

Explore the behind-the-scenes SSL Cryptography

2025-01-20 Update. From: SLTechnology News&Howtos (Servers)


Shulou (Shulou.com) 06/02 Report

I. Background

SSL (Secure Sockets Layer) is a standard security technology for establishing an encrypted link between a server and a client, typically between a web server (website) and a browser, or between a mail server and a mail client. Its successor is TLS (Transport Layer Security); today's deployments negotiate TLS 1.2 or 1.3, but "SSL certificate" remains the everyday name. By installing an SSL certificate, a website can transmit sensitive information such as ID card numbers and mobile phone numbers without exposing it to anyone on the network path.

To establish a secure connection, then, browsers and servers need SSL certificates. But how does SSL actually encrypt data, and why can an eavesdropper not simply decrypt it? Let's explore the technology behind SSL encryption.

SSL combines asymmetric and symmetric keys, and the interesting part is how the two work together to create an encrypted connection. The algorithms involved rest on mathematical problems for which no practical attack is known; "uncrackable" in practice means that breaking them would take far longer than the protected data stays valuable.

II. Asymmetric encryption

Asymmetric (public key) encryption uses two mathematically related keys, a public key and a private key, generated as a pair. Data encrypted with the public key can be decrypted only with the matching private key. The reverse operation, applying the private key to data so that anyone holding the public key can verify the result, is what produces a digital signature; it proves origin rather than hiding content. Anyone may hold the encryption key (the public key), while the decryption key (the private key) stays secret, so only the intended recipient can read the message. The most common asymmetric algorithm is RSA, described later.

Asymmetric keys are much longer than symmetric ones: the RSA keys used with SSL certificates today are 2048 bits. Keys shorter than 2048 bits (1024-bit RSA in particular) are no longer considered secure and are no longer issued by public CAs. 2048 bits is the current minimum rather than the only acceptable size; 3072- and 4096-bit keys are valid and used where a longer security margin is wanted, at the cost of slower key generation, signing and decryption, which is why they are less common. Elliptic curve keys (see below) reach comparable strength at 256 bits. Factoring a 2048-bit RSA modulus with known classical algorithms is far beyond the reach of any computer, so brute-force recovery of the private key is not a practical threat; the realistic risks are key theft, weak key generation and implementation flaws.

III. Symmetric encryption

Symmetric encryption (or pre-shared key encryption) uses a single key to encrypt and decrypt data. Both the sender and the receiver need the same key to communicate.

Symmetric keys are typically 128 or 256 bits (the longer the key, the more work a brute-force search takes). A 128-bit key has 2^128, roughly 3.4 x 10^38 (340282366920938463463374607431768211456), possible values, so a brute-force attack, in which the attacker tries every key until the right one is found, is infeasible for any foreseeable computing power.

Whether a 128-bit or 256-bit key is used depends on the cipher suite that the server and client software negotiate during the handshake. The SSL certificate itself says nothing about the symmetric key size; it only carries the server's public key.

Which is stronger, asymmetric key or symmetric key?

It is tempting to say that because asymmetric keys are longer than symmetric keys, asymmetrically encrypted data is harder to crack. That is not how strength is measured: the two key types are attacked by different methods, so their sizes are not comparable. A 2048-bit RSA key offers about 112 bits of security (factoring is far easier than trying every 2048-bit value), which is somewhat less than AES-128. Instead of comparing sizes, compare computational cost and ease of key distribution.

Symmetric keys are small and cheap to use, so they carry little computational burden. Their major drawback appears when they protect data in transit: because the same key both encrypts and decrypts, sender and recipient must both have it. If you can hand the key to one recipient in person, there is no problem; if you must deliver keys to users all over the world over the same network you are trying to protect, anyone who intercepts a key can read the traffic.

Asymmetric encryption avoids this problem: as long as you keep your private key secret, no one else can decrypt what is sent to you. You can distribute the corresponding public key freely without caring who obtains it. Anyone with the public key can encrypt data, but only the holder of the private key can decrypt it.

How do SSL certificates use asymmetric and symmetric encryption?

Public Key Infrastructure (PKI) is the set of roles, policies, hardware, software and procedures needed to create, manage, distribute, use, store and revoke digital certificates. A Certificate Authority (CA) uses PKI to bind a public key to an identity, and SSL itself is a hybrid cryptosystem that uses both kinds of encryption. The server's SSL certificate contains its asymmetric public key (the matching private key stays on the server and is never part of the certificate), and the session key that the server and browser agree on during the handshake is symmetric. As shown in the figure, the classic RSA key exchange works like this:

1. The server sends a copy of its certificate, which carries its asymmetric public key.

2. The browser creates a random symmetric session key, encrypts it with the server's asymmetric public key, and sends it to the server.

3. The server decrypts the encrypted session key with its asymmetric private key, so both sides now hold the same symmetric session key.

4. Server and browser encrypt and decrypt all further traffic with the symmetric session key. The channel is secure because only the browser and server know the session key, and the key is used only for that session: if the browser connects to the same server the next day, a new session key is created.

A practitioner's caveat: these steps describe RSA key transport, which TLS 1.2 and earlier support. TLS 1.3 removed it, because anyone who later obtains the server's private key could decrypt recorded traffic. Modern handshakes instead agree on the session key with ephemeral (elliptic curve) Diffie-Hellman and use the certificate's key only to sign the handshake; the symmetric session key is still what protects the data.
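The four steps above, carried out in Go with only the standard library, as an added example (this code is not from the original article or from any SSL vendor): RSA-OAEP wraps a 256-bit session key in place of the handshake's key-exchange message, and AES-GCM stands in for the record layer. The function names (BrowserWrapSessionKey, ServerUnwrapSessionKey, Seal, Open, RunHandshake) are this example's own, the sample message is constructed, and certificate chains, signatures and transcript binding are left out on purpose.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Step 2: the browser draws a fresh 256-bit session key and wraps it with RSA-OAEP
// under the server's public key (step 1 handed that key over); only the matching
// private key can unwrap it.
func BrowserWrapSessionKey(serverPub *rsa.PublicKey) (sessionKey, wrapped []byte, err error) {
	sessionKey = make([]byte, 32)
	if _, err = rand.Read(sessionKey); err != nil {
		return nil, nil, err
	}
	wrapped, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, serverPub, sessionKey, nil)
	return sessionKey, wrapped, err
}

// Step 3: the server unwraps the session key with its private key, which never
// left the server.
func ServerUnwrapSessionKey(serverPriv *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, serverPriv, wrapped, nil)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Step 4: both sides protect records with the symmetric key. AES-GCM gives
// confidentiality and integrity; the random nonce travels in front of the ciphertext.
func Seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Open rejects any record whose nonce, ciphertext or tag was modified in transit.
func Open(key, record []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(record) < ns {
		return nil, fmt.Errorf("record too short: %d bytes", len(record))
	}
	return gcm.Open(nil, record[:ns], record[ns:], nil)
}

// RunHandshake performs steps 1-4 for one browser message and returns the
// plaintext the server recovered plus whether both sides hold the same key.
func RunHandshake(msg string) (string, bool, error) {
	serverPriv, err := rsa.GenerateKey(rand.Reader, 2048) // long-term key behind the certificate
	if err != nil {
		return "", false, err
	}
	// Step 1: only the public half crosses the wire.
	browserKey, wrapped, err := BrowserWrapSessionKey(&serverPriv.PublicKey)
	if err != nil {
		return "", false, err
	}
	serverKey, err := ServerUnwrapSessionKey(serverPriv, wrapped)
	if err != nil {
		return "", false, err
	}
	record, err := Seal(browserKey, []byte(msg)) // browser -> server
	if err != nil {
		return "", false, err
	}
	plain, err := Open(serverKey, record) // server decrypts with its unwrapped copy
	return string(plain), bytes.Equal(browserKey, serverKey), err
}

func main() {
	got, same, err := RunHandshake("id=110101199001011234") // constructed sample field
	fmt.Println(got, same, err)
}
```

RunHandshake returns the plaintext the server recovered and whether both sides ended up with the same key. Because Open authenticates every record, flipping a single ciphertext or tag byte makes it return an error instead of corrupted plaintext, which is why an AEAD mode rather than bare AES is used for the session.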

IV. Public key encryption algorithms

Public key encryption (asymmetric) uses encryption algorithms such as RSA and Elliptic Curve Cryptography (ECC) to create public and private keys.

With asymmetric encryption it is easy to generate a key pair, encrypt a message with the public key and decrypt it with the private key, but computationally infeasible for anyone to derive the private key from the public key alone.

RSA

RSA rests on the practical difficulty of factoring large integers (integer factorization). Under the assumption that no efficient factoring algorithm exists, recovering an RSA plaintext without the private key is considered infeasible.

An RSA user picks two large primes, publishes their product together with an auxiliary value (the public exponent) as the public key, and keeps the primes secret. Anyone can encrypt a message with the public key, but only someone who knows the prime factors can decrypt it.

RSA is named after Ron Rivest, Adi Shamir and Leonard Adleman, who first publicly described the algorithm in 1977.
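A textbook RSA round trip with the classic toy parameters p=61, q=53, e=17, as an added example that is not from the original article. It uses math/big to perform key generation, encryption and decryption exactly as described above, and then plays the attacker: factor n by trial division and recompute d from the public (n, e). The sizes are deliberately tiny so that the factoring step finishes instantly; with a 2048-bit modulus that one step is the infeasible part. The names (RSAKey, KeyGen, Factor, RecoverPrivateExponent) are the example's own, and this is raw "textbook" RSA without OAEP padding, which real implementations must never use.

```go
package main

import (
	"fmt"
	"math/big"
)

var one = big.NewInt(1)

// RSAKey is a toy textbook RSA key: n = p*q is the public modulus, e the public
// exponent, d the private exponent. Toy sizes only; real keys use a 2048-bit n.
type RSAKey struct {
	N, E, D *big.Int
}

// KeyGen builds a key from two primes p, q and a public exponent e.
// d is the inverse of e modulo phi(n) = (p-1)(q-1); e must be coprime to phi(n).
func KeyGen(p, q, e int64) (RSAKey, error) {
	P, Q, E := big.NewInt(p), big.NewInt(q), big.NewInt(e)
	n := new(big.Int).Mul(P, Q)
	phi := new(big.Int).Mul(new(big.Int).Sub(P, one), new(big.Int).Sub(Q, one))
	d := new(big.Int).ModInverse(E, phi)
	if d == nil {
		return RSAKey{}, fmt.Errorf("e=%d has no inverse modulo phi(n)=%s", e, phi)
	}
	return RSAKey{N: n, E: E, D: d}, nil
}

// Encrypt computes c = m^e mod n. Anyone holding (n, e) can do this.
func (k RSAKey) Encrypt(m *big.Int) *big.Int { return new(big.Int).Exp(m, k.E, k.N) }

// Decrypt computes m = c^d mod n. It needs d, i.e. knowledge of the factors of n.
func (k RSAKey) Decrypt(c *big.Int) *big.Int { return new(big.Int).Exp(c, k.D, k.N) }

// Factor recovers p and q from n by trial division. It is feasible only because
// n is tiny; this is exactly the computation that is infeasible for a 2048-bit modulus.
func Factor(n *big.Int) (p, q *big.Int, ok bool) {
	for i := big.NewInt(2); new(big.Int).Mul(i, i).Cmp(n) <= 0; i.Add(i, one) {
		if new(big.Int).Mod(n, i).Sign() == 0 {
			return new(big.Int).Set(i), new(big.Int).Div(n, i), true
		}
	}
	return nil, nil, false
}

// RecoverPrivateExponent shows why factoring breaks RSA: once p and q are known,
// the attacker recomputes phi(n) and therefore d from the public (n, e) alone.
func RecoverPrivateExponent(n, e *big.Int) (*big.Int, bool) {
	p, q, ok := Factor(n)
	if !ok {
		return nil, false
	}
	phi := new(big.Int).Mul(new(big.Int).Sub(p, one), new(big.Int).Sub(q, one))
	d := new(big.Int).ModInverse(e, phi)
	return d, d != nil
}

func main() {
	// Constructed textbook parameters: p=61, q=53, e=17 give n=3233, d=2753.
	key, err := KeyGen(61, 53, 17)
	if err != nil {
		panic(err)
	}
	m := big.NewInt(65)
	c := key.Encrypt(m)
	fmt.Printf("n=%s e=%s d=%s\n", key.N, key.E, key.D)
	fmt.Printf("m=%s -> c=%s -> decrypted=%s\n", m, c, key.Decrypt(c))
	dRecovered, _ := RecoverPrivateExponent(key.N, key.E)
	fmt.Printf("attacker factored n and recovered d=%s\n", dRecovered)
}
```

With these parameters the message 65 encrypts to 2790 and decrypts back to 65, and the attacker's RecoverPrivateExponent returns the same d=2753 that KeyGen produced, which is the whole point: the private key is only as secret as the factorization of n.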

ECC

Elliptic curve cryptography (ECC) relies on the algebraic structure of elliptic curves over finite fields. Neal Koblitz and Victor S. Miller independently proposed using elliptic curves in cryptography in 1985; ECC algorithms entered widespread use around 2004.

The advantage of ECC over RSA is that it reaches the same security level with much smaller keys (a 256-bit curve key is roughly equivalent to a 3072-bit RSA key), which means faster handshakes and smaller certificates. The disadvantage is that not every service or application can use an ECC-based SSL certificate, so older clients may still need RSA.
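Ephemeral ECDH on P-256, the key agreement that modern TLS uses instead of RSA key transport, as an added example built on Go's crypto/ecdh (Go 1.20 or later); it is not code from the original article. Both sides generate a fresh key pair, exchange only their public points, and derive the same 256-bit session key without that key ever being sent. The label string and the plain SHA-256 derivation are simplifications of TLS 1.3's HKDF key schedule, and the names Party, NewParty, DeriveSessionKey and Exchange are this example's own.

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Party is one side of an ephemeral elliptic-curve Diffie-Hellman exchange on P-256.
type Party struct{ priv *ecdh.PrivateKey }

// NewParty draws a fresh private scalar. TLS 1.3 does this for every handshake,
// which is what gives forward secrecy: no long-term key can decrypt old sessions.
func NewParty() (*Party, error) {
	priv, err := ecdh.P256().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Party{priv: priv}, nil
}

// Public returns the 65-byte uncompressed curve point that is sent to the peer.
func (p *Party) Public() []byte { return p.priv.PublicKey().Bytes() }

// DeriveSessionKey combines our private scalar with the peer's public point and
// hashes the shared secret into a 256-bit symmetric key. Real TLS 1.3 feeds the
// secret into HKDF together with the handshake transcript; SHA-256 over
// secret||label is a simplification for this example.
func (p *Party) DeriveSessionKey(peerPub []byte) ([]byte, error) {
	pub, err := ecdh.P256().NewPublicKey(peerPub) // rejects malformed or off-curve points
	if err != nil {
		return nil, err
	}
	secret, err := p.priv.ECDH(pub)
	if err != nil {
		return nil, err
	}
	h := sha256.New()
	h.Write(secret)
	h.Write([]byte("example session key v1")) // constructed label, not a TLS constant
	return h.Sum(nil), nil
}

// Exchange runs one client/server agreement and reports whether both sides
// derived the same key even though only public points crossed the wire.
func Exchange() (clientKey, serverKey []byte, same bool, err error) {
	client, err := NewParty()
	if err != nil {
		return nil, nil, false, err
	}
	server, err := NewParty()
	if err != nil {
		return nil, nil, false, err
	}
	clientKey, err = client.DeriveSessionKey(server.Public())
	if err != nil {
		return nil, nil, false, err
	}
	serverKey, err = server.DeriveSessionKey(client.Public())
	if err != nil {
		return nil, nil, false, err
	}
	return clientKey, serverKey, bytes.Equal(clientKey, serverKey), nil
}

func main() {
	ck, _, same, err := Exchange()
	fmt.Printf("agreed=%v key=%x err=%v\n", same, ck, err)
	// Size comparison from the article: the curve point is tiny next to an RSA modulus.
	p, _ := NewParty()
	rsaKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	fmt.Printf("P-256 public key: %d bytes, RSA-2048 modulus: %d bytes\n", len(p.Public()), rsaKey.Size())
}
```

NewPublicKey validates the incoming point before it is used, which is the check an implementation must never skip: an invalid-curve point supplied by a malicious peer could otherwise leak information about the private scalar. Every call to Exchange produces a different key, since both scalars are fresh, whereas the RSA transport in the earlier steps reuses the same server private key for every session.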

V. Pre-shared key encryption algorithms

Pre-shared key (symmetric) encryption uses algorithms such as Twofish, AES and Blowfish; AES is by far the most widely used. Symmetric algorithms fall into two types: stream ciphers and block ciphers. A stream cipher combines the key and algorithm with the data one bit or byte at a time as it flows. A block cipher applies the key and algorithm to fixed-size groups of bits (64 bits for older ciphers such as Blowfish, 128 bits for AES), and a mode of operation determines how successive blocks are tied together; block ciphers are the most commonly used symmetric algorithms.
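To make the block-versus-stream distinction concrete, an added example (not from the original article) that runs AES in two ways: raw ECB, which encrypts each 16-byte block independently and therefore reveals whether two plaintext blocks are equal, and CTR mode, which turns AES into a stream cipher that handles any length and hides repetition. The key, IVs and the repeated ID record are constructed test data; ECBEncrypt, CTREncrypt and CountRepeatedBlocks are the example's own names (the standard library deliberately offers no ECB helper).

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"errors"
	"fmt"
)

// ECBEncrypt applies AES to each 16-byte block independently. Equal plaintext
// blocks produce equal ciphertext blocks, so structure leaks; it is shown here
// only to demonstrate that weakness, never as something to deploy.
func ECBEncrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(plaintext)%block.BlockSize() != 0 {
		return nil, errors.New("ECB needs whole blocks; pad first")
	}
	out := make([]byte, len(plaintext))
	for i := 0; i < len(plaintext); i += block.BlockSize() {
		block.Encrypt(out[i:], plaintext[i:])
	}
	return out, nil
}

// CountRepeatedBlocks reports how many 16-byte ciphertext blocks duplicate an
// earlier block: the pattern an analyst looks for to spot ECB output.
func CountRepeatedBlocks(ct []byte) int {
	seen := map[string]bool{}
	dups := 0
	for i := 0; i+aes.BlockSize <= len(ct); i += aes.BlockSize {
		b := string(ct[i : i+aes.BlockSize])
		if seen[b] {
			dups++
		}
		seen[b] = true
	}
	return dups
}

// CTREncrypt turns AES into a stream cipher: successive counter blocks are
// encrypted and XORed with the data, so any length works and equal plaintext
// blocks differ. The same (key, iv) pair must never be used for two messages,
// because that reuses the keystream. Applying it again with the same key and iv
// decrypts.
func CTREncrypt(key, iv, data []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(data))
	cipher.NewCTR(block, iv).XORKeyStream(out, data)
	return out, nil
}

func main() {
	key := bytes.Repeat([]byte{0x11}, 16) // constructed demo key, never do this for real
	iv1 := bytes.Repeat([]byte{0x22}, 16) // one IV per message
	iv2 := bytes.Repeat([]byte{0x33}, 16)
	// Constructed plaintext: the same 16-byte record four times.
	pt := bytes.Repeat([]byte("ID=123456789012;"), 4)

	ecb, _ := ECBEncrypt(key, pt)
	ctr, _ := CTREncrypt(key, iv1, pt)
	fmt.Println("ECB repeated blocks:", CountRepeatedBlocks(ecb))
	fmt.Println("CTR repeated blocks:", CountRepeatedBlocks(ctr))

	short, _ := CTREncrypt(key, iv2, []byte("hi"))
	fmt.Println("CTR on 2 bytes gives", len(short), "bytes")
	_, err := ECBEncrypt(key, []byte("hi"))
	fmt.Println("ECB on 2 bytes:", err)
}
```

Four identical plaintext blocks give three repeated ciphertext blocks under ECB and none under CTR, and CTR encrypts a 2-byte message to 2 bytes while ECB refuses it. Neither mode authenticates the data; for a real channel pair CTR with a MAC or use an AEAD such as AES-GCM.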

Exploring the cryptography behind SSL shows how strong the encryption system behind SSL certificates is, and why its weak points are key handling and configuration rather than the mathematics. Installing an SSL certificate on a website has become the norm on the Internet.

Article source: Anxin SSL Certificate (www.anxinssl.com)
