Encryption and digital signature
Copyright Disclaimer: csdn is the hosting service provider of this blog. If this article involves copyright issues, csdn does not assume relevant responsibilities, ask the copyright owner to directlyArticleContact the author.
Encryption and digital signature
I. Encryption
The technical implementation of data encryption is divided into two aspects: software and hardware. Based on different functions, data encryption technology is mainly divided into four types: data transmission, data storage, data integrity identification, and key management technology.
In network applications, two types of encryption are generally used: symmetric keys and public keys. Algorithm It is necessary to combine the specific application environment and system, rather than simply judging based on its encryption strength. In addition to the encryption algorithm itself, key distribution, encryption efficiency, and the combination of existing systems, as well as input-output analysis, should be taken into account in the actual environment.
Encrypt symmetric keys. The common encryption standard is des. When des is used, users and recipients use 64-bit keys to encrypt and decrypt packets. When there are special security requirements, idea and triple DES should be adopted. As a widely used encryption technology in traditional enterprise networks, secret keys are highly efficient. KDC is used to centrally manage and distribute keys and authenticate identities based on these keys, but it is not suitable for Internet environments.
Public key systems are used in the Internet. That is, public key encryption. Its encryption key and decryption key are different. After each user generates a key pair, one of them is made public as the public key, and the other is saved as the private key by the owner. Common public key encryption algorithms are RSA Algorithms with high encryption strength. The specific method is to combine digital signatures and data encryption. The sender must add a Data signature when sending data. In this way, use its own private key to encrypt a piece of data related to the sent data as a digital signature, and then use the receiver key to encrypt the data together with the sent data. After the ciphertext is received by the receiver, the receiver decrypts the ciphertext to obtain the sent data and the digital signature of the sender. Then, the receiver decrypts the digital signature with the public key published by the sender, if the request succeeds, it is determined that the request is sent by the sender. The digital signature is also related to factors such as the transmitted data and time. Because of the high encryption strength and does not require both parties to establish a trust relationship or share a secret in advance, it is very suitable for Internet use.
The following describes the technical implementation of several of the most common encryption systems:
1. Conventional Key Cryptography
The so-called conventional key and password system means that the encryption key is the same as the decryption key.
In the early general key cryptography system, there were typical password replacement methods. The principle can be illustrated using an example:
The letters a, B, c, d ,..., The natural order of W, X, Y, and Z remains unchanged, but it is consistent with that of D, E, F, G ,..., Z, A, B, and C correspond respectively (that is, the difference is 3 characters ). If the plaintext is student, the corresponding ciphertext is vwxghqw (in this case, the key is 3 ).
Because the frequency of occurrence of letters in English letters has already been counted, it is easy to decrypt the replace password in the letter frequency table.
2. Data Encryption Standard des
The DES algorithm was developed by IBM from 1971 to 1972 to protect product confidentiality. It was then selected as a Data Encryption Standard by the US National Bureau of Standards and National Security Administration and promulgated and used in 1977. ISO also uses des as the Data Encryption Standard.
Des encrypts 64-bit binary data and generates 64-bit ciphertext data. The key used is 64-bit, and the actual length of the key is 56-bit (eight-bit for parity ). The decryption process is similar to the encryption process, but the key order is the opposite.
The confidentiality of des only depends on the confidentiality of the key, and the algorithm is public. The complex structure of DES is the root cause why there is no way to crack shortcuts. Des can now be implemented by software and hardware. At&t first uses an LSI chip to implement all des working modes. This product is called DEP, a Data Encryption processor.
3. public key cryptography
The public key password system emerged in 1976. Its primary feature is that different keys are used for encryption and decryption. Each user stores a pair of keys? Public Key PK and secret key SK. Therefore, this system is also called a two-key or asymmetric key cryptography system.
In this system, PK is public information and used as an encryption key, and SK needs to be kept confidential by the user and used as a decryption key. Both the encryption algorithm e and the decryption algorithm D are public. Although SK and PK appear in pairs, SK cannot be calculated based on PK. The Public Key algorithm has the following features:
1. Use the encryption key PK to encrypt plaintext X, and then use the decryption key SK to decrypt it to restore the plaintext, or write it as DSK (EPK (x) = x
2. the encryption key cannot be used for decryption, that is, dpk (EPK (x) =x
3. It is easy to generate a pair of PK and SK on the computer.
4. sk cannot be exported from a known PK.
5. the encryption and decryption operations can be reversed, that is, EPK (DSK (x) = x
In the public key cryptography system, the most famous one is the RSA System. It has been recommended as the Public Key Data Encryption Standard by the ISO/tc97 data encryption technology sub-committee sc20.
Ii. Digital Signature
Digital signature technology is one of the core technologies to achieve transaction security. Its implementation is based on encryption technology. Here, we will introduce the basic principles of digital signatures.
In the past, letters or documents were signed or stamped to prove their authenticity. But how should we stamp the packets transmitted in the computer network? This is the problem to be solved by the digital signature. The following must be ensured for digital signatures:
The receiver can verify the sender's signature to the message. The sender cannot offset the signature to the message afterwards. The receiver cannot forge the signature to the message.
There are many methods to implement digital signatures, but the public key algorithm is easier to implement than the conventional algorithm. This digital signature is introduced below.
Sender A uses its secret decryption key ska to calculate message X and sends the result dska (X) to receiver B. B uses the public encryption key of known a to obtain epka (dska (x) = x. No one except a can have a's decryption key ska, so no one except a can generate a ciphertext dska (X ). In this way, message X is signed.
If a is to deny a packet sent to B. B can present X and dska (X) to a third party. It is easy for a third party to confirm that a actually sends the message X to B using the ka. Otherwise, B cannot present dska (x') in front of a third party '). This proves that B has forged the packet. It can be seen that the digital signature is also used to identify the message source.
However, the preceding process only signs the packets. The transmitted packet x itself is not kept confidential. Because anyone who captures the ciphertext dska (X) and knows the sender's identity can obtain the public key of the sender through the query manual, and thus can understand the message content. You can implement both private communication and digital signatures. Ska and SKB are the secret keys of A and B respectively, while ka and PKB are the public keys of A and B respectively.
Iii. Key Management
A critical weakness of symmetric key encryption is its key management difficulty. Therefore, it is difficult to be widely used in e-commerce practices. At this point, the public key encryption method has an absolute advantage. However, no matter which solution is implemented, key management should be considered. This is especially true when the network is larger and more users are added. Cyardoin, president of Cypress Consulting, a security consulting firm, said: "In all encryption schemes, keys must be managed ."
Currently, it is recognized that the key distribution center (kdc) is used to manage and allocate public keys. Each user only saves his/her own secret key and KDC's public key pkas. You can obtain the public key of any other user through KDC.
First, a applies to KDC for a public key and sends the information (a, B) to KDC. The information returned by KDC to a is (Ca, CB), where CA = dskas (A, ka, T1), CB = dskas (B, PKB, T2 ). CA and CB are known as certificates and contain the public keys of A and B respectively. KDC uses its decryption key skas to sign Ca and CB to prevent forgery. Timestamp t1 and t2 are used to prevent replay attacks.
Finally, a sends the certificate Ca and CB to B. B obtains the Public Key PKS of A and can also test its own public key PKB.
