Security and encryption of data transmission under Linux

Overview : Two computers when communicating on the Internet, the information sent between them without special processing, that is, the encryption mechanism, it is easy to be obtained by other people, if it is ordinary information, it does not matter, but if it involves the private information of individuals, it is not very bad, This article is about this security and encryption mechanism.

Cryptographic algorithms and protocols:

Symmetric encryption: Data encryption (confidentiality) (3des,aes)

Public Key cryptography: Identity authentication, key exchange, data encryption (less commonly used, 3 orders of magnitude slower than symmetric encryption) (RSA,DSA)

Single Encryption: Data integrity (Md5,sha)

Key exchange: RSA, DH (Deffee-Herman), ECDH (Elliptic curve dh), ECDHE (Temporary elliptic curve dh)

****************************************************************************************************

Symmetric encryption: Encryption and decryption using the same key
Des:data Encryption Standard,56bits
3DES:
Aes:advanced (192, 256bits)
Blowfish,twofish
Idea,rc6,cast5
Characteristics:
1, encryption, decryption using the same key, high efficiency
2. partition raw data into fixed-size blocks and encrypt them individually
Defects:
1. Too many keys
2. Key Distribution
3. Data sources cannot be confirmed

Asymmetric encryption algorithm: Public Key cryptography

Public key cryptography: keys are paired
Public key: publicly available to everyone; public key
Private key: Keep it for yourself, must ensure its privacy; secret key
Feature: Encrypt data with public key, only use the private key that is paired with it to decrypt;
Function:
Digital signature: The main purpose is to let the receiver confirm the sender identity
Symmetric key exchange: The sender encrypts a symmetric key with the other's public key and sends it to the other party
Data encryption: Ideal for encrypting smaller data
Cons: Long key, low encryption and decryption efficiency
Algorithm:
RSA (encryption, digital signature), DSA (digital signature), ELGamal

Specific implementation:

▲ based on a pair of public key/key pairs
One encryption in the key pair, and the other decryption

▲ Implement encryption

Receiver
Generate public key/key pair: P and S
Public public key p, encryption key s
Sent by
Use the recipient's public key to encrypt the message m
Send P (M) to Recipient
Receiver
Use key S to decrypt: M=s (P (M))

Individual encryption

Reduce any data to a fixed-size "fingerprint"
Any length input
Fixed-length output
If you modify the data, the fingerprint will change ("no conflict")
Unable to regenerate data from fingerprint ("one-way")
Features: Data integrity
Common formulas
Md5:128bits, Sha1:160bits, sha224
SHA256, sha384, sha512
Common tools
md5sum | sha1sum [--check] File
OpenSSL, GPG
Rpm-v

Key exchange

Key exchange: IKE (Internet key Exchange)
Public Key cryptography:
DH (Deffie-hellman):
Dh:
1. A:a,p negotiation generates public integer A, large prime number p
B:a,p
2, A: Generate Privacy data: X (x<p), calculate a^x%p, send to B
B: Generate privacy data: Y, calculate a^y%p, send to a
3, A: Calculated (a^y%p) ^x = a^xy%p, born into a key
B: Calculated (a^x%p) ^y = a^xy%p, born as a key

At this point, a and B generate an identical key, note that the key exchange protocol algorithm can only be used for key exchange, but not for the encryption processing of the message, when the two sides determine the key to use, to use other symmetric encryption operation to actually encrypt and decrypt the data

****************************************************************************************************

Note that the encryption algorithms and protocols described above, while enabling encrypted communication between the two computers, do not guarantee the intervention messages of other computers.

For example: A and B are two hosts on the internet, A has its own private key, B has its own private key, if a to send a message to B, but the first time it does not know who is B, if there is another machine C told a said I was B, and then send their public key to a,a at this time also thought and it is really b , but it is a and C in communication.

So the question is, how to determine the identity of B? If there is a third party trust at this time, it will confirm the identity of B, then the problem can be solved, and then who will determine the identity of the third party, if it is a fake institution? So it needs the authority of this institution to determine it and to know the top floor. Of course, this top level is the one we all know and understand by default.

Said so much, this so-called third-party organization is called the CA, when the CA every confirmation of a machine, it will be issued a certificate, as follows:

CAs and certificates

Pki:public Key Infrastructure
Visa agency: CA (Certificate authority)
Registration Authority: RA
Certificate Revocation list: CRL
Certificate Access Library:

The structure of the certificate and the standard of the authentication protocol are defined
Version number
Serial number
Signature Algorithm
Issued by
Validity period
Principal Name
Principal public key
CRL Distribution Points
Extended information
Issuer Signature

Certificate Type:
Certificate of the Certification authority
Server
User Certificate

There are two ways to obtain a certificate:
Using a certificate Authority
Generate a signing request (CSR)
Send CSR to CA
Receive signatures from CA
Self-signed certificate
Self-issued own public key

Certificate issuance process: as shown

650) this.width=650; "src=" Http://s5.51cto.com/wyfs02/M01/88/02/wKiom1fnX_2jSqXhAABParnao-Y809.png "title=" 2016-09-25_132400.png "alt=" Wkiom1fnx_2jsqxhaabparnao-y809.png "/>

1. A send its own public key to the CA

2, the CA after determining the identity of a, the certificate will be issued to a, wherein the process is as follows

1) The CA will consolidate the content to the certificate, the content structure of the certificate is as above.

