Shulou(Shulou.com)06/01 Report--

In the OSI model and the tcp/ip model, the application sends some data to the server, which takes many paths to reach the server. On the way of sending, because the data is plaintext and anyone can view it, it brings risk to the data. Therefore, encryption is necessary.

Common key algorithms and protocols

Symmetric encryption (encryption and decryption using the same key)

Public key encryption (asymmetric encryption, public and private keys)

One-way encryption (can only be encrypted, not decrypted)

Authentication protocol

Symmetrical encryption

Symmetric encryption uses symmetric cryptographic coding technology, which is characterized by the use of the same key for file encryption and decryption, that is, the encryption key can also be used as a decryption key. This method is called symmetric encryption algorithm in cryptography. Symmetric encryption algorithm is simple and fast to use, key is short, and difficult to decipher. In addition to the data encryption Standard (DES), another symmetric key encryption system is the International data encryption algorithm (IDEA). It is more encrypted than DES, and it doesn't require so much computer functionality. The IDEA encryption standard is used by PGP (Pretty Good Privacy) systems.

Working process

Let's give an example to briefly illustrate the working process of symmetric encryption. An and B are business partners. They live in different cities. Due to business needs, they often mail important goods to each other. In order to ensure the safety of the goods, they agreed to make a safe box and put the goods into it. They made two identical keys to keep separately so that they could use this key to open the safe box when they received the package and to lock the safe box before mailing the goods.

The above is a traditional way to safely deliver important resources to the destination, as long as An and B take good care of the key, then even if someone gets the safe box, it will not be able to open it. This idea is used in the information encryption of modern computer communication. In symmetric encryption, the data sender transmits plaintext (original data) and encryption key into complex encrypted ciphertext after being processed by a special encryption algorithm. After receiving the ciphertext, if the receiver wants to interpret the original text, it needs to use the encryption key and the inverse algorithm of the same algorithm to decrypt the ciphertext in order to restore it to readable plaintext. In the symmetric encryption algorithm, only one key is used, which is used by both sender and receiver to encrypt and decrypt the data.

Common algorithms for symmetric encryption:

DES:Data Encryption Standard

3DES:Triple DES

AES:Advanced Encryption Standard; (128bits, 192bits, 256bits, 384bits)

Blowfish

Twofish

IDEA

RC6

CAST5

Properties:

1. Use the same key for encryption and decryption

2. Divide the original data into fixed-size blocks and encrypt them one by one.

Defect:

1. Too many keys

2. Difficulty in key distribution

Public key encryption

Unlike symmetric encryption algorithms, asymmetric encryption algorithms require two keys: public key (publickey) and private key (privatekey). The public key and the private key are a pair. If the data is encrypted with the public key, it can be decrypted only with the corresponding private key; if the data is encrypted with the private key, it can be decrypted only with the corresponding public key. Because encryption and decryption use two different keys, this algorithm is called asymmetric encryption algorithm.

Working process

1.A to send information to B, both An and B generate a pair of public and private keys for encrypting asymmetric encryption algorithms and decryption.

2. The private key of An is kept secret (keep it by yourself), the public key of A tells B that the private key of B is kept secret (keep it by yourself), and the public key of B tells A.

3.When A wants to send a message to B, An encrypts the message with B's public key because A knows B's public key.

4.A sends this message to B (the message has been encrypted with B's public key).

5.B after receiving this message, B decrypts A's message with its own private key. No one else who received this message can decrypt it, because only B has B's private key.

Properties:

Public key: extracted from the private key; can be made public to all; pubkey

Private key: created by the tool and kept by the user, its privacy must be guaranteed; private key

Features:

Data encrypted with a public key can only be decrypted using the private key of the partner, and vice versa

Purpose:

Digital signature: mainly to let the receiver confirm the identity of the sender

Key exchange: the sender encrypts a symmetric key with the other party's public key and sends it to the other party

Data encryption

Algorithm: RSA, DSA, ELGamal

DSS: Digital Signature Standard

DSA:Digital Signature Algorithm

One-way encryption

Also known as one-way hash algorithm, also known as hash function, Hash function (also known as hash function or hash algorithm) is a function that changes an arbitrarily long input message string into a fixed-length output string. This output string is called the hash value of the message. It is generally used to generate message digest, key encryption, etc. That is, the fingerprint of the data can be extracted; it can only be encrypted, not decrypted.

