非對(duì)稱密鑰實(shí)驗(yàn)

非對(duì)稱密鑰實(shí)驗(yàn)

實(shí)驗(yàn)?zāi)康?/h4>

對(duì)文件進(jìn)行非對(duì)稱加解密

實(shí)驗(yàn)準(zhǔn)備

主機(jī)：A和B
OS: CentOS7
IP ：192.168.172.134

一、分別在2臺(tái)主機(jī)上生成公鑰和私鑰

1.在主機(jī)A上生成公私鑰

[root@hostA ~]# gpg --gen-key
gpg (GnuPG) 2.0.22; Copyright (C) 2013 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

gpg: directory `/root/.gnupg' created
gpg: new configuration file `/root/.gnupg/gpg.conf' created
gpg: WARNING: options in `/root/.gnupg/gpg.conf' are not yet active during this run
gpg: keyring `/root/.gnupg/secring.gpg' created
gpg: keyring `/root/.gnupg/pubring.gpg' created
Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
Your selection? 1                                   #選擇所要生成的非對(duì)稱密鑰類型
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 1024               #先擇密鑰的長(zhǎng)度
Requested keysize is 1024 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0)                               #指定密鑰的有效期限
Key does not expire at all
Is this correct? (y/N) y                            #確認(rèn)密鑰有效期為永久有效

GnuPG needs to construct a user ID to identify your key.

Real name: hostA                                    #輸入非對(duì)稱密鑰所對(duì)應(yīng)的主機(jī)名
Email address: 
Comment: 
You selected this USER-ID:
    "hostA"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o   #確認(rèn)密鑰信息
You need a Passphrase to protect your secret key.

You don't want a passphrase - this is probably a *bad* idea!
I will do it anyway.  You can change your passphrase at any time,
using this program with the option "--edit-key".

We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: key 4B9A0B62 marked as ultimately trusted
public and secret key created and signed.

gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
pub   1024R/4B9A0B62 2019-04-12
      Key fingerprint = E128 AD1F E1D5 5B0D C66C  FD45 4786 0C63 4B9A 0B62
uid                  hostA
sub   1024R/DD37BA59 2019-04-12

#非對(duì)稱密生成完畢
[root@hostA ~]# cd .gnupg/
[root@hostA .gnupg]# ll
total 28
-rw------- 1 root root 7680 Apr 13 05:36 gpg.conf
drwx------ 2 root root    6 Apr 13 05:37 private-keys-v1.d
-rw------- 1 root root  649 Apr 13 05:37 pubring.gpg        #公鑰文件
-rw------- 1 root root  649 Apr 13 05:37 pubring.gpg~       #公鑰的備份
-rw------- 1 root root  600 Apr 13 05:37 random_seed
-rw------- 1 root root 1313 Apr 13 05:37 secring.gpg        #私鑰文件
srwxr-xr-x 1 root root    0 Apr 13 05:37 S.gpg-agent
-rw------- 1 root root 1280 Apr 13 05:37 trustdb.gpg

2.B主機(jī)上生成公私鑰

[root@hostB ~]# gpg --gen-key
gpg (GnuPG) 2.0.22; Copyright (C) 2013 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

gpg: directory `/root/.gnupg' created
gpg: new configuration file `/root/.gnupg/gpg.conf' created
gpg: WARNING: options in `/root/.gnupg/gpg.conf' are not yet active during this run
gpg: keyring `/root/.gnupg/secring.gpg' created
gpg: keyring `/root/.gnupg/pubring.gpg' created
Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
Your selection? 1
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 1024
Requested keysize is 1024 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 
Key does not expire at all
Is this correct? (y/N) y

GnuPG needs to construct a user ID to identify your key.

Real name: hostB
Email address: 
Comment: 
You selected this USER-ID:
    "hostB"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
You need a Passphrase to protect your secret key.

You don't want a passphrase - this is probably a *bad* idea!
I will do it anyway.  You can change your passphrase at any time,
using this program with the option "--edit-key".