2) Then use this content to generate signatures using a one-way encryption algorithm (for verifying certificate integrity)

3) Finally, the CA uses its own private key to encrypt this feature, generate a digital signature (to verify that the certificate is signed by the CA), and then issue a

3) b The process is the same as a

When b verifies the identity of a, it is verified by the certificate, the steps are as follows

1) Use the CA's public key to decrypt the digital signature and, if successful, verify the identity of the CA

2) using the same single encryption algorithm to calculate the certificate content structure of the signature, compared with the original signature, if the same, it guarantees the integrity of the certificate

3) Remove the public key of a from the contents of the certificate

An explanation of the encrypted communication process:

650) this.width=650; "src=" Http://s5.51cto.com/wyfs02/M02/88/02/wKiom1fnY2_C8q-BAAE40YGRdGo366.png "title=" 2016-09-25_130648.png "alt=" Wkiom1fny2_c8q-baae40ygrdgo366.png "/>

1)

Phase one: ClientHello: client requests for encrypted communication to the server side

Send your own supported version of the protocol to the server, such as tls1.2

The client generates a random number and later the user generates a "session key"

The various cryptographic algorithms that are supported by themselves, such as Aes,rsa;

The supported compression algorithms;

Phase II: Serverhello (response)

Confirm the version of the encrypted communication protocol used, such as tls1.2; (if the version is not the same, then reject the communication)

Server-side generates a random number that is mainly generated later by the user generating a "session key"

Confirm the encryption method used

Sending a server certificate

Request a client certificate (although the client is not verified on the general server side)

Phase III:

Verify the server certificate, confirm the error, remove its public key; (Verify the issuing authority, certificate signature, certificate integrity, certificate holder, certificate validity period, revocation list)

Send a message to the server side

A random number: For server public Key cryptography

Encoding Change Notification: Indicates that subsequent information will be sent using both mutually agreed encryption methods and keys

Client Handshake End Notification

Stage four:

After receiving the third random number-pre-master-kty from the client, compute the session key used to generate the session

Send the following message to the client:

Code change notification: Same as above

Server-side handshake end Notification

At this point the two sides have confirmed each other's identity, and establish a secure channel, the next can be transmitted information. This process is shown in

650) this.width=650; "src=" Http://s3.51cto.com/wyfs02/M01/87/FF/wKioL1fnciaRUIAAAAA5Hck80zM617.png "title=" 2016-09-25_134644.png "alt=" Wkiol1fnciaruiaaaaa5hck80zm617.png "/>

(1) a-->b

1) Use a one-way encryption algorithm to calculate the signature of the data to be transferred (and not encrypt the original data content)

2) Use your own private key to encrypt this signature to generate a digital signature

3) Encrypt all data above (including original data, signature, digital signature) using symmetric encryption algorithm, append the generated symmetric encrypted password to the encrypted data

4) Use the public key of B to encrypt this symmetric encrypted password and send all of the above data to B

(2) b after receiving the data sent by a

1) Use B to decrypt the symmetric encrypted password (if it can be decrypted, ensure that the receive is B)

2) Decrypt this data with a decrypted symmetric encryption cipher

3) Decrypt the digital signature after decryption by using the public key of a (if possible, ensure that the data is from a )

4) At this time, there are two things presented in B, one is the original data, and the other is the signature code. And the original data is not encrypted. At this point, B needs to use the same single encryption algorithm for the original data at this time to calculate the signature, and a sent over the signature of the comparison, if equal, the integrity of the original data is guaranteed.

So far. The encryption and decryption process of the information is completed.

Summarize:

in the process described above, the individual believes that there are a few points to emphasize:

1) Individual encryption does not encrypt the original data, just to calculate the signature of the original data. Integrity Check for data

2) Symmetric encryption algorithms are encrypted and decrypted using the same key. Used to encrypt data

3) Public key cryptography is the signature . Used to generate digital signatures

4) Certificate issuance and verification process and data transfer process is two processes

This article is from the "Endless Learning" blog, please be sure to keep this source http://dashui.blog.51cto.com/11254923/1856324

Security and encryption of data transmission under Linux