2025-01-19 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
I still remember the first time I paid for something online after registering a Taobao account. After choosing the goods I clicked "pay", the browser jumped to a link beginning with "https", and I entered my bank card's payment password to complete the purchase. At the time all I knew was that a link beginning with https was an encrypted, secure link, and that the password I typed on that page was transmitted as ciphertext, so it could not be sniffed on the way.
Today I have some understanding of the computing knowledge and working principles behind an https secure link, but I have never organised it systematically. The notes below are my attempt to comb through this area while learning and recording.
I. Goals of secure communication
1.1 Confidentiality of data
Confidentiality means preventing data from being read by anyone who is not authorised. The sender and receiver therefore agree on an encryption mechanism and encrypt the data with it, so what actually crosses the network is ciphertext.
1.2 Integrity of data
Integrity means preventing unauthorised modification of the data, or at the very least providing a mechanism by which the receiver can detect that the data was modified in transit.
1.3 Availability of data
Availability mainly concerns the service provider. Under a denial-of-service (DoS) attack the server's resources are exhausted, so the service degrades or becomes unreachable altogether. Encryption does not help here; availability is protected by capacity, rate limiting and filtering rather than by the cryptography discussed below.
II. Security protocols
2.1 SSL
SSL (Secure Sockets Layer) is a protocol for exchanging data securely between a web browser and a server. It went through three versions, v1, v2 and v3. SSL v3 was for a long time the version in common use, but SSL v2 and v3 are both broken (v3 by the POODLE attack) and have been formally prohibited (RFC 6176 and RFC 7568); no current browser or server should still accept them.
2.2 TLS
TLS (Transport Layer Security) is the IETF successor to SSL. TLS 1.0 is closely based on SSL v3 (though not interoperable with it), which is why the two are often lumped together as "SSL/TLS"; it was followed by TLS 1.1, TLS 1.2 and TLS 1.3. TLS 1.0 and 1.1 are deprecated (RFC 8996); TLS 1.2 and TLS 1.3 are the versions that should be enabled today.
In the Internet model, SSL/TLS sits between the application layer and the TCP layer. Application data is no longer handed directly to the transport layer; it goes to the SSL/TLS layer, which encrypts and authenticates it, and only then is it passed down to TCP for transmission. HTTPS is simply HTTP carried over such a TLS connection.
III. Encryption methods
3.1 Symmetric encryption (ensures confidentiality: plaintext is turned into ciphertext that cannot be read without the key)
Encryption and decryption use the same key: whoever holds the encryption key also holds the decryption key. Symmetric ciphers are fast and are what actually protects bulk data. Their weak point is the key itself: it must be generated from a good random source, kept secret by both parties and, above all, delivered to the other side without being intercepted, which is the key-distribution problem that asymmetric encryption (3.2) solves. Note also that a symmetric cipher on its own gives confidentiality only; integrity needs a MAC (3.3) or an authenticated mode such as AES-GCM.
3.1.1 DES (Data Encryption Standard). A 16-round Feistel block cipher with a 64-bit block and a 56-bit key; the cyclic shifts in its key schedule are where the "rotation" description often attached to it comes from. A 56-bit key can be brute-forced with modest hardware, so DES is obsolete.
3.1.2 3DES (Triple DES). A variant that applies DES three times with three keys, raising the nominal key length from 56 to 168 bits. Because of meet-in-the-middle attacks its effective strength is about 112 bits, and NIST has deprecated it for new use.
3.1.3 AES (Advanced Encryption Standard). The current standard block cipher: a 128-bit block with 128-, 192- or 256-bit keys. It is the symmetric cipher to choose today, normally in an authenticated mode such as AES-GCM.
3.2 Asymmetric encryption (protects the symmetric key during key exchange and proves identity)
An asymmetric system uses a key pair: a public key (publickey) and a private key (privatekey). The public key can be published freely; the private key stays with its owner and must never be exposed. The public key is derived from the private key, but the private key cannot feasibly be recovered from the public key. The pair works in two directions. Data encrypted with the public key can only be decrypted with the matching private key, which gives confidentiality. Conversely, a value produced with the private key, a digital signature, can be checked by anyone holding the public key, which gives authentication; this is loosely described as "encrypting with the private key", but real signature schemes are distinct operations, not encryption run backwards. Asymmetric algorithms rest on hard mathematical problems (integer factoring, the discrete logarithm, the elliptic-curve discrete logarithm) and are orders of magnitude slower than symmetric ciphers, so they are not used to encrypt bulk data. Their main job is to exchange the key of a symmetric algorithm: once the symmetric key has been delivered under asymmetric protection, both sides switch to symmetric encryption for the actual traffic.
3.2.1 Asymmetric algorithms
RSA: supports both encryption (key transport, e.g. RSA-OAEP) and signatures (RSA-PSS).
DSA: signatures only; it is the algorithm defined by the DSS.
DSS: the Digital Signature Standard (FIPS 186), the NIST standard that specifies DSA and, in later revisions, RSA and ECDSA signatures.
ECC: elliptic-curve cryptography, a family rather than a single algorithm; ECDSA for signatures and ECDH for key agreement, with much shorter keys than RSA for the same strength.
3.3 One-way functions: cryptographic hashes and MACs (ensure integrity)
What is usually called "one-way encryption" is a cryptographic hash function. It maps input of any length to a fixed-size digest, and the mapping only goes one way: given the digest there is no practical way to recover the input, nor to find a second input with the same digest. Nothing is ever "decrypted"; integrity is checked by recomputing the digest and comparing.
3.3.1 Algorithms
MD5: 128-bit digest; collisions can be generated at will, so it must not be used where collision resistance matters (signatures, certificates).
SHA-1: 160-bit digest; practical collisions were demonstrated in 2017, so it is likewise retired for signatures.
SHA-256, SHA-512 (the SHA-2 family) and SHA-3: current choices.
HMAC: not a hash but a message authentication code built from a hash and a shared secret key (e.g. HMAC-SHA256). A bare hash proves nothing about origin, because an attacker who changes the data can simply recompute it; HMAC binds the digest to the key, so only a key holder can produce a valid tag. Older TLS cipher suites protect each record with HMAC; TLS 1.3 uses authenticated encryption (AEAD) instead.
3.3.2 Properties of a cryptographic hash
Fixed-length output: however large the input, the digest has a fixed length (32 bytes for SHA-256).
Avalanche effect: changing even one bit of the input changes roughly half of the output bits, so the digests of two similar inputs look unrelated.
One-wayness and collision resistance: it is infeasible to find an input matching a given digest, or two inputs with the same digest; these are the properties MD5 and SHA-1 have lost.
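The properties above made concrete, as an added example that is not from the original article. The Go program below uses only the standard library: it shows that SHA-256 returns 32 bytes for an empty input and for a megabyte of input, counts how many digest bits flip when a single input bit is flipped, and then contrasts a bare hash with HMAC-SHA256 by showing that a tag verifies only under the right key and the unmodified message. The sample message and key are constructed for the example; a real key would be random and at least 32 bytes.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"fmt"
	"math/bits"
)

// DigestLen hashes msgSize zero bytes (constructed input) and returns the digest
// length: always 32 bytes for SHA-256, whether the input is empty or a megabyte.
func DigestLen(msgSize int) int {
	sum := sha256.Sum256(make([]byte, msgSize))
	return len(sum)
}

// DifferingBits flips the lowest bit of the first byte of msg and counts how
// many of the 256 digest bits change. For a good hash about half (128) do,
// whatever the message; this is the avalanche effect.
func DifferingBits(msg []byte) int {
	if len(msg) == 0 {
		return 0
	}
	flipped := append([]byte(nil), msg...)
	flipped[0] ^= 0x01
	a, b := sha256.Sum256(msg), sha256.Sum256(flipped)
	n := 0
	for i := range a {
		n += bits.OnesCount8(a[i] ^ b[i])
	}
	return n
}

// Tag computes HMAC-SHA256 over msg under a shared secret key. A plain digest
// can be recomputed by anyone who alters the data; the key is what stops that.
func Tag(key, msg []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(msg)
	return m.Sum(nil)
}

// Verify recomputes the tag and compares in constant time, so timing does not
// leak how many leading bytes of a forged tag happened to be right.
func Verify(key, msg, tag []byte) bool {
	return hmac.Equal(Tag(key, msg), tag)
}

func main() {
	fmt.Println("digest length for 0 and 1 MiB of input:", DigestLen(0), DigestLen(1<<20))
	msg := []byte("transfer 100.00 to account 42") // constructed sample
	fmt.Println("bits changed by a one-bit input change:", DifferingBits(msg))
	key := []byte("shared-secret-key") // constructed; a real key is random, >= 32 bytes
	tag := Tag(key, msg)
	fmt.Printf("tag: %x\n", tag)
	forged := []byte("transfer 900.00 to account 42")
	fmt.Println("original verifies:", Verify(key, msg, tag), "| altered verifies:", Verify(key, forged, tag))
}
```

The constant-time comparison in Verify is not decoration: comparing tags with a plain byte loop that stops at the first mismatch lets an attacker forge a tag byte by byte by measuring response times.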
In practice these three mechanisms are rarely used alone; they are combined to obtain confidentiality, integrity and authentication at once. A complete exchange between two parties who each hold their own key pair and the other side's public key looks like this:
Sender:
1. The sender computes a digest of the source data with the chosen hash function.
2. The sender signs that digest with its own private key and appends the signature to the source data.
3. The sender generates a fresh one-time symmetric key and encrypts the bundle (source data + signature) with it.
4. The sender encrypts the one-time symmetric key with the receiver's public key and appends the result to the encrypted bundle.
5. The message is ready and is sent.
Recipient:
1. The recipient decrypts the encrypted key with its own private key (the one paired with the public key the sender used) and obtains the one-time symmetric key.
2. The recipient decrypts the bundle with the one-time symmetric key and obtains the source data plus the signature.
3. The recipient recomputes the digest of the source data with the same hash function the sender used.
4. The recipient verifies the signature against that digest using the sender's public key. If it verifies, the data is intact and really came from the holder of the sender's private key; otherwise the data is not to be trusted.
Two points this sketch leaves out. The one-time key, and the nonce of the symmetric cipher, must never be reused. And recipient step 4 only proves what it claims if the recipient holds an authentic copy of the sender's public key; binding a public key to an identity is the job of certificates and certificate authorities, which is exactly what the browser is checking when it shows the padlock on an https page.
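The sender and recipient steps above, carried out in working code, as an added example that is not from the original article. It also serves as the worked illustration for sections 3.1 and 3.2: it uses Go's standard library with SHA-256 for the digest, RSA-PSS for the signature, a random AES-256 key in GCM mode for the bundle and RSA-OAEP to wrap that key for the receiver. The 2048-bit key size, the Envelope layout, the function names and the sample message are all assumptions of the example.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope is the on-the-wire form: the one-time AES key wrapped with the
// receiver's RSA public key, the GCM nonce, and the ciphertext of msg||signature.
type Envelope struct {
	WrappedKey []byte
	Nonce      []byte
	Ciphertext []byte
}

// NewKeyPair makes a 2048-bit RSA key pair (assumed size); both parties need one.
func NewKeyPair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// Seal carries out the sender's steps 1-4.
func Seal(msg []byte, senderPriv *rsa.PrivateKey, receiverPub *rsa.PublicKey) (*Envelope, error) {
	// Steps 1-2: digest the message and sign the digest with the sender's private key.
	digest := sha256.Sum256(msg)
	sig, err := rsa.SignPSS(rand.Reader, senderPriv, crypto.SHA256, digest[:], nil)
	if err != nil {
		return nil, err
	}
	// Step 3: a fresh one-time AES-256 key; GCM gives confidentiality and integrity.
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh per message, never reused with a key
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	bundle := append(append([]byte{}, msg...), sig...)
	ct := gcm.Seal(nil, nonce, bundle, nil)
	// Step 4: wrap the one-time key for the receiver with RSA-OAEP.
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, receiverPub, key, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// Open carries out the recipient's steps 1-4 and returns the message only if
// both the authenticated decryption and the signature check succeed.
func Open(env *Envelope, receiverPriv *rsa.PrivateKey, senderPub *rsa.PublicKey) ([]byte, error) {
	// Step 1: unwrap the one-time key with the receiver's private key.
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, receiverPriv, env.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("cannot unwrap session key")
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	// Step 2: decrypt; GCM refuses a ciphertext that was modified in transit.
	bundle, err := gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
	if err != nil {
		return nil, errors.New("ciphertext tampered or wrong key")
	}
	// An RSA-PSS signature is exactly the modulus size, so it can be split off.
	sigLen := senderPub.Size()
	if len(bundle) < sigLen {
		return nil, errors.New("bundle too short")
	}
	msg, sig := bundle[:len(bundle)-sigLen], bundle[len(bundle)-sigLen:]
	// Steps 3-4: recompute the digest and verify the signature with the sender's public key.
	digest := sha256.Sum256(msg)
	if err := rsa.VerifyPSS(senderPub, crypto.SHA256, digest[:], sig, nil); err != nil {
		return nil, errors.New("signature does not verify: not from the claimed sender")
	}
	return msg, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	sender, _ := NewKeyPair()
	receiver, _ := NewKeyPair()
	msg := []byte("order 1234: pay 99.00 to merchant") // constructed sample message
	env, _ := Seal(msg, sender, &receiver.PublicKey)
	got, err := Open(env, receiver, &sender.PublicKey)
	fmt.Printf("recipient got %q (err=%v)\n", got, err)
	env.Ciphertext[0] ^= 1 // an attacker flips one bit in transit
	_, err = Open(env, receiver, &sender.PublicKey)
	fmt.Println("after tampering:", err)
}
```

Because AES-GCM is an authenticated mode, a modified ciphertext is already rejected at recipient step 2, before the signature is looked at; the signature's job is then to prove who sent the message, and it fails if the recipient checks it against anyone else's public key.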
PS: text alone is hard to remember, so I have uploaded the notes I made with XMind; see the attachment.
Attachment: http://down.51cto.com/data/2365219