We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: key 77A790ED marked as ultimately trusted
public and secret key created and signed.

gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
pub   1024R/77A790ED 2019-04-12
      Key fingerprint = 34E9 51E2 0720 1186 FC26  6BED 5FDF ABE5 77A7 90ED
uid                  hostB
sub   1024R/3108F051 2019-04-12

[root@hostB ~]# ll .gnupg/
total 28
-rw------- 1 root root 7680 Apr 13 05:50 gpg.conf
drwx------ 2 root root    6 Apr 13 05:50 private-keys-v1.d
-rw------- 1 root root  649 Apr 13 05:51 pubring.gpg
-rw------- 1 root root  649 Apr 13 05:51 pubring.gpg~
-rw------- 1 root root  600 Apr 13 05:51 random_seed
-rw------- 1 root root 1313 Apr 13 05:51 secring.gpg
srwxr-xr-x 1 root root    0 Apr 13 05:50 S.gpg-agent
-rw------- 1 root root 1280 Apr 13 05:51 trustdb.gpg
公私鑰文件已生成

二、主機(jī)A、B互換公鑰文件

1.導(dǎo)出主機(jī)A公鑰發(fā)送給B

[root@hostA .gnupg]# gpg -a --export -o hostA.pubkey        #導(dǎo)出公鑰文件。
[root@hostA .gnupg]# cat hostA.pubkey 
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v2.0.22 (GNU/Linux)

mI0EXLEFGgEEALt/ZGwt9ZnkvzI0Ah0DJMFqYPbeTfLWtckiL/tKdkQShaA8pTqS
ckAdeKRY1NRskKsInek3dD+V32n3PG8tTF8ZIQ6TpK8PgB/E+fKH2ftFQFchU+F8
2lsJ0VKf7ILQ6Yre4mVeGo4HCwrJg+E6gEPspaajCyB4BIgApNzqmxNVABEBAAG0
BWhvc3RBiLkEEwECACMFAlyxBRoCGwMHCwkIBwMCAQYVCAIJCgsEFgIDAQIeAQIX
gAAKCRBHhgxjS5oLYj3RBACFK1NjY29XFnu2ZqpM6bSLLp5sf7fbKvUTUEhitXSo
LB607v88KZoUFdcSQf9v+02KytzC1usW8P0NlevhwCJSRpcaO29GyXKnN07jsQAG
J2TUDR91hgcFZ/j2mcZal+WlgwSQr0Skv4GojTpme/n00DVbZzGGL7QBiTH/45AZ
pbiNBFyxBRoBBAC+rfAizsp3qturv4QXwjguar9HuXWffap7nFaQKUAC8S+a2EyG
RcBvWci0sNXx9HJE4/61ExPF84TR4uc8fRkzWYb6sfPGwBxDFH5e9igPifwyEuqk
QPO3eezRX5bNwLMSXyesUFCeJZ3Qy6BYV6S8vDJbjj6RYwWlLRUJv4rlHwARAQAB
iJ8EGAECAAkFAlyxBRoCGwwACgkQR4YMY0uaC2IkvwP/ckneRcvcYqTCeINVPlqD
ltUC3jn5U1Nu/dZKwt15R7l68Qr0ARBO8SuLlMH7wjBQ/c6grwohfdcXCqZN2gVq
wWl2yamOpeOD4EqwnvaPGtP8t9j2gwGvM905NJRng8Ep+IOlqlNeljKjICLyNzmj
rkRjxcSdDrQgIYZgH84hXZU=
=4MIm
-----END PGP PUBLIC KEY BLOCK-----
[root@hostA .gnupg]# scp hostA.pubkey root@192.168.172.138:/root/.gnupg
The authenticity of host '192.168.172.138 (192.168.172.138)' can't be established.
ECDSA key fingerprint is SHA256:YNlH0VBV0kp4lAClVvfMWVx/bHcbKKHXQwyd13d+MME.
ECDSA key fingerprint is MD5:8a:1c:3d:c2:04:b1:be:05:95:33:9e:16:e8:ad:6c:25.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.172.138' (ECDSA) to the list of known hosts.
root@192.168.172.138's password: 
hostA.pubkey                                         100%  984   808.9KB/s   00:00    

