Chen Tao said encryption and decryption

What is encryption?

Encryption technology is the most common security means, using technical means to turn important data into garbled (encrypted) transmission, to the destination and then use the same or different means to restore (decryption).

Encryption technology consists of two elements: Algorithms and keys. The algorithm is to combine ordinary information or understandable information with a string of numbers (keys) to produce an incomprehensible cipher, which is an algorithm used to encode and decrypt data. In the security secrecy, the information communication security of the network can be ensured by proper key encryption technology and management mechanism, so that unauthorized users will not know the content of the information, even if they obtain the encrypted information .

Why encrypt?

With the gradual step of human society into the information Age, information security has been paid more and more attention. For the computer, the information is represented by a variety of data, whether the appropriate method is used to encrypt the data, has become the primary method to ensure data security. In order to keep secret, the most important data files transmitted on the network can be encrypted, but the data encryption is not necessarily to transfer files between the networks, but to ensure that the confidential documents will not disclose the important information even after the theft.

With the development of network technology, large amount of data needs to be transmitted on the network. Data transmitted on the network is unsafe and dangerous, and the danger is inherent in the TCP/IP protocol, and some TCP/IP-based services (FTP,HTTP,SMTP,TELNET) are transmitted in plaintext, and their confidentiality is not guaranteed.

The role of data encryption on the network is to prevent important information from being intercepted and stolen on the network, a simple example is the transmission of computer passwords.

Computer password is very important, many security system is based on password, password leakage related to the overall security system collapse. When logging on through the network, the password typed is transmitted to the server in clear text, and eavesdropping on the network is a very easy thing, so it is very likely that hackers sniff and steal the user's password, if the user is the root user or administrator user, the consequences will be extremely serious.

The solution to this problem is encryption, encrypted password even if the hacker is not readable, unless the encryption key or encryption method is very fragile, it is easy to hack. In any case, the role of encryption makes it easy for hackers to get passwords.

Encryption Type:

Symmetric encryption: Encrypt and decrypt using the same key

Des:data encrption Standard,56bit

3DES: Three encryption of data using 3 56-bit key

aes:advanced encrption standard,128bit (default)

AES192, AES256, AES512

Blowfish: A 64-bit packet and variable key-length symmetric key block cipher algorithm that can be used to encrypt a 64-bit length string.

Public Key cryptography: Also known as asymmetric encryption. There is a pair of keys, a public key (P), and a private key (s). The public key is implied in the private key and can be extracted and published. Public-key cryptography is rarely used to encrypt data because encryption is too slow and 1000 times times slower than symmetric encryption. Often used for authentication

Confidentiality: The sender encrypts the other party's public key

Authentication: The sender encrypts it with its own private key (digital signature)

Public key cryptography enables encryption and signature functions

RSA: Enables both encryption and signing

DSA: Signing is only possible

ElGamal: Commercial Cryptographic algorithms

One-way encryption: Also known as hash encryption, extract data signatures, can be encrypted cannot be decrypted, often used to do data integrity check

MD4, MD5, SHA1, SHA192, SHA256, SHA384, SHA512, CRC-32 (cyclic redundancy check code)

Features of one-way encryption:

< Span style= "background-color:inherit;font-family: ' Microsoft Jas Black '; >       &NBSP;&NBSP,     1, Avalanche effect: Small changes in input will cause a huge change in results

< Span style= "background-color:inherit;font-family: ' Microsoft Jas Black '; >       &NBSP;&NBSP,     2, Fixed-length output: Regardless of how large the original data is, the length of the result is the same

< Span style= "background-color:inherit;font-family: ' Microsoft Jas Black '; >       &NBSP;&NBSP,          md5:message digest,128 bit fixed-length output

< Span style= "background-color:inherit;font-family: ' Microsoft Jas Black '; >       &NBSP;&NBSP,          sha1:secure Hash algorithm,160 bit fixed-length output

3, irreversible: Unable to restore the original data from the signature code

The process of negotiating a generated password is called key exchange (Internet key Exchange,ike)

Diffie-hellman Protocol:

A-and B

P,g (large prime, number of generators), transmitted over a network, public

A: Take a random number by yourself X

B: Take a random number for yourself y

A:g^x%p-B

B:g^y%p-A

A: (g^y%p) ^x=g^yx%p

B: (g^x%p) ^y=g^xy%p

The final g^xy%p is the final key.

Pki:public Key Infrastructure.

