2025-01-14 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
Security matters in all modern network communication, and its most basic building block is encryption and decryption. This post walks through the basics of encryption and decryption.
Security goals:
Confidentiality
Integrity
Availability
Attack types:
Threats to confidentiality: eavesdropping, traffic analysis
Threats to integrity: modification, masquerade (impersonation), replay, repudiation
Threats to availability: denial of service (DoS)
Solutions:
Technical means: encryption and decryption
Classical ciphers: substitution ciphers and transposition ciphers
Modern ciphers: block ciphers
Security services: services designed to defend against these attacks, that is, services built specifically for the security goals above
Authentication mechanism
Access control mechanism
Encryption algorithms and protocols:
1. One-way hashing: computes a fixed-length "fingerprint" (digest) of the data.
Characteristics: fixed-length output regardless of input size; avalanche effect (a one-bit change to the input changes about half of the output bits)
Function: integrity verification
Limitation: it is one-way; the digest cannot be reversed to recover the data, and on its own it does not hide the data, so it is not encryption in the usual sense
Common algorithms: MD5 (128 bits), SHA-1 (160 bits), SHA-224, SHA-256, SHA-384, SHA-512... MD5 and SHA-1 are no longer collision-resistant and should not be used for signatures or certificates; use SHA-256 or stronger.
2. Symmetric encryption: encryption and decryption use the same key.
Features: (1) the same key encrypts and decrypts; (2) block ciphers split the data into fixed-size blocks and encrypt them block by block under a mode of operation (encrypting each block independently, ECB mode, leaks patterns in the plaintext, so use a mode such as CBC or an authenticated mode such as GCM)
Function: strong and fast encryption of bulk data
Defects: (1) the number of keys grows quickly, since every pair of parties needs its own key (n parties need n(n-1)/2 keys); (2) key distribution is hard, as the key has to reach the other side over a secure channel
Common algorithms: 3DES (Triple DES), AES (128-, 192- and 256-bit keys), Blowfish, RC6...
3. Public key encryption: keys come in pairs, a public key and a private key.
Private key: the secret key, generated by the user's tool and kept by the user; it must never be disclosed
Public key: pubkey, derived from the private key and published to everyone
Feature: data encrypted with a public key can only be decrypted with the matching private key, and data signed with a private key can be verified by anyone holding the matching public key
Uses:
Digital signature: lets the receiver confirm who sent the data and that it was not altered (authentication, integrity and non-repudiation)
Key exchange: the sender encrypts a symmetric key with the other party's public key and sends it to them
Data encryption: rarely used directly, since it is about three orders of magnitude slower than symmetric encryption
Common algorithms: RSA (can sign and also encrypt/decrypt), DSA (can only sign, not encrypt/decrypt), ElGamal...
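The two properties claimed for one-way hashing above, fixed-length output and the avalanche effect, are easy to observe directly. The following Go program is an added example written for this post, not code from the original article; it uses SHA-256 from the standard library and a constructed sample message, and the one-bit flip in Avalanche is an assumed way of probing the hash, not part of any standard.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"math/bits"
)

// Digest returns the SHA-256 fingerprint of data as lowercase hex.
// The output is always 64 hex characters (256 bits), whatever the input length.
func Digest(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

// DifferingBits counts the bits that differ between two equal-length digests.
func DifferingBits(a, b []byte) int {
	n := 0
	for i := range a {
		n += bits.OnesCount8(a[i] ^ b[i])
	}
	return n
}

// Avalanche flips the lowest bit of the first byte of data and reports how many
// of the 256 digest bits changed. A good hash changes roughly half of them.
func Avalanche(data []byte) int {
	if len(data) == 0 {
		return 0
	}
	flipped := append([]byte(nil), data...)
	flipped[0] ^= 0x01
	h1 := sha256.Sum256(data)
	h2 := sha256.Sum256(flipped)
	return DifferingBits(h1[:], h2[:])
}

// VerifyIntegrity recomputes the digest and compares it with the expected one.
// A bare digest only catches accidental corruption: an attacker who can change the
// data can recompute the digest too, which is why the digest is signed later in the post.
func VerifyIntegrity(data []byte, expectedHex string) bool {
	return Digest(data) == expectedHex
}

func main() {
	// Constructed sample input for this example.
	msg := []byte("transfer 100 USD to account 42")
	fmt.Println("digest:", Digest(msg))
	fmt.Println("bits changed by a one-bit input flip:", Avalanche(msg), "of 256")
	fmt.Println("integrity ok:", VerifyIntegrity(msg, Digest(msg)))
	fmt.Println("tampered ok:", VerifyIntegrity([]byte("transfer 900 USD to account 42"), Digest(msg)))
}
```

Running it shows the same 64-character digest length for any input and around 128 changed bits for a single flipped input bit.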
With the three kinds of algorithm introduced, here is how they are combined to encrypt and decrypt a message.
Encryption process:
1. Digital signature:
(1) The sender computes the digest (fingerprint) of the original data with a one-way hash.
(2) The sender encrypts (signs) the digest with its own private key and appends the result, the digital signature, to the original data.
2. Key exchange:
(1) The sender generates a temporary (session) symmetric key and uses symmetric encryption to encrypt the data together with its digital signature.
(2) The sender encrypts the temporary symmetric key with the receiver's public key and appends the result to the encrypted data.
Decryption process:
1. Key exchange:
(1) The receiver decrypts the encrypted symmetric key with its own private key to obtain the temporary key.
(2) The receiver uses the temporary symmetric key to decrypt the data and obtains the data with its digital signature.
2. Identity authentication: the receiver decrypts the digital signature with the sender's public key; if this succeeds, the data came from the holder of the sender's private key, and the receiver obtains the original digest.
3. Data integrity verification: the receiver recomputes the digest of the data with the same one-way hash and compares it with the original digest; a match means the data was not altered.
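The following Go program is an added example, not code from the original article, that implements the encryption and decryption process just described and also serves as the worked example for the symmetric encryption section: it signs the digest with the sender's private key (RSA-PSS over SHA-256), encrypts message plus signature under a fresh AES-256 session key in GCM mode, and wraps that session key with the receiver's public key (RSA-OAEP). The choice of PSS, OAEP and GCM is this example's, since the post does not name specific schemes; the keys and message are generated or constructed inline.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// Envelope is what travels over the network: the session key wrapped with the
// receiver's public key, the AES-GCM nonce, and the ciphertext of (message || signature).
type Envelope struct {
	WrappedKey []byte
	Nonce      []byte
	Ciphertext []byte
}

// newGCM wraps an AES key in GCM, an authenticated mode: any change to the
// ciphertext makes Open fail instead of silently returning altered plaintext.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal is the sender's side: hash the message, sign the digest with the sender's
// private key, append the signature, encrypt message||signature under a fresh
// AES-256 session key, and wrap that key with the receiver's public key.
func Seal(msg []byte, senderPriv *rsa.PrivateKey, receiverPub *rsa.PublicKey) (*Envelope, error) {
	digest := sha256.Sum256(msg)
	sig, err := rsa.SignPSS(rand.Reader, senderPriv, crypto.SHA256, digest[:], nil)
	if err != nil {
		return nil, err
	}
	sessionKey := make([]byte, 32) // temporary symmetric key, never reused
	if _, err := io.ReadFull(rand.Reader, sessionKey); err != nil {
		return nil, err
	}
	gcm, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	payload := append(append([]byte{}, msg...), sig...)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, receiverPub, sessionKey, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, payload, nil)}, nil
}

// Open is the receiver's side: unwrap the session key with the receiver's private
// key, decrypt, split off the signature (its length equals the sender's RSA key size),
// recompute the digest and verify the signature with the sender's public key.
func Open(env *Envelope, receiverPriv *rsa.PrivateKey, senderPub *rsa.PublicKey) ([]byte, error) {
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, receiverPriv, env.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("key unwrap failed: %w", err)
	}
	gcm, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	plain, err := gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
	if err != nil {
		return nil, fmt.Errorf("decryption or integrity check failed: %w", err)
	}
	sigLen := senderPub.Size()
	if len(plain) < sigLen {
		return nil, errors.New("payload shorter than a signature")
	}
	msg, sig := plain[:len(plain)-sigLen], plain[len(plain)-sigLen:]
	digest := sha256.Sum256(msg)
	if err := rsa.VerifyPSS(senderPub, crypto.SHA256, digest[:], sig, nil); err != nil {
		return nil, fmt.Errorf("sender signature invalid: %w", err)
	}
	return msg, nil
}

func main() {
	sender, _ := rsa.GenerateKey(rand.Reader, 2048)
	receiver, _ := rsa.GenerateKey(rand.Reader, 2048)
	env, err := Seal([]byte("constructed sample message"), sender, &receiver.PublicKey)
	if err != nil {
		panic(err)
	}
	msg, err := Open(env, receiver, &sender.PublicKey)
	fmt.Printf("received %q, err=%v\n", msg, err)
	env.Ciphertext[0] ^= 0x01 // an attacker flips one bit in transit
	_, err = Open(env, receiver, &sender.PublicKey)
	fmt.Println("after tampering:", err)
}
```

Because GCM authenticates the ciphertext, a modified message is rejected before the signature is even checked; the signature check then catches the remaining case where someone with the receiver's public key builds a valid-looking envelope but cannot sign as the sender.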
This process protects the confidentiality and integrity of the data and also authenticates both parties. However, because public keys are simply handed out, one weakness remains: man-in-the-middle deception. An attacker who can substitute their own public key for the other party's can decrypt, read and re-encrypt everything that passes between the two. This is what a CA is for, and it is explained in more detail below. First, the last piece: key exchange.
4. Key exchange: IKE (Internet Key Exchange, the key-exchange protocol used by IPsec)
There are two ways to do it:
(1) Public key encryption: the session key is encrypted with the other party's public key, as in the process described above.
(2) DH: Diffie-Hellman
The two parties do not send a key, or an encrypted key, over the network at all. They agree on public parameters, exchange values derived from private random numbers, and each computes the same key locally. In the notation used here:
(1) A and B are the two parties. They first agree on two public numbers m and n, which travel over the network in the clear. (In practice n is a large prime and m a generator modulo n, not arbitrary random numbers.)
Current state: both A and B hold m and n.
(2) A and B each generate a private random number that is never transmitted; only its owner knows it.
For example, A generates x and B generates y.
Current state: A holds m, n and x, where only A knows x, and m and n are shared with B.
B holds m, n and y, where only B knows y, and m and n are shared with A.
(3) Each side computes a value from its private number and sends the result to the other:
A --> m^x mod n --> B
B --> m^y mod n --> A
(4) Each side raises the value it received to its own private number, and both obtain the same key:
A: (m^y mod n)^x mod n = m^(xy) mod n
B: (m^x mod n)^y mod n = m^(xy) mod n
m^(xy) mod n is the key both sides arrive at. An eavesdropper who captures m, n, m^x mod n and m^y mod n still cannot compute x or y (the discrete logarithm problem) and so cannot compute the key. Note that plain DH does not authenticate either party: a man-in-the-middle can run a separate exchange with each side, so DH must be combined with signatures or certificates.
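The exchange above, carried through in Go as an added example (not code from the original post), using the post's names m, n, x and y. The toy parameters n = 23 and m = 5 are chosen only so the arithmetic is readable; the BruteForceLog function shows that with such small numbers an eavesdropper can recover x by trying every exponent, which is exactly why real deployments use a prime of 2048 bits or more, where the same loop would never finish.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"math/big"
)

// Toy public parameters: m is the base (a generator mod 23) and n the modulus.
// Both are sent in the clear. Real parameters are thousands of bits long.
var (
	toyM = big.NewInt(5)
	toyN = big.NewInt(23)
)

// PublicValue computes m^secret mod n, the value a party sends over the network.
func PublicValue(m, n, secret *big.Int) *big.Int {
	return new(big.Int).Exp(m, secret, n)
}

// SharedKey computes peerPublic^secret mod n, which equals m^(xy) mod n on both sides.
func SharedKey(peerPublic, n, secret *big.Int) *big.Int {
	return new(big.Int).Exp(peerPublic, secret, n)
}

// RandomSecret picks a private exponent uniformly in [2, n-2]; it never leaves the host.
func RandomSecret(n *big.Int) (*big.Int, error) {
	size := new(big.Int).Sub(n, big.NewInt(3)) // number of values in [2, n-2]
	r, err := rand.Int(rand.Reader, size)
	if err != nil {
		return nil, err
	}
	return r.Add(r, big.NewInt(2)), nil
}

// BruteForceLog recovers x from m^x mod n by trying every exponent below n.
// This is what an eavesdropper would have to do; it only works for toy sizes.
func BruteForceLog(m, n, target *big.Int) (*big.Int, bool) {
	for x := big.NewInt(1); x.Cmp(n) < 0; x.Add(x, big.NewInt(1)) {
		if new(big.Int).Exp(m, x, n).Cmp(target) == 0 {
			return new(big.Int).Set(x), true
		}
	}
	return nil, false
}

func main() {
	x, _ := RandomSecret(toyN) // A's private random number
	y, _ := RandomSecret(toyN) // B's private random number
	aSends := PublicValue(toyM, toyN, x) // m^x mod n, sent to B
	bSends := PublicValue(toyM, toyN, y) // m^y mod n, sent to A
	kA := SharedKey(bSends, toyN, x)      // (m^y mod n)^x mod n
	kB := SharedKey(aSends, toyN, y)      // (m^x mod n)^y mod n
	fmt.Println("A's key:", kA, " B's key:", kB, " equal:", kA.Cmp(kB) == 0)
	if xr, ok := BruteForceLog(toyM, toyN, aSends); ok {
		fmt.Println("toy modulus: eavesdropper recovered x =", xr, "from", aSends)
	}
}
```

With x = 6 and y = 15 the values on the wire are 8 and 19 and both sides compute the key 2; the brute-force loop finds x = 6 immediately because the modulus is tiny.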
Next, the CA mechanism that protects against man-in-the-middle deception: a trusted third party issues certificates to the communicating parties so that each can obtain the other's public key reliably. It is implemented by the PKI architecture.
PKI: Public Key Infrastructure
A set of components built around the CA that provides certificate services and guarantees the legitimacy of certificates. The components are:
Certificate authority: CA
Registration authority: RA
Certificate revocation list: CRL
Certificate repository: CB
The certificate structure and the authentication protocol are defined by X.509v3. A certificate contains the following fields:
Version number
Serial number
Signature algorithm ID
Issuer name
Validity period (not before / not after)
Subject name
Subject public key
Issuer unique identifier
Subject unique identifier
Extensions
Signature of the issuer
So how does the CA guarantee the legitimacy of both parties' certificates and reliable access to each other's public key? The CA works as follows:
1. Self-signed certificate: the CA first issues a certificate to itself, laid out as X.509v3 specifies, and distributes it to the parties that need it. Once a party trusts the CA, it can take the CA's public key from this certificate.
2. The CA issues certificates: a party applies to the CA to register a certificate. The CA computes the digest of the certificate contents, signs it with the CA private key, appends this digital signature to the certificate, and issues the certificate to the applicant.
3. The parties obtain and verify certificates:
(1) After obtaining its own certificate or the other party's, a party verifies the signature appended to the certificate with the CA public key (for RSA, decrypting the signature to recover the digest), confirming that the certificate was indeed issued by the CA it trusts.
(2) It recomputes the certificate's digest with the same one-way hash and compares it with the recovered digest, verifying the integrity of the certificate.
(3) It checks the validity period to see whether the certificate is currently valid.
(4) It checks whether the subject name in the certificate is the name of the party it is talking to.
(5) It checks whether the certificate has been revoked (via the CRL, or OCSP).
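The following Go program is an added example, not code from the original article, that carries out the CA steps above with the standard library's crypto/x509 package: it creates a self-signed CA certificate (step 1), issues a server certificate signed by the CA (step 2), and then runs checks (1) to (4) through x509.Certificate.Verify, which validates the issuer signature, the validity period and the expected host name against a trusted root. The host name www.example.com, the CA name "Example Root CA" and the validity windows are constructed for the example. Revocation (check 5) requires fetching a CRL or an OCSP response and is deliberately left out.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newCert signs template with issuerPriv (self-signed when issuer == template)
// and returns the parsed certificate.
func newCert(template, issuer *x509.Certificate, pub *rsa.PublicKey, issuerPriv *rsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, template, issuer, pub, issuerPriv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// BuildPKI creates a self-signed CA (step 1) and issues a server certificate for
// hostname (step 2). It returns the CA certificate and the issued leaf certificate.
func BuildPKI(hostname string, notBefore, notAfter time.Time) (ca, leaf *x509.Certificate, err error) {
	caKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Root CA"}, // constructed name
		NotBefore:             notBefore,
		NotAfter:              notAfter.Add(365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	ca, err = newCert(caTmpl, caTmpl, &caKey.PublicKey, caKey) // self-signed
	if err != nil {
		return nil, nil, err
	}
	leafKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: hostname},
		DNSNames:     []string{hostname}, // the name verifiers will match against
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf, err = newCert(leafTmpl, ca, &leafKey.PublicKey, caKey) // signed by the CA key
	return ca, leaf, err
}

// VerifyLeaf performs checks (1) to (4): the signature chains to the trusted CA,
// the certificate is within its validity period at time now, and the subject name
// matches the peer we expect. Revocation (check 5) is not covered here.
func VerifyLeaf(leaf, ca *x509.Certificate, expectedHost string, now time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:       roots,
		DNSName:     expectedHost,
		CurrentTime: now,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

func main() {
	now := time.Now()
	ca, leaf, err := BuildPKI("www.example.com", now.Add(-time.Hour), now.Add(24*time.Hour))
	if err != nil {
		panic(err)
	}
	fmt.Println("correct host:", VerifyLeaf(leaf, ca, "www.example.com", now))
	fmt.Println("wrong host:  ", VerifyLeaf(leaf, ca, "evil.example.com", now))
	fmt.Println("after expiry:", VerifyLeaf(leaf, ca, "www.example.com", now.Add(48*time.Hour)))
}
```

The first call returns nil; the second fails with a host-name mismatch and the third with an expiry error. A certificate issued by any other CA, even for the same host name, fails as well because its issuer is not in the root pool, which is the property that stops the man-in-the-middle substitution described earlier.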
To summarize the whole communication process:
1. Each party obtains the CA certificate and applies for its own certificate.
2. The two parties negotiate the algorithms to use.
3. The two parties exchange certificates, verify them and obtain each other's public key.
4. The sender encrypts the data and sends it.
5. The receiver receives the data, decrypts it and verifies it.
The details of each step were described above and are not repeated here.
That concludes the basics of encryption and decryption. This is just a personal summary; I hope we can learn from each other!
© 2024 shulou.com SLNews company. All rights reserved.