A Free Trial That Lets You Build Big!
Start building with 50+ products and up to 12 months usage for Elastic Compute Service
Cryptographic decryption related concepts
Three ways in which man-in-the-middle attacks are commonly used on the Internet: 1) eavesdropping 2) data tampering 3) session hijacking
Classification of cryptographic algorithm protocols:
a) symmetric encryption
commonly used are: DES, 3DES, AES, Blowfish, RC6, CAST5, etc.
Features: 1. Encrypt and decrypt using the same key.
2. split the original data into fixed-size blocks and encrypt them one by one.
3. Fast decryption speed, short key.
b) Asymmetric encryption (public-key cryptography)
commonly used are: RSA, DSA, DH
Features: 1. Data encrypted with the public key can only be decrypted with the private key to which it is paired, and vice versa.
2. The public key is disclosed to all, the private key is retained by itself and must be kept private.
Some other introductions:
1.RSA can be used for digital signatures and key exchange
2.DSA for digital Signatures (Digital signaturealgorithm)
3. the encryption algorithm based on large number operation reduces the speed of encryption and decryption. Generally, only a small amount of data encryption is used. Symmetric encryption algorithms are generally used to encrypt their files, and then use asymmetric algorithms to encrypt symmetric keys used by symmetric algorithms
4.DH only for key exchange
c) One-way encryption
commonly used are: MD5, SHA-1, SHA224, SHA256, SHA384
Features: 1. For data integrity check
2. Fixed- length output, avalanche effect
3. can only encrypt, cannot decrypt, one-way operation
Key exchange algorithm:
DH The algorithm can only be used for the exchange of keys, but not for the encryption and decryption of messages.
DH the principle and process of the key exchange algorithm are as follows:
There are users Alice and Bob need to communicate.
1. The parties first identified 2 large primes n and G, and these two numbers cannot be kept secret.
2.Alice then select a large random number x and calculate a:a=g^x mod n
3.Alice send A to Bob
4.Bob also select a large random number y, and calculate B as follows: B=g^y mod n
5.Bob send B to Alice
6. calculate secret key k1,k1=b^x mod n
7. calculate secret key k2,k2=a^y mod n
The end result must be K1=K2, and K1 and K2 are not exposed, so Alice and Bob can use K1 or K2 to encrypt and decrypt.
Knowledge of public key private keys:
1 , the public and private keys appear in pairs
2 , the public key is called the public key, only what you know is called the private key
3 , the data encrypted with the public key can only be decrypted by the corresponding private key
4 , the data encrypted with the private key can only be decrypted by the corresponding public key
5 , if the public key can be decrypted, it must be the corresponding private key plus the secret
6 , if the private key can be decrypted, it must be the corresponding public key plus the secret
2 features of public key cryptography:
1. Authentication/digital Signature: "Private key encrypts data, public key to verify digital signature"
For example: Alice generates two digits, public key A, and private key B. Alice encrypts a piece of data C with the private key B (private key signature), encrypts the result to D, sends Bob, and tells the other person that the decrypted data should be c. If Bob decrypted after the confirmation is C, then it must be Alice sent, because the public key can decrypt the data, it must be the corresponding private key encryption, the private key is only Alice, so confirm the sender is Alice, this process is called digital signature. "
2. Data encryption: "Public key encrypted data, private key to decrypt"
For example: Alice generates two digits, public key A, and private key B. Send A to Bob and tell him it's a public key. So Bob uses public key A to encrypt a piece of data C, the encrypted data is D, put on the Internet, if the person is stolen, but can not be solved, because do not know the private key B, only alcie himself know that the private key is B, only Alice to know the content after D decryption. "
1 , encrypt the data with the public key, decrypt the data with the private key (data encryption)
2 , encrypt the data with the private key, decrypt it with the public key, and verify the digital signature. In the actual use, the public key does not appear alone, always appears as a digital certificate, this is for the security and validity of the public key.
3. because public key encryption is too time consuming. Usually only used when the key exchange, with the public key encryption.
