Article Directory
- Private Key Encryption
- Public Key Encryption
- Digital Signature
- Hash Value
- Random Number Generation
MSDN:
http://msdn.microsoft.com/zh-cn/library/93bskf9z(vs.80).aspx
Encryption helps protect data from being viewed and modified, and provides a means of secure communication over insecure channels. For example, you can use an encryption algorithm to encrypt the data, transmit it in its encrypted state, and have the intended recipient decrypt it. If a third party intercepts the encrypted data, it is very difficult to decrypt.
In a typical scenario where encryption is used, two parties (Xiaohong and Xiaoming) communicate over an insecure channel. Xiaohong and Xiaoming want to ensure that anyone who may be listening cannot understand the communication between them. In addition, because Xiaohong is far away from Xiaoming, Xiaohong must ensure that the information she receives from Xiaoming was not modified by anyone during transmission. She must also make sure that the information really was sent by Xiaoming rather than by someone impersonating Xiaoming.
Encryption is used for the following purposes:
- Confidentiality: helps protect user identities or data from being read.
- Data integrity: helps protect data from changes.
- Authentication: ensures that data is sent from a specific party.
To achieve this, you can use a combination of algorithms and conventions (called cryptographic primitives) to create an encryption scheme. The following list gives the primitives and their usage.
- Private key encryption (symmetric encryption): Transforms data so that third parties cannot read it. This type of encryption uses a single shared secret key to encrypt and decrypt data.
- Public key encryption (asymmetric encryption): Transforms data so that third parties cannot read it. This type of encryption uses a public/private key pair to encrypt and decrypt data.
- Cryptographic signature: Helps verify that data was sent by a specific party by creating a digital signature that is unique to that party. This process also uses hash functions.
- Cryptographic hash: Maps data of any length to a fixed-length byte sequence. Hashes are statistically unique; a different two-byte sequence will not hash to the same value.
Private Key Encryption
Private key encryption algorithms use a single private key to encrypt and decrypt data. Any party that has the key can use it to decrypt data, so you must protect the key from being obtained by unauthorized agents. Private key encryption is also called symmetric encryption because the same key is used for both encryption and decryption. Private key encryption algorithms are very fast (compared with public key algorithms) and are especially suitable for performing cryptographic transformations on large data streams.
Generally, private key algorithms (called block ciphers) are used to encrypt one block of data at a time. Block ciphers (such as RC2, DES, TripleDES, and Rijndael) transform an input block of n bytes into an output block of encrypted bytes. If you want to encrypt or decrypt a sequence of bytes, you must do it block by block. Because n is small (n = 8 bytes for RC2, DES, and TripleDES; n = 16 [the default value], n = 24, or n = 32 bytes for Rijndael), data values larger than n must be encrypted one block at a time.
The block cipher classes provided in the base class library use a chaining mode called cipher block chaining (CBC). It uses a key and an initialization vector (IV) to perform cryptographic transformations on data. For a given private key k, a simple block cipher that does not use an initialization vector encrypts the same plaintext input block into the same ciphertext output block. If duplicate blocks exist in the plaintext stream, duplicate blocks exist in the ciphertext stream. If unauthorized users know anything about the structure of a plaintext block, they can use that information to decipher the known ciphertext block and possibly recover your key. To overcome this problem, information from the previous block is mixed into the encryption of the next block. In this way, the output of two identical plaintext blocks is different. Because this technique uses the previous block to encrypt the next block, an IV is needed to encrypt the first block of data. With this system, common message headers that an unauthorized user might know cannot be used to reverse engineer a key.
One way to compromise data encrypted with this type of cipher is to perform an exhaustive search over every possible key. Depending on the size of the key used to perform encryption, this kind of search is extremely time-consuming, and therefore infeasible, even with the fastest computers. Larger key sizes make decryption more difficult. Although encryption does not make it theoretically impossible for an adversary to retrieve the encrypted data, it does raise the cost of doing so. If it takes three months to perform an exhaustive search to retrieve data that is meaningful for only a few days, the exhaustive search method is not practical.
The disadvantage of private key encryption is that it presumes both parties have agreed on a key and IV and have communicated their values to each other. In addition, the key must be kept secret from unauthorized users. Because of these problems, private key encryption is usually used together with public key encryption to privately communicate the values of the key and IV.
Suppose that Xiaohong and Xiaoming want to communicate over an insecure channel. They might use private key encryption as follows. Xiaohong and Xiaoming agree to use a specific algorithm (such as Rijndael) with a specific key and IV. Xiaohong writes a message and creates a network stream on which to send the message. Next, she encrypts the text using the key and IV and sends it over the Internet. She does not send the key and IV to Xiaoming. Xiaoming receives the encrypted text and decrypts it using the previously agreed key and IV. If the transmission is intercepted, the interceptor cannot recover the original message because the interceptor does not know the key or IV. In this scheme, the key must be kept secret, but the IV does not need to be kept secret. In a real-world scenario, either Xiaohong or Xiaoming generates the private key and uses public key (asymmetric) encryption to transfer the private (symmetric) key to the other party. For more information, see the section on public key encryption later in this topic.
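The repeated-block problem described above can be observed directly. The following C# program is an added example, not code from the original page; it assumes `Aes.Create()` (Rijndael with a 16-byte block) and a constructed plaintext of two identical blocks, and the class name `CbcDemo` is hypothetical. It reports whether the two ciphertext blocks are equal when no chaining is used (ECB) and when CBC with an IV is used.

```csharp
using System;
using System.Security.Cryptography;

static class CbcDemo
{
    // Encrypts block-aligned data with the given chaining mode.
    // PaddingMode.None keeps the ciphertext the same length as the plaintext.
    static byte[] Encrypt(byte[] plaintext, byte[] key, byte[] iv, CipherMode mode)
    {
        using (Aes aes = Aes.Create())
        {
            aes.Mode = mode;
            aes.Padding = PaddingMode.None;
            aes.Key = key;
            aes.IV = iv;   // ignored by ECB, which uses no initialization vector
            using (ICryptoTransform enc = aes.CreateEncryptor())
                return enc.TransformFinalBlock(plaintext, 0, plaintext.Length);
        }
    }

    static void Main()
    {
        byte[] key = new byte[32];
        byte[] iv = new byte[16];
        using (RandomNumberGenerator rng = RandomNumberGenerator.Create())
        {
            rng.GetBytes(key);
            rng.GetBytes(iv);
        }

        // Constructed sample: two identical 16-byte plaintext blocks.
        byte[] plaintext = new byte[32];
        for (int i = 0; i < plaintext.Length; i++) plaintext[i] = (byte)'A';

        foreach (CipherMode mode in new[] { CipherMode.ECB, CipherMode.CBC })
        {
            byte[] ct = Encrypt(plaintext, key, iv, mode);
            string block0 = BitConverter.ToString(ct, 0, 16);
            string block1 = BitConverter.ToString(ct, 16, 16);
            Console.WriteLine("{0}: ciphertext blocks identical = {1}", mode, block0 == block1);
        }
    }
}
```

Without chaining, the duplicate plaintext blocks produce duplicate ciphertext blocks; with CBC, the second block is mixed with the first ciphertext block before encryption, so the two outputs differ.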
The .NET Framework provides the following classes for implementing private key encryption algorithms:
Public key encryption
Public key encryption uses a private key that must be kept secret from unauthorized users and a public key that can be made available to anyone. The public key and the private key are mathematically linked. Data encrypted with the public key can be decrypted only with the private key, and data signed with the private key can be verified only with the public key. The public key can be given to anyone; it is used to encrypt data to be sent to the holder of the private key. The two keys are unique to the communication session. Public key encryption algorithms are also called asymmetric algorithms because one key is used to encrypt data and another key is used to decrypt it.
Public key encryption algorithms use a fixed buffer size, while private key encryption algorithms use a variable-length buffer. Public key algorithms cannot chain data together into streams the way private key algorithms can, because only small amounts of data can be encrypted. Therefore, asymmetric operations do not use the same streaming model as symmetric operations.
Two parties (Xiaohong and Xiaoming) might use public key encryption as follows. First, Xiaohong generates a public/private key pair. If Xiaoming wants to send an encrypted message to Xiaohong, he asks her for her public key. Xiaohong sends her public key to Xiaoming over an insecure network. Xiaoming then uses this key to encrypt the message. (If Xiaoming received Xiaohong's key over an insecure channel, such as a public network, Xiaoming must verify that he has a correct copy of her public key.) Xiaoming sends the encrypted message to Xiaohong, and Xiaohong uses her private key to decrypt it.
However, an unauthorized agent might intercept Xiaohong's public key while it is being transmitted. The same agent might also intercept the encrypted message from Xiaoming. However, the agent cannot use the public key to decrypt the message. The message can be decrypted only with Xiaohong's private key, which is never transmitted. Xiaohong does not use her private key to encrypt a reply to Xiaoming, because anyone with the public key could decrypt that message. If Xiaohong wants to send a message back to Xiaoming, she asks Xiaoming for his public key and uses it to encrypt her message. Xiaoming then uses his associated private key to decrypt the message.
In a real-world scenario, Xiaohong and Xiaoming use public key (asymmetric) encryption to transfer a private (symmetric) key, and use private key encryption for the rest of their session.
Public key encryption has a much larger key space (the range of possible values for the key), so it is less susceptible to attacks that try every possible key. Public keys are easy to distribute because they do not have to be protected. Public key algorithms can be used to create digital signatures that verify the identity of the sender of data. However, public key algorithms are very slow (compared with private key algorithms) and are not suitable for encrypting large amounts of data. Public key algorithms are useful only for transferring small amounts of data. Public key encryption is usually used to encrypt the key and IV to be used by a private key algorithm. After the key and IV are transferred, private key encryption is used for the rest of the session.
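The combined scheme described above, with the symmetric key transferred under the recipient's public key and the message itself encrypted symmetrically, looks like this in C#. This is an added example, not code from the original page; it assumes `Aes.Create()` for the symmetric cipher, OAEP padding for the key transfer, and a constructed sample message, and the class name `HybridDemo` is hypothetical. The IV travels in the clear because, as noted earlier, it does not need to be kept secret.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

static class HybridDemo
{
    static void Main()
    {
        // Xiaohong generates the key pair and hands out only the public half.
        using (var xiaohong = new RSACryptoServiceProvider(2048))
        {
            RSAParameters publicKey = xiaohong.ExportParameters(false);

            // Xiaoming: fresh random session key and IV, message encrypted symmetrically,
            // session key encrypted with Xiaohong's public key.
            byte[] wrappedKey, iv, ciphertext;
            using (Aes aes = Aes.Create())   // CBC mode, PKCS7 padding, random Key and IV
            using (var rsaPublic = new RSACryptoServiceProvider())
            {
                rsaPublic.ImportParameters(publicKey);
                wrappedKey = rsaPublic.Encrypt(aes.Key, true);   // true selects OAEP padding
                iv = aes.IV;
                byte[] message = Encoding.UTF8.GetBytes("constructed sample message");
                using (ICryptoTransform enc = aes.CreateEncryptor())
                    ciphertext = enc.TransformFinalBlock(message, 0, message.Length);
            }

            // Xiaohong: recovers the session key with her private key, then decrypts.
            using (Aes aes = Aes.Create())
            {
                aes.Key = xiaohong.Decrypt(wrappedKey, true);
                aes.IV = iv;
                using (ICryptoTransform dec = aes.CreateDecryptor())
                {
                    byte[] plain = dec.TransformFinalBlock(ciphertext, 0, ciphertext.Length);
                    Console.WriteLine(Encoding.UTF8.GetString(plain));
                }
            }
        }
    }
}
```

Only the 32-byte session key passes through the slow public key operation; the message, whatever its length, is handled by the symmetric cipher.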
The .NET Framework provides the following classes to implement public key encryption algorithms:
- DSACryptoServiceProvider
- RSACryptoServiceProvider
Digital Signature
Public key algorithms can also be used to form digital signatures. Digital signatures authenticate the identity of the sender (if you trust the sender's public key) and help protect the integrity of data. Using the public key generated by Xiaohong, the recipient of Xiaohong's data can verify that Xiaohong sent it by comparing the digital signature against Xiaohong's data and Xiaohong's public key.
To use public key encryption to digitally sign a message, Xiaohong first applies a hash algorithm to the message to create a message digest. The message digest is a compact and unique representation of the data. Xiaohong then encrypts the message digest with her private key to create her personal signature. On receiving the message and signature, Xiaoming decrypts the signature with Xiaohong's public key to recover the message digest, and hashes the message using the same hash algorithm that Xiaohong used. If the message digest that Xiaoming computes exactly matches the message digest received from Xiaohong, Xiaoming can be sure that the message came from the holder of the private key and that the data has not been modified. If Xiaoming trusts that Xiaohong is the holder of the private key, he knows that the message came from Xiaohong.
Note that anyone can verify the signature, because the sender's public key is publicly known and is usually included in the digital signature format. This method does not keep the message secret. To keep the message secret, you must also encrypt it.
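The signing and verification steps described above, including what the verifier sees when the data has been modified, are shown in the following C# program. It is an added example, not code from the original page; it assumes SHA-256 as the hash algorithm, PKCS#1 v1.5 signature padding, and a constructed sample message, and the class name `SignDemo` is hypothetical.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

static class SignDemo
{
    static void Main()
    {
        byte[] message = Encoding.UTF8.GetBytes("constructed sample: pay 100 to Xiaoming");
        byte[] signature;
        RSAParameters publicKey;

        // Xiaohong: SignData hashes the message, then signs the digest with the private key.
        using (var signer = new RSACryptoServiceProvider(2048))
        {
            publicKey = signer.ExportParameters(false);   // public half only
            signature = signer.SignData(message, HashAlgorithmName.SHA256,
                                        RSASignaturePadding.Pkcs1);
        }

        // Xiaoming: holds only the public key, the message and the signature.
        using (var verifier = new RSACryptoServiceProvider())
        {
            verifier.ImportParameters(publicKey);

            bool originalOk = verifier.VerifyData(message, signature,
                HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);

            // Same message with a single bit changed in transit.
            byte[] modified = (byte[])message.Clone();
            modified[modified.Length - 1] ^= 0x01;
            bool modifiedOk = verifier.VerifyData(modified, signature,
                HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);

            Console.WriteLine("original message verifies: {0}", originalOk);
            Console.WriteLine("modified message verifies: {0}", modifiedOk);
        }
    }
}
```

The message itself is sent unencrypted here, which matches the note above: a signature provides authentication and integrity, not confidentiality.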
The .NET Framework provides the following classes for implementing digital signature algorithms:
- DSACryptoServiceProvider
- RSACryptoServiceProvider
Hash Value
Hash algorithms map binary values of any length to smaller binary values of a fixed length. This smaller binary value is called a hash value. A hash value is a unique and extremely compact numerical representation of a piece of data. If you hash a paragraph of plaintext and change even one letter of the paragraph, a subsequent hash produces a different value. It is computationally infeasible to find two distinct inputs that hash to the same value.
Message authentication code (MAC) hash functions are usually used together with digital signatures to sign data, while message detection code (MDC) hash functions are used for data integrity.
Two parties (Xiaohong and Xiaoming) can use a hash function as follows to ensure data integrity. If Xiaohong writes a message to Xiaoming and creates a hash of the message, Xiaoming can later hash the message and compare his hash with the original hash. If the two hash values are the same, the message was not changed. If the values differ, the message was changed after Xiaohong wrote it. For this system to work, Xiaohong must keep the original hash value secret from everyone except Xiaoming.
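The requirement that the original hash value stay secret is the reason a keyed hash (a MAC) is normally used when the check value travels with the message. The following C# program is an added example, not code from the original page; it assumes SHA-256 and HMAC-SHA256, a random shared key, and constructed sample messages, and the names `IntegrityDemo`, `AcceptsHash` and `AcceptsMac` are hypothetical. It contrasts the receiver's check for a plain hash with the check for an HMAC tag when the message is changed in transit.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

static class IntegrityDemo
{
    // Compares two byte arrays without stopping at the first difference.
    static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    // Receiver's check when a plain hash accompanies the message.
    static bool AcceptsHash(byte[] message, byte[] hash)
    {
        using (SHA256 sha = SHA256.Create())
            return FixedTimeEquals(sha.ComputeHash(message), hash);
    }

    // Receiver's check when an HMAC tag accompanies the message.
    static bool AcceptsMac(byte[] message, byte[] tag, byte[] key)
    {
        using (var hmac = new HMACSHA256(key))
            return FixedTimeEquals(hmac.ComputeHash(message), tag);
    }

    static void Main()
    {
        byte[] sharedKey = new byte[32];   // known only to Xiaohong and Xiaoming
        using (RandomNumberGenerator rng = RandomNumberGenerator.Create())
            rng.GetBytes(sharedKey);

        byte[] original = Encoding.UTF8.GetBytes("constructed sample: meet at 10:00");
        byte[] altered = Encoding.UTF8.GetBytes("constructed sample: meet at 11:00");

        // A plain hash needs no secret, so it can be recomputed over the altered message.
        byte[] recomputedHash;
        using (SHA256 sha = SHA256.Create()) recomputedHash = sha.ComputeHash(altered);

        // The HMAC tag was computed by the sender over the original message with the shared key.
        byte[] senderTag;
        using (var hmac = new HMACSHA256(sharedKey)) senderTag = hmac.ComputeHash(original);

        Console.WriteLine("altered message + recomputed hash accepted: {0}",
            AcceptsHash(altered, recomputedHash));
        Console.WriteLine("altered message + sender's HMAC tag accepted: {0}",
            AcceptsMac(altered, senderTag, sharedKey));
        Console.WriteLine("original message + sender's HMAC tag accepted: {0}",
            AcceptsMac(original, senderTag, sharedKey));
    }
}
```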
The .NET Framework provides the following classes for implementing digital signature algorithms:
- HMACSHA1
- MACTripleDES
- MD5CryptoServiceProvider
- SHA1Managed
- SHA256Managed
- SHA384Managed
- SHA512Managed
Random Number Generation
Random number generation is an integral part of many cryptographic operations. For example, encryption keys must be as random as possible so that the generated keys are difficult to reproduce. A cryptographic random number generator must produce output that is computationally infeasible to predict (with a probability better than p < .05); that is, any method of predicting the next output bit must not perform better than random guessing. The classes in the .NET Framework use random number generators to generate encryption keys.
The RNGCryptoServiceProvider class is an implementation of a random number generator algorithm.