非对称密钥实验

非对称密钥实验

实验目的

对文件进行非对称加解密

实验准备

主机:A和B
OS: CentOS7
IP :192.168.172.134

一、分别在2台主机上生成公钥和私钥

1.在主机A上生成公私钥

[[email protected] ~]# gpg --gen-key
gpg (GnuPG) 2.0.22; Copyright (C) 2013 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

gpg: directory `/root/.gnupg‘ created
gpg: new configuration file `/root/.gnupg/gpg.conf‘ created
gpg: WARNING: options in `/root/.gnupg/gpg.conf‘ are not yet active during this run
gpg: keyring `/root/.gnupg/secring.gpg‘ created
gpg: keyring `/root/.gnupg/pubring.gpg‘ created
Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
Your selection? 1                                   #选择所要生成的非对称密钥类型
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 1024               #先择密钥的长度
Requested keysize is 1024 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0)                               #指定密钥的有效期限
Key does not expire at all
Is this correct? (y/N) y                            #确认密钥有效期为永久有效

GnuPG needs to construct a user ID to identify your key.

Real name: hostA                                    #输入非对称密钥所对应的主机名
Email address:
Comment:
You selected this USER-ID:
    "hostA"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o   #确认密钥信息
You need a Passphrase to protect your secret key.

You don‘t want a passphrase - this is probably a *bad* idea!
I will do it anyway.  You can change your passphrase at any time,
using this program with the option "--edit-key".

We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: key 4B9A0B62 marked as ultimately trusted
public and secret key created and signed.

gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
pub   1024R/4B9A0B62 2019-04-12
      Key fingerprint = E128 AD1F E1D5 5B0D C66C  FD45 4786 0C63 4B9A 0B62
uid                  hostA
sub   1024R/DD37BA59 2019-04-12

#非对称密生成完毕
[[email protected] ~]# cd .gnupg/
[[email protected] .gnupg]# ll
total 28
-rw------- 1 root root 7680 Apr 13 05:36 gpg.conf
drwx------ 2 root root    6 Apr 13 05:37 private-keys-v1.d
-rw------- 1 root root  649 Apr 13 05:37 pubring.gpg        #公钥文件
-rw------- 1 root root  649 Apr 13 05:37 pubring.gpg~       #公钥的备份
-rw------- 1 root root  600 Apr 13 05:37 random_seed
-rw------- 1 root root 1313 Apr 13 05:37 secring.gpg        #私钥文件
srwxr-xr-x 1 root root    0 Apr 13 05:37 S.gpg-agent
-rw------- 1 root root 1280 Apr 13 05:37 trustdb.gpg

2.B主机上生成公私钥

[[email protected] ~]# gpg --gen-key
gpg (GnuPG) 2.0.22; Copyright (C) 2013 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

gpg: directory `/root/.gnupg‘ created
gpg: new configuration file `/root/.gnupg/gpg.conf‘ created
gpg: WARNING: options in `/root/.gnupg/gpg.conf‘ are not yet active during this run
gpg: keyring `/root/.gnupg/secring.gpg‘ created
gpg: keyring `/root/.gnupg/pubring.gpg‘ created
Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
Your selection? 1
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 1024
Requested keysize is 1024 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0)
Key does not expire at all
Is this correct? (y/N) y

GnuPG needs to construct a user ID to identify your key.

Real name: hostB
Email address:
Comment:
You selected this USER-ID:
    "hostB"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
You need a Passphrase to protect your secret key.

You don‘t want a passphrase - this is probably a *bad* idea!
I will do it anyway.  You can change your passphrase at any time,
using this program with the option "--edit-key".