The following excerpt from the blog: http://blog.itpub.net/21851324/viewspace-1023022/
SSL applications in communications:
Alice and Bob is going to secure the communication. Very often, encrypting data with a public key is not a problem:
1.Bob no public private key pair, unable to send message (in fact, can both have a working private key pair)
2. Public Private key encryption is time-consuming and affects speed.
Alice the public key 1 is public, Bob found a number 3, with Alice's public key 1, encrypted and sent to Alice, said we later use this number to encrypt the information it, Alice Untied, got the number 3, so only Alice and Bob know the secret of the number 3, no one else knows , because they don't know what number Bob picked up, and they can't untie the encrypted content, and we call this secret number 3 a session key.
Then, we choose a symmetric key algorithm, such as DES, (symmetric algorithm is that the encryption process and decryption process is symmetric, with a key encryption, can be decrypted with the same key), to encrypt our communication between the content. Others are unable to decrypt because they do not know that 3 is our session key.
Description: The security of the symmetric algorithm relies on the key, which means that anyone can decrypt the message. The key must be kept secret as long as the communication needs to be kept secret. "
1 , SSL enables secure communication
2 , both sides of the communication use the public key of either party or both to pass and contract the session key (this process is called handshake)
3 , both parties use the session key to encrypt the communication content of both parties
In practice, it's a lot more complicated than it says. Fortunately, the pioneers have implemented this layer, named SSL (Secure Socket layer)
OpenSSL: Open Source project
OpenSSL: Multi-purpose command-line tools
Libcrypto: Public Encrypted library
LIBSSL: library for SSL and TLS
Tools: OpenSSL enc, GPG
Algorithm: 3DES, AES, Blowfish, Twofish
ENC command: "Man enc See more Help"
OpenSSL enc-e-des3-a-salt-in fstab-out fstab.ciphertext
OpenSSL enc-e-des3-a-salt-in fstab-out fstab
Ciphertext-k 123456 #一步到位, set password to 123456
OpenSSL enc-d-des3-a-salt-in fstab.ciphertext-out fstab
Tools: Md5sum, Sha1sum, Sha224sum, sha256sum,..., OpenSSL dgst
Sha1sum Inittab and OpenSSL dgst-sha1 inittab as a result.
Md5sum Inittab and OpenSSL dgst-md5 inittab as a result.
DGST command: Calculate message digest
such as: OpenSSL dgst [-MD5|-SHA1] FILE # Two common methods of calculation summary
OpenSSL base64-in file-out file.b64# base64 encoded files
OpenSSL base64-d-in file.b64-out file.bin# base64 decode file
Mac:message authentication Code, one-way encryption extension application for ensuring the integrity of transmitted data in network communication
HMAC: Using the MD5 or SHA1 algorithm
Generate User password:
OpenSSL passwd-1-salt Salt "-1 is the number 1, not the letter, salt"
such as: OpenSSL passwd-1-salt 123456
Generate random Number:
OpenSSL rand [-base64|-hex] NUM
Support-BASE64 and-hex two kinds.
NUM: Represents the number of bytes. -hex, each character 4 bits, the number of characters appearing is num*2;
such as: OpenSSL Rand-hex 4 # randomly generated 8-digit string
# Use scenarios (such as generating passwords when adding users in bulk)
For ((i=1;i<=10;i++));d o
Useradd user$i &>/dev/null
p=$ (OpenSSL Rand-hex 4)
echo $p |passwd--stdin user$i &>/dev/null
echo "user$i: $p" >>/tmp/add_user.txt
OpenSSL Cryptographic Command Basics:
To generate a key pair:
# Generate the private key, and then extract the public key from the private key.
OpenSSL genrsa-des3-out [private key file path] [key length] # Generate the private key and encrypt it des3 "so every time you use it to enter the password, generally have the following this"
(umask 077; OpenSSL genrsa-out key.pri 2048) # generates the private key without password encryption. For security reasons, set file permissions
Extract the Public key:
such as: Opens SL rsa-in server.key-pubout > Pub.key "Public key file Permissions 644"
Random number generator:
/dev/random: Random numbers are returned from the entropy pool only, random numbers are exhausted, blocking
/dev/urandom: A random number is returned from the entropy pool, and the random number is exhausted, the pseudo-random number is generated by the software, non-blocking;
echo $RANDOM |md5sum#生成随机数
or the following 3 ways to generate random numbers:
Head-200/dev/urandom | Cksum | Cut-d ""-f1
cat/proc/sys/kernel/random/uuid| Cksum | Cut-d ""-f1
Encryption and Decryption Basics
Start building with 50+ products and up to 12 months usage for Elastic Compute Service