Characteristics: fixed length output, avalanche effect

Function: integrity verification

Common algorithms:

Md5:Message Digest 5, 128bits

Sha1: secure hash algorithm Secure Hash Algorithm 1, 160bits

Sha224, sha256, sha384, sha512

Key Exchange:

IKE (Internet Key Exchange) is a protocol used to obtain authentication keys.

Two mechanisms for key exchange:

1. Implementation of public key encryption:

The sender encrypts his own key with the receiver's public key, and the receiver decrypts the sender's key with his own private key, and vice versa, so as to realize the key exchange.

2. Using the DH algorithm: the premise is that the sender and the receiver negotiate to use the same large prime number P and the generated number g, and the random numbers X and Y are generated respectively. The sender sends the value generated by the X-power modP of g to the receiver, and the receiver sends the value generated by the Y-power modP of g to the sender, the sender performs the X-power operation on the received result, and the receiver does the Y-power operation on the received result, the final password is formed and the key exchange is completed.

Encryption and decryption in communication phase

BOB and ALICE Communication Pha

Black box A: represents the data to be transferred

Black box B: the signature extracted from this data by single encryption, which is also encrypted by asymmetric encryption. The specific process is to encrypt it with the private key of BOB and transmit it to ALICE. As long as the ALICE can decrypt it after arrival, it shows that the other party is indeed BOB. This process plays a role in both user authentication and data integrity verification. Black box B is also called digital signature

Red box A: this stage will generate a long random number (key) and then encrypt black box An and black box B with a symmetric encryption algorithm, but how do we transmit the encrypted key to ALICE? This is about to use the red box B.

Red box B: at this stage, the random number (the key of the symmetric encryption stage) is encrypted with the public key of ALICE. After receiving the data, if ALICE can decrypt it with its own private key, it proves that the recipient is really ALICE.

Encryption process:

The first step: using one-way encryption algorithm to extract the eigenvalues of data (black box A)

Step 2: encrypt this eigenvalue with your own private key to form a black box B.

Step 3: use symmetrical encryption algorithm to encrypt black box An and black box B to get red box A.

Step 4: encrypt the key used in step 3 with the public key of ALICE to get the red box B.

Decryption process:

Step 1: ALICE decrypts the red box B with its own private key to get the symmetric encryption key

Step 2: decrypt the content of red box A with this key

Step 3: decrypt black box B with the public key of BOB. If it is successful, it means that the sender is indeed BOB, which completes the authentication (a series of eigenvalues of data will be obtained after decryption)

Step 4: use the same single encryption algorithm to extract the eigenvalues of this piece of data. if it is the same as the eigenvalues of step 3, it means that the data is complete, which completes the verification of data integrity.

Another problem is how BOB and ALICE obtain each other's public key, or how to prove that the obtained public key is the other. This requires the introduction of the other certification authority CA. Here is the explanation between the certification authority and BOB/ALICE.

Black box C: represents the public key, organization, address and other information to be issued to the BOB/ALICE

Black box D: it is a digital signature obtained from one-way encryption of black box C, then encrypted with its own private key and transmitted to BOB and ALICE. BOB and ALICE holding the public key of this certificate authority (the public keys of these certificate authorities are generally placed in windows by microsoft in advance, of course, other operating systems are the same) if they can decrypt the certificate, it shows that the certificate authority is not a fake.

