
How to encrypt and decrypt server-side messages in an IM system

2025-02-24 Update From: SLTechnology News&Howtos

Shulou(Shulou.com) 06/02

This article explains how to encrypt and decrypt messages on the server side of an IM system.

Information in an IM system may involve privacy or secrets, so security is particularly important. How can the security of that information be ensured?

End-to-end encryption is the most secure option: only the chat parties know what a message says, and neither the transmission link nor the message server knows its content. However, end-to-end encryption is not applicable in some scenarios, such as large-scale group chat. In addition, some compliance requirements make end-to-end encryption inappropriate.

If end-to-end encryption is not used, message encryption can be divided into two parts: network transmission encryption and server-side storage encryption.

In transit, TCP persistent connections can use the SSL protocol (you can of course also encrypt the traffic yourself; see "Why is the content WeChat sends different each time the same message is encrypted?"), and WebSocket connections use the wss protocol.

The difficulty then becomes the security of messages on the server side. How should messages be encrypted while they are routed through the server, and how should they be encrypted in storage?

The backend logic of an IM system is very complex and involves many modules, including middleware such as message buses, caches and databases. Messages need to be in ciphertext at every stage, otherwise they are easily leaked.

The first reaction is simply to use an encryption algorithm such as AES to encrypt and decrypt the data. But this hides a very big danger: how do you keep the password?

You can stand guard day and night, but the thief inside the house is hard to guard against. The programmer who writes the code and the operator who deploys the system may both get the password. If the password is written in a configuration file, even more people can get it, such as anyone who can access the git repository. In short, this approach is very unsafe.

Therefore, a complete encryption system is particularly important.

The structure of the encryption and decryption system is shown in the following figure. It consists mainly of four parts: (1) the encryption and decryption service, (2) the encryption and decryption management service, (3) the encryption server, and (4) the key repository.

1. Encryption and decryption service

Provides encryption, decryption, re-encryption and other services to the business system over HTTP or TCP, and load-balances across the encryption servers. It also provides an SDK that the business system can use directly. Access is authorized through a combination of an IP whitelist and App_Key/App_Secret, to ensure that only authorized systems can call the service.

2. Encryption and decryption management service

Its core job is to provide key generation, key management and related services (keys are displayed only in encrypted form, and only the encryption server can decrypt them), together with functions such as configuration management.

3. Encryption server

Provides the actual encryption and decryption capability. A variety of encryption algorithms are built into the encryption server. It uses the super key (root key) to encrypt and decrypt the encryption and decryption keys (business keys), and uses the business keys to encrypt and decrypt the business data. The super key (root key) is split into three parts, each stored on a key card or USB disk.

4. Key repository

Stores the encryption and decryption keys (business keys) generated by the encryption server. They are stored as ciphertext, and only the encryption server can decrypt them.

The whole encryption scheme involves three main processes.

1. Initialization of the encryption server (or its configuration parameters)

(1) Start the encryption server and insert the 3 key cards (USB disks).

(2) The built-in algorithm (encryption chip) of the encryption server encrypts the root key, caches it in memory, and also saves it to the machine's storage medium. The data in memory and on storage is therefore in ciphertext.

(3) Initialize the business key encryption and decryption service from the root key.

(4) Initialize the business data encryption and decryption service.

2. Generating an encryption and decryption key (business key)

(1) Through the encryption and decryption management service, name the key to be generated (name and key index number) and issue a command to the encryption server to generate the key.

(2) The encryption server randomly generates a business key and encrypts it with the root key. It returns the encrypted business key, which is associated with the key index number and saved to the key repository.

3. Encrypting and decrypting business data

(1) The business system calls the encryption and decryption service, passing in the key index number, the algorithm and the business data.

(2) The encryption and decryption service calls the encryption server, passing in the encrypted business key, the algorithm and the business data.

(3) The encryption server completes the encryption and returns the result.
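The three processes above, as an added example that is not code from the original article, written in Ruby with the standard openssl library. The name `EncServer`, the 3-of-3 XOR split of the root key, AES-256-GCM and the `nonce || tag || ciphertext` layout are all assumptions, since the article does not name the split scheme or the algorithms.

```ruby
require 'openssl'

# AES-256-GCM (assumed algorithm); output is nonce || tag || ciphertext.
def seal(key, plaintext)
  c = OpenSSL::Cipher.new('aes-256-gcm').encrypt
  c.key = key
  nonce = c.random_iv # fresh 12-byte nonce for every call
  c.auth_data = ''
  body = c.update(plaintext) + c.final
  nonce + c.auth_tag + body
end

# Raises OpenSSL::Cipher::CipherError if the key or any byte of blob is wrong.
def unseal(key, blob)
  raise ArgumentError, 'blob too short' if blob.bytesize <= 28
  c = OpenSSL::Cipher.new('aes-256-gcm').decrypt
  c.key = key
  c.iv = blob.byteslice(0, 12)
  c.auth_tag = blob.byteslice(12, 16)
  c.auth_data = ''
  c.update(blob.byteslice(28..-1)) + c.final
end

# Hypothetical encryption server: the only object that ever holds the root key.
class EncServer
  def initialize(*shares) # three key-card shares; a 3-of-3 XOR split is assumed
    @root = shares.map(&:bytes).transpose.map { |col| col.reduce(:^) }.pack('C*')
  end

  def new_business_key # leaves the server only wrapped under the root key
    seal(@root, OpenSSL::Random.random_bytes(32))
  end

  def encrypt(wrapped_key, data) # the business key is unwrapped only in here
    seal(unseal(@root, wrapped_key), data)
  end

  def decrypt(wrapped_key, blob)
    unseal(unseal(@root, wrapped_key), blob)
  end
end

# Constructed demo: three random shares, one business key, one message.
server = EncServer.new(*Array.new(3) { OpenSSL::Random.random_bytes(32) })
repo = { 1001 => server.new_business_key } # key repository: index -> wrapped key
blob = server.encrypt(repo.fetch(1001), 'hello')
puts server.decrypt(repo.fetch(1001), blob)
```

The key repository and the calling service handle only the wrapped key, so a leaked repository or configuration file does not expose any business key without the three root-key shares.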

The core points of the encryption system are the isolation of business data from the encryption service, and the isolation of the algorithm from the keys.

Thank you for reading. That concludes "how to encrypt and decrypt IM system server messages". After studying this article, you should have a deeper understanding of how to encrypt and decrypt IM system server messages; the specific usage still needs to be verified in practice.