ASP.NET (C#) common data encryption and decryption methods, part 1

Source: Internet
Author: User

Data Encryption technology is the most basic security technology in the network. It is mainly used to encrypt the information transmitted over the network to ensure its security. This is an active security defense policy, it can provide considerable security protection for information at a very low cost.


I. Basic concepts of Encryption

"Encryption" is a technique that restricts access to data transmitted over the network. The encoded data produced by an encryption device (hardware or software) together with a key is called the ciphertext. Restoring the ciphertext to the original plaintext is called decryption; it is the reverse of the encryption process, but the decrypting party must use the same type of cryptographic device and the matching key to recover the plaintext.

The basic functions of encryption include:

1. Prevent unauthorized users from viewing confidential data files;

2. Prevent the leakage or tampering of confidential data;

3. Prevent privileged users (such as system administrators) from viewing private data files;

4. Make it difficult for intruders to locate system files.

Data encryption is an important mechanism for ensuring computer network security. Although it has not yet been widely adopted on networks, because of its cost and its technical and management complexity, data encryption is nevertheless an important means of achieving data security in distributed systems and network environments.

Data encryption can be applied at any layer of the seven-layer OSI protocol model (OSI stands for Open System Interconnection; the model was developed by the International Organization for Standardization, ISO, and divides network communication into seven layers: physical, data link, network, transport, session, presentation, and application). Classified by the logical position at which the encryption is applied, there are three methods:

① Link encryption: encryption at or below the network layer is generally called link encryption. It is mainly used to protect data transmitted between communication nodes, and encryption and decryption are performed by cryptographic devices on the line. By data transmission mode it is divided into synchronous and asynchronous communication encryption; synchronous communication encryption is further divided into byte-synchronous and bit-synchronous communication encryption.

② Node encryption: an improvement on link encryption. Data is encrypted at the protocol's transport layer to protect it between the source node and the destination node. The encryption algorithm is similar to that of link encryption, but encryption modules attached to the nodes must be combined with it to overcome the weakness of link encryption, which is prone to unauthorized access at the nodes.

③ End-to-end encryption: encryption at or above the network layer is called end-to-end encryption; the encrypting parties are network-layer entities. Encrypting data at the application layer is easy to implement in software and inexpensive, but key management is difficult, so it is mainly suited to transmitting information between many senders and receivers in large network systems.

II. Data encryption applications

1. Media encryption: DRM

2. File encryption: text encryption, PDF, and Word

3. Data encryption: data encryption in ASP.NET (C#)

4. Hardware encryption: dongles

III. Development trends of encryption technology

① Combination of private-key and public-key encryption: given the characteristics of the two cryptographic systems, a compromise scheme can be adopted in practice, that is, combining DES/IDEA with RSA, using DES as the "kernel" and RSA as the "shell". Data transmitted over the network is encrypted with DES or IDEA, while the encryption key itself is encrypted with RSA for transmission. This not only keeps the data secure but also speeds up encryption and decryption, and it is one of the new directions in the development of encryption technology.

② Search for new algorithms: break away from construction based on conventional iteration and from construction based on the hardness of particular mathematical problems. For example, Liu's algorithm, proposed by Mr. Liu Zun-Quan, is a key-based public-key system. It uses randomness to construct the encryption/decryption transformations, all of its operation control is hidden in the key, and the key length is variable. It builds a large search space by partitioning a certain length to realize a nonlinear transformation. This encryption algorithm features high encryption strength, high speed, and low computational overhead.

③ Encryption will eventually be integrated into systems and networks. For example, IPv6 already has built-in encryption support. In hardware, Intel is developing an encryption coprocessor that can be integrated onto a microcomputer's motherboard.

IV. Classification of encryption technologies

Encryption can be broadly divided into four types:

1. No decryption is considered at all;

2. Private-key encryption (symmetric-key encryption): symmetric encryption uses the same key for encryption and decryption. Generally this method is difficult to apply in practice because it is hard to share the key in an equally secure manner. Examples are the RC4, RC2, DES, and AES families of encryption algorithms.

3. Public-key encryption (asymmetric-key encryption): asymmetric-key encryption uses a pair of public/private keys: one key encrypts and the other decrypts. Public keys can be widely shared and disclosed. This method is more convenient when data must be transmitted from outside to a server. Example: RSA.

4. Digital certificates: a digital certificate builds on asymmetric-key encryption. Using a certificate, an organization can bind a public/private key pair to its owner by means of a digital signature.

V. Symmetric encryption: DES encryption and decryption

1. Symmetric encryption

Symmetric encryption is the traditional encryption method. Its encryption and decryption operations use the same key, so when information is transmitted and processed, the sender and receiver must both hold the secret (called the symmetric key). Both parties must therefore obtain the key and keep it secret.

The security of a single-key password system depends on the following two factors:

First, the encryption algorithm must be strong enough that it is infeasible to recover the information from the ciphertext alone.

Second, the security of the scheme depends on the secrecy of the key, not the secrecy of the algorithm. We therefore do not need to keep the algorithm secret (in fact, many single-key algorithms are public), but we must keep the key secret.

DES (Data Encryption Standard) and TripleDES are two symmetric encryption algorithms.

The DES and TripleDES algorithms are the same, but TripleDES uses more key bits and therefore offers higher encryption strength.

The key used by DES is 8 bytes, and the initialization vector (IV) is also 8 bytes.

TripleDES uses a 24-byte key, and its IV is also 8 bytes.

Both algorithms encrypt in 8-byte blocks, one data block at a time: an 8-byte plaintext block produces an 8-byte ciphertext block. If the plaintext length is not an integer multiple of 8 bytes, it is padded with 0-valued bytes up to an integer multiple of 8 bytes, so the ciphertext length is always an integer multiple of 8 bytes.

VI. Encryption and decryption process

Figure 1. Des encryption and decryption process

Figure 1 shows the encryption and decryption process shared by the DES and TripleDES algorithms. The following uses TripleDES as an example to analyze the encryption and decryption steps in .NET and provides the relevant implementation code.

1. Generate the key and IV

The System.Security.Cryptography.TripleDESCryptoServiceProvider class is the main class implementing the TripleDES algorithm in .NET.

The TripleDESCryptoServiceProvider class has only one constructor, TripleDESCryptoServiceProvider(), which initializes several properties:

KeySize (length of the encryption key, in bits) = 192 (24 bytes)

BlockSize (size of the encrypted data block, in bits) = 64 (8 bytes)

FeedbackSize (size of the feedback fed back from one encrypted block into the next, in bits) = 64 (8 bytes)

The TripleDESCryptoServiceProvider constructor also initializes a random key and IV.

By default, the key of a TripleDESCryptoServiceProvider is 24 bytes, the IV is 8 bytes, and the encrypted data block is 8 bytes.

The code for generating keys and IV is simple:

The following is a code snippet:
// A new provider already carries a randomly generated key and IV
TripleDESCryptoServiceProvider tdesAlg = new TripleDESCryptoServiceProvider();
byte[] keyArray = tdesAlg.Key;
byte[] ivArray = tdesAlg.IV;

The generated key and IV must be used in both the encryption and decryption processes.

2. Convert the plaintext string to the byte stream of a given encoding

The data to be encrypted comes in two forms. One is binary data, which is already a byte stream; such data skips this step and goes directly to the encryption step. The other is a string: the same character yields different byte values under different code pages, so converting a string to a byte stream requires specifying the encoding. After decryption, the same code page must be used to decode the bytes back into a string; otherwise garbled characters may result.

The following is a code snippet:
// String to be encrypted
string plainTextString = "Here is some data to encrypt. Here is some data to be encrypted. ";
// Use UTF-8 encoding (other encodings can also be used)
Encoding sEncoding = Encoding.GetEncoding("UTF-8");
// Convert the plaintext string to a UTF-8 encoded byte stream
byte[] plainTextArray = sEncoding.GetBytes(plainTextString);
3. Encryption

The raw material for encryption is a byte stream. The TripleDES algorithm encrypts the byte stream and returns the encrypted byte stream; the key and IV used for encryption must be supplied at the same time.

The following is a code snippet:
// Encrypt the plaintext byte stream; data is the resulting ciphertext byte[]
byte[] data = EncryptString(plainTextArray, keyArray, ivArray);
public static byte[] EncryptString(byte[] plainTextArray, byte[] key, byte[] iv)
{
    // Create a MemoryStream that receives the encrypted data stream
    MemoryStream mStream = new MemoryStream();
    // Use the MemoryStream, key, and IV to create a CryptoStream object
    CryptoStream cStream = new CryptoStream(mStream,
        new TripleDESCryptoServiceProvider().CreateEncryptor(key, iv),
        CryptoStreamMode.Write);
    // Write the plaintext byte stream through the CryptoStream into the MemoryStream
    cStream.Write(plainTextArray, 0, plainTextArray.Length);
    // Flush the final (padded) block into the MemoryStream and clear the CryptoStream buffer
    cStream.FlushFinalBlock();
    // Convert the encrypted data stream to a byte array
    byte[] ret = mStream.ToArray();
    // Close both streams
    cStream.Close();
    mStream.Close();
    return ret;
}

4. Decryption

The ciphertext byte[] produced in the preceding steps must be decrypted with the same key and IV that were used in the encryption step.

The following is a code snippet:
// Call the decryption method to obtain the decrypted data byte[]
byte[] finalPlainTextArray = DecryptTextFromMemory(data, keyArray, ivArray);
public static byte[] DecryptTextFromMemory(byte[] encryptedDataArray, byte[] key, byte[] iv)
{
    // Create a MemoryStream over the encrypted data
    MemoryStream msDecrypt = new MemoryStream(encryptedDataArray);
    // Use the MemoryStream, key, and IV to create a CryptoStream object
    CryptoStream csDecrypt = new CryptoStream(msDecrypt,
        new TripleDESCryptoServiceProvider().CreateDecryptor(key, iv),
        CryptoStreamMode.Read);
    // Allocate a buffer the size of the ciphertext byte[] (which may be longer than the original plaintext)
    byte[] decryptDataArray = new byte[encryptedDataArray.Length];
    // Read the decrypted data into decryptDataArray; Read returns the number of bytes
    // actually decrypted, and any positions after that remain 0
    csDecrypt.Read(decryptDataArray, 0, decryptDataArray.Length);
    msDecrypt.Close();
    csDecrypt.Close();
    return decryptDataArray;
}

Note that DES encrypts in 8-byte data blocks. If the length of the plaintext byte[] to be encrypted is not an integer multiple of 8 bytes, the algorithm pads it with 0-valued bytes to a multiple of 8 bytes and then encrypts it, so the ciphertext length is always an integer multiple of 8. When such ciphertext is decrypted, the 0-valued padding bytes are still present after decryption. For example, in the example above the plaintext to be encrypted is:

"Here is some data to encrypt. Here is some data to be encrypted."

After conversion to a plaintext byte[] it is 66 bytes; the DES algorithm adds six 0-valued bytes to make 72 bytes. The decrypted byte[], viewed as a string, is therefore:


The following is a code snippet:
"Here is some data to encrypt. Here is some data to be encrypted. \0\0\0\0\0\0"

5. Convert the encoded bytes back to the plaintext string

The following is a code snippet:
// Use the previously defined UTF-8 encoding to convert the byte[] back into a string
plainTextString = sEncoding.GetString(finalPlainTextArray);
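Steps 1 to 5 above combined into one runnable round trip, as an added example that is not the article's own code (the class and method names are hypothetical). Unlike the article's DecryptTextFromMemory, it keeps only the bytes the decryptor actually returns, so the recovered string carries no trailing padding bytes; which padding the decryptor strips is governed by the provider's Padding property (PKCS7 by default in .NET).

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;
// Added example, not from the original article: steps 1-5 as one round trip.
public static class TripleDesRoundTrip
{
    // Step 3: encrypt a byte stream; the result length is a multiple of 8 bytes.
    public static byte[] Encrypt(byte[] plainTextArray, byte[] key, byte[] iv)
    {
        using (var tdes = new TripleDESCryptoServiceProvider())
        using (var encryptor = tdes.CreateEncryptor(key, iv))
        using (var mStream = new MemoryStream())
        {
            using (var cStream = new CryptoStream(mStream, encryptor, CryptoStreamMode.Write))
            {
                cStream.Write(plainTextArray, 0, plainTextArray.Length);
                cStream.FlushFinalBlock(); // writes the final, padded block
            }
            return mStream.ToArray();
        }
    }
    // Step 4: decrypt; CopyTo keeps only the bytes the decryptor returns, so the
    // padding (PKCS7 by default) is already removed from the result.
    public static byte[] Decrypt(byte[] cipherTextArray, byte[] key, byte[] iv)
    {
        using (var tdes = new TripleDESCryptoServiceProvider())
        using (var decryptor = tdes.CreateDecryptor(key, iv))
        using (var msDecrypt = new MemoryStream(cipherTextArray))
        using (var csDecrypt = new CryptoStream(msDecrypt, decryptor, CryptoStreamMode.Read))
        using (var output = new MemoryStream())
        {
            csDecrypt.CopyTo(output);
            return output.ToArray();
        }
    }
    public static void Main()
    {
        // Step 1: a fresh provider carries a random 24-byte key and 8-byte IV.
        var keyGen = new TripleDESCryptoServiceProvider();
        byte[] key = keyGen.Key, iv = keyGen.IV;
        // Steps 2 and 5: the same encoding must be used on both sides.
        Encoding enc = Encoding.UTF8;
        string plainTextString = "Here is some data to encrypt. Here is some data to be encrypted.";
        byte[] cipher = Encrypt(enc.GetBytes(plainTextString), key, iv);
        string roundTrip = enc.GetString(Decrypt(cipher, key, iv));
        Console.WriteLine(roundTrip == plainTextString
            ? "round trip OK, " + cipher.Length + " ciphertext bytes" : "MISMATCH");
    }
}
```

Because the key and IV are regenerated on every run, the ciphertext differs each time while the round trip still succeeds; for the 8-byte block size the ciphertext length is always the plaintext length rounded up to the next multiple of 8.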
To be continued in part 2: http://www.cnblogs.com/wifi/archive/2011/11/16/2250760.html
