Shulou(Shulou.com)06/01 Report--

This article mainly introduces the example analysis of security and encryption in the Internet, the article is very detailed, has a certain reference value, interested friends must read it!

Security and encryption security mechanism Information security protection target confidentiality Confidentiality integrity Integrity availability Usability controllability Controlability non-repudiation Non-repudiation security protection link physical security: various devices / hosts, computer room environment system security: host or device operating system application security: various network services, application network security: network access control, Firewall rules data security: backup and recovery of information, encryption and decryption management security: various guaranteed specifications, processes, methods security: STRIDESpoofing fake e-mail pretending to be telnet 127.0.0.1 25 port as mail work port The connected software is Postfix, listening to ESMTP, corresponding to 25-port helo magedu.com mail from (to whom to send): mayun@alibaba.com rcpt to (to whom): wang data (content) to. End the dig command to do name resolution-t can find the address of the mail server The type of e-mail address is mx example: dig-t mx 163.com telnet 163mx00.mxmail.netease.com 25 can connect NetEase mailbox Tampering tamper Repudiation deny Information Disclosure information disclosure (password disclosure) Denial of Service denial of service Elevation of Privilege enhance the basic principles of security design so that the use of mature security systems to enter data with petty heart external systems are insecure minimum authorization to reduce external interface defaults Using security mode is not plausible from the perspective of STRIDE check your system security algorithm from management common security technology authentication authorization audit secure communication encryption algorithm and protocol symmetrical encryption public key encryption one-way encryption authentication algorithm symmetrical encryption: encryption and decryption using the same key key1==key2data Ming Text-> encryption (key1)-> data' ciphertext-> (key2)-- > data DES:Data Encryption Standard 56bits (key length 56 bits, 7 bytes, phased out, not quite. 3DES: encrypt DES three times AES:Advanced (128,192, 256bits) Blowfish,Twofish commercial IDEA,RC6,CAST5 features: 1, encrypt and decrypt using the same key, efficient 2, divide the original data into fixed-size blocks One by one encryption defects: 1, too many keys 2, key distribution 3, data source can not confirm asymmetric encryption algorithm key1! = key2 public key encryption: key is paired public key: open to everyone Public key private key: keep it by yourself, you must keep it private; secret key features: encrypt data with public key, and can only decrypt it with paired private key And vice versa: digital signature: mainly to let the receiver confirm the identity of the sender symmetric key exchange: the sender encrypts a symmetric key with the other party's public key and then sends it to the other party for data encryption: suitable for encrypting smaller data shortcomings: key length, encryption and decryption inefficient algorithm: RSA (encryption) Digital signature) DSA (digital signature) ELGamal asymmetric encryption public key public key: public secret (private) key private key: private based on a pair of public key / key pairs encrypted with one of the key pairs, the other decrypted to achieve encryption: the receiver generates a public key / key pair: P and S public key P The secret key S sender uses the receiver's public key to encrypt the message M sends P (M) to the receiver and uses the key S to decrypt: masks (P (M)) alice (Pa,Sa)-- > bob (Pb,Sb) the public key and private key are used in pairs, the public key and private key of alice are used in pairs, and the public and private keys of bob are encrypted with a corresponding public key in pairs. It must be decrypted with the corresponding pair of private keys. Conversely, if it is encrypted with the corresponding private key, it must be decrypted with a pair of public keys. Understand: if it is encrypted with the public key of alice (Pa), it must be decrypted with the private key of alice (Sa). If it is encrypted with the private key of alice (Sa). You must use alice's public key (Pa) to decrypt asymmetric encryption to achieve digital signature: private key encryption = digital signature (confirm data source) the sender generates a public key / key pair: P and S public key P The secret key S uses the key S to encrypt the message M to the receiver S (M) the receiver uses the sender's public key to decrypt rpm P (S (M)) combined with signature and encryption separation signature rpm-K / misc/cd/Packages/tree-1.6.0-10.e17.x86.64.rpm checks whether the data source is secure and each company publishes the package with a digital signature. Private key encryption is performed. If you want to determine the data source of the package, you must use the public key to decrypt and verify which company issued the package. The system does not have a public key by default. Need to import rpm-- import / misc/cd/RPM-GPG-KEY-CentOS-7 after importing the public key to obtain the public key, you can verify the digital signature of the package / when gpgcheck=1 installs a package in the etc/yum.repos.d/base.repo yum source configuration file, verify the number of subsignatures of the package. If 0, the path of the key is not checked to be written into the configuration file. When you install the package for the first time, There are two ways to import the public key: 1. Rpm-- import import the public key 2. In the gpgkey source configuration file, add gpgkey path RSA and DSARSA: the public key encryption algorithm was developed by Ron Rivest, Adi Shamirh and LenAdleman (Massachusetts Institute of Technology) in 1977. RSA was named after the development of their names, and later established RSA data Security Co., Ltd. RSA is the most influential public key encryption algorithm, which can resist all the known passwords so far, and has been recommended as the public key data encryption standard by ISO. The RSA algorithm is based on a very simple number theory fact: it is very easy to multiply two large primes, but it is extremely difficult to decompose the product at that time, so the product can be disclosed as the encryption key DSA (DigitalSignature Algorithm): submitted on July 26th, 1991, and belongs to the former NSA employee of David W. Kravitz. DSA is a variant of the Schnorr and ElGamal signature algorithms and is regarded as SS (DigitalSignature Standard) by NIST in the United States. DSA is based on the discrete logarithm problem of integer finite fields, and its security is similar to that of RSA. DSA is just an algorithm, which is different from RSA in that it can not be used for encryption and decryption, nor can it exchange keys, but only for signatures. It is much faster than RSA. DSA can only achieve digital signatures, but can not achieve data encryption one-way hash (one-way hash algorithm) to reduce arbitrary data to a fixed size "fingerprint" any length input fixed length output if you modify the data. Fingerprint can also change ("no conflict") unable to regenerate data from fingerprint ("one-way") function: common algorithms for data integrity md5: 128bits, sha1: 160bits, sha224, sha256, sha384, sha512 common tools md5sum | sha1sum [--check] file md5sum fstab > fstab.md5 md5sum-checkfstab.md5 detect MD5 value openssl, Gpg rpm-V check whether the packet has been modified hash (data) = > digest digest summary obtained by hash algorithm Irreversible push back data, if the one-way data is unchanged, the summary digest obtained through hash is also fixed. If the data changes, the summary will change the conclusion: the data is different, the summary must be the same, the summary must be the same fixed hash algorithm, the summary is also fixed size (length) md5 128bit data different 128bit values different hash algorithms are often used to check data integrity Check whether the data has been changed for digital signature