We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: key 77A790ED marked as ultimately trusted
public and secret key created and signed.

gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
pub   1024R/77A790ED 2019-04-12
      Key fingerprint = 34E9 51E2 0720 1186 FC26  6BED 5FDF ABE5 77A7 90ED
uid                  hostB
sub   1024R/3108F051 2019-04-12

[[email protected] ~]# ll .gnupg/
total 28
-rw------- 1 root root 7680 Apr 13 05:50 gpg.conf
drwx------ 2 root root    6 Apr 13 05:50 private-keys-v1.d
-rw------- 1 root root  649 Apr 13 05:51 pubring.gpg
-rw------- 1 root root  649 Apr 13 05:51 pubring.gpg~
-rw------- 1 root root  600 Apr 13 05:51 random_seed
-rw------- 1 root root 1313 Apr 13 05:51 secring.gpg
srwxr-xr-x 1 root root    0 Apr 13 05:50 S.gpg-agent
-rw------- 1 root root 1280 Apr 13 05:51 trustdb.gpg
公私钥文件已生成

二、主机A、B互换公钥文件

1.导出主机A公钥发送给B

[[email protected] .gnupg]# gpg -a --export -o hostA.pubkey        #导出公钥文件。
[[email protected] .gnupg]# cat hostA.pubkey
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v2.0.22 (GNU/Linux)

mI0EXLEFGgEEALt/ZGwt9ZnkvzI0Ah0DJMFqYPbeTfLWtckiL/tKdkQShaA8pTqS
ckAdeKRY1NRskKsInek3dD+V32n3PG8tTF8ZIQ6TpK8PgB/E+fKH2ftFQFchU+F8
2lsJ0VKf7ILQ6Yre4mVeGo4HCwrJg+E6gEPspaajCyB4BIgApNzqmxNVABEBAAG0
BWhvc3RBiLkEEwECACMFAlyxBRoCGwMHCwkIBwMCAQYVCAIJCgsEFgIDAQIeAQIX
gAAKCRBHhgxjS5oLYj3RBACFK1NjY29XFnu2ZqpM6bSLLp5sf7fbKvUTUEhitXSo
LB607v88KZoUFdcSQf9v+02KytzC1usW8P0NlevhwCJSRpcaO29GyXKnN07jsQAG
J2TUDR91hgcFZ/j2mcZal+WlgwSQr0Skv4GojTpme/n00DVbZzGGL7QBiTH/45AZ
pbiNBFyxBRoBBAC+rfAizsp3qturv4QXwjguar9HuXWffap7nFaQKUAC8S+a2EyG
RcBvWci0sNXx9HJE4/61ExPF84TR4uc8fRkzWYb6sfPGwBxDFH5e9igPifwyEuqk
QPO3eezRX5bNwLMSXyesUFCeJZ3Qy6BYV6S8vDJbjj6RYwWlLRUJv4rlHwARAQAB
iJ8EGAECAAkFAlyxBRoCGwwACgkQR4YMY0uaC2IkvwP/ckneRcvcYqTCeINVPlqD
ltUC3jn5U1Nu/dZKwt15R7l68Qr0ARBO8SuLlMH7wjBQ/c6grwohfdcXCqZN2gVq
wWl2yamOpeOD4EqwnvaPGtP8t9j2gwGvM905NJRng8Ep+IOlqlNeljKjICLyNzmj
rkRjxcSdDrQgIYZgH84hXZU=
=4MIm
-----END PGP PUBLIC KEY BLOCK-----
[[email protected] .gnupg]# scp hostA.pubkey [email protected]:/root/.gnupg
The authenticity of host ‘192.168.172.138 (192.168.172.138)‘ can‘t be established.
ECDSA key fingerprint is SHA256:YNlH0VBV0kp4lAClVvfMWVx/bHcbKKHXQwyd13d+MME.
ECDSA key fingerprint is MD5:8a:1c:3d:c2:04:b1:be:05:95:33:9e:16:e8:ad:6c:25.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added ‘192.168.172.138‘ (ECDSA) to the list of known hosts.
[email protected]‘s password:
hostA.pubkey                                         100%  984   808.9KB/s   00:00

2.导出主机B公钥发送给A

[[email protected] ~]# gpg -a --export -o hostB.pubkey
[[email protected] ~]# cat hostB.pubkey
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v2.0.22 (GNU/Linux)

