DES-style algorithms involve two key points: the encryption mode and data padding. The encryption mode matters because the algorithm encrypts block by block. DES uses 64-bit blocks, so it encrypts 8 bytes at a time: every 8 bytes of plaintext in produce 8 bytes of ciphertext out, and 16 bytes are split into two blocks and encrypted in order. This is where the problem appears. If the plaintext is 1234567812345678 and each block is encrypted separately, the result looks something like "c4132737962c519c c4132737962c519c", and the pattern of the plaintext is visible. This is ECB mode: the ciphertext reveals patterns in the plaintext.
To solve this problem there are other encryption modes: CBC (cipher block chaining), CFB (cipher feedback) and OFB (output feedback). CBC requires an initialization vector: each block is computed together with the vector, and the result of the operation serves as the initialization vector for the next cipher block. CFB and OFB do not need an initialization vector to be provided; they operate directly on the ciphertext or the output as the initialization vector. This keeps patterns in the plaintext from appearing in the ciphertext. The drawback is that decryption depends on the ciphertext being correct: if part of it is corrupted in network transmission, the subsequent decryption results may be wrong (in ECB mode only the block with the transmission error is affected).
Block ciphers encrypt in groups (blocks). What if the length of the data does not divide evenly into groups? It can only be padded.
The modes most commonly used with these algorithms are ECB and CBC:
The first: Electronic Codebook mode (ECB)
ECB mode (Electronic Codebook): the data is DES-encrypted or decrypted 8 bytes at a time, each segment giving 8 bytes of ciphertext or plaintext. If the last segment is shorter than 8 bytes, it is padded to 8 bytes (note: this is where data padding comes in) before the calculation. The computed segments are then concatenated in order, and the segments do not affect one another. The plaintext is divided into n 64-bit groups; if the plaintext length is not a multiple of 64 bits, the appropriate number of specified symbols is appended to the end of the plaintext. Each plaintext group is encrypted separately with the given key K, giving the ciphertext C = (c0, c1, ..., cn-1), where ci = DES(K, xi), i = 0, 1, ..., n-1. This is the default mode of the DES algorithm as wrapped by Java.
The second: Cipher Block Chaining mode (CBC)
In CBC mode, each plaintext group xi is added bitwise modulo 2 (XORed) to the previous ciphertext group before encryption, and the result is then sent to DES for encryption. CBC overcomes the ECB shortcoming of repeated groups within a message, but because the encryption of a plaintext group depends on the previous ciphertext group, an error in the previous ciphertext group propagates to the next group. This is the default mode of the DES algorithm as wrapped by .NET. It is more involved, and the encryption steps are as follows:
1. First split the data into groups of 8 bytes to get D1 D2 ... Dn (if the data length is not an integer multiple of 8, data padding is involved).
2. XOR the first group D1 with the vector I, then DES-encrypt the result to get the first ciphertext group C1 (note: this uses the vector I; ECB mode does not use the vector I).
3. XOR the second group D2 with the first encryption result C1, then DES-encrypt the result to get the second ciphertext group C2.
4. Continue in the same way for the remaining data to get Cn.
5. Concatenated in order, C1 C2 C3 ... Cn is the result of the encryption.
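
The ECB pattern leak and the CBC steps above, as an added Python example (not from the original article). A small 4-round Feistel construction stands in for DES so the code runs with the standard library alone; the key, vector and all function names are constructed for illustration. `damaged_blocks` shows how far one flipped ciphertext bit spreads in each mode.

```python
import hashlib

BLOCK = 8                                    # DES block size: 64 bits
KEY, IV = b"8bytekey", bytes(range(8))       # constructed sample key and vector I
MSG = b"1234567812345678" + b"ABCDEFGH"      # the page's repeated plaintext + one more block

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))
def _f(half, key, i):                        # round function of the stand-in cipher (not DES)
    return hashlib.sha256(key + bytes([i]) + half).digest()[:4]

def enc_block(key, blk):                     # 4-round Feistel on one 8-byte block
    l, r = blk[:4], blk[4:]
    for i in range(4):
        l, r = r, _xor(l, _f(r, key, i))
    return l + r

def dec_block(key, blk):                     # same rounds, undone in reverse order
    l, r = blk[:4], blk[4:]
    for i in reversed(range(4)):
        l, r = _xor(r, _f(l, key, i)), l
    return l + r

def blocks(data):
    if len(data) % BLOCK:
        raise ValueError("data must be padded to a multiple of 8 bytes first")
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb(key, data, fn=enc_block):            # every block processed independently
    return b"".join(fn(key, b) for b in blocks(data))

def cbc_encrypt(key, iv, data):
    out, prev = [], iv
    for d in blocks(data):
        prev = enc_block(key, _xor(d, prev)) # Ci = E(Di XOR Ci-1), with C0 = I
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, iv, data):              # Di = D(Ci) XOR Ci-1, with C0 = I
    cs = blocks(data)
    return b"".join(_xor(dec_block(key, c), p) for c, p in zip(cs, [iv] + cs[:-1]))

def damaged_blocks(mode, flip_at=0):
    """Flip one ciphertext bit; return indexes of plaintext blocks that decrypt wrongly."""
    ct = ecb(KEY, MSG) if mode == "ECB" else cbc_encrypt(KEY, IV, MSG)
    ct = ct[:flip_at] + bytes([ct[flip_at] ^ 1]) + ct[flip_at + 1:]
    pt = ecb(KEY, ct, dec_block) if mode == "ECB" else cbc_decrypt(KEY, IV, ct)
    return [i for i, (a, b) in enumerate(zip(blocks(MSG), blocks(pt))) if a != b]
```

With ECB the first two ciphertext blocks are identical and a flipped bit damages only its own block; with CBC the two blocks differ and the damage covers the flipped block and the one after it.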
The third: Cipher Feedback mode (CFB), which can be used as a stream cipher
Plaintext X = (x0, x1, ..., xn-1), where each xi is composed of t bits 0
The fourth: Output Feedback mode (OFB), which can be used as a stream cipher
The only difference from CFB is that OFB feeds back t bits of the DES output rather than t bits of the ciphertext; everything else is the same as CFB. Because it takes the DES output, it overcomes the CFB shortcoming of ciphertext error propagation.
Data padding typically comes as NoPadding or PKCS7Padding (PKCS5Padding in Java). PKCS7Padding and PKCS5Padding are really just different specifications. According to the relevant material, PKCS5Padding explicitly defines the block size as 8 bytes, while with PKCS7Padding the block size can be anywhere from 1 to 255. Since the wrapped DES algorithm uses 8 bytes by default, you can treat them as the same. Padding is simply the process of filling data whose length is not a multiple of 8 bytes up to a multiple of 8 bytes.
NoPadding: the algorithm itself does no padding. For example, the .NET padding options include None and Zeros, meaning no padding and padding with 0 respectively.
PKCS7Padding (PKCS5Padding): the default padding for .NET and Java. Let r be the remainder when the byte length of the data to encrypt is divided by 8. If r is greater than 0, append 8-r bytes, each with the value 8-r; if r equals 0, append 8 bytes with the value 8. For example:
If the string to encrypt is AAA, the padded result is AAA55555; if it is BBBBBB, the padded result is BBBBBB22; and if it is CCCCCCCC, the padded result is CCCCCCCC88888888.
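
The padding rule and the three cases above in Python, as an added example (not from the original article). The digits in AAA55555 are byte values (0x05), not the ASCII character '5'. The function names are constructed here, and `zero_unpad` is an assumed caller-side convention for zero padding, included to show why PKCS7 appends a full block when r equals 0.

```python
BLOCK = 8  # DES block size in bytes

def pkcs7_pad(data: bytes, block: int = BLOCK) -> bytes:
    # n is 8-r when r > 0, and a full block (8) when r == 0
    n = block - len(data) % block
    return data + bytes([n]) * n

def pkcs7_unpad(padded: bytes, block: int = BLOCK) -> bytes:
    if not padded or len(padded) % block:
        raise ValueError("length is not a positive multiple of the block size")
    n = padded[-1]                       # last byte says how many bytes to remove
    if not 1 <= n <= block or padded[-n:] != bytes([n]) * n:
        raise ValueError("invalid padding")
    return padded[:-n]

def padding_ok(padded: bytes) -> bool:
    """True if the buffer ends in well-formed PKCS7 padding."""
    try:
        pkcs7_unpad(padded)
        return True
    except ValueError:
        return False

def zero_pad(data: bytes, block: int = BLOCK) -> bytes:
    # Zeros-style padding: fill with 0x00 up to the boundary, nothing if already aligned
    return data + b"\x00" * (-len(data) % block)

def zero_unpad(padded: bytes) -> bytes:
    # Assumed convention: strip trailing zeros. Real trailing 0x00 bytes are lost.
    return padded.rstrip(b"\x00")

def roundtrips(pad, unpad, data: bytes) -> bool:
    """True if unpad(pad(data)) gives back exactly the original bytes."""
    return unpad(pad(data)) == data
```

Data that itself ends in zero bytes survives a PKCS7 round trip but not a zero-padding one, because the PKCS7 length byte is always present and unambiguous.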
DES encryption in .NET
For .NET, the framework provides DESCryptoServiceProvider under the System.Security.Cryptography namespace as the wrapper for System.Security.Cryptography.DES encryption and decryption. It provides the following 4 methods:
public override ICryptoTransform CreateDecryptor(byte[] rgbKey, byte[] rgbIV)
public override ICryptoTransform CreateEncryptor(byte[] rgbKey, byte[] rgbIV)
public override void GenerateIV()
public override void GenerateKey()
With the .NET class library wrapper, encryption requires a key and an IV vector to be passed in. The key must be 8 bytes of data, otherwise an exception is thrown. When ECB mode is used, the encryption result is the same no matter what IV vector is passed in.