Shulou(Shulou.com)06/01 Report--

First understand the encryption algorithm

Secondly, understand the DH algorithm

Finally parse ipsec × × ×

Understand encryption algorithm

A complete encryption method consists of many factors, but the two most critical factors are the encryption algorithm and key. Encryption algorithms are usually very complex mathematical formulas that determine the operation process and rules of how to transform plaintext into ciphertext. A key is a string of random bits added to the algorithm. in order to encrypt the communication between two encryption points, the same encryption algorithm must be used. And in some cases they need to use the same key (symmetric encryption), of course, in many cases they use different keys for encryption or decryption (asymmetric encryption).

Symmetrical and asymmetric encryption algorithms are described below:

Symmetrical encryption

The same key is used to encrypt and decrypt data.

To give a simple example to illustrate this problem, it is like a lock and a key. As we all know, which lock is used when locking the door, the key used when locking the door is used to open the lock. This is the symmetric encryption algorithm. In fact, the symmetric encryption algorithm is quite simple, so let's take a look at it:

Advantages of symmetric encryption algorithm:

His encryption speed is faster than asymmetric encryption.

A session with a large number of digits of a key is difficult to break

Disadvantages of symmetric encryption algorithm:

Symmetric encryption algorithms require a secure mechanism to distribute keys. Why? Because each user needs a pair of unique keys, the number of keys will increase exponentially with the increase of users, which makes it very difficult to manage the keys.

The use of symmetric encryption can only ensure the confidentiality of the data, that is to say, it can only ensure that the data is not seen, but it can not provide authentication and non-repudiation of the data. What do you mean? After you encrypt the data with symmetric encryption, there is no guarantee that the data will be changed during transmission, nor can you be sure whether the data is encrypted by the user A you need.

Symmetrical encryption standard: des, 3despense aes

Asymmetric encryption

The asymmetric encryption algorithm uses two different keys, one is called the public key and the other is called the private key, so the two keys are different keys, but they must be used in pairs, if you encrypt the data with the public key, then you can only use the private key corresponding to the public key to decrypt the data, and if you encrypt the data with the private key, you can only use the public key corresponding to the private key to decrypt. Although they are two different keys, there is a complex mathematical relationship between them, and they are related, because we use two different keys in the process of encryption. so we call this encryption asymmetric encryption algorithm.

So how does asymmetric encryption work? What should we pay attention to in the specific process?

First of all, to explain a problem, the encryption referred to in the asymmetric encryption algorithm has a deeper meaning:

The word encryption includes providing confidentiality to the data.

The word encryption includes how to ensure the integrity and non-repudiation of data.

Here are two examples to illustrate two problems:

1. How to use asymmetric secret key to ensure the confidentiality of data

two。 How to use asymmetric keys to ensure data integrity and non-repudiation

Use asymmetric keys to ensure data confidentiality

The first step: first save the public and private keys used by user An and user B, and then they exchange each other's public keys, a process called key exchange. In fact, the public key is publicly available, so exchanging the public key does not pose any security threat. Note that private keys cannot be used for public, exchange, or network delivery.

Step 2: after the exchange of the public key (public key), user A successfully obtains the public key of user B, then uses the public key of user B to encrypt the data, and then transmits the encrypted data to user B through the network. at this time, if a third-party eavesdropper on the network intercepts the encrypted data, he will not be able to obtain the contents of the data, because the third party does not have user B's private key. Data encrypted with user B's public key can only be decrypted by user B's private key. The private key of user B is not public, so this process ensures the confidentiality of the data.

The third step: when the data reaches user B, user B uses his own private key to decrypt the file and reads the contents of the file. If user B wants to send a secret message back to user A, the public key of user An is used to encrypt the echo file.

This is a way to encrypt data using the receiver's public key, which has the following characteristics:

1. Can ensure the privacy of the message, only the recipient can read the message content, because only the receiver has the decrypted private key

two。 It is impossible to provide authentication of the reliability of the source, because the public key can be made public, and anyone can get the public key of the receiver, so how to ensure the reliability of the source?

The second example

User A wants to send a document to user B, but the document does not need to be highly confidential, but it must not be modified, and user B should be convinced that the document is sent by user A, not by Zhang Sanli Sifa. So how do you do this? User A can use his own private key to encrypt this document. Note that the private key will not be transmitted on the network if it is encrypted with a private key. In fact, this encryption process is to verify the integrity and non-repudiation of the data content, not to ensure its privacy. The data is then transferred over the network, but not the private key. If there is a middleman * * on the network, if you intercept the data, you can read this document with the public key of user A. because the public key is public, anyone may get the public key of user A. if you get the public key of user A, you can read this document. But read and read, but you can't modify the contents of the document, you can't change the fact that this document is sent by user A, and now electronic transactions need to use this feature. When user B receives the data, decrypts the document with the public key of user A, confirming that the document has not been tampered with, and that it is sent by user A.