2.導(dǎo)出主機(jī)B公鑰發(fā)送給A

[root@hostB ~]# gpg -a --export -o hostB.pubkey
[root@hostB ~]# cat hostB.pubkey
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v2.0.22 (GNU/Linux)

mI0EXLEIRwEEAJwjA3oD/GMvu7WvBfp6ZOaRnLxkebI0nVQt5PFOukiDxKDMtn4L
dcuja0JlP4F/MJpxx2pacuNODG/gV1Tu+5iOzxp1+/xJXrWjh0e+MCk3ubivQ5gj
L9TOSbePb/gzRR89F2BexKq6dkVYgiWUZ0205p/qBOMT49Xos9JQ02qlABEBAAG0
BWhvc3RCiLkEEwECACMFAlyxCEcCGwMHCwkIBwMCAQYVCAIJCgsEFgIDAQIeAQIX
gAAKCRBf36vld6eQ7Xb7A/4kpjrW/JC14J0ZuMggFoI340ZZUOlT2f7JKvS+bAQK
FXOgko6RblHo3PdaD+SimHDhzWibr0q05jpT0OlFP9PphgNfzBaUla/9v4heXcA5
Rsg+J7Z5dbblz4Fe9Hn6uuFJX6PEV00SCVZ1JBOesj4JZuufNTpU09iC8gkl2ntj
YLiNBFyxCEcBBACx6zvb6aH3mybpyqR2kdke0sAsof9sPVrv2UeHS5SSLe2qk38V
GmTwuqLhkvhWrPX9jZza17uauWHItjLl2Xx6VKul4pUA9EPih9rOWTsmHQPhEUnW
ZYVgt50Xn4YOjDaQiislS+AuR3XxeD4eaBtRatzMMQO/ibRV4EWXx6JLvQARAQAB
iJ8EGAECAAkFAlyxCEcCGwwACgkQX9+r5XenkO2rFAP/UgUJ3lYn9rKlnNwsgnqL
c38c6BovdzOveiYt+21QBQ5HElhRI/gZkpIiNi8pze1laaRzduTOj/23rNM5i3Cg
uJulPnMBGLx2s57EuevO34mml+A6pBUIe3ETJhtv8/L3XH5wiMzVEyuzIJuLBA4c
tt+3WYpY9rNUVeuLcHVd7vQ=
=/T8O
-----END PGP PUBLIC KEY BLOCK-----     
[root@hostB ~]# scp hostB.pubkey root@192.168.172.134:/root/.gnupg/
The authenticity of host '192.168.172.134 (192.168.172.134)' can't be established.
ECDSA key fingerprint is SHA256:YNlH0VBV0kp4lAClVvfMWVx/bHcbKKHXQwyd13d+MME.
ECDSA key fingerprint is MD5:8a:1c:3d:c2:04:b1:be:05:95:33:9e:16:e8:ad:6c:25.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.172.134' (ECDSA) to the list of known hosts.
root@192.168.172.134's password: 
hostB.pubkey                                         100%  984   861.8KB/s   00:00  

三、主機(jī)A、B分別導(dǎo)入公鑰

1.主機(jī)A導(dǎo)入公鑰

[root@hostA .gnupg]# gpg --import hostB.pubkey           #導(dǎo)入hostB的公鑰
gpg: key 77A790ED: public key "hostB" imported
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)
[root@hostA .gnupg]# gpg --list-key                      #查看公鑰列表
/root/.gnupg/pubring.gpg
------------------------
pub   1024R/4B9A0B62 2019-04-12
uid                  hostA
sub   1024R/DD37BA59 2019-04-12

pub   1024R/77A790ED 2019-04-12
uid                  hostB
sub   1024R/3108F051 2019-04-12

2.主機(jī)B導(dǎo)入公鑰

[root@hostB ~]# cd .gnupg/
[root@hostB .gnupg]# gpg --import hostA.pubkey 
gpg: key 4B9A0B62: public key "hostA" imported
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)
[root@hostB .gnupg]# gpg --list-key 
/root/.gnupg/pubring.gpg
------------------------
pub   1024R/77A790ED 2019-04-12
uid                  hostB
sub   1024R/3108F051 2019-04-12

pub   1024R/4B9A0B62 2019-04-12
uid                  hostA
sub   1024R/DD37BA59 2019-04-12

