2025-01-15 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
Encryption and decryption technology:
Symmetric encryption
The encrypting party and the decrypting party use the same key, and encryption and decryption are very fast. The plaintext is first divided into data blocks, generally of the same size; if the data left over at the end is not the same size as the other blocks, some padding is added to it. Each block is then encrypted one by one, and the encrypted blocks are sent to the other party, which handles them one at a time.
The question is how the encrypted blocks are handled. If every block is processed separately, then whoever cracks the data can crack each block independently, which means this way of encrypting does nothing to resist cracking.
There are two ways to handle the encrypted data blocks:
ECB: each block is encrypted separately; one block is encrypted and one block is sent.
CBC: cipher block chaining, implemented with the XOR operation. Before each block of data is sent to the other party, it is XORed with the previous block, and the result is what gets sent. So without the first block, getting any of the others is no use, and even the first block is XORed with a random number.
The biggest advantage of XOR is that the data is restored after the operation is applied twice.
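The difference between ECB and CBC described above can be checked with the openssl tool. This is an added example, not part of the original article; the key, IV and plaintext are constructed values, and encrypt_blocks and blocks_repeat are helper names made up for it.

```shell
#!/bin/sh
# Added example. KEY, IV and the plaintext are constructed demo values.
KEY=000102030405060708090a0b0c0d0e0f   # 128-bit AES key (hex)
IV=101112131415161718191a1b1c1d1e1f    # the "random number" XORed into block 1

# Encrypt two identical 16-byte plaintext blocks (32 '0' characters) and
# print the ciphertext as hex, one 16-byte block per line.
# $1 = cipher name, remaining arguments = extra openssl options.
encrypt_blocks() {
    cipher=$1; shift
    printf '%032d' 0 |
        openssl enc "-$cipher" -K "$KEY" -nopad "$@" |
        od -An -v -tx1 | tr -d ' \n' | fold -w 32
    echo
}

# Succeeds when both ciphertext blocks are identical, i.e. the repetition
# in the plaintext is visible to anyone who sees the ciphertext.
blocks_repeat() {
    out=$(encrypt_blocks "$@")
    first=$(printf '%s\n' "$out" | sed -n 1p)
    second=$(printf '%s\n' "$out" | sed -n 2p)
    [ -n "$second" ] && [ "$first" = "$second" ]
}

echo "ECB:"; encrypt_blocks aes-128-ecb
echo "CBC:"; encrypt_blocks aes-128-cbc -iv "$IV"
if blocks_repeat aes-128-ecb; then echo "ECB leaks the repeated block"; fi
if ! blocks_repeat aes-128-cbc -iv "$IV"; then echo "CBC hides it"; fi
```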
Algorithms:
DES: Data Encryption Standard, uses a 56-bit key
AES: Advanced Encryption Standard, can use keys of 128, 192 or 256 bits
3DES: encrypts the original 3 times
Blowfish
Twofish
RC6
IDEA
CAST5
Defects: 1. A person has to remember too many passwords when communicating with many parties.
2. Key distribution is the biggest problem: there is no reliable way to send the key to a party you have never met.
Asymmetric encryption
Public key encryption algorithms: DSA, RSA, ElGamal
The encryption party and the decryption party use different keys.
Function: encryption and decryption
User authentication can be achieved by RSA, while DSA can only encrypt data
Public key, private key
The public key is extracted from the private key; the public key is contained in the private key.
The mainstream key length is now 2048 bits.
Defects: 1. Encryption is slow: about 3 orders of magnitude (1000 times) slower than symmetric encryption, where one order of magnitude is 10 times.
2. Public key encryption is generally not used to encrypt data; it is mainly used for user authentication, while data encryption is mainly done with symmetric encryption.
How to achieve user authentication:
Suppose two parties want to communicate, Xiaohei and Xiaobai. Xiaohei sends Xiaobai an email, and Xiaobai does not want the content of the email to be tampered with before he receives it. Xiaohei therefore encrypts the content of the email, states that he is Xiaohei, and generates a public key and a private key. Xiaohei keeps the private key with him and must not leak it; the public key is sent to Xiaobai together with the mail. Xiaobai now holds Xiaohei's public key, and if he can decrypt with it, the sender really is Xiaohei. This achieves authentication. But if Xiaohei had to encrypt a large amount of data, public key encryption would take far too long, so what Xiaohei encrypts is not the data itself but the digest (characteristic value) of the data. Since digests have come up, let's talk about one-way encryption.
One-way encryption
Avalanche effect: a slight difference in the input data produces a very different result; the main purpose is to prevent brute-force cracking.
One-way encryption computes the digest of a piece of data. The process is irreversible; the result is a unique signature of the data and is used to verify data integrity.
No matter how long the input data is, the output has the same length.
MD5: message digest, fixed 128-bit output
SHA1: secure hash algorithm, fixed 160-bit output
Authentication:
When one-way encryption is used for user authentication, the whole piece of data is not encrypted. The sender first computes the digest of the data, encrypts the digest with his private key, appends it to the data, and sends both to the other party. After receiving it, the other party can verify two things: first the identity of the user, second the integrity of the data. The receiver first decrypts with the sender's public key; if decryption succeeds, the sender's identity is verified and the receiver obtains the digest of the data. The receiver then computes a digest of the data with the same algorithm. If the two digests are the same, the data was intact in transit; if they differ, the data has changed.
Suppose Xiaohei and Xiaobai communicate, and both want user authentication, data encryption and data integrity while sending data. How is that done?
Before sending the data, Xiaohei computes its digest with one-way encryption and encrypts the digest with his private key. He then generates a one-time password, encrypts it with Xiaobai's public key and puts it after the data, and finally uses symmetric encryption to encrypt it all; the result is the ciphertext. When it reaches Xiaobai, Xiaobai first uses his private key to recover the password, then uses that password to decrypt and obtain the digest of the data, and then computes a digest himself with one-way encryption. If the two values are the same, the data is intact. This process achieves triple verification.
The combination of these three items is now the basis of e-commerce.
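The whole exchange between Xiaohei and Xiaobai, run with the openssl tool. This is an added example, not part of the original article; file names and the message are constructed, send, receive and tamper are made-up helper names, and the signature travels as a separate file instead of being appended to the data.

```shell
#!/bin/sh
# Added example. Names, paths and the message are constructed demo values.
W=$(mktemp -d)
printf 'Transfer 100 yuan to Xiaobai\n' > "$W/msg.txt"

# Key pairs: hei = sender (Xiaohei), bai = receiver (Xiaobai).
for who in hei bai; do
    openssl genrsa -out "$W/$who.key" 2048 2>/dev/null
    openssl rsa -in "$W/$who.key" -pubout -out "$W/$who.pub" 2>/dev/null
done

send() {   # $1 = plaintext file; writes msg.sig, msg.enc, key.wrapped
    # Digest the data and encrypt the digest with the sender's private key.
    openssl dgst -sha256 -sign "$W/hei.key" -out "$W/msg.sig" "$1"
    # One-time password for the fast symmetric cipher.
    openssl rand -hex 32 > "$W/key.tmp"
    openssl enc -aes-256-cbc -pbkdf2 -pass "file:$W/key.tmp" \
        -in "$1" -out "$W/msg.enc"
    # Only the receiver's private key can unwrap the one-time password.
    openssl pkeyutl -encrypt -pubin -inkey "$W/bai.pub" \
        -in "$W/key.tmp" -out "$W/key.wrapped"
    rm -f "$W/key.tmp"
}

receive() {   # succeeds only if decryption and signature check both pass
    openssl pkeyutl -decrypt -inkey "$W/bai.key" \
        -in "$W/key.wrapped" -out "$W/key.rx" 2>/dev/null &&
    openssl enc -d -aes-256-cbc -pbkdf2 -pass "file:$W/key.rx" \
        -in "$W/msg.enc" -out "$W/msg.out" 2>/dev/null &&
    openssl dgst -sha256 -verify "$W/hei.pub" -signature "$W/msg.sig" \
        "$W/msg.out" >/dev/null 2>&1
}

tamper() {   # overwrite the first ciphertext block (after the 16-byte header)
    printf 'tampered-block!!' |
        dd of="$W/msg.enc" bs=1 seek=16 conv=notrunc 2>/dev/null
}

send "$W/msg.txt"
if receive; then echo "accepted: signed by Xiaohei, intact"; fi
tamper
if ! receive; then echo "rejected: ciphertext was modified in transit"; fi
```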
Tools that implement the whole process:
OpenSSH
GPG
But there are still problems in both of these processes. How does Xiaobai get Xiaohei's public key? Cheating is also possible while the public key is being transmitted. How can this be solved?
IKE: Internet Key Exchange, which lets both parties exchange keys without the keys themselves being transmitted over the Internet.
PKI: public key infrastructure. CA: certificate authority. The certificate contains the public key information of the communicating party.
How certificate-based communication works:
When the two parties communicate, each presents its certificate, which is issued by an authoritative organization; as long as the valid information in the certificate is verified, the identity of the other party is verified. But how do you prevent cheating in the middle when the certificate itself is being issued? This is another chicken-and-egg problem. Think about how to solve it.
So some operating systems already place the certificates of some authoritative issuing agencies on your computer when they are installed, which solves the problem to a certain extent.
Certificate format: X509 PKCS
Certificate revocation list: CRL
The most common is the "man in the middle", where the identities of both parties cannot be verified.
Session hijacking
Data insertion
Data tampering
These are common threats.
Encryption and decryption are used to deal with these aspects:
1. Password/data sniffing
2. Data manipulation
3. Authentication manipulation
4. Equivalent to mailing on postcards
The basic rule of encryption algorithms: Kerckhoffs's principle
1. Generally speaking, encryption itself does not depend on the algorithm. The algorithm is of course very important for turning plaintext into ciphertext, but in a real encryption process, whether your data gets cracked cannot depend too strongly on the algorithm itself; it depends on the password. The research cycle of an algorithm is very long, and it is easy to change a password but troublesome to change an algorithm.
The algorithm takes a lot of energy, and as long as the algorithm is not public, there is no way to crack it.
2. In the process of e-commerce, we should not only ensure that the data is encrypted, but also ensure that it will not be seen by others.
Algorithm:
1. The source of random numbers must be reliable.
openssl
Many common encryption algorithms are implemented, in C.
Three components:
1. libcrypto: library files used specifically for encryption and decryption.
2. libssl: library files that mainly implement protocols such as https.
3. openssl: a multi-purpose encryption tool, which can also be used to set up a CA.
openssl is generally already installed; running openssl with a wrong option shows its usage and options.
Usage of single-key (symmetric) encryption:
openssl enc -des3 -salt -a -in inittab -out inittab.des3
This encrypts a file: enc means encrypt, -des3 is the encryption algorithm, -salt adds salt, -in is followed by the name of the file to encrypt, and -out by the file the result is written to.
openssl enc -d -des3 -salt -a -in inittab.des3 -out inittab
-d means decryption
openssl dgst -sha1 inittab
computes the digest of the inittab file
passwd is used for user authentication: it generates a password hash like the ones saved in the /etc/shadow file
openssl passwd -1
-1 means use the MD5 algorithm
[root@server46 ~]# openssl passwd -1
Password:
Verifying - Password:
$1$7HW0kv8y$IntkyNppqtTQ2fHAJ1FMk1
openssl passwd -1 -salt <salt>
With the same salt, the result is the same:
[root@server46 ~]# openssl passwd -1 -salt 7HW0kv8y
Password:
$1$7HW0kv8y$IntkyNppqtTQ2fHAJ1FMk1
man sslpasswd shows the usage
Asymmetric encryption:
How to issue certificates with openssl:
Change directory to /etc/pki/tls/certs
make *.key generates a key
make *.cert generates a certificate; make decides what to generate from the file suffix, which is a convenience provided by Red Hat
make my.key generates a key.
(umask 66; openssl genrsa 1024 > my.key)
Generates the private key file.
This runs in a subshell, so the umask applies only to the command that follows; once it has run, the original umask is restored.
Extract the public key:
openssl rsa -in my.key -pubout -out my.pubkey
[root@server46 certs]# (umask 66; openssl genrsa 1024 > my.key)
Generating RSA private key, 1024 bit long modulus
... +
. +
e is 65537 (0x10001)
[root@server46 certs]# cat my.key
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----
[root@server46 certs]# openssl rsa -in my.key -pubout -out my.pubkey
writing RSA key
[root@server46 certs]# cat my.pubkey
-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDRSlvZZ7p7sRbczdGhcw/8z5mz
EKIjDZw63ffsxCDC9XWKO0vEFaxbPrgwZYF+iu8QHUKVzuJoqO8MmfY7p9aGz2WT
2GQ/wUTnjsbL8mNbSclV/2m8K0XZqSLsKzuhaBOFC+sylQvnZiXP23slNWZIuV0E
Vh9k2ULSV4f8B5QtywIDAQAB
-----END PUBLIC KEY-----
Steps for issuing certificates:
1. First generate a key pair (private key and public key)
2. Then put the public key in a certificate issuance request (containing your public key, name, address, etc.) and send it to the certification authority
3. The certificate (.crt) is generated.
Become a CA yourself:
1. cd /etc/pki/CA
There is a private directory here, which holds the CA's private key file
2. Generate a key for yourself
(umask 66; openssl genrsa 2048 > private/cakey.pem)
[the file name can only be cakey.pem here]
ll private
Issue yourself a certificate:
openssl req -new -x509 -key private/cakey.pem -out cacert.pem
Then you will be prompted to enter some information.
After writing it, there is a self-signed certificate.
Then you can issue certificates to others.
openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3655
3. Edit the configuration file of the CA
vim /etc/pki/tls/openssl.cnf
The CA is defined here
Find the [CA_default] section
Change dir to an absolute path
There are some directories that we don't need to set up manually, which we can find in this configuration file.
Then you can modify the default information.
Only at this point can it be regarded as a complete CA
4. Next, issue a certificate to the web server:
cd /etc/httpd
mkdir ssl
cd ssl
(umask 66; openssl genrsa 2048 > web.key)
cd /etc/pki/CA
mkdir certs crl newcerts
touch index.txt serial
echo 01 > serial
# this is the certificate issuance request (web.key was created in /etc/httpd/ssl)
openssl req -new -key /etc/httpd/ssl/web.key -out /etc/httpd/ssl/web.csr
# the CA issues the certificate
openssl ca -in /etc/httpd/ssl/web.csr -out /etc/httpd/ssl/web.crt
Then hit enter twice and ok.
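The CA procedure above, run end to end in a scratch directory. This is an added example, not the article's own commands: the directory stands in for /etc/pki/CA, the minimal openssl.cnf and the subject names are constructed, and -batch replaces the interactive confirmation. It goes one step further than the article by checking the issued certificate against both the issuing CA and an unrelated one.

```shell
#!/bin/sh
# Added example. Paths, subjects and this minimal config are constructed.
CA=$(mktemp -d)    # stands in for /etc/pki/CA
mkdir "$CA/private" "$CA/certs" "$CA/crl" "$CA/newcerts"
touch "$CA/index.txt"; echo 01 > "$CA/serial"
cat > "$CA/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $CA
new_certs_dir = \$dir/newcerts
database = \$dir/index.txt
serial = \$dir/serial
certificate = \$dir/cacert.pem
private_key = \$dir/private/cakey.pem
default_md = sha256
default_days = 365
policy = policy_cn
[ policy_cn ]
commonName = supplied
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical,CA:true
EOF
new_key() { (umask 077; openssl genrsa -out "$1" 2048 2>/dev/null); }
self_sign() {   # $1 = key, $2 = subject, $3 = certificate to write
    openssl req -new -x509 -config "$CA/openssl.cnf" -key "$1" \
        -subj "$2" -days 3655 -out "$3"
}
trusts() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

new_key "$CA/private/cakey.pem"                       # CA key
self_sign "$CA/private/cakey.pem" "/CN=Demo Root CA" "$CA/cacert.pem"
new_key "$CA/web.key"                                 # web server key
openssl req -new -config "$CA/openssl.cnf" -key "$CA/web.key" \
    -subj "/CN=www.example.test" -out "$CA/web.csr"
openssl ca -batch -notext -config "$CA/openssl.cnf" \
    -in "$CA/web.csr" -out "$CA/web.crt" 2>/dev/null
new_key "$CA/other.key"                               # unrelated CA
self_sign "$CA/other.key" "/CN=Unrelated CA" "$CA/other.pem"

if trusts "$CA/cacert.pem" "$CA/web.crt"; then echo "web.crt: issued by our CA"; fi
if ! trusts "$CA/other.pem" "$CA/web.crt"; then echo "web.crt: not trusted under the other CA"; fi
```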