2025-03-26 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
Plaintext (also called cleartext) is content that is not encrypted and can be read directly. Ciphertext is content that has been processed in a special way and cannot be read directly.
Common encryption methods:
Symmetric encryption
Public key encryption
One-way encryption
Encryption principle: the original text is cut into fixed-size data blocks and encrypted block by block, because character-by-character encryption is too slow. The first block is usually encrypted first, and then the second block. The output for the second block is not simply the second block after encryption; instead, the encrypted result of the first block is combined with the encrypted result of the second block to form the output of the second block. So whenever you have a block and want to restore it, you must also have the previous block in order to perform the XOR operation.
Key exchange (IKE): the DH algorithm. No password is sent during the key exchange. After a calculation, A generates some data and sends it to B, and B likewise generates some data and sends it to A. A and B each take the data received from the other and, after a further calculation, derive the password, and both arrive at the same password.
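The exchange described above, carried through in code as an added example (not from the original article). The modulus is the 768-bit Oakley Group 1 prime from RFC 2409, used here only to keep the listing short; the function names are hypothetical.

```python
import hashlib
import secrets

# Oakley Group 1 prime (RFC 2409), generator 2. 768 bits is small by current
# standards and is used here only to keep the example readable.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A63A3620FFFFFFFFFFFFFFFF",
    16,
)
G = 2


def dh_keypair():
    """Pick a private exponent and compute the value that is sent to the peer."""
    private = secrets.randbelow(P - 3) + 2      # uniform in 2 .. P-2
    public = pow(G, private, P)                 # "some data" sent over the wire
    return private, public


def dh_shared_password(private, peer_public):
    """Combine our private exponent with the peer's value into a 32-byte password."""
    # Reject degenerate values (0, 1, P-1) that would force a predictable result.
    if not 2 <= peer_public <= P - 2:
        raise ValueError("peer value out of range")
    shared = pow(peer_public, private, P)
    raw = shared.to_bytes((P.bit_length() + 7) // 8, "big")
    return hashlib.sha256(raw).digest()         # hash the shared number into a key


if __name__ == "__main__":
    a_private, a_public = dh_keypair()          # A -> B: a_public
    b_private, b_public = dh_keypair()          # B -> A: b_public
    key_a = dh_shared_password(a_private, b_public)
    key_b = dh_shared_password(b_private, a_public)
    print("same password on both sides:", key_a == key_b)
```

Only `a_public` and `b_public` cross the network; the private exponents and the derived password never do.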
Symmetric encryption:
Symmetric encryption combines an encryption algorithm with a password: the encryption algorithm converts the data to be protected, that is, the plaintext, into ciphertext. The algorithm may be public, but only you know the password. For better security, encryption must not rely too much on the algorithm itself, because the algorithm is fixed, and once it is cracked, all ciphertext based on it can be cracked. So the algorithm is important, but the password matters most: the password can be changed, and even if the algorithm is cracked, that is useless if the password is not known. Symmetric encryption uses the same password for both encryption and decryption. Examples: DES (56 bits), AES (128 bits), AES (192 bits), AES (256 bits), 3DES.
Symmetric encryption has a problem: the other side can obtain the algorithm, but what about the password? This is its biggest problem. If the communication involves multiple parties and the same password cannot be used for all of them, you need to keep track of many passwords. So symmetric encryption cannot solve the problem of key exchange. There is also the question of how, when I give you the password, I can be sure that the one receiving it is really you, which is the authentication problem. In addition, if someone intercepts the ciphertext and modifies it, the recipient decrypts incorrect information without knowing it, which is the problem of data integrity.
Public key encryption (asymmetric encryption):
In contrast to symmetric encryption, public key encryption is asymmetric: it generates a public key and a private key. The public key can be given to anyone. A uses B's public key to encrypt, and B uses its own private key to decrypt. This solves the problem of having to keep track of many passwords in symmetric encryption. However, the key length of public key encryption is very long, from 512 bits in the early days to 2048 bits now, so encryption is very slow. For that reason public key encryption is generally not used to encrypt data but to encrypt passwords, and the data itself is still encrypted symmetrically. A generates a password and encrypts the data with it, then encrypts the password with B's public key, and then passes the encrypted password and the data to B. B decrypts the password with its private key and then uses the password to decrypt the data. Common public key encryption algorithms: RSA, DSA, DES, AES
This process also accomplishes key exchange. At the same time, it can authenticate the user's identity, that is, confirm that the person who sent the message is who they claim to be. It works like this: A encrypts with its own private key, and the result can only be decrypted with A's public key. Although anyone can get the public key, once you have decrypted the message with A's public key, you have proved that it was encrypted with A's private key. Only A has A's private key, so this proves that the sender of the message is A. At this point you may think that encrypting data with your own private key is the same as not encrypting it, because the public key can be obtained by anyone. In addition, public key algorithms are slow, and encrypting with the private key is slow too. So another method, one-way encryption, is usually introduced.
One-way encryption:
One-way encryption can ensure data integrity, that is, ensure that encrypted data is not tampered with. It is not an encryption technology but an irreversible fingerprint extraction technology, such as MD5, SHA1, SHA512, CRC32 and so on. So how is tampering detected? A runs one-way encryption over a piece of data to obtain a signature, also known as fingerprint information. But how can we ensure that the fingerprint information itself is not tampered with and regenerated? This is where one-way encryption is combined with public key encryption.
A runs one-way encryption over the data to generate a signature, then encrypts the signature with his own private key and sends it to B. Suppose C intercepts the data, uses A's public key to decrypt the signature, and then tampers with the data. C now wants to encrypt the signature again, but he does not have A's private key, so C can only encrypt the signature with his own private key. When B receives the data, B uses one-way encryption to compute the signature of the data and then uses A's public key to decrypt the encrypted signature that was sent, which obviously fails. If instead C does not tamper with the signature but modifies the data, B uses one-way encryption to compute the data signature and then uses A's public key to decrypt the encrypted signature; the two will not match.
Although the process above does not encrypt the data itself, the combination with asymmetric encryption achieves key exchange, authentication and data integrity. Data privacy, however, is not guaranteed.
So how to achieve data encryption, data integrity and identity authentication at the same time?
The three methods are combined.
A generates the original data, calculates the data signature using one-way encryption (this ensures data integrity), and then encrypts the signature with A's own private key (this ensures authentication).
A chooses another password and uses a symmetric encryption algorithm to encrypt the data and the signature as a whole (this encrypts the data, and symmetric encryption is used because it is fast).
A then uses B's public key to encrypt the password used for symmetric encryption in the second step.
After these three steps are completed, A sends the result to B.
If a third party intercepts the data, it does not have B's private key, so it cannot obtain the password and therefore cannot decrypt the data. These are the steps after B receives the data:
B uses its own private key to decrypt and obtain the password (only B's own private key can decrypt it, which proves that the message was sent to B and accomplishes the key exchange).
B uses the obtained symmetric encryption password to decrypt the data, that is, the raw data and the data signature (data encryption and decryption).
B uses A's public key to decrypt the signature, and then uses the one-way encryption algorithm to calculate the data signature (this implements authentication, because only A's public key can decrypt data encrypted with A's private key).
B compares the decrypted signature with the calculated signature. If they are identical, the data has not been tampered with (data integrity is achieved).
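The send and receive steps above, written out with the Python `cryptography` package as an added example (not code from the original article). RSA-PSS for the signature, AES-256-GCM for the symmetric step and RSA-OAEP for wrapping the password are choices made for this example, and the function names are hypothetical.

```python
import os
from cryptography.exceptions import InvalidSignature, InvalidTag
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

PSS = padding.PSS(mgf=padding.MGF1(hashes.SHA256()),
                  salt_length=padding.PSS.MAX_LENGTH)
OAEP = padding.OAEP(mgf=padding.MGF1(hashes.SHA256()),
                    algorithm=hashes.SHA256(), label=None)
SIG_LEN = 256  # an RSA-2048 signature is always 256 bytes


def new_keypair():
    """Return (private_key, public_key) for one party (RSA-2048)."""
    private = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    return private, private.public_key()


def send(data, a_private, b_public):
    """A's side: sign, encrypt data + signature, wrap the password for B."""
    signature = a_private.sign(data, PSS, hashes.SHA256())   # step 1: hash + A's private key
    password = AESGCM.generate_key(bit_length=256)           # step 2: fresh symmetric password
    nonce = os.urandom(12)
    body = AESGCM(password).encrypt(nonce, signature + data, None)
    wrapped = b_public.encrypt(password, OAEP)               # step 3: password under B's public key
    return wrapped, nonce, body


def receive(message, b_private, a_public):
    """B's side: unwrap, decrypt, verify. Raises ValueError on any failure."""
    wrapped, nonce, body = message
    try:
        password = b_private.decrypt(wrapped, OAEP)          # only B's private key works
        plain = AESGCM(password).decrypt(nonce, body, None)
        signature, data = plain[:SIG_LEN], plain[SIG_LEN:]
        a_public.verify(signature, data, PSS, hashes.SHA256())  # recompute hash, compare
    except (InvalidSignature, InvalidTag) as exc:
        raise ValueError("message rejected") from exc
    return data


if __name__ == "__main__":
    (a_priv, a_pub), (b_priv, b_pub) = new_keypair(), new_keypair()
    msg = send(b"constructed sample message", a_priv, b_pub)
    print(receive(msg, b_priv, a_pub))
```

`receive` rejects a message signed by anyone other than A, a message wrapped for someone other than B, and a message whose encrypted body was altered in transit.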
The process above seems perfect, but in fact there is still a big loophole. A must ask B for the public key before sending to B, and A must trust that the public key belongs to B. But if C intercepts the exchange, gives its own public key to A and claims to be B, then A cannot verify it, and C can still pretend to be A. So the weakest link in the whole process is the exchange of public keys. To solve this problem we need a third party, the CA. The applicant submits its information to the CA for review, the most important part of which is the public key. After approval, the CA generates a certificate and sends it to the applicant. To prevent forgery while the certificate is being sent, the CA calculates the signature of the information submitted by the applicant, encrypts it with its own private key (the CA's own certificate is issued to itself) and sends it to the applicant. The applicant decrypts it with the CA's public key, and if that succeeds, it proves that the certificate was sent by the CA. The signature encrypted by the CA is an electronic signature.
Now, when A wants to communicate with B, A asks B for a certificate (the certificate contains the public key of B, of course, it can also contain both the public key and the private key). A then obtains the CA's public key from the CA and uses it to decrypt the certificate's digital signature and recover the signature. If this succeeds, it proves that the certificate was issued by the CA and has not been tampered with. But the earlier problem returns: A asks the CA for its public key, so what if someone pretends to be the CA? The answer is that the public keys of the world's well-known CAs are built into the operating system. As long as you obtain a legitimate system through official channels, the public keys it contains are genuine and reliable.
PKI (Public Key Infrastructure): public key infrastructure, the mechanisms for issuing and revoking public keys.
The above are all concepts; the software commonly used to implement them is openssl and gpg.