This is a way to encrypt data using the sender's private key, which has the following characteristics:

1, the privacy of the message cannot be guaranteed, which is called the public message format. Why? Because everyone with the public key can decrypt the message.

2, the reliability authentication function of the message source can be guaranteed, because the sender uses the private key encryption, and the private key is only available to the sender himself. And the middleman cannot tamper with the message because he does not have the sender's private key.

Note: in the process of asymmetric encryption, each key type can be used for encryption and decryption, so do not mistakenly think that public keys can only be used for encryption and private keys can only be used for decryption. In fact, they all have the ability to encrypt and decrypt. The choice depends on whether you need confidentiality or integrity.

Advantages of asymmetric encryption

1. Compared with symmetric encryption, it has better function of key distribution. Why? As long as there is a certificate server architecture, there can be a dedicated server to manage the public key, distribution and registration, authentication, and so on.

two。 More scalable than symmetric encryption

3. Ability to provide source authentication and non-repudiation

Of course, it can also provide some privacy, but there are some minor problems.

Disadvantages of asymmetric encryption:

1. Asymmetric encryption is slower than symmetric encryption.

There is a problem, whether it is encrypted with user An or user B's public key, is it not slower to use asymmetric encryption in the face of huge amounts of data? What are we going to do? The efficiency will be very low, since the efficiency is very low, why use asymmetric encryption? Because the asymmetry is more secure, it is more manageable and scalable, it has source authentication, non-repudiation, and can support third-party certification bodies. So how to solve this problem? Use a hybrid encryption scheme to solve this problem.

two。 The mathematical model of asymmetric encryption algorithm is complicated.

Asymmetric encryption standards: RSA,ECC,DH,EIGANAL, DSA, etc.

Mixed encryption scheme: because symmetric key and asymmetric key have their own advantages and disadvantages, the best solution is to use hybrid encryption scheme, which is actually quite simple, that is, symmetric key is used to encrypt data. Symmetric keys are used to encrypt symmetric keys, which ensures not only the speed of data encryption, but also the security of encryption. Both symmetric and asymmetric keys are used at the same time.

Understand the DH algorithm:

We have just mentioned that the advantages of symmetric encryption are: speed block, even if there are many disadvantages, when people combine encryption algorithms directly with data, they first choose symmetric encryption, and then use asymmetric encryption to solve the three major defects of symmetric encryption: security services, scalability, and secure key transmission. So how do you understand all this? First of all, let's recall that the hybrid encryption algorithm: first, there is an A user, a B user, and the A user uses a symmetric encryption to encrypt our data. then, after using asymmetric encryption (both using B's public key to encrypt the symmetric key), the file is transmitted to user B, and user B uses his own private key to decrypt the symmetric key encrypted by his own public key. Then the symmetric key is used to decrypt the data. So why encrypt data with a symmetric key? Don't use the public key in the asymmetric key? The reason is very simple, the speed of asymmetric encryption is slow, and the speed of symmetric encryption is fast. In the actual solution, a simple encryption solution is no longer used, but a hybrid encryption scheme is used. Hybrid solutions are used to consider the speed of encryption and key management, as well as to achieve higher security. In the hybrid solution, how does A get the public key of B, because the public key can be made public, and B can pass its own public key to A, but in the hybrid solution, the symmetric key is used for data encryption and decryption. This key is the same, so how does B get this symmetric key? How do you ensure that the keys of encrypted and decrypted data are the same? Have you thought about that? Is it to pass this symmetric key to the other party? This is definitely not going to work.

A long time ago, the transmission of symmetric keys was a big problem, because he needed confidential intelligence personnel to send the keys to the target, so when we watched the espionage movies, we all heard of such a thing, that is, the codebook. The peer also has to use the same codebook to decrypt the data, in case the intelligence personnel are captured, how can the security be guaranteed? It would be a mistake to apply this idea to today's network and transmit the password book directly on the network. If you put a protocol analyzer in the middle, you will be able to decrypt the data, so this symmetric key must not be transmitted on the network, so we have to calculate the symmetric key acting on the data in a secure way. this secure way is the Diffie-Herman algorithm, what exactly is this algorithm? What problem does it solve? It solves the problem of secure transmission of symmetric keys in the process of using symmetric key encryption, so why is it called Diffie-Herman? An asymmetric algorithm developed by two brothers

DH is a method to ensure that symmetric keys pass safely through insecure networks. Is to use the DH algorithm to ensure the transmission of secure keys.

