**Encryption and decryption concepts**

Three ways in which man-in-the-middle attacks are commonly used on the Internet: 1) eavesdropping 2) data tampering 3) session hijacking

Classification of cryptographic algorithms and protocols:

**a) Symmetric encryption**

Commonly used: DES, 3DES, AES, Blowfish, RC6, CAST5, etc.

Features:

1. The same key is used to encrypt and decrypt.

2. The original data is split into fixed-size blocks, which are encrypted one by one.

3. Fast encryption and decryption, short key.

**b) Asymmetric encryption (public-key cryptography)**

Commonly used: RSA, DSA, DH

Features:

1. Data encrypted with the public key can only be decrypted with the private key it is paired with, and vice versa.

2. The public key is disclosed to everyone; the private key is kept by its owner and must remain private.

Some other notes:

1. **RSA can be used for digital signatures and key exchange**

2. **DSA is for digital signatures** (Digital Signature Algorithm)

3. Encryption algorithms based on large-number arithmetic are slow to encrypt and decrypt, so they are generally used only on small amounts of data. Typically a symmetric algorithm encrypts the files, and an asymmetric algorithm then encrypts the symmetric key that the symmetric algorithm used.

4. DH is only for key exchange

**c) One-way encryption**

Commonly used: MD5, SHA-1, SHA224, SHA256, SHA384

Features:

1. Used for data integrity checks

2. Fixed-length output, avalanche effect

3. One-way operation: can only encrypt, cannot decrypt

**Key exchange algorithm:**

The DH algorithm can only be used for key exchange, not for encrypting and decrypting messages.

The principle and process of the DH key exchange algorithm are as follows:

Two users, Alice and Bob, need to communicate.

1. The two parties first agree on 2 large primes, n and g; these two numbers do not need to be kept secret.

2. Alice then selects a large random number x and calculates A: A = g^x mod n

3. Alice sends A to Bob

4. Bob also selects a large random number y and calculates B: B = g^y mod n

5. Bob sends B to Alice

6. Alice calculates the secret key K1: K1 = B^x mod n

7. Bob calculates the secret key K2: K2 = A^y mod n

The end result must be K1 = K2 (both equal g^(xy) mod n), and K1 and K2 are never exposed, so Alice and Bob can use K1 or K2 to encrypt and decrypt.
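The seven steps above, carried through with toy-sized numbers, as an added example that is not from the original page. It assumes n = 2^31 - 1 and g = 7 so that every product fits in the shell's 64-bit arithmetic, and the private values x and y are constructed; real DH uses primes of 2048 bits or more.

```sh
#!/bin/sh
# Added example (not from the original page): DH steps 1-7 with toy numbers.
DH_N=2147483647   # assumed prime n = 2^31 - 1 (toy size only)
DH_G=7            # assumed base g, a primitive root modulo n

# modpow BASE EXP MOD: print BASE^EXP mod MOD using square-and-multiply.
# Operands stay below 2^31, so each product fits in 64-bit shell arithmetic.
modpow() {
  mp_base=$(( $1 % $3 )); mp_exp=$2; mp_mod=$3; mp_acc=1
  while [ "$mp_exp" -gt 0 ]; do
    if [ $(( mp_exp & 1 )) -eq 1 ]; then
      mp_acc=$(( mp_acc * mp_base % mp_mod ))
    fi
    mp_base=$(( mp_base * mp_base % mp_mod ))
    mp_exp=$(( mp_exp >> 1 ))
  done
  echo "$mp_acc"
}

# dh_public PRIVATE: the value a party sends over the wire (steps 2 and 4).
dh_public() { modpow "$DH_G" "$1" "$DH_N"; }

# dh_shared PEER_PUBLIC PRIVATE: the key a party derives locally (steps 6 and 7).
dh_shared() { modpow "$1" "$2" "$DH_N"; }

# Constructed private values; a real exchange draws them from a CSPRNG.
x=123456789                     # known only to Alice
y=987654321                     # known only to Bob
A=$(dh_public "$x")             # Alice -> Bob
B=$(dh_public "$y")             # Bob -> Alice
K1=$(dh_shared "$B" "$x")       # computed by Alice
K2=$(dh_shared "$A" "$y")       # computed by Bob

echo "sent in the clear: n=$DH_N g=$DH_G A=$A B=$B"
echo "Alice K1=$K1  Bob K2=$K2  (x, y, K1, K2 never cross the wire)"
```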

**About public and private keys:**

1. Public and private keys come in pairs

2. The key that is made public is called the public key; the key that only you know is called the private key

3. Data encrypted with the public key can only be decrypted by the corresponding private key

4. Data encrypted with the private key can only be decrypted by the corresponding public key

5. If data can be decrypted with the public key, it must have been encrypted with the corresponding private key

6. If data can be decrypted with the private key, it must have been encrypted with the corresponding public key

**2 features of public key cryptography:**

**1. Authentication/digital signature: "the private key encrypts the data, the public key verifies the digital signature"**

For example: Alice generates two numbers, public key A and private key B. Alice encrypts a piece of data C with private key B (private-key signing); the encrypted result is D. She sends D to Bob and tells him that the decrypted data should be C. If Bob decrypts D and confirms that the result is C, then it must have been sent by Alice: data that the public key can decrypt must have been encrypted with the corresponding private key, and only Alice holds the private key, so the sender is confirmed to be Alice. This process is called a digital signature.

**2. Data encryption: "the public key encrypts the data, the private key decrypts it"**

For example: Alice generates two numbers, public key A and private key B. She sends A to Bob and tells him it is her public key. Bob uses public key A to encrypt a piece of data C; the encrypted data is D, which is put on the Internet. Even if someone steals D, they cannot decrypt it, because they do not know private key B. Only Alice knows private key B, so only Alice can learn the content of D after decryption.

*Summary:*

1. Encrypt the data with the public key, decrypt the data with the private key (data encryption)

2. Encrypt the data with the private key, decrypt it with the public key, and verify the digital signature. In actual use, the public key does not appear alone; it always appears as part of a digital certificate, which is for the security and validity of the public key.

3. Because public-key encryption is too time-consuming, it is usually used only during key exchange.
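Feature 1 above with the openssl command-line tool, as an added example that is not part of the original page: Alice signs with her private key, Bob verifies with her public key, and a modified message fails verification. In practice the private-key operation is applied to a digest of the data rather than to the data itself; the file names, message text and the RSA-2048 key size are assumptions.

```sh
#!/bin/sh
# Added example (not from the original page): sign with the private key,
# verify with the public key. File names and message text are constructed.

# check_sig PUBKEY SIGNATURE FILE: print "valid" or "invalid".
check_sig() {
  if openssl dgst -sha256 -verify "$1" -signature "$2" "$3" >/dev/null 2>&1
  then echo valid; else echo invalid; fi
}

# signature_demo DIR: run the Alice/Bob exchange inside DIR and print the
# verification result for the original and for a modified message.
signature_demo() {
  sd=$1
  # Alice: private key (umask keeps it owner-only) and the public key from it.
  ( umask 077; openssl genrsa -out "$sd/alice.key" 2048 2>/dev/null )
  openssl rsa -in "$sd/alice.key" -pubout -out "$sd/alice.pub" 2>/dev/null

  # Alice signs: the SHA-256 digest of the message is signed with her private key.
  printf 'pay Bob 100\n' > "$sd/msg.txt"
  openssl dgst -sha256 -sign "$sd/alice.key" -out "$sd/msg.sig" "$sd/msg.txt"

  # Bob verifies what he received using only Alice's public key.
  sd_ok=$(check_sig "$sd/alice.pub" "$sd/msg.sig" "$sd/msg.txt")

  # The same signature over altered data must not verify.
  printf 'pay Bob 900\n' > "$sd/altered.txt"
  sd_bad=$(check_sig "$sd/alice.pub" "$sd/msg.sig" "$sd/altered.txt")

  echo "$sd_ok $sd_bad"
}

work=$(mktemp -d)
echo "original / altered: $(signature_demo "$work")"
rm -rf "$work"
```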

**The following is excerpted from the blog: http://blog.itpub.net/21851324/viewspace-1023022/**

**Application of SSL in communications:**

Alice and Bob are going to secure their communication. Very often, encrypting data with a public key is not a problem:

1. Bob has no public/private key pair, so messages cannot be sent (in fact, both can have a working key pair)

2. Public/private key encryption is time-consuming and affects speed.

Alice's public key 1 is public. Bob picks a number, 3, encrypts it with Alice's public key 1 and sends it to Alice, saying "from now on let's use this number to encrypt our messages". Alice decrypts it and gets the number 3. So only Alice and Bob know the secret number 3; no one else knows it, because they do not know which number Bob picked and they cannot decrypt the encrypted content. We call this secret number 3 a session key.

Then we choose a symmetric-key algorithm, such as DES (a symmetric algorithm is one in which the encryption process and the decryption process are symmetric: what is encrypted with a key can be decrypted with the same key), to encrypt the content of our communication. Others are unable to decrypt it because they do not know that 3 is our session key.

Note: The security of the symmetric algorithm relies on the key, which means that anyone can decrypt the message. The key must be kept secret as long as the communication needs to be kept secret.

**To summarize:**

1. SSL enables secure communication

2. The two parties use the public key of one or both of them to transmit and agree on the session key (this process is called the handshake)

3. Both parties use the session key to encrypt the content of their communication

In practice, it is a lot more complicated than described here. Fortunately, the pioneers have already implemented this layer, named SSL (Secure Sockets Layer).
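The session-key handshake summarized above, reduced to its two cryptographic steps with the openssl tool, as an added example that is not part of the original page or of SSL itself. It assumes OpenSSL 1.1.1 or later, uses AES-256 in place of the DES named in the text, and the file names and message are constructed.

```sh
#!/bin/sh
# Added example (not from the original page): a session secret is sent under
# the receiver's public key, then the data is encrypted symmetrically.

# session_demo DIR: print "match" if Alice recovers Bob's plaintext.
session_demo() {
  hd=$1
  # Alice: key pair; only alice.pub is handed to Bob.
  ( umask 077; openssl genrsa -out "$hd/alice.key" 2048 2>/dev/null )
  openssl rsa -in "$hd/alice.key" -pubout -out "$hd/alice.pub" 2>/dev/null

  # Bob: picks a random 256-bit session secret (the "number 3" of the text)
  # and encrypts it with Alice's public key.
  ( umask 077; openssl rand -hex 32 > "$hd/bob.session" )
  openssl pkeyutl -encrypt -pubin -inkey "$hd/alice.pub" \
    -pkeyopt rsa_padding_mode:oaep \
    -in "$hd/bob.session" -out "$hd/session.wrapped"

  # Bob: encrypts the data with the fast symmetric cipher. The secret is read
  # from a file (the AES key is derived from it with PBKDF2), so it does not
  # appear in the process list the way a -k argument does.
  printf 'meet at noon\n' > "$hd/plain.txt"
  openssl enc -e -aes-256-cbc -pbkdf2 -salt -pass "file:$hd/bob.session" \
    -in "$hd/plain.txt" -out "$hd/msg.enc"

  # Alice: recovers the session secret with her private key, then decrypts.
  ( umask 077; openssl pkeyutl -decrypt -inkey "$hd/alice.key" \
      -pkeyopt rsa_padding_mode:oaep \
      -in "$hd/session.wrapped" -out "$hd/alice.session" )
  openssl enc -d -aes-256-cbc -pbkdf2 -pass "file:$hd/alice.session" \
    -in "$hd/msg.enc" -out "$hd/recovered.txt"

  if cmp -s "$hd/plain.txt" "$hd/recovered.txt"
  then echo match; else echo mismatch; fi
}

work=$(mktemp -d)
echo "Alice's decryption: $(session_demo "$work")"
rm -rf "$work"
```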

**OpenSSL: open-source project**

Three components:

openssl: multi-purpose command-line tool

libcrypto: general-purpose encryption library

libssl: library implementing SSL and TLS

**Symmetric encryption:**

Tools: openssl enc, gpg

Algorithms: 3DES, AES, Blowfish, Twofish

enc command: "see man enc for more help"

Encryption:

openssl enc -e -des3 -a -salt -in fstab -out fstab.ciphertext

openssl enc -e -des3 -a -salt -in fstab -out fstab.ciphertext -k 123456 # in one step: sets the password to 123456

Decrypt:

openssl enc -d -des3 -a -salt -in fstab.ciphertext -out fstab

One-way encryption:

Tools: md5sum, sha1sum, sha224sum, sha256sum, ..., openssl dgst

sha1sum inittab and openssl dgst -sha1 inittab give the same result.

md5sum inittab and openssl dgst -md5 inittab give the same result.

dgst command: calculates a message digest

such as: openssl dgst [-md5|-sha1] FILE # two common digest algorithms

openssl base64 -in file -out file.b64 # base64-encode a file

openssl base64 -d -in file.b64 -out file.bin # base64-decode a file

MAC: Message Authentication Code, an extended application of one-way encryption, used to ensure the integrity of transmitted data in network communication

Mechanisms:

CBC-MAC

HMAC: uses the MD5 or SHA1 algorithm

Generate a user password:

passwd command

openssl passwd -1 -salt SALT "-1 is the number 1, not the letter; SALT is the salt"

such as: openssl passwd -1 -salt 123456

Generate random numbers:

openssl rand [-base64|-hex] NUM

Two output formats are supported: -base64 and -hex.

NUM: the number of bytes. With -hex, each character represents 4 bits, so the number of characters output is NUM*2.

such as: openssl rand -hex 4 # randomly generates an 8-character string

Use case (such as generating passwords when adding users in bulk):

for ((i=1;i<=10;i++)); do

useradd "user$i" &>/dev/null

p=$(openssl rand -hex 4)

echo "$p" | passwd --stdin "user$i" &>/dev/null

echo "user$i: $p" >>/tmp/add_user.txt

done

**OpenSSL cryptographic command basics:**

**To generate a key pair:**

**# Generate the private key, and then extract the public key from the private key.**

openssl genrsa -des3 -out [private key file path] [key length] # generates the private key and encrypts it with des3, so the password must be entered every time the key is used; generally the following form is used instead

(umask 077; openssl genrsa -out key.pri 2048) # generates the private key without password encryption; for security reasons, the umask restricts the file permissions

**Extract the public key:**

such as: openssl rsa -in server.key -pubout > pub.key "public key file permissions: 644"

Random number generators:

/dev/random: returns random numbers from the entropy pool only; when the random numbers are exhausted, it blocks

/dev/urandom: returns random numbers from the entropy pool; when the random numbers are exhausted, pseudo-random numbers are generated by software, non-blocking

Common usage:

echo $RANDOM | md5sum # generate a random number

or the following 3 ways to generate random numbers:

date +%N

head -200 /dev/urandom | cksum | cut -d " " -f1

cat /proc/sys/kernel/random/uuid | cksum | cut -d " " -f1
