Asymmetric Key Experiment
Published: 2025-02-03  Author: 千家信息网 editor
Last updated by 千家信息网: 2025-02-03
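Objective
Perform asymmetric encryption and decryption of a file
Preparation
Hosts: A and B
OS: CentOS 7
IP: 192.168.172.134
I. Generate a public/private key pair on each of the two hosts
1. Generate the key pair on host A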
[root@hostA ~]# gpg --gen-key
gpg (GnuPG) 2.0.22; Copyright (C) 2013 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

gpg: directory `/root/.gnupg' created
gpg: new configuration file `/root/.gnupg/gpg.conf' created
gpg: WARNING: options in `/root/.gnupg/gpg.conf' are not yet active during this run
gpg: keyring `/root/.gnupg/secring.gpg' created
gpg: keyring `/root/.gnupg/pubring.gpg' created
Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
Your selection? 1                        # select the type of asymmetric key to generate
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 1024    # choose the key length
Requested keysize is 1024 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0)                    # specify how long the key is valid
Key does not expire at all
Is this correct? (y/N) y                 # confirm that the key never expires

GnuPG needs to construct a user ID to identify your key.

Real name: hostA                         # enter the host name this key pair belongs to
Email address: 
Comment: 
You selected this USER-ID:
    "hostA"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o    # confirm the key details
You need a Passphrase to protect your secret key.

You don't want a passphrase - this is probably a *bad* idea!
I will do it anyway.  You can change your passphrase at any time,
using this program with the option "--edit-key".

We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: key 4B9A0B62 marked as ultimately trusted
public and secret key created and signed.

gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
pub   1024R/4B9A0B62 2019-04-12
      Key fingerprint = E128 AD1F E1D5 5B0D C66C  FD45 4786 0C63 4B9A 0B62
uid                  hostA
sub   1024R/DD37BA59 2019-04-12
# asymmetric key pair generation is complete
[root@hostA ~]# cd .gnupg/
[root@hostA .gnupg]# ll
total 28
-rw------- 1 root root 7680 Apr 13 05:36 gpg.conf
drwx------ 2 root root    6 Apr 13 05:37 private-keys-v1.d
-rw------- 1 root root  649 Apr 13 05:37 pubring.gpg     # public key file
-rw------- 1 root root  649 Apr 13 05:37 pubring.gpg~    # backup of the public key file
-rw------- 1 root root  600 Apr 13 05:37 random_seed
-rw------- 1 root root 1313 Apr 13 05:37 secring.gpg     # private key file
srwxr-xr-x 1 root root    0 Apr 13 05:37 S.gpg-agent
-rw------- 1 root root 1280 Apr 13 05:37 trustdb.gpg
2. Generate the key pair on host B
[root@hostB ~]# gpg --gen-key
gpg (GnuPG) 2.0.22; Copyright (C) 2013 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

gpg: directory `/root/.gnupg' created
gpg: new configuration file `/root/.gnupg/gpg.conf' created
gpg: WARNING: options in `/root/.gnupg/gpg.conf' are not yet active during this run
gpg: keyring `/root/.gnupg/secring.gpg' created
gpg: keyring `/root/.gnupg/pubring.gpg' created
Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
Your selection? 1
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 1024
Requested keysize is 1024 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 
Key does not expire at all
Is this correct? (y/N) y

GnuPG needs to construct a user ID to identify your key.

Real name: hostB
Email address: 
Comment: 
You selected this USER-ID:
    "hostB"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
You need a Passphrase to protect your secret key.

You don't want a passphrase - this is probably a *bad* idea!
I will do it anyway.  You can change your passphrase at any time,
using this program with the option "--edit-key".

We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: key 77A790ED marked as ultimately trusted
public and secret key created and signed.

gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
pub   1024R/77A790ED 2019-04-12
      Key fingerprint = 34E9 51E2 0720 1186 FC26  6BED 5FDF ABE5 77A7 90ED
uid                  hostB
sub   1024R/3108F051 2019-04-12
[root@hostB ~]# ll .gnupg/
total 28
-rw------- 1 root root 7680 Apr 13 05:50 gpg.conf
drwx------ 2 root root    6 Apr 13 05:50 private-keys-v1.d
-rw------- 1 root root  649 Apr 13 05:51 pubring.gpg
-rw------- 1 root root  649 Apr 13 05:51 pubring.gpg~
-rw------- 1 root root  600 Apr 13 05:51 random_seed
-rw------- 1 root root 1313 Apr 13 05:51 secring.gpg
srwxr-xr-x 1 root root    0 Apr 13 05:50 S.gpg-agent
-rw------- 1 root root 1280 Apr 13 05:51 trustdb.gpg
The public and private key files have been generated.
II. Hosts A and B exchange public key files
1. Export host A's public key and send it to B
[root@hostA .gnupg]# gpg -a --export -o hostA.pubkey    # export the public key file
[root@hostA .gnupg]# cat hostA.pubkey
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v2.0.22 (GNU/Linux)

[base64-encoded key data omitted]
-----END PGP PUBLIC KEY BLOCK-----
[root@hostA .gnupg]# scp hostA.pubkey root@192.168.172.138:/root/.gnupg
The authenticity of host '192.168.172.138 (192.168.172.138)' can't be established.
ECDSA key fingerprint is SHA256:YNlH0VBV0kp4lAClVvfMWVx/bHcbKKHXQwyd13d+MME.
ECDSA key fingerprint is MD5:8a:1c:3d:c2:04:b1:be:05:95:33:9e:16:e8:ad:6c:25.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.172.138' (ECDSA) to the list of known hosts.
root@192.168.172.138's password: 
hostA.pubkey                 100%  984   808.9KB/s   00:00
2. Export host B's public key and send it to A
[root@hostB ~]# gpg -a --export -o hostB.pubkey
[root@hostB ~]# cat hostB.pubkey
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v2.0.22 (GNU/Linux)

[base64-encoded key data omitted]
-----END PGP PUBLIC KEY BLOCK-----
[root@hostB ~]# scp hostB.pubkey root@192.168.172.134:/root/.gnupg/
The authenticity of host '192.168.172.134 (192.168.172.134)' can't be established.
ECDSA key fingerprint is SHA256:YNlH0VBV0kp4lAClVvfMWVx/bHcbKKHXQwyd13d+MME.
ECDSA key fingerprint is MD5:8a:1c:3d:c2:04:b1:be:05:95:33:9e:16:e8:ad:6c:25.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.172.134' (ECDSA) to the list of known hosts.
root@192.168.172.134's password: 
hostB.pubkey                 100%  984   861.8KB/s   00:00
III. Hosts A and B each import the other's public key
1. Host A imports the public key
[root@hostA .gnupg]# gpg --import hostB.pubkey    # import hostB's public key
gpg: key 77A790ED: public key "hostB" imported
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)
[root@hostA .gnupg]# gpg --list-key               # view the list of public keys
/root/.gnupg/pubring.gpg
------------------------
pub   1024R/4B9A0B62 2019-04-12
uid                  hostA
sub   1024R/DD37BA59 2019-04-12

pub   1024R/77A790ED 2019-04-12
uid                  hostB
sub   1024R/3108F051 2019-04-12
2. Host B imports the public key
[root@hostB ~]# cd .gnupg/
[root@hostB .gnupg]# gpg --import hostA.pubkey
gpg: key 4B9A0B62: public key "hostA" imported
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)
[root@hostB .gnupg]# gpg --list-key
/root/.gnupg/pubring.gpg
------------------------
pub   1024R/77A790ED 2019-04-12
uid                  hostB
sub   1024R/3108F051 2019-04-12

pub   1024R/4B9A0B62 2019-04-12
uid                  hostA
sub   1024R/DD37BA59 2019-04-12
IV. Test
1. On host A, encrypt a file asymmetrically and send it to host B
[root@hostA data]# echo "hello,i am hostA" > file1
[root@hostA data]# gpg -e -r hostB file1
gpg: 3108F051: There is no assurance this key belongs to the named user

pub  1024R/3108F051 2019-04-12 hostB
 Primary key fingerprint: 34E9 51E2 0720 1186 FC26  6BED 5FDF ABE5 77A7 90ED
      Subkey fingerprint: 57FD 2BBD D2B0 8EE4 9BCA  74A5 2091 0199 3108 F051

It is NOT certain that the key belongs to the person named
in the user ID.  If you *really* know what you are doing,
you may answer the next question with yes.

Use this key anyway? (y/N) y
[root@hostA data]# scp file1.gpg root@192.168.172.138:/data
root@192.168.172.138's password: 
file1.gpg                    100%  225    87.2KB/s   00:00
2. Decrypt the file and view its contents
[root@hostB data]# gpg -o file1 file1.gpg
gpg: encrypted with 1024-bit RSA key, ID 3108F051, created 2019-04-12
      "hostB"
[root@hostB data]# cat file1
hello,i am hostA
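The "Use this key anyway?" prompt in the encryption step above appears because hostB's key was imported without any check that it really is the key generated on hostB. The script below is an added example, not part of the original page: it compares the fingerprint of a received key file with one obtained through a separate channel before importing and locally signing the key. The function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page). Function names are hypothetical.

# Strip whitespace and upper-case, so "34E9 51E2 ..." equals "34e951e2...".
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr 'a-f' 'A-F'
}

# Read a `gpg --with-colons --with-fingerprint` listing on stdin and print the
# primary key fingerprint. Fails unless the listing holds exactly one primary
# key: `gpg -a --export` without a key name dumps every key in the keyring.
primary_fpr() {
    awk -F: '
        $1 == "pub" { pubs++; want = 1; next }
        $1 == "sub" { want = 0; next }
        $1 == "fpr" && want { fpr = $10; want = 0 }
        END { if (pubs != 1 || fpr == "") exit 1; print fpr }
    '
}

# $1 = colon listing, $2 = fingerprint obtained out-of-band.
# Prints the fingerprint and returns 0 on match, 1 on mismatch, 2 if unusable.
check_listing() {
    got=$(printf '%s\n' "$1" | primary_fpr) || return 2
    [ "$got" = "$(normalize_fpr "$2")" ] || return 1
    printf '%s\n' "$got"
}

# $1 = key file, $2 = fingerprint obtained out-of-band.
# Assumes GnuPG 2.0.x lists a key file without importing it when given no
# command; newer releases offer --show-keys for the same purpose.
import_if_verified() {
    listing=$(gpg --with-colons --with-fingerprint "$1") || return 2
    fpr=$(check_listing "$listing" "$2") || {
        echo "fingerprint check failed, not importing $1" >&2
        return 1
    }
    # Local (non-exportable) signature makes the key valid for `gpg -e -r`.
    gpg --import "$1" && gpg --lsign-key "$fpr"
}

# Constructed sample listing using the hostB fingerprints shown on this page.
SAMPLE_LISTING='pub:-:1024:1:5FDFABE577A790ED:1555027200:::-:::scESC:
fpr:::::::::34E951E207201186FC266BED5FDFABE577A790ED:
uid:-::::1555027200::::hostB:
sub:-:1024:1:209101993108F051:1555027200::::::e:
fpr:::::::::57FD2BBDD2B08EE49BCA74A5209101993108F051:'
```

The reference fingerprint should be read on hostB's own console with gpg --fingerprint hostB and passed as the second argument to import_if_verified, rather than taken from the same scp transfer that delivered the key file.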
V. Removing keys
1. Delete a public key
[root@hostA data]# gpg --delete-key hostB    # delete hostB's public key
gpg (GnuPG) 2.0.22; Copyright (C) 2013 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

pub  1024R/77A790ED 2019-04-12 hostB

Delete this key from the keyring? (y/N) y
[root@hostA data]# gpg --list-key            # list the keys; hostB is no longer present
/root/.gnupg/pubring.gpg
------------------------
pub   1024R/4B9A0B62 2019-04-12
uid                  hostA
sub   1024R/DD37BA59 2019-04-12

[root@hostA ~]# ll .gnupg/
total 40
-rw------- 1 root root  649 Apr 13 05:48 192.168.172.138
-rw------- 1 root root 7680 Apr 13 05:36 gpg.conf
-rw-r--r-- 1 root root  984 Apr 13 06:02 hostA.pubkey
-rw-r--r-- 1 root root  984 Apr 13 06:06 hostB.pubkey
drwx------ 2 root root    6 Apr 13 05:37 private-keys-v1.d
-rw------- 1 root root  649 Apr 13 06:32 pubring.gpg
-rw------- 1 root root 1298 Apr 13 06:09 pubring.gpg~    # hostB's key has been deleted but can still be recovered from this file
-rw------- 1 root root  600 Apr 13 06:15 random_seed
-rw------- 1 root root 1313 Apr 13 05:37 secring.gpg
srwxr-xr-x 1 root root    0 Apr 13 05:37 S.gpg-agent
-rw------- 1 root root 1280 Apr 13 05:37 trustdb.gpg
2. Delete your own public and private keys
To delete your own public key, you must first delete the private key.
[root@hostA ~]# gpg --delete-secret-key hostA    # delete your own private key
gpg (GnuPG) 2.0.22; Copyright (C) 2013 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

sec  1024R/4B9A0B62 2019-04-12 hostA

Delete this key from the keyring? (y/N) y
This is a secret key! - really delete? (y/N) y
[root@hostA ~]# gpg --delete-key hostA           # delete your own public key
gpg (GnuPG) 2.0.22; Copyright (C) 2013 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

pub  1024R/4B9A0B62 2019-04-12 hostA

Delete this key from the keyring? (y/N) y
[root@hostA ~]# rm -rf .gnupg/                   # remove the /root/.gnupg directory