Red box E: represents the certificate issued to BOB and ALICE

How CA works:

PKI

PKI (Public Key Infrastructure) Public key Infrastructure is a system or platform that provides public key encryption and digital signature services for the purpose of managing keys and certificates. An organization can establish a secure network environment by using PKI framework to manage keys and certificates. PKI mainly includes four parts: certificate in X.509 format (X.509 V3) and certificate revocation list CRL (X.509 V2); CA operation protocol; CA management protocol; CA policy formulation. A typical, complete and effective PKI application system should have at least the following five parts

Public key infrastructure

Visa authority: CA

Registered institution: RA

Certificate revocation list: CRL

Certificate access library

CA:

Public trusted CA, private CA

Establish a private CA:

Openssl

OpenCA

Openssl command:

Configuration file: / etc/pki/tls/openssl.cnf

Build a private CA:

Generate a self-signed certificate on the service that is configured as CA and provide CA with the required directories and files

Steps:

1. Generate a private key

2. Generate self-signed certificate

3. Provide CA with the required directories and files

Operation steps

(1) generate a private key

[root@bogon ~] # (umask 077 Openssl genrsa-out / etc/pki/CA/private/cakey.pem 4096) Generating RSA private key 4096 bit long modulus. . +. . . + + e is 65537 (0x10001)

(2) generate self-signed certificate

[root@bogon] # openssl req-new-x509-key / etc/pki/CA/private/cakey.pem-out / etc/pki/CA/cacert.pem-days 365You are about to be asked to enter information that will be incorporatedinto your certificate request.What you are about to enter is what is called a Distinguished Name ora DN.There are quite a few fields but you can leave some blankFor some fields there will be a default value,If you enter'. The field will be left blank.-Country Name (2 letter code) [XX]: CNState or Province Name (full name) []: BeijingLocality Name (eg, city) [Default City]: BeijingOrganization Name (eg, company) [Default Company Ltd]: testOrganizational Unit Name (eg, section) []: testCommon Name (eg, your name or your server's hostname) []: testEmail Address []: abc@qq.com

Option explanation:

-new: generate a new certificate signing request

-x509: generates a self-signed certificate designed to be used when creating a private CA

-key: the private file path used to generate the request

-out: the path to the generated request file; if the self-signed operation is performed, the signed certificate will be generated directly.

-days: the validity period of the certificate (in day)

(3) provide CA with the required directories and documents.

[root@bogon ~] # mkdir-pv / etc/pki/CA/ {certs,crl,newcerts} [root@bogon ~] # touch / etc/pki/CA/ {serial,index.txt} [root@bogon ~] # echo 01 > / etc/pki/CA/serial

To use a server that uses a certificate for secure communication, you need to request the CA to sign the certificate:

Step: (take httpd as an example)

(1) the host using the certificate generates the private key

[root@bogon ~] # mkdir / etc/httpd/ssl [root@bogon ~] # cd / etc/httpd/ssl [root@bogon] # (umask 077; openssl genrsa-out / etc/httpd/ssl/httpd.key 2048)

(2) generate a certificate signing request

[root@bogon] # openssl req-new-key / etc/httpd/ssl/httpd.key-out / etc/httpd/ssl/httpd.csr-days 365

(3) send the request to the CA host in a reliable way

USB disk copy or other reliable means

(4) sign the certificate on the CA host

[root@bogon] # openssl ca-in / tmp/httpd.csr-out / etc/pki/CA/certs/httpd.crt-days 365

View the information in the certificate:

[root@bogon] # openssl x509-in / etc/pki/CA/certs/httpd.crt-noout-serial-subject

Revoke the certificate:

Steps:

(1) the client obtains the serial of the certificate to be revoked (executed on the host that uses the certificate):

[root@bogon] # openssl x509-in / etc/pki/CA/certs/httpd.crt-noout-serial-subject

(2) CA host revocation certificate

First, according to the serial and subject information submitted by the customer, compare whether it is consistent with that stored in the local database index.txt.

Revocation:

[root@bogon ~] # openssl ca-revoke / etc/pki/CA/newcerts/SERIAL.pem

Note: the SERIAL should be replaced with the real serial number of the certificate.

(3) generate the revocation number of the revocation certificate (executed when the certificate is revoked for the first time)

[root@bogon ~] # echo 01 > / etc/pki/CA/crlnumber

(4) Update the certificate revocation list

[root@bogon] # openssl ca-gencrl-out thisca.crl

View the crl file:

[root@bogon] # openssl crl-in / PATH/FROM/CRL_FILE.crl-noout-text

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.