mI0EXLEIRwEEAJwjA3oD/GMvu7WvBfp6ZOaRnLxkebI0nVQt5PFOukiDxKDMtn4L
dcuja0JlP4F/MJpxx2pacuNODG/gV1Tu+5iOzxp1+/xJXrWjh0e+MCk3ubivQ5gj
L9TOSbePb/gzRR89F2BexKq6dkVYgiWUZ0205p/qBOMT49Xos9JQ02qlABEBAAG0
BWhvc3RCiLkEEwECACMFAlyxCEcCGwMHCwkIBwMCAQYVCAIJCgsEFgIDAQIeAQIX
gAAKCRBf36vld6eQ7Xb7A/4kpjrW/JC14J0ZuMggFoI340ZZUOlT2f7JKvS+bAQK
FXOgko6RblHo3PdaD+SimHDhzWibr0q05jpT0OlFP9PphgNfzBaUla/9v4heXcA5
Rsg+J7Z5dbblz4Fe9Hn6uuFJX6PEV00SCVZ1JBOesj4JZuufNTpU09iC8gkl2ntj
YLiNBFyxCEcBBACx6zvb6aH3mybpyqR2kdke0sAsof9sPVrv2UeHS5SSLe2qk38V
GmTwuqLhkvhWrPX9jZza17uauWHItjLl2Xx6VKul4pUA9EPih9rOWTsmHQPhEUnW
ZYVgt50Xn4YOjDaQiislS+AuR3XxeD4eaBtRatzMMQO/ibRV4EWXx6JLvQARAQAB
iJ8EGAECAAkFAlyxCEcCGwwACgkQX9+r5XenkO2rFAP/UgUJ3lYn9rKlnNwsgnqL
c38c6BovdzOveiYt+21QBQ5HElhRI/gZkpIiNi8pze1laaRzduTOj/23rNM5i3Cg
uJulPnMBGLx2s57EuevO34mml+A6pBUIe3ETJhtv8/L3XH5wiMzVEyuzIJuLBA4c
tt+3WYpY9rNUVeuLcHVd7vQ=
=/T8O
-----END PGP PUBLIC KEY BLOCK-----
[[email protected] ~]# scp hostB.pubkey [email protected]:/root/.gnupg/
The authenticity of host ‘192.168.172.134 (192.168.172.134)‘ can‘t be established.
ECDSA key fingerprint is SHA256:YNlH0VBV0kp4lAClVvfMWVx/bHcbKKHXQwyd13d+MME.
ECDSA key fingerprint is MD5:8a:1c:3d:c2:04:b1:be:05:95:33:9e:16:e8:ad:6c:25.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added ‘192.168.172.134‘ (ECDSA) to the list of known hosts.
[email protected]‘s password:
hostB.pubkey                                         100%  984   861.8KB/s   00:00

三、主机A、B分别导入公钥

1.主机A导入公钥

[[email protected] .gnupg]# gpg --import hostB.pubkey           #导入hostB的公钥
gpg: key 77A790ED: public key "hostB" imported
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)
[[email protected] .gnupg]# gpg --list-key                      #查看公钥列表
/root/.gnupg/pubring.gpg
------------------------
pub   1024R/4B9A0B62 2019-04-12
uid                  hostA
sub   1024R/DD37BA59 2019-04-12

pub   1024R/77A790ED 2019-04-12
uid                  hostB
sub   1024R/3108F051 2019-04-12

2.主机B导入公钥

[[email protected] ~]# cd .gnupg/
[[email protected] .gnupg]# gpg --import hostA.pubkey
gpg: key 4B9A0B62: public key "hostA" imported
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)
[[email protected] .gnupg]# gpg --list-key
/root/.gnupg/pubring.gpg
------------------------
pub   1024R/77A790ED 2019-04-12
uid                  hostB
sub   1024R/3108F051 2019-04-12

pub   1024R/4B9A0B62 2019-04-12
uid                  hostA
sub   1024R/DD37BA59 2019-04-12

四、测试

1.使用主机A对文件进行非对称加密,发送给主机B

[[email protected] data]# echo "hello,i am hostA" > file1
[[email protected] data]# gpg -e -r hostB file1
gpg: 3108F051: There is no assurance this key belongs to the named user

pub  1024R/3108F051 2019-04-12 hostB
 Primary key fingerprint: 34E9 51E2 0720 1186 FC26  6BED 5FDF ABE5 77A7 90ED
      Subkey fingerprint: 57FD 2BBD D2B0 8EE4 9BCA  74A5 2091 0199 3108 F051

It is NOT certain that the key belongs to the person named
in the user ID.  If you *really* know what you are doing,
you may answer the next question with yes.