In the DH algorithm, the symmetric key is not transmitted in the network. He initializes a large integer to generate a random number and his own private key, uses a mathematical algorithm to generate a public key, then exchanges the public key again, and then uses the calculation of the fifth part to calculate the symmetric key of K finally.

The first step: generate a large integer P on user An and send this P to user B, generate a large integer Q on user B and send Q to peer A; user An accepts Q to generate g; user B accepts P to generate g.

Step 2: user A generates private key XA, user B generates private key XB

Step 3: user A calculates and generates user A's public key YA through YA= g ^ XAmodP formula, and user B generates public key YB. At this time, users An and B have their own public and private key pairs, respectively.

Step 4: because in the asymmetric encryption system, the public key can be made public, so users An and B exchange their public keys with each other, then user A has the public key YB of user B, and user B has the public key YA of user A.

Step 5: user A will use user B's public key combined with his own private key formula to calculate the symmetric key K, user B uses the same formula to calculate the same symmetric key K as user A, and then uses the key K to encrypt the data.

The so-called symmetric key security traverses the network, not taking the symmetric key to the network for transmission, but through the above-mentioned DH algorithm, after sending a large random number to each other, the receiver calculates the symmetric key. Through this process to ensure the security of symmetric keys across the network, only to calculate the symmetric keys to complete the exchange of public keys, but the DH algorithm does not provide encryption and digital authentication functions. Then how to provide these two functions? Then we should continue to pay attention to the security of DH algorithm.

To learn the DH algorithm, you must know two things clearly:

One of the purposes of 1.DH algorithm is for key exchange, where the key refers to the exchange of public keys, and then after the exchange of public keys, combined with their own private keys in the touch operation, both sides calculate a K value, that is, we often talk about the session key, what is this session key? It works on the data, of course. Because he acts on the data most quickly, after encrypting the data with a symmetric key, the session key can be encrypted with the public key of B. finally, the transmission of the session key will be very secure. after it is transmitted to B, B uses its own private key to decrypt the session key encrypted by his public key, that is, symmetric key decryption, and then uses the symmetric key to decrypt the data. This is a simple encryption process.

Next, we will continue to pay attention to the security of the DH algorithm, which can be submitted to you as a supplement.

One of the characteristics of DH algorithm is that A must get the public key of B, and B must get the public key of A, so user A can guarantee that it is user B who sends himself the public key YB, not other illegal users? If the person who sends the public key to An is a *, then the user will calculate the symmetric key with *. This truth is easy to understand.

In fact, even if others know P or g, it is very difficult to get the symmetric key K through calculation, because it is very difficult to factorize large integers, but there is a security risk in the fourth step, that is, the process of public key exchange. when user A sends the public key to user B, it is intercepted by illegal user C, and in the same way that user B sends the public key to user An is also intercepted by illegal user C. At this point, neither user A nor user B can successfully receive each other's public key. For user A, user C forges the identity of user B and sends his public key to user A. user A mistakenly thinks that illegal user C is B, so it forms a symmetric secret key KA with user C. similarly, B also forms symmetrical secret key KB with user C, then illegal user C has symmetrical keys KA and KB of both user An and B. When the data is transferred between user An and B, user C can use the symmetric secret key to decrypt the data, which will cause great security risk.

Although it is difficult to successfully implement the above deceptive behavior about user C, it does not rule out this possibility, so we need a method to authenticate each other when exchanging public keys in the DH algorithm, such as using digital signatures, then RSA is used for digital signatures in the process of DH message exchange. That is to say, digital signature can guarantee the identity of B to An and make A believe that user B is the one who sends me the public key, not other illegal users. RSA is the way to achieve digital signature. At the same time, it also needs a framework to ensure the credibility of each other's public keys. For example, we pay Taobao, Taobao wants us to encrypt, how can I make sure that I am using Taobao's public key encryption, can't it be someone else's public key? Of course, I do use Taobao's public key to encrypt. When the data is transmitted to Taobao, Taobao can decrypt it with its own private key, but in case I encrypt someone else's public key, then your money will be paid to someone else.

Because DH only does two things: exchange keys and calculate the same symmetric keys. There is no guarantee in these two processes, and it cannot determine the identity of each other in some way. So we use RSA to guarantee the process of DH algorithm.

RSA is a standard for digital signature, secret key exchange and encryption. The advantage of RSA is that RSA can be used for both encryption and digital signature. RSA makes up for DH's inability to generate digital signatures.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.