2025-01-19 Update From: SLTechnology News&Howtos shulou
Shulou(Shulou.com)06/01 Report--
In the early days of the Internet there were few hosts and few applications, so the early protocols did not take data security into account: data was transmitted across the network in clear text, which is very insecure. With the rapid growth of the Internet, more and more hosts were connected, and network security problems appeared one after another. So how can data be transmitted securely over the Internet? Encryption technology plays a central role here.
To address this, ISO (International Organization for Standardization) defined the X.800 security framework, whose basic structure is as follows:
Security attacks:
  Passive attacks: eavesdropping on data
  Active attacks: masquerade, modification of messages, deletion of messages, replay of messages
Security service mechanisms:
  Authentication: verify that the sender of a message is who it claims to be
  Access control: only authorized users are allowed to access a resource
  Data confidentiality:
    Connection confidentiality: confidentiality of a whole data stream (e.g. a TCP connection)
    Connectionless confidentiality: encryption of individual packets (e.g. UDP)
    Selective-field confidentiality: encryption of only some fields within a data stream or packet
    Traffic-flow confidentiality: concealing the volume of real data sent over the Internet
  Data integrity: ensure that the data is not changed without authorization on its way from the sender to the receiver of a message
  Non-repudiation: once a communication has taken place, neither party can deny it
Since most encryption algorithms are public, encrypting data with an algorithm alone gives no security. Current encryption algorithms therefore take a key as an additional input when encrypting the data, so that the security of the data rests on the secrecy of the key rather than of the algorithm.
Data encryption process:
Data decryption process:
Implementing the security service mechanisms above requires algorithms, and the main types are as follows:
Symmetric encryption:
  Feature: the same key is used for encryption and decryption.
  Advantage: encryption is fast.
  Disadvantage: a user who needs to communicate securely with many users must maintain many keys (one per peer).
Public key encryption (asymmetric encryption):
  Features: encryption and decryption use a pair of keys (public key, private key); the public key is derived from the private key.
    Data encrypted with the public key can only be decrypted with the paired private key.
    Data encrypted with the private key can only be decrypted with the paired public key.
    The public key is public: anyone can obtain and use it.
    The private key is not public; only its holder can use it.
  Common algorithms: rsa, dsa
  Advantage: only one key pair needs to be maintained to communicate securely with many users.
  Disadvantage: encryption is slow, so it is not used for large amounts of data.
One-way encryption:
  Features: encryption only, no decryption; used to extract a signature (digest) of the data.
  Fixed-length output: no matter how large the input is, the output signature has a fixed length.
  Avalanche ("butterfly") effect: a small change in the input causes a large change in the output signature.
  md5 (128 bit), sha1 (160 bit), sha192, sha256, sha384, sha512
The security communication model commonly used on the Internet today:
The sender performs the following steps when sending data (corresponding to 1, 2 and 3 on the sender side in the figure above):
1. The sender uses a one-way encryption algorithm to extract the signature of the data to be transmitted securely, encrypts the signature with its own private key, and appends it to the end of the data.
2. The sender generates a one-time key for a symmetric encryption algorithm, then uses that algorithm and key to encrypt the data together with the encrypted signature into ciphertext.
3. The sender encrypts the symmetric key used in the previous step with the receiver's public key and appends it to the ciphertext; the result can then be transmitted over the Internet.
The receiver performs the following steps after receiving the data (corresponding to 1, 2 and 3 on the receiver side in the figure above):
1. The receiver decrypts the encrypted symmetric key with its own private key. (If it can be decrypted, the confidentiality of the data is verified.)
2. With the recovered symmetric key, the receiver uses the same symmetric algorithm as the sender to decrypt the ciphertext, obtaining the data and the encrypted signature.
3. The receiver uses the same one-way algorithm as the sender to extract the signature of the decrypted data, then decrypts the encrypted signature obtained in the previous step with the sender's public key (if it can be decrypted, the identity of the sender is verified) and compares the two signatures. (If they match, the integrity of the data is verified.)
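The sender/receiver model above, driven end to end with the openssl command-line tool, as an added example that is not part of the original article. The key files, file names, the sample message and the choice of SHA-256, AES-256-CBC and RSA-2048 are assumptions made here; the 256-byte signature length follows from the 2048-bit RSA key.

```shell
#!/bin/sh
# Added example (not from the original article): the three sender steps and the
# three receiver steps, run with the openssl CLI in a scratch directory.
set -e
WORK=$(mktemp -d); cd "$WORK"
printf 'transfer 100 to account 42\n' > msg.txt     # constructed sample data

# One-time setup: each side owns an RSA key pair and holds the other's public key.
openssl genrsa -out sender.pri 2048 2>/dev/null
openssl rsa -in sender.pri -pubout -out sender.pub 2>/dev/null
openssl genrsa -out receiver.pri 2048 2>/dev/null
openssl rsa -in receiver.pri -pubout -out receiver.pub 2>/dev/null

sender_send() {
  # Step 1: hash the data and encrypt the hash with the sender's private key
  # (an RSA signature); the 256-byte signature is appended to the data.
  openssl dgst -sha256 -sign sender.pri -out msg.sig msg.txt
  cat msg.txt msg.sig > bundle
  # Step 2: one-time symmetric key (and IV), then AES-256-CBC over data + signature.
  KEY=$(openssl rand -hex 32); IV=$(openssl rand -hex 16)
  printf '%s %s\n' "$KEY" "$IV" > session.key
  openssl enc -aes-256-cbc -K "$KEY" -iv "$IV" -in bundle -out bundle.enc
  # Step 3: encrypt the symmetric key with the receiver's public key.
  openssl pkeyutl -encrypt -pubin -inkey receiver.pub -in session.key -out session.key.enc
  rm -f session.key bundle      # only bundle.enc and session.key.enc travel
}

receiver_recv() {
  # Step 1: recover the symmetric key with the receiver's private key.
  openssl pkeyutl -decrypt -inkey receiver.pri -in session.key.enc -out recv.key
  read -r KEY IV < recv.key
  # Step 2: decrypt data + signature with the recovered key, then split them.
  openssl enc -d -aes-256-cbc -K "$KEY" -iv "$IV" -in bundle.enc -out recv.bundle
  total=$(wc -c < recv.bundle)
  head -c "$((total - 256))" recv.bundle > recv.txt
  tail -c 256 recv.bundle > recv.sig
  # Step 3: re-hash the data and check it against the signature with the sender's
  # public key; a non-zero exit means the sender or the data cannot be trusted.
  openssl dgst -sha256 -verify sender.pub -signature recv.sig recv.txt >/dev/null
}

sender_send && receiver_recv && echo "signature verified and data intact"
```

Note that with a tampered or corrupted bundle.enc the receiver's final step exits non-zero, which is the integrity check the article's step 3 describes.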
Having described one-way, symmetric and asymmetric encryption, how are these algorithms actually put to use, and is there a reliable tool for them? On Linux there is an easy-to-use open source package that implements all of the above: openssl. It is introduced below.
Components of openssl:
/usr/bin/openssl: the multi-purpose openssl command-line tool
/usr/lib64/libcrypto.so.10: library through which third-party software implements data encryption with openssl
/usr/lib64/libssl.so.10: library through which third-party software implements SSL with openssl
Concrete applications of openssl
Get help with the openssl tool:
[root@localhost ~]# openssl help
openssl:Error: 'help' is an invalid command.    # the error on this line can be ignored

Standard commands
asn1parse ca ciphers cms crl crl2pkcs7 dgst dh dhparam dsa dsaparam ec ecparam enc engine errstr gendh gendsa genpkey genrsa nseq ocsp passwd pkcs12 pkcs7 pkcs8 pkey pkeyparam pkeyutl prime rand req rsa rsautl s_client s_server s_time sess_id smime speed spkac ts verify version x509

Message Digest commands (see the `dgst' command for more details)
md2 md4 md5 rmd160 sha sha1

Cipher commands (see the `enc' command for more details)
aes-128-cbc aes-128-ecb aes-192-cbc aes-192-ecb aes-256-cbc aes-256-ecb base64 bf bf-cbc bf-cfb bf-ecb bf-ofb camellia-128-cbc camellia-128-ecb camellia-192-cbc camellia-192-ecb camellia-256-cbc camellia-256-ecb cast cast-cbc cast5-cbc cast5-cfb cast5-ecb cast5-ofb des des-cbc des-cfb des-ecb des-ede des-ede-cbc des-ede-cfb des-ede-ofb des-ede3 des-ede3-cbc des-ede3-cfb des-ede3-ofb des-ofb des3 desx idea idea-cbc idea-cfb idea-ecb idea-ofb rc2 rc2-40-cbc rc2-64-cbc rc2-cbc rc2-cfb rc2-ecb rc2-ofb rc4 rc4-40 seed seed-cbc seed-cfb seed-ecb seed-ofb zlib
One-way encryption (extracting a file signature):
Usage: openssl dgst [-md5|-md4|-md2|-sha1|-sha] [file...]
Example:
[root@localhost ~]# openssl dgst -md5 /etc/passwd
MD5(/etc/passwd)= cde0b986a93a765834fe7183e53dc16d
# dgst: tells the openssl tool to extract a file signature (digest)
# -md5: use the MD5 algorithm for the signature
Symmetric encryption:
Usage: openssl enc -ciphername [-in filename] [-out filename]
Example:
[root@localhost ~]# openssl enc -des3 -in /etc/passwd -out /tmp/passwd.enc
enter des-ede3-cbc encryption password:
Verifying - enter des-ede3-cbc encryption password:
# enter a password to encrypt the file
[root@localhost ~]# file /etc/passwd
/etc/passwd: ASCII text              # plaintext
[root@localhost ~]# file /tmp/passwd.enc
/tmp/passwd.enc: data                # ciphertext
[root@localhost ~]# openssl enc -des3 -in /tmp/passwd.enc -out /tmp/passwd.2 -d
enter des-ede3-cbc decryption password:
# enter the password used for encryption to decrypt the file
[root@localhost ~]# file /tmp/passwd.2
/tmp/passwd.2: ASCII text            # plaintext
Generate the private key of an asymmetric key pair (since asymmetric keys are not normally used to encrypt bulk data, encrypting data with them is not described here):
Usage: openssl genrsa [-out filename] [numbits]
Example:
[root@localhost ~]# openssl genrsa -out /tmp/key.pri 2048
Generating RSA private key, 2048 bit long modulus
......+++
......+++
e is 65537 (0x10001)
Extract the corresponding public key from the private key:
Usage: openssl rsa [-in filename] [-pubout] [-out filename]
Example:
[root@localhost ~]# openssl rsa -in /tmp/key.pri -pubout -out /tmp/key.pub
writing RSA key
Generate random numbers:
Usage: openssl rand [-hex] num
-hex: output the random bytes in hexadecimal
Example:
[root@localhost tmp]# openssl rand -hex 6
d13a62e6cdb0