The original file uses hash operation (md5) to get the digital digest (hash value) of 128bit, uses the hash value encrypted by Sa to form a digital signature, appends the original text to the back, gets the complete new file generated by Pb encryption, gets the ciphertext, sends it to the other party to ensure that it cannot be intercepted by a third party, and confirms that the data source uses Sb to decrypt the received ciphertext. Get the digital signature and the original file to do the hash operation (md5) on the original file, get the digital digest of 128bit and decrypt the digital signature using Pa, and get the digital digest sent to see if the two digests are consistent, so that the original text is not tampered with, that is, the secure transmission of the data, and the confirmation of the data source is realized with three algorithms: symmetrical encryption, asymmetric encryption, and one-way hashing. Implement encryption key {data + Sa [hash (data)]} + Pb (key) = = > do the hash operation to get the digital digest (digest) # one-way hash hash algorithm uses the private key of a to digest (digest) as the digital signature # asymmetric encryption algorithm encrypts the original data and digital signature using symmetric encryption algorithm Using the public key of b for encryption, the other party can use Sb to unlock the symmetric key. Get data applications in symmetric keys: two implementations of RPM file integrity installed files MD5 one-way hash rpm--verify package_name (or-V) software package file GPG public key signature rpm--import / etc/pki/rpm-gpg/RPM-GPG-KEY-redhat* rpm--checksig pakage_file_name (or-K) key exchange key Exchange: IKE (Internet Key Exchange) Public key encryption: DH (Deffie-Hellman): generate session key Published by Whitfield Diffy (Bailey Whitfield Diffie) and Martin Herman (Martin Edward Hellman) in 1976, see: https://en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exchangeDH https://en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exchangeDH 1 > A: GMagne p negotiates to generate open integers g, large prime p B: G dome p2 > A: generate private data: a (aA: calculate [(g ^ b% p) ^ a]% p = g ^ AB% p Generate a key B: calculate [(g ^ a% p) ^ b]% p = g ^ AB% p, generate it as a key, use gpg to achieve symmetrical encryption, symmetrically encrypt file files, gpg-c file, encrypt files, ls file.gpg generate encrypted files, decrypt file gpg-o file-d file.gpg on another host, use gpg tools to achieve public key encryption on hostB hosts. Decrypt on hostA host generate public / private key pair gpg on hostA host-- gen-key view public key gpg on hostA host-- list-keys export public key on hostA host to wang.pubkey gpg-a-- export-o wang.pubkey copy public key file from hostA host to host B that needs to be encrypted scp wang.pubkey hostB: use gpg tool to implement public key encryption on hostB host that needs to encrypt data Generate a public key / private key pair gpg-- list-keys gpg-- gen-key import the public key gpg-- import wang.pubkey gpg-- list-keys on the hostB host using the public key imported from the hostA host Encrypt the file file of the hostB host, generate file.gpg gpg-e-r wangxiaochun file file file.gpg, use the gpg tool to realize the public key encryption, copy the encrypted file to the hostA host scp fstab.gpg hostA: decrypt the file gpg-d file.gpg gpg-o file-d file.gpg in the hostA host, delete the public key and private key gpg-- delete-keys wangxiaochun gpg-- delete-secret-keys wangxiaochun middleman

CA and Certificate PKI:Public Key Infrastructure Visa Authority: CA (Certificate Authority) Registration Authority: RAc intermediary He will help you submit the requested certificate to the real CA certificate revocation list: CRL certificate access library: X.509: defines the structure of the certificate and the authentication protocol standard version number, principal public key serial number, CRL distribution point signature algorithm to extend the issuer signature validity period Certificate type limited to principal name: certificate server of certificate authority user certificate two ways to obtain certificate: use certificate authority to generate certificate request (csr) send certificate request csr to CA CA to sign and issue certificate self-signed certificate has issued its own public key

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.