Shulou(Shulou.com)06/01 Report--

In today's network era, how to ensure the security of data transmission? The following describes the implementation process in principle.

I. Safety standards

Network information security standards are formulated by the National Institute of Standards and Technology (National Institute of Standards and Technology,NIST). The standards include:

Confidentiality (Confidenciality)

Ensure that information is not leaked to unauthorized users or entities during storage, use, and transmission.

Integrity (Integrity)

To ensure that the information will not be tampered with by unauthorized users in the process of storage, use and transmission, but also prevent authorized users from improperly tampering with the system and information, and maintain the consistency of internal and external representation of the information.

Availability (Availability)

Ensure that the normal use of information and resources by authorized users or entities will not be abnormally denied, allowing them to access information and resources in a reliable and timely manner.

These are what we usually call the three principles of information security.

Authenticity and traceability are often needed now.

Type of cryptographic algorithm

1. Symmetric encryption

Symmetric encryption uses the same secret key for encryption and decryption. The details are as follows:

Keyword description:

Plaintext: text before encryption

Secret key: it is actually a string of strings, which is encrypted and decrypted by combining the cryptographic algorithm with encryption and decryption.

Ciphertext: encrypted and followed by string

Encryption and decryption algorithm: DES,3DES,AES,Blowfish,Twofish,IDEA

Features of symmetric encryption:

Use the same secret key for encryption and decryption

Divide the plaintext into fixed-size blocks and encrypt them one by one

Defect:

A host and many machines need to obtain the secret key of each host when many machines are passing, which will lead to too many keys, resulting in insecure key transmission, authentication and data integrity.

2. Public key encryption

Different keys used for encryption and decryption usually appear in pairs. They are called secret keys and public keys, respectively. Public key: the length is too long, now it is usually more than 2048.

Commonly used encryption algorithms:

RSA: can be encrypted or authenticated

DSA: can only do identity authentication

ELGamal: commercial version of symmetric encryption algorithm

Encryption in this way is slow. And it can not guarantee the integrity of the data, that is, after B receives the data of A, it can not guarantee whether the data has been tampered with.

Therefore, its application is reflected in the following two aspects:

1. Identity authentication

Encrypt your own private key signature (fingerprint) and the other party's public key to verify your identity.

2. IKE (Internet Key Exchange, secret key exchange)

Using the other party's public key encryption to send to the other party may be violently cracked. Therefore, it will be implemented by DH algorithm, which is similar to the electronic password card of the bank. For a detailed introduction to DH, please refer to: http://en.wikipedia.org/wiki/Diffie-Hellman_key_exchange

3. One-way encryption

One-way encryption (data integrity algorithm): extract data fingerprint, with irreversible characteristics.

Commonly used one-way encryption algorithms are: MD5,SHA1,SHA384,SHA512

The characteristics of the algorithm:

Fixed length output: the encrypted fingerprint is of fixed length.

Avalanche effect: small changes in the original file will cause great changes in fingerprint information.

Third, the encryption process of data transmitted on the network

The real data transmitted on the network is realized by taking the advantages of each encryption algorithm. The basic model is as follows:

Suppose host A wants to transfer data to host B. in order to ensure the security of the data, the transfer process is roughly as follows:

Host A uses the one-way encryption algorithm to extract the fingerprint of the plaintext data, uses the private key of A to encrypt the fingerprint information, and appends the encrypted private key to the plaintext. This kind of information is defined as the first encrypted information. At this time, a series of secret keys (symmetric encryption keys) are generated by using some algorithm, and the first encryption information is combined with the generated secret key to generate the second encryption information using the symmetric encryption algorithm. then the secret key is added to the second encryption information using the public key information of B to generate the final encryption information. After receiving the encrypted information from host A, host B tries to decrypt the received information with its own private key. If it can be decrypted, it will get the secret key of symmetrical encryption, and then extract the secret key to decrypt the remaining information and get the symmetrically decrypted data. After completing this step, using the public key of A to verify that the identity is A, the plaintext and fingerprint information will be obtained, and the same one-way encryption algorithm will be used to compare the extracted fingerprint information with the fingerprint information decrypted by the public key to achieve the integrity of the data.

However, the most important part of the above implementation is how can A reliably obtain the public key of B?

So the emergence of a third-party organization CA, usually CA is a recognized, trustworthy organization. It provides the corresponding public key information. The general process is as follows:

The implementation of the most important link is shown in the figure above. The general process is as follows: if A wants to obtain the public key information of B, B first applies for registration with the CA institution; after the application is successful, CA will return a certificate to B, which includes information such as the public key information and combination provided by B or each name, the period of validity, and finally the CA signature and other information. When A wants to transfer data to B, A first requests B to obtain a certificate. After B agrees, the certificate will be transmitted to Abot A to verify the identity and integrity of CA. At this time, it will also ask CA whether the certificate is revoked. When all conditions are met, A can start transmitting data to B.

IV. PKI

PKI (public key infrastructure, Public key Infrastructure): an infrastructure consisting of hardware, software, participants, management policies and processes designed to create, manage, distribute, use, store, and revoke digital credentials (from Wikipedia). It is an important specification-based specification for modern e-commerce and network security.

The above data transmission process on the network and CA authentication can be realized by PKI.

The composition of PKI includes:

Visa authority: CA

Registered institution: RA

Certificate revocation list: CRL

Certificate access library: user interface

For more information, please refer to: http://en.wikipedia.org/wiki/Public_key_infrastructure

Summary: this paper mainly introduces the types and implementation process of encryption algorithms, and how to obtain certificates through CA.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.