Encryption and Decryption Technology Fundamentals and Public Key Infrastructure (PKI)

Source: Internet
Author: User

Networked systems communicate by transmitting messages, and encrypting those messages in transit is essential to protect their content from being stolen or modified.

Encryption and decryption: traditional encryption methods, modern encryption methods.

Traditional encryption algorithms: substitution ciphers, transposition ciphers.

Modern encryption methods: modern block ciphers.

Encryption and decryption both depend on an algorithm, but the security of encryption cannot rest on the algorithm itself, because the algorithm is public and anyone can learn it. Protecting the data message therefore needs something more: a key.

Key algorithms and protocols: symmetric encryption, public key cryptography, one-way encryption, authentication protocols.

Symmetric encryption: encryption and decryption use the same key; the encryption algorithm and the decryption algorithm may differ.

Common symmetric encryption algorithms: DES, 3DES, AES

Features: (1) encryption and decryption use the same key; (2) the original data is divided into fixed-size blocks, which are encrypted one by one.

Defects: (1) too many keys; (2) key distribution is difficult.

Public key cryptography: keys are divided into a public key and a private key.

Public key (pubkey): extracted from the private key; available to everyone.

Private key (secret key): created by a tool and retained by the user; it must be kept private.

Features: data encrypted with the public key can only be decrypted with the private key it is paired with, and vice versa.

Purpose: digital signatures (mainly so that the receiver can confirm the identity of the sender); key exchange (the sender encrypts a symmetric key with the other party's public key and sends it to them); data encryption.

Algorithms: RSA, DSA, ElGamal

One-way encryption (hashing): extracts a fingerprint (signature) of the data; the data can only be encrypted, not decrypted.

Characteristics: fixed-length output; avalanche effect (a small change in the input data produces a huge change in the result).

Function: verify data integrity.

Algorithms: MD5, SHA-1, SHA-224, SHA-256, SHA-384, SHA-512

Key Exchange (IKE):

Public key cryptography, DH algorithm.

[Figure: one-to-one encryption and decryption]

One-to-one encryption and decryption mechanism:

Encryption phase:

Step 1: B generates the data.

Step 2: B uses a one-way encryption algorithm to extract the signature of the data.

Step 3: B encrypts the signature with its own private key and attaches the result to the data; this is the digital signature.

Step 4: B generates a random password and uses symmetric encryption to encrypt the data and the encrypted signature together.

Step 5: B obtains A's public key.

Step 6: B uses A's public key to encrypt the password used for symmetric encryption and attaches it after the data.

Decryption phase:

Step 1: After receiving the data, A uses its own private key to decrypt the encrypted password, obtaining the symmetric encryption password.

Step 2: A uses that password to decrypt the data, obtaining the data and B's encrypted signature.

Step 3: A uses B's public key to decrypt the signature, which verifies the source of the data (being able to decrypt the signature shows that the data originates from B).

Step 4: A uses the same one-way encryption algorithm to extract the signature of the data and compares it with the decrypted signature, which verifies the integrity of the data (if the signature A extracts matches the one B encrypted, the data is complete and was not modified in transit).
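The six encryption steps and four decryption steps above, as an added example that is not code from the original page. It assumes textbook RSA with constructed toy keys and uses `xor_stream` as a stand-in for a real symmetric cipher such as AES; the names `keypair`, `send` and `receive` are chosen here.

```python
import hashlib
import secrets

E = 65537      # public exponent shared by both toy keys
SIG_LEN = 512  # bytes reserved for the signature appended to the data

def keypair(p, q):
    """Textbook RSA key from two primes: returns (public, private)."""
    n = p * q
    return (n, E), (n, pow(E, -1, (p - 1) * (q - 1)))

# Constructed toy keys built from Mersenne primes: illustration only, not secure.
A_PUB, A_PRIV = keypair(2**521 - 1, 2**607 - 1)
B_PUB, B_PRIV = keypair(2**1279 - 1, 2**2203 - 1)

def digest(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def xor_stream(key, data):
    """Stand-in for a real symmetric cipher: XOR with a SHA-256 keystream."""
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out += bytes(x ^ y for x, y in zip(data[i:i + 32], pad))
    return bytes(out)

def send(data, sender_priv, receiver_pub):
    n, d = sender_priv
    sig = pow(digest(data), d, n)                      # steps 2-3: digest, then sign
    key = secrets.token_bytes(32)                      # step 4: random symmetric key
    body = xor_stream(key, data + sig.to_bytes(SIG_LEN, "big"))
    rn, rexp = receiver_pub                            # step 5: receiver's public key
    wrapped = pow(int.from_bytes(key, "big"), rexp, rn)  # step 6: wrap the key
    return body, wrapped

def receive(body, wrapped, receiver_priv, sender_pub):
    n, d = receiver_priv
    key = pow(wrapped, d, n).to_bytes(32, "big")       # step 1: unwrap the key
    plain = xor_stream(key, body)                      # step 2: data + signature
    data, sig = plain[:-SIG_LEN], int.from_bytes(plain[-SIG_LEN:], "big")
    sn, sexp = sender_pub
    if pow(sig, sexp, sn) != digest(data):             # steps 3-4: origin, integrity
        raise ValueError("signature does not match data")
    return data
```

Both functions accept whatever public key they are handed; nothing in the exchange itself proves who owns that key.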

Although this method provides encryption and decryption for data in transit, one link in it is flawed. When B obtains A's public key to encrypt the data, B does not know whether that key really comes from A; likewise, when A uses B's public key to decrypt the signature, A cannot be sure that the key really belongs to B. This is dangerous: a third party can insert itself into the transmission without either side knowing. This is a man-in-the-middle attack. To compensate for this danger, a third party is required to verify the authenticity of what is transmitted. This third-party certification authority is the CA.

The CA is a third-party organization trusted by both sides, which ensures that each side of the communication can reliably obtain the other's public key.

PKI (Public Key Infrastructure): certificate authority (CA), registration authority (RA), certificate revocation list (CRL), certificate repository.

X.509v3: defines the structure of the certificate and the standard for the authentication protocol.

Version number, serial number, signature algorithm ID, issuer name, validity period, subject name, subject public key, issuer unique identifier, subject unique identifier, extensions, issuer's signature.

The CA uses one-way encryption to generate a signature over the content specified by the protocol, then encrypts that signature with the CA's own private key; the result is the issuer's digital signature, which is attached to the certificate.

Before communicating, the two parties must obtain each other's public key. Obtaining it through the CA is much more secure, but to achieve that security each side must verify the certificate it receives, so we need to understand how the CA works.

How the CA works:

Step 1: Use the CA's public key to decrypt the CA's signature; if it can be decrypted, the certificate comes from a reliable source.

Step 2: Use the same one-way encryption algorithm to extract the signature of the certificate content and compare it with the CA's digital signature; if they are the same, the integrity of the certificate content is confirmed.

Step 3: Check whether the certificate's validity period has expired.

Step 4: Verify that the subject name is that of the communication partner.

Step 5: Check whether the certificate has been revoked, that is, consult the certificate revocation list.
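The five checks above applied to a toy certificate, as an added example that is not code from the original page. The certificate is a plain dictionary rather than real X.509 encoding, the CA key is a constructed textbook RSA key, and `issue`, `validate` and the field names are chosen here.

```python
import hashlib
import json

E = 65537
# Constructed toy CA key (textbook RSA over two Mersenne primes): illustration only.
P, Q = 2**521 - 1, 2**607 - 1
CA_N, CA_D = P * Q, pow(E, -1, (P - 1) * (Q - 1))
CA_PUB = (CA_N, E)

def content_digest(cert):
    """One-way digest over every field except the issuer's signature."""
    body = {k: v for k, v in cert.items() if k != "signature"}
    raw = json.dumps(body, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(raw).digest(), "big")

def issue(subject, subject_key, serial, not_before, not_after):
    """CA side: fill in the fields, then sign their digest with the CA private key."""
    cert = {"version": 3, "serial": serial, "issuer": "Example Toy CA",
            "subject": subject, "subject_key": subject_key,
            "not_before": not_before, "not_after": not_after}
    cert["signature"] = pow(content_digest(cert), CA_D, CA_N)
    return cert

def validate(cert, ca_pub, expected_subject, today, crl):
    """Return the names of the failed checks; an empty list means accepted."""
    n, e = ca_pub
    failures = []
    # Steps 1-2: recover the signed digest with the CA public key, compare with ours.
    if pow(cert["signature"], e, n) != content_digest(cert):
        failures.append("signature")
    # Step 3: validity period (ISO YYYY-MM-DD strings compare correctly as text).
    if not cert["not_before"] <= today <= cert["not_after"]:
        failures.append("validity")
    # Step 4: the subject must be the party we intended to talk to.
    if cert["subject"] != expected_subject:
        failures.append("subject")
    # Step 5: the serial number must not appear on the revocation list.
    if cert["serial"] in crl:
        failures.append("revoked")
    return failures
```

A certificate whose public key field was swapped after issuance fails the signature check, which is what prevents the key substitution described earlier.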

One unreliable link remains here: when the user takes the CA's public key to decrypt the CA's signature, how can the user be sure that the public key really belongs to the CA?

Note: the CA's own public key certificate is issued by the CA to itself; every CA must first self-sign its own certificate.

The above describes manual communication between individual users. At the level of network communication, encryption and decryption cannot depend on users acting manually, so the mechanism used between a server and a client is more complex.

There are two main protocols for communicating between servers and clients:

SSL: Secure Sockets Layer (SSL 1.0, SSL 2.0, SSL 3.0)

TLS: Transport Layer Security (TLS 1.0, TLS 1.1, TLS 1.3)

Communication between the server and the client (SSL-based communication):

SSL Session Basic Process:

(1) The client requests and validates the certificate from the server side.

(2) Both parties negotiate to generate a "session key".

(3) The two parties use the "session key" for encrypted communication.

[Figure: SSL protocol communication handshake model]

First stage: Client makes a request (ClientHello)

First the client (usually the browser) sends a request for encrypted communication to the server, which is called a ClientHello request.

At this stage, the client primarily sends the following information to the server:

(1) The protocol version supported by the client, such as TLS 1.2.

(2) A random number generated by the client, which is later used to generate the "session key".

(3) The cryptographic algorithms supported by the client, such as AES, RSA.

(4) Compression algorithm supported by the client

Second stage: Server response (ServerHello)

After the server receives the client request, it sends a response to the client, called ServerHello.

At this stage, the server mainly sends the following information to the client:

(1) Confirmation of the encrypted communication protocol version to use, such as TLS 1.2. If the versions supported by the client and the server do not match, the server turns off encrypted communication.

(2) A random number generated by the server, which is later used to generate the "session key".

(3) Confirmation of the encryption algorithm to use.

(4) The server's certificate.

(At this stage, if the server needs to authenticate the client, it also sends a request asking the client to provide a "client certificate".)

Phase three: Client response:

After the client receives the server's response, it first verifies the server's certificate (issuing authority, certificate integrity, certificate holder, validity period, revocation list). If the checks pass, it extracts the server's public key; if they do not, it displays a warning message to the visitor.

If certificate validation is passed, the client sends the following information to the server side:

(1) A third random number generated by the client (the pre-master-key), encrypted with the server's public key.

(The client generates the session key from the three random numbers using the previously negotiated algorithm.)

(2) Cipher change notification, indicating that subsequent messages will be sent using the mutually agreed encryption algorithm and key.

(3) Client handshake end notification.

(If the server asked to authenticate the client in the previous stage, the client sends its own certificate and related information in this step.)

Phase four: Server response:

The server receives the client's third random number, the pre-master-key, and decrypts it with its own private key. Using the previously negotiated algorithm, it generates from the three random numbers the same "session key" as the client.

The following messages are then sent to the client:

(1) Cipher change notification, indicating that subsequent messages will be sent using the mutually agreed encryption algorithm and key.

(2) Server handshake end notification.

At this point the entire handshake phase is complete. The client and the server then communicate over the encrypted channel, and all communication content is encrypted with the "session key", which makes the communication more secure.
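How both sides arrive at the same key material from the three random numbers, as an added example that is not code from the original page. It goes beyond the single "session key" in the text by following the TLS 1.2 derivation in RFC 5246 (master secret, then separate keys per direction); the key partition assumes an AES-128-CBC suite with HMAC-SHA256, and the function names are chosen here.

```python
import hashlib
import hmac
import secrets

def p_sha256(secret, seed, length):
    """P_hash data expansion from RFC 5246 section 5, with HMAC-SHA256."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()            # A(i)
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]

def prf(secret, label, seed, length):
    return p_sha256(secret, label + seed, length)

def master_secret(pre_master, client_random, server_random):
    seed = client_random + server_random
    return prf(pre_master, b"master secret", seed, 48)

def session_keys(pre_master, client_random, server_random):
    """Derive per-direction keys, partitioned as for AES-128-CBC with HMAC-SHA256."""
    master = master_secret(pre_master, client_random, server_random)
    # Key expansion uses the randoms in the opposite order: server first.
    block = prf(master, b"key expansion", server_random + client_random, 96)
    return {
        "client_write_mac_key": block[0:32],
        "server_write_mac_key": block[32:64],
        "client_write_key": block[64:80],
        "server_write_key": block[80:96],
    }

def handshake_randoms():
    """Constructed sample values for the three random numbers."""
    client_random = secrets.token_bytes(32)             # sent in ClientHello
    server_random = secrets.token_bytes(32)             # sent in ServerHello
    pre_master = b"\x03\x03" + secrets.token_bytes(46)  # client version + 46 random bytes
    return client_random, server_random, pre_master
```

Only the pre-master value is secret; the two hello randoms travel in the clear and serve to make every session's keys different.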