四、測(cè)試

1.使用主機(jī)A對(duì)文件進(jìn)行非對(duì)稱加密，發(fā)送給主機(jī)B

[root@hostA data]# echo "hello,i am hostA" > file1
[root@hostA data]# gpg -e -r hostB file1
gpg: 3108F051: There is no assurance this key belongs to the named user

pub  1024R/3108F051 2019-04-12 hostB
 Primary key fingerprint: 34E9 51E2 0720 1186 FC26  6BED 5FDF ABE5 77A7 90ED
      Subkey fingerprint: 57FD 2BBD D2B0 8EE4 9BCA  74A5 2091 0199 3108 F051

It is NOT certain that the key belongs to the person named
in the user ID.  If you *really* know what you are doing,
you may answer the next question with yes.

Use this key anyway? (y/N) y
[root@hostA data]# scp file1.gpg root@192.168.172.138:/data
root@192.168.172.138's password: 
file1.gpg                                            100%  225    87.2KB/s   00:00    

2.解密查看其中內(nèi)容

[root@hostB data]# gpg -o file1 file1.gpg 
gpg: encrypted with 1024-bit RSA key, ID 3108F051, created 2019-04-12
      "hostB"
[root@hostB data]# cat file1
hello,i am hostA

五、關(guān)于清除密鑰

1.清除公鑰

[root@hostA data]# gpg --delete-key hostB             #刪除hostB的公鑰
gpg (GnuPG) 2.0.22; Copyright (C) 2013 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

pub  1024R/77A790ED 2019-04-12 hostB

Delete this key from the keyring? (y/N) y

[root@hostA data]# gpg --list-key                     #查看密鑰列表此時(shí)已經(jīng)沒(méi)有hostB了
/root/.gnupg/pubring.gpg
------------------------
pub   1024R/4B9A0B62 2019-04-12
uid                  hostA
sub   1024R/DD37BA59 2019-04-12

[root@hostA ~]# ll .gnupg/
total 40
-rw------- 1 root root  649 Apr 13 05:48 192.168.172.138
-rw------- 1 root root 7680 Apr 13 05:36 gpg.conf
-rw-r--r-- 1 root root  984 Apr 13 06:02 hostA.pubkey
-rw-r--r-- 1 root root  984 Apr 13 06:06 hostB.pubkey
drwx------ 2 root root    6 Apr 13 05:37 private-keys-v1.d
-rw------- 1 root root  649 Apr 13 06:32 pubring.gpg
-rw------- 1 root root 1298 Apr 13 06:09 pubring.gpg~             #hostB的密鑰雖然被清除但是仍可以用此文件恢復(fù)
-rw------- 1 root root  600 Apr 13 06:15 random_seed
-rw------- 1 root root 1313 Apr 13 05:37 secring.gpg
srwxr-xr-x 1 root root    0 Apr 13 05:37 S.gpg-agent
-rw------- 1 root root 1280 Apr 13 05:37 trustdb.gpg

2.刪除自己的公鑰和私鑰
要?jiǎng)h除自己的公鑰必須先清除私鑰

[root@hostA ~]# gpg --delete-secret-key hostA                  #刪除自己的私鑰
gpg (GnuPG) 2.0.22; Copyright (C) 2013 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

sec  1024R/4B9A0B62 2019-04-12 hostA

Delete this key from the keyring? (y/N) y
This is a secret key! - really delete? (y/N) y
[root@hostA ~]# gpg --delete-key hostA                         #刪除自己的私鑰
gpg (GnuPG) 2.0.22; Copyright (C) 2013 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

pub  1024R/4B9A0B62 2019-04-12 hostA

Delete this key from the keyring? (y/N) y
[root@hostA ~]# rm -rf .gnupg/                                 #將/root/.gnupg目錄刪除