Use this key anyway? (y/N) y
[[email protected] data]# scp file1.gpg [email protected]:/data
[email protected]‘s password:
file1.gpg                                            100%  225    87.2KB/s   00:00

2.解密查看其中内容

[[email protected] data]# gpg -o file1 file1.gpg
gpg: encrypted with 1024-bit RSA key, ID 3108F051, created 2019-04-12
      "hostB"
[[email protected] data]# cat file1
hello,i am hostA

五、关于清除密钥

1.清除公钥

[[email protected] data]# gpg --delete-key hostB             #删除hostB的公钥
gpg (GnuPG) 2.0.22; Copyright (C) 2013 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

pub  1024R/77A790ED 2019-04-12 hostB

Delete this key from the keyring? (y/N) y

[[email protected] data]# gpg --list-key                     #查看密钥列表此时已经没有hostB了
/root/.gnupg/pubring.gpg
------------------------
pub   1024R/4B9A0B62 2019-04-12
uid                  hostA
sub   1024R/DD37BA59 2019-04-12

[[email protected] ~]# ll .gnupg/
total 40
-rw------- 1 root root  649 Apr 13 05:48 192.168.172.138
-rw------- 1 root root 7680 Apr 13 05:36 gpg.conf
-rw-r--r-- 1 root root  984 Apr 13 06:02 hostA.pubkey
-rw-r--r-- 1 root root  984 Apr 13 06:06 hostB.pubkey
drwx------ 2 root root    6 Apr 13 05:37 private-keys-v1.d
-rw------- 1 root root  649 Apr 13 06:32 pubring.gpg
-rw------- 1 root root 1298 Apr 13 06:09 pubring.gpg~             #hostB的密钥虽然被清除但是仍可以用此文件恢复
-rw------- 1 root root  600 Apr 13 06:15 random_seed
-rw------- 1 root root 1313 Apr 13 05:37 secring.gpg
srwxr-xr-x 1 root root    0 Apr 13 05:37 S.gpg-agent
-rw------- 1 root root 1280 Apr 13 05:37 trustdb.gpg

2.删除自己的公钥和私钥
要删除自己的公钥必须先清除私钥

[[email protected] ~]# gpg --delete-secret-key hostA                  #删除自己的私钥
gpg (GnuPG) 2.0.22; Copyright (C) 2013 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

sec  1024R/4B9A0B62 2019-04-12 hostA

Delete this key from the keyring? (y/N) y
This is a secret key! - really delete? (y/N) y
[[email protected] ~]# gpg --delete-key hostA                         #删除自己的私钥
gpg (GnuPG) 2.0.22; Copyright (C) 2013 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

pub  1024R/4B9A0B62 2019-04-12 hostA

Delete this key from the keyring? (y/N) y
[[email protected] ~]# rm -rf .gnupg/                                 #将/root/.gnupg目录删除

原文地址:https://blog.51cto.com/14234291/2449750

时间: 2024-08-06 21:44:48

非对称密钥实验的相关文章

对称密钥与非对称密钥算法

对称密钥算法和非对称密钥算法 密码学中两种常见的密码算法为对称密码算法(单钥密码算法)和非对称密码算法(公钥密码算法). 所谓对称密钥算法是指如果一个加密算法的加密密钥和解密密钥相同,或者虽然不相同,但是可由其中的任意一个很容易的推导出另一个,即密钥是双方共享的. 非对称密钥算法是指一个加密算法的加密密钥和解密密钥是不一样的,或者说不能由其中一个密钥推导出另一个密钥.这两个密钥其中一个称为公钥,用于加密,是公开的,另一个称为私钥,用于解密,是保密的.其中由公钥计算私钥是计算上不可行的. 这两种密

sftp,putty使用非对称密钥RSA无需密码登录远程主机

参考链接 SCP和SFTP不用输入密码的信任公钥方法攻略 1.在本地主机(Ubuntu)产生RSA密钥 cd ~/.ssh/ ssh-keygen -t rsa 均Enter采用默认方式,则产生两个文件 id_rsa id_rsa.pub 2.将公钥id_rsa.pub添加到远程主机~/.ssh/authorized_keys 文件 cat id_rsa.pub >> .ssh/authorized_keys 3.再次使用sftp链接远程主机无需密码 sftp -o port=XXX [ema

