Shulou(Shulou.com)06/01 Report--

In a network communication or process communication, if the transmission data is in plaintext, it is easy to be "eavesdropped" by a third party, and the security is difficult to guarantee.

The so-called encryption is to change the data from plaintext to ciphertext, ciphertext during transmission, and ciphertext received by the other party after transmission. It can be understood that ciphertext is garbled code, and no inherent meaning can be seen. It is usually bit-by-bit corresponding.

After receiving the ciphertext, the receiver can only understand what the other party is saying by restoring it to its original appearance. This process is called decryption.

The so-called system security goals should include: Confidentiality-confidentiality, integrity-integrity and availability-availability; in communication threats to the above three ** behavior are:

1.*** Behavior that threatens confidentiality: eavesdropping, sniffing, scanning, traffic analysis

2.*** Behavior that threatens integrity: change, disguise, replay, denial

3.*** Behavior that threatens availability: Denial of Service (DoS)

For various threat security ** behaviors, we have different solutions from the technical level and the service level.

Technology: encryption and decryption of data; services: security services;

Today we'll explore what encryption and decryption are all about in the Linux world.

Encryption requires two things, algorithm + key;

Encryption algorithms fall into four categories:

Symmetric encryption algorithm-popular that is, what key encryption with the same key to decrypt;

The advantage is that the encryption speed is faster; but the disadvantages are also very obvious:

Symmetric encryption does not guarantee integrity. Intercepted, along with crack can not come out what is the cipher text inside, but the interceptor inserted some characters to tamper with the content, and then sent to the receiver; the receiver after receiving the tampered cipher text, decrypted, found that the content seems to have no meaning, at this time, how to determine that this cipher text is their trust sent by the other party? Integrity cannot be guaranteed.

The mainstream algorithms of this algorithm are DES, AES, 3DES, etc.

Public-key encryption algorithm-using public key encryption, private key decryption;

Public-key encryption is also called asymmetric encryption, encryption and decryption use the same set of public and private keys.

Let's first explain what a public key is:

private key| private key): is created by a specific tool; retained by the user himself. Be sure to keep it private;

Public key: extracted from the private key, can be made public for everyone to use;

This way of encrypting data security level is high, the cost is that the key is very long, from 512 bits, 768 bits, 1024 bits, 2048 bits, 4096 bits, 8192 bits; thus also put forward higher requirements for the performance of the system, such as the development of RSA encryption technology seems to have encountered bottlenecks. Therefore, public-key encryption algorithms are rarely used to encrypt large quantities of data;

Single encryption algorithm-extraction of data signature code, can only be calculated from the plaintext ciphertext, that is, only encryption can not decrypt;

Therefore, the function of this algorithm is to ensure the integrity of data and prevent tampering;

Common algorithms: md5, SHA1(security hash algorithm), SHA2, SHA256, SHA512, SHA3(currently the latest)

Key Encryption Algorithm-IKE

IKE:

IPsec uses IKE to complete authentication and key generation and exchange between peers

Negotiate and maintain security association (SA) parameters

SA is a collection that contains encryption algorithms, authentication methods, etc.

4. Pass authentication to prevent disguise ***

5, automatically generate keys, and automatically update keys

Dynamic, secure key exchange

In practical applications, the following steps are performed for data encryption on both sides of communication:

1. The communication parties exchange certificates and verify certificates with trusted CA.

2. The sender encrypts the data with a symmetric encryption algorithm, calculates the eigenvalues of the encrypted data with one-way encryption, encrypts the eigenvalues with its own private key to prove the reliability of the data source, encrypts the symmetric key with the certificate of the receiver.

3. After receiving the data, the receiver first decrypts the secret key with its own private key, then uses the public key characteristic value of the sender, and then uses the same one-way encryption algorithm.

HTTP communication without SSL/TLS is unencrypted communication. All information is transmitted in plain text, which brings three major risks.

1) Eaves dropping: Third parties can learn about communications.

Tampering risk: Third parties can modify communications.

(3) Pretending risk: A third party can impersonate another person to participate in communications.

SSL/TLS is designed to address these three risks:

(1) All information is encrypted and transmitted, and third parties cannot eavesdrop.

(2) It has a verification mechanism, and once it is tampered with, both sides of the communication will immediately discover it.

(3) Provide ×× books to prevent identity from being impersonated.

The basic idea of SSL/TLS protocol is to use public key encryption method, that is, the client first asks the server for the public key, and then encrypts the information with the public key. After receiving the ciphertext, the server decrypts it with its own private key.

It places the public key in a digital certificate. As long as the certificate is trusted, the public key is trusted. This ensures that the public key cannot be tampered with;

Content included in the digital certificate:

Name of owner

Public key submitted by owner

validity period

Version number of certificate

Serial number of certificate

Issuing Algorithm ID

Name of issuing CA

principal name

Issuer Unique Identification

Digital signature of the issuer

extension information

Therefore, the basic process of SSL/TLS protocol is as follows:

(1) The client requests and verifies the public key from the server.

(2) Both parties negotiate to generate a "dialogue key."

(3) Both parties use "session key" for encrypted communication.

The first two steps are also called handshake.

There are four stages of SSL/TSL handshake:

1. The client asks the server for a certificate and verifies it;

The message sent by client_hello:

Supported protocol versions such as TLS V1.2...

A random number generated by the client, which may later serve as the encryption key;

Supported encryption algorithms such as AES, sha...

Negotiate the compression algorithms they support. not necessarily

2. Both parties negotiate to generate session key; dh-algorithm exchange key

Server_hello:

Confirm the version number of the encryption protocol used.

The server generates a random number that is later used to generate the session key

Confirm encryption algorithm and compression algorithm;

3. the two parties adopt the generated session key to carry out secure encrypted communication;

Client verifies server certificate and takes out public key after confirmation;

Validating server certificates requires verifying the following:

Certification Authority CA;

Verify the integrity of the certificate;

information of the holder of the authentication certificate;

Validity period of certification

Verify the revocation list of certificates;

The client sends a message to the server:

1. A random number used for public key encryption on the server

2. Notification of change in encoding format, indicating that subsequent messages will be encrypted and sent using the encryption algorithm and key that have been agreed upon by both parties;

client handshake ends;

4. Both parties notify each other of the end of the handshake information;

The server receives the third random number Pre-Master_key from the client during the handshake phase.

calculating a session key used in the session, and sending related information to the client;

Code change notification, indicating that subsequent messages will be encrypted and sent using the encryption algorithm and key that have been agreed upon by both parties;

The server-side handshake ends;

Next, the client enters encrypted communication with the server, using the normal HTTP protocol only to encrypt the content with a "session key."

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.