txt.server2.asc server2:/
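
The "There is no assurance this key belongs to the named user" prompt above is answered with y without the key having been checked. As an added example (not part of the original article), the script below compares the fingerprint of a received key file with one obtained out of band, such as the "Primary key fingerprint" line read out by the other administrator, and imports the key only on a match. The function names and the sample colon listing are constructed for illustration, and it assumes that running gpg on a key file with `--with-colons --with-fingerprint` and no command lists the file's keys without importing them.

```shell
#!/bin/bash
# Added example (not from the article): check a received public key against a
# fingerprint obtained out of band before importing it.

# Constructed sample of `gpg --with-colons` output for server2's key.
SAMPLE_LISTING='pub:-:1024:1:DB5588DC78AC92D1:2013-01-30:::-:jack Prasad <jack@example.com>::scESC:
fpr:::::::::1F50F1FEB6DD9909B673F187DB5588DC78AC92D1:
sub:-:1024:1:AA0D46972698ECBD:2013-01-30::::::e:'

# Strip whitespace and upper-case the hex digits of a fingerprint.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr 'a-f' 'A-F'
}

# Print the primary key fingerprint from a colon listing on stdin:
# field 10 of the first "fpr" record that follows a "pub" record.
primary_fpr_from_colons() {
    awk -F: '$1 == "pub" { seen = 1; next }
             seen && $1 == "fpr" { print $10; exit }'
}

# Succeed only if the listing on stdin holds exactly one primary key and its
# fingerprint equals the expected one. `gpg --import` takes every key in a
# file, so a file carrying extra keys is rejected.
listing_matches() {
    lm_expected=$(normalize_fpr "$1")
    lm_listing=$(cat)
    lm_count=$(printf '%s\n' "$lm_listing" | awk -F: '$1 == "pub" { n++ } END { print n + 0 }')
    [ "$lm_count" -eq 1 ] || return 1
    lm_actual=$(printf '%s\n' "$lm_listing" | primary_fpr_from_colons)
    [ -n "$lm_actual" ] && [ "$lm_actual" = "$lm_expected" ]
}

# Import a key file only when its fingerprint matches. Assumption: running
# gpg on a key file with no command lists its keys without importing them.
import_verified() {
    if gpg --with-colons --with-fingerprint "$1" 2>/dev/null | listing_matches "$2"; then
        gpg --import "$1"
    else
        echo "fingerprint mismatch, not importing $1" >&2
        return 1
    fi
}

# Usage: ./verify-import.sh server2.asc.pub "<expected fingerprint>"
if [ "$#" -eq 2 ]; then
    import_verified "$1" "$2"
fi
```

When encrypting afterwards, passing the full fingerprint to -r instead of the 8-character key ID avoids selecting a key whose short ID merely collides with the intended one.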

Verify the data on server2 by decrypting it.
This only works when the data was encrypted with the public key.

[root@server2]# gpg --decrypt test.txt.server2.asc
gpg: encrypted with 1024-bit RSA key, ID 2698ECBD, created 2013-01-30
"jack Prasad <jack@example.com>"
This is a secret file

As we can see, the data file has been decrypted successfully.

Date: 2020-06-02 22:17:23 Source: oir Author: oir