The core of PKI is CA and its trust relationship

CA (Certificate authority) is a digital certificate authentication Center refers to the institution of issuing, administering and abolishing digital certificates. The role of a CA is to check the legitimacy of the identity of the certificate holder and issue a certificate (signed on the certificate) to prevent the certificate from being forged or tampered with, and to manage the certificate and key.

A digital certificate is actually a record that is stored on a computer and is a statement issued by a CA that proves that the certificate principal ("certificate requester" becomes a "certificate principal" after the certificate applicant has the certificates) and a unique correspondence to the public key contained in the certificate.

What the digital certificate contains:

Name of the applicant and related information

Address information of the applicant

Requester's public key

The name of the CA that issued the certificate

Digital signature of the CA that issued the certificate (signature encrypted with the private key of the issuing authority)

Certificate Validity period

Contents of the X509 Certificate:

Public key and its validity period

Legal owner of the certificate

How the certificate is used

Information about the CA

Check code for CA signature

CRL: Certificate Revocation list. The CRL records a certificate that has been sent out and has not expired but has been revoked

The implementation architecture of PKI:

TLS/SSL: Using X509 Certificate

Opengpg

650) this.width=650; "src="/e/u261/themes/default/images/spacer.gif "style=" Background:url ("/e/u261/lang/zh-cn/ Images/localimage.png ") no-repeat center;border:1px solid #ddd;" alt= "Spacer.gif"/>

Ssl:secure socket layer, secure socket layers. Just a library that can encapsulate application-layer protocols such as HTTP, SMTP, and FTP into HTTPS, Smtps, FTPs, and so on

Tls:transport Layer SECURITY,TLSV1 version equivalent to SSLv3

SSL Session Process:

1, TCP three-time handshake

2. The client initiates a session request to the server

3, the server and the client to negotiate the establishment of an SSL session (negotiated encryption protocol: SSLV2, SSLv3, TLS; negotiated encryption algorithm)

4. The server sends its own certificate to the client

5, the client verifies whether the certificate is issued by the root certification authority that you trust, the certificate is complete

6, the client randomly generates a session key (symmetric key), with the server's public key to encrypt, passed to the server side

7, the server side with the client-generated symmetric key to encrypt the data, transmitted to the client

The implementation tool for symmetric encryption:

Openssl

Gpg

650) this.width=650; "src=" Http://s4.51cto.com/wyfs02/M02/78/AD/wKioL1aBHtPgvlzPAAHh_VDsUUw532.jpg "title=" 330e8f54-1354-4eaf-a1dc-72445d85e637.jpg "alt=" Wkiol1abhtpgvlzpaahh_vdsuuw532.jpg "/>

Openssl:ssl's Open source implementation, is a software that consists of three parts

Libcrypto: Encryption Library

Implementation of the LIBSSL:TLS/SSL protocol. Session-based TLS/SSL library for identity authentication, data confidentiality, and session integrity

OpenSSL: Multi-purpose command line tool. Ability to implement one-way encryption, symmetric encryption, asymmetric encryption, generation of a pair of keys, private certification authorities, etc.

OpenSSL command:

OpenSSL ENC: encryption/decryption

-E: Encryption

-D: Decryption

OpenSSL dgst: Extracting file signatures

OpenSSL passwd-1: Generating a cipher string

OpenSSL rand-base64: Generating pseudo-random numbers

OpenSSL implements a private CA:

Configuration file for CA:/etc/pki/tls/openssl.cnf

1. CA generates a pair of keys

Cd/etc/pki/ca (umask 077;openssl genrsa-out private/cakey.pem 2048) #生成密钥, the brackets must be OpenSSL rsa-in private/cakey. Pem-pubout #提取公钥

2. CA generate self-signed certificate

OpenSSL req-new-x509-key private/cakey.pem-out cacert.pem-days 365 #生成自签署证书openssl x509-text-in Cacert.pem #读出ca Contents of the CERT.PEM certificate mkdir certs newcerts crltouch index.txt && echo > serial

3, client (e.g. HTTPD server) generate key

CD/ETC/HTTPD && mkdir SSL && CD SSL (umask 077;openssl genrsa-out httpd.key 2048)

4. Client-generated Certificate signing request

OpenSSL Req-new-key httpd.key-out HTTPD.CSR

5. The client sends the certificate signing request file to the CA

SCP HTTPD.CSR [Email protected]:/root

6, the CA signed the certificate submitted by the client

OpenSSL ca-in/root/httpd.csr-out httpd.crt-days 365

7, the CA signed a good certificate HTTPD.CRT to the client

This article is from the "Chen Tao Blog" blog, please be sure to keep this source http://itchentao.blog.51cto.com/5168625/1729304

Chen Tao said encryption and decryption