Network security: encryption types and examples


Data encryption types
Symmetric encryption (traditional encryption algorithms)
The data to be encrypted and the key are both supplied to the encryption algorithm, which turns the data into unreadable ciphertext. To read the data again, the ciphertext and the same key are supplied to the decryption algorithm, which restores the original data.
Advantages:
Encryption is fast and uses little CPU.
Disadvantages:
The biggest disadvantage of symmetric encryption is key distribution. If the party encrypting the data and the party receiving it are in different places, the key has to be transmitted, and that transmission can be intercepted by a third party.
 
Asymmetric encryption (public key encryption algorithms)
In a public key system, the recipient of the data holds a pair of keys: a public key and a private key. The essential property of this pair is that data encrypted with one of the two keys can only be decrypted with the other. Data encrypted with the public key can only be decrypted with the private key, and data encrypted with the private key can only be decrypted with the public key. As the names suggest, the public key can be freely handed to others, while the private key must be kept strictly secret.
Advantages:
Asymmetric encryption is more secure than symmetric encryption because there is no key-distribution problem: the private key never has to be transmitted.
Disadvantages:
It consumes much more CPU than symmetric encryption.
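To make the "one key encrypts, only the other key decrypts" property concrete, here is an added example in Go (not code from the original page). It generates two RSA key pairs with the standard library, encrypts with one public key and shows that only the matching private key recovers the data, signs with a private key and shows that only the matching public key accepts the signature, and finally shows why the asymmetric algorithm is used to carry small secrets such as keys rather than bulk data: a 2048-bit RSA-OAEP block with SHA-256 cannot hold more than 190 bytes of plaintext. The key size, the sample message and the struct and function names are the example's own choices.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// KeyPairProperties records which of the public-key properties held.
type KeyPairProperties struct {
	PublicEncryptsPrivateDecrypts bool // data sealed with the public key comes back with the private key
	OtherPrivateKeyFails          bool // a different private key cannot decrypt it
	PrivateSignsPublicVerifies    bool // a signature made with the private key checks out under the public key
	OtherPublicKeyRejects         bool // the same signature is rejected under a different public key
	BulkDataTooLong               bool // RSA-OAEP refuses a message larger than the key size allows
}

// ShowKeyPairProperties generates two 2048-bit RSA key pairs (constructed here,
// not loaded from certificates) and exercises both directions of each key.
func ShowKeyPairProperties() (KeyPairProperties, error) {
	var p KeyPairProperties
	owner, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return p, err
	}
	stranger, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return p, err
	}
	msg := []byte("constructed sample: symmetric key to be transported")

	// Encrypt with the owner's public key; only the owner's private key can undo it.
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, &owner.PublicKey, msg, nil)
	if err != nil {
		return p, err
	}
	pt, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, owner, ct, nil)
	p.PublicEncryptsPrivateDecrypts = err == nil && bytes.Equal(pt, msg)
	_, err = rsa.DecryptOAEP(sha256.New(), rand.Reader, stranger, ct, nil)
	p.OtherPrivateKeyFails = err != nil

	// Sign with the owner's private key; the owner's public key verifies it, another key does not.
	digest := sha256.Sum256(msg)
	sig, err := rsa.SignPSS(rand.Reader, owner, crypto.SHA256, digest[:], nil)
	if err != nil {
		return p, err
	}
	p.PrivateSignsPublicVerifies = rsa.VerifyPSS(&owner.PublicKey, crypto.SHA256, digest[:], sig, nil) == nil
	p.OtherPublicKeyRejects = rsa.VerifyPSS(&stranger.PublicKey, crypto.SHA256, digest[:], sig, nil) != nil

	// Why asymmetric encryption carries keys rather than payloads: one 2048-bit
	// RSA-OAEP/SHA-256 block holds at most 256-2*32-2 = 190 bytes, so 191 bytes
	// is refused (rsa.ErrMessageTooLong).
	bulk := make([]byte, 191)
	_, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, &owner.PublicKey, bulk, nil)
	p.BulkDataTooLong = err != nil
	return p, nil
}

func main() {
	p, err := ShowKeyPairProperties()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", p)
}
```

Run it with `go run`; every field of the printed struct should be true. The two key pairs stand in for the server and for any other party: the server's public key can be published precisely because it cannot decrypt anything on its own.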
 
The following describes how these encryption methods are used in the SSL handshake.
 
SSL (Secure Sockets Layer) and its successor, Transport Layer Security (TLS), are security protocols that provide confidentiality and data integrity for network communication. TLS and SSL encrypt the network connection at the transport layer.
 
SSL provides the following services:
1. Authenticates the client and the server, so that data is sent to the correct client and server
2. Encrypts data to prevent it from being stolen
3. Maintains data integrity, so that data is not altered in transit
 
Handshake process of the SSL protocol
 
To understand the SSL protocol better, we introduce its handshake protocol. SSL uses both public key encryption and symmetric encryption. Symmetric encryption is faster than public key encryption, but public key encryption provides better identity authentication, so the SSL handshake protocol relies on it to let the client and the server authenticate each other efficiently. The main process is as follows:
① The client browser sends the server its SSL protocol version number, the types of encryption algorithms it supports, a random number it has generated, and the other information needed for communication between the server and the client.
② The server sends the client its SSL protocol version number, the encryption algorithm type, a random number and other related information; the server also sends its own certificate to the client. (See the note below.)
③ The client uses the information sent by the server to verify the server's legitimacy. This includes: whether the certificate has expired; whether the CA that issued the server certificate is trusted; whether the public key in the issuer's certificate correctly verifies the "issuer's digital signature" on the server certificate; and whether the domain name on the server certificate matches the server's actual domain name. If this verification fails, the communication is terminated. If it passes, the handshake continues with step four.
④ The client generates a random "symmetric password" for the subsequent communication, encrypts it with the server's public key (obtained from the server certificate in step ②), and passes this encrypted "pre-master password" to the server.
 
That is, the client uses the public key of the asymmetric (public key) algorithm to encrypt the key of the symmetric (traditional) algorithm, the "symmetric password", and then transmits it to the server.
 
⑤ If the server requires client authentication (optional in the handshake), the client generates a random number and signs it, then sends the signed random number together with the client's own certificate and the encrypted "pre-master password" to the server.
⑥ If the server requires client authentication, it must check the validity of the client's certificate and of the signed random number. The checks are: whether the client's certificate is valid on the date of use; whether the CA that issued the certificate is trusted; whether the CA's public key correctly verifies the digital signature on the certificate; and whether the certificate appears in the Certificate Revocation List (CRL). If verification fails, the communication is terminated immediately. If it passes, the server decrypts the encrypted "pre-master password" with its own private key and then executes a series of steps to generate the master communication password (the client generates the same master communication password in the same way).
 
That is, the server uses the private key of the asymmetric algorithm (held only by the server) to decrypt the message and obtain the key of the symmetric algorithm (the "symmetric password").
 
⑦ The server and the client use the same master password as the "communication password", a symmetric key, for encrypting and decrypting the secure data communication under the SSL protocol. At the same time, the integrity of the data communication must be ensured during SSL communication, so that any alteration of the data is detected.
⑧ The client sends a message to the server indicating that the master password from step ⑦ will be used as the symmetric key for subsequent data communication, and notifying the server that the client's part of the handshake is complete.
⑨ The server sends a message to the client indicating that the master password from step ⑦ will be used as the symmetric key for subsequent data communication, and notifying the client that the server's part of the handshake is complete.
⑩ The handshake part of the SSL protocol ends and data communication over the SSL secure channel begins. The client and the server use the same symmetric key for data communication and verify the integrity of that communication.
 
In the end the client and the server have reached an agreement, and both parties use a symmetric key and a symmetric (traditional) encryption algorithm for data communication.
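An added example (not the page's own code) that walks through steps ④, ⑥ and ⑦ of the handshake in one Go program, and at the same time illustrates the symmetric encryption of the first section: the client encrypts a pre-master secret under the server's public key, both sides derive the same master secret from it and the two random values without the master secret ever being sent, and the rest of the conversation uses that one symmetric key with AES-256-GCM, whose authentication tag provides the integrity check the text demands. Assumptions: deriveMaster is a simplified HMAC-SHA256 stand-in for the real TLS PRF, the 32-byte randoms, 48-byte pre-master and the sample request are constructed, and the server's key pair is generated in-process instead of being taken from a certificate.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// check panics on fixture setup errors (key generation, cipher construction), which are bugs, not outcomes.
func check(err error) {
	if err != nil {
		panic(err)
	}
}

// randomBytes draws n bytes from the OS CSPRNG.
func randomBytes(n int) []byte {
	b := make([]byte, n)
	_, err := rand.Read(b)
	check(err)
	return b
}

// deriveMaster is a simplified stand-in for the TLS PRF (an assumption, not the real construction):
// HMAC-SHA256 keyed with the pre-master over a label and both randoms. Each side computes it locally.
func deriveMaster(preMaster, clientRandom, serverRandom []byte) []byte {
	mac := hmac.New(sha256.New, preMaster)
	mac.Write([]byte("master secret"))
	mac.Write(clientRandom)
	mac.Write(serverRandom)
	return mac.Sum(nil) // 32 bytes, used directly as the AES-256 record key
}

// newGCM wraps the master secret as an AES-256-GCM AEAD: confidentiality plus an integrity tag per record.
func newGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	check(err)
	gcm, err := cipher.NewGCM(block)
	check(err)
	return gcm
}

// sealRecord encrypts one record under key; the fresh nonce is prepended to the output.
func sealRecord(key, plaintext []byte) []byte {
	gcm := newGCM(key)
	nonce := randomBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, nil)
}

// openRecord decrypts a record and fails if the authentication tag does not match.
func openRecord(key, sealed []byte) ([]byte, error) {
	gcm := newGCM(key)
	if len(sealed) < gcm.NonceSize() {
		return nil, fmt.Errorf("record too short: %d bytes", len(sealed))
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

type HandshakeResult struct {
	MasterSecretsMatch bool // client and server derived the same master secret
	RecordDecrypted    bool // step ⑦: the server reads the client's first record
	TamperDetected     bool // a record modified in transit is rejected, not silently accepted
}

// RunHandshake plays both roles in one process; the server's public key would really come from its certificate.
func RunHandshake() HandshakeResult {
	var r HandshakeResult
	serverKey, err := rsa.GenerateKey(rand.Reader, 2048)
	check(err)
	clientRandom, serverRandom := randomBytes(32), randomBytes(32) // steps ① and ②: one random value each
	// Step ④: the client picks the pre-master secret and encrypts it with the server's
	// public key; only the holder of the matching private key can recover it.
	preMaster := randomBytes(48)
	encPreMaster, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, &serverKey.PublicKey, preMaster, nil)
	check(err)
	clientMaster := deriveMaster(preMaster, clientRandom, serverRandom)
	// Step ⑥: the server recovers the pre-master with its private key and derives the same master.
	serverPreMaster, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, serverKey, encPreMaster, nil)
	check(err)
	serverMaster := deriveMaster(serverPreMaster, clientRandom, serverRandom)
	r.MasterSecretsMatch = hmac.Equal(clientMaster, serverMaster)
	// Step ⑦: both sides switch to the symmetric master secret for the data channel.
	request := []byte("constructed sample: GET /account HTTP/1.1")
	record := sealRecord(clientMaster, request)
	plain, err := openRecord(serverMaster, record)
	r.RecordDecrypted = err == nil && string(plain) == string(request)
	// Integrity: flip one byte of the record in transit; the GCM tag no longer verifies.
	tampered := append([]byte{}, record...)
	tampered[len(tampered)-1] ^= 0x01
	_, err = openRecord(serverMaster, tampered)
	r.TamperDetected = err != nil
	return r
}

func main() {
	fmt.Printf("%+v\n", RunHandshake())
}
```

Run it with `go run`; all three fields should print as true. The point of the tamper check is the one the text makes in step ⑦: encryption alone does not guarantee integrity, so the symmetric channel must authenticate every record, which AES-GCM does with its tag.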
Note:
② Content of the certificate transmitted by the server
The certificate contains a public key and the real identity information of an entity, which may be an individual, a server or something else. As shown in Table 1, the subject information includes the distinguished name (DN) and the public key. The certificate also includes its validity period and the signature of the issuing CA, and it may carry other (extension) information, generally defined by the CA, such as the serial number.
 
Table 1. Certificate information
Subject (certificate owner): distinguished name, public key
Issuer: distinguished name and signature
Validity period: not before, not after
Management information: version and serial number
Extension information: basic constraints, Netscape flags
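An added example, not from the original page, of the legitimacy checks in step ③ run against the certificate fields listed in Table 1, using Go's crypto/x509. It builds a constructed root CA and a server certificate issued by it (the names "Example Root CA" and "www.example.test", the serial numbers and the validity periods are all made up for the example), then shows the verifier accepting the genuine case and rejecting an expired certificate, a host-name mismatch, an issuer missing from the trust store, and an issuer whose name matches but whose public key does not verify the signature. The CRL lookup mentioned in step ⑥ is not covered.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// CheckResult records the outcome of each client-side check from step ③.
type CheckResult struct {
	GenuineAccepted      bool // trusted issuer, in date, hostname matches
	ExpiredRejected      bool // clock moved past NotAfter
	WrongHostRejected    bool // certificate was issued for another domain
	UntrustedCARejected  bool // issuer is not in the trust store
	BadSignatureRejected bool // issuer name matches, but the signature does not verify
}

// check panics on fixture setup errors (key generation, certificate creation); those are bugs, not outcomes.
func check(err error) {
	if err != nil {
		panic(err)
	}
}

// issue generates a key pair for template and signs it under parentKey; a nil parent means self-signed.
func issue(template, parent *x509.Certificate, parentKey *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	check(err)
	if parent == nil {
		parent, parentKey = template, key
	}
	der, err := x509.CreateCertificate(rand.Reader, template, parent, &key.PublicKey, parentKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// rootTemplate describes a CA certificate valid for a year from now (constructed values).
func rootTemplate(name string, serial int64, now time.Time) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
}

// VerifyServerCertificate issues a constructed root CA and a server certificate under it, then runs the step ③ checks.
func VerifyServerCertificate() CheckResult {
	var r CheckResult
	now := time.Now()
	ca, caKey := issue(rootTemplate("Example Root CA", 1, now), nil, nil)
	srv, _ := issue(&x509.Certificate{
		SerialNumber: big.NewInt(3),
		Subject:      pkix.Name{CommonName: "www.example.test"},
		DNSNames:     []string{"www.example.test"}, // the name the client compares against
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, ca, caKey)
	// verify is what the browser does with the certificate from step ②: chain to a trusted root,
	// check the dates and the issuer's signature, and match the host name.
	verify := func(host string, at time.Time, roots *x509.CertPool) error {
		_, err := srv.Verify(x509.VerifyOptions{DNSName: host, CurrentTime: at, Roots: roots})
		return err
	}
	trusted := x509.NewCertPool()
	trusted.AddCert(ca)
	r.GenuineAccepted = verify("www.example.test", now, trusted) == nil
	var invalid x509.CertificateInvalidError
	err := verify("www.example.test", now.Add(72*time.Hour), trusted)
	r.ExpiredRejected = errors.As(err, &invalid) && invalid.Reason == x509.Expired
	var hostErr x509.HostnameError
	r.WrongHostRejected = errors.As(verify("login.example.test", now, trusted), &hostErr)
	var unknown x509.UnknownAuthorityError
	r.UntrustedCARejected = errors.As(verify("www.example.test", now, x509.NewCertPool()), &unknown)
	// An impostor root with the same name but its own key: the issuer name matches,
	// yet the signature on the server certificate does not verify under its public key.
	imp, _ := issue(rootTemplate("Example Root CA", 2, now), nil, nil)
	onlyImpostor := x509.NewCertPool()
	onlyImpostor.AddCert(imp)
	r.BadSignatureRejected = errors.As(verify("www.example.test", now, onlyImpostor), &unknown)
	return r
}

func main() {
	fmt.Printf("%+v\n", VerifyServerCertificate())
}
```

Run it with `go run`; every field should print as true. Note that Roots is always set explicitly, so the checks never fall back to the machine's own trust store, and CurrentTime is passed in rather than read from the clock inside Verify, which is how the expiry case can be exercised without waiting a day.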
 
⑥ Client certificate content (taking the China Construction Bank online banking USB Key, "yundun", as an example)
Before a customer signs up for online banking, CCB prepares the "digital certificate" and downloads it to the USB Key.
At present, the USB Keys that most banks issue to customers do not have the digital certificate saved in advance.
A client certificate plays a role similar to a user name and password: when it represents personal information, it is an identity authenticated by a CA. Because a personal certificate generally cannot be imitated by others, it further confirms the user's identity.