ssl证书的对称密钥与非对称密钥

(一)对称加密(Symmetric Cryptography) 对称密钥加密,又称私钥加密,即信息的发送方和接收方用一个密钥去加密和解密数据.它的最大优势是加/解密速度快,适合于对大数据量进行加密,对称 加密的一大缺点是密钥的管理与分配,换句话说,如何把密钥发送到需要解密你的消息的人的手里是一个问题.在发送密钥的过程中,密钥有很大的风险会被黑客们 拦截.现实中通常的做法是将对称加密的密钥进行非对称加密,然后传送给需要它的人. 对称加密通常使用的是相对较小的密钥,一般小于256 bit.因为密钥越

对称密钥与非对称密钥

(一)对称加密(Symmetric Cryptography) 对称密钥加密,又称私钥加密,即信息的发送方和接收方用一个密钥去加密和解密数据.它的最大优势是加/解密速度快,适合于对大数据量进行加密,对称加密的一大缺点是密钥的管理与分配,换句话说,如何把密钥发送到需要解密你的消息的人的手里是一个问题.在发送密钥的过程中,密钥有很大的风险会被黑客们拦截.现实中通常的做法是将对称加密的密钥进行非对称加密,然后传送给需要它的人. 对称加密通常使用的是相对较小的密钥,一般小于256 bit.因为密钥越大,

对称与非对称密钥加密

公开密钥加密也称非对称密钥加密,该加密算法使用两个不同的密钥:加密密钥和解密密钥.前者公开,又称公开密钥,简称公钥:后者保密,又称私有密钥,简称私钥.这两个密钥是数学相关的,用某用户加密密钥加密后所得的信息只能用该用户的解密密钥才能解密.RSA算法(由发明者Rivest,Shmir和Adleman姓氏首字母缩写而来)是著名的公开密钥加密算法. 公钥加密的另一用途是身份验证:用私钥加密的信息,可以用公钥对其解密,接收者由此可知这条信息确实来自于拥有私钥的某人.私钥加密的过程即数字签名. 用公钥加密

SQLSERVER加密解密函数(非对称密钥 证书加密 对称密钥)

ENCRYPTBYASYMKEY() --非对称密钥 ENCRYPTBYCERT()   --证书加密 ENCRYPTBYKEY()   --对称密钥 ENCRYPTBYPASSPHRASE()  --通行短语(PassPhrase)加密 --非对称密钥包含数据库级的内部公钥和私钥,它可以用来加密和解密SQL Server数据库中的数据,它可以从外部文件或程序集中导入,也可以在SQL Server数据库中生成.它不像证书,不可以备份到文件.这意味着一旦在SQL Server中创建了它,没有非常简

非对称密钥的来源

RSA算法是最早得到广泛使用的非对称加密算法,RSA算法基于分解大素数之乘积的困难性.较新的非对称加密算法是ECC,ECC基于离散对数难题.它能够以较少的计算资源消耗达到与RSA相当的安全性.目前,大多的数字证书仍然基于RSA算法.如果数学上发现了一种快速计算素数乘积或者离散对数的方法,就意味着相应的非对称加密算法被彻底破解.在这样一个数学天才出现之前,我们还能够无忧地使用这些算法. 对称加密算法本身对密钥的值没有约束,虽然我们会有意避开一些太有规律的密钥值.与对称密钥不同,非对称加密算法不能使

Java中RSA非对称密钥加解密使用示例

一.简介: RSA加密算法是最常用的非对称加密算法,CFCA在证书服务中离不了它.RSA是第一个比较完善的公开密钥算法,它既能用于加密,也能用于数字签名.这个算法经受住了多年深入的密码分析,虽然密码分析者既不能证明也不能否定RSA的安全性,但这恰恰说明该算法有一定的可信性,目前它已经成为最流行的公开密钥算法. 二.RSA的公钥.私钥的组成,以及加密.解密的公式可见于下表 三.使用方式: ①  假设A.B机器进行通信,已A机器为主: ②  A首先需要用自己的私钥为发送请求数据签名,并将公钥一同发送

openssl生成RSA非对称密钥

操作完后会在D盘符下生成一对公钥和私钥: 原文地址:https://www.cnblogs.com/i-hard-working/p/10321713.html