Encryption types and their related algorithms
As the Internet grows, attacks on it are on the rise, so the information passed over the Internet is increasingly unsafe. To prevent others from stealing data that is transmitted over the Internet, we have to strengthen the security of the data being transmitted.
The security of data mainly includes the following three aspects:
Data confidentiality: ensures that the data cannot be read by others
By default, data is passed in clear text, so to make the transmitted data unreadable it can be encrypted.
The entire encryption process can be understood as follows:
Encryption: plaintext ---> conversion rules ---> ciphertext
Decryption: ciphertext ---> conversion rules ---> plaintext
The conversion rules here are what we usually call encryption/decryption algorithms. There are two main kinds of encryption algorithm:
Asymmetric encryption algorithm: data encrypted with the public key is decrypted with the private key
Symmetric encryption algorithm: the encryption and decryption keys are the same
Because asymmetric encryption algorithms are slow, general data encryption usually uses a symmetric encryption algorithm. A symmetric encryption algorithm can provide data confidentiality, but it cannot solve the key management problem.
Data integrity: ensures that the transmitted data is not tampered with
For data integrity, a one-way encryption algorithm is generally used. One-way encryption has the following characteristics:
1. The same input must produce the same output
2. Avalanche effect: a small change in the input can cause a huge change in the result
3. Fixed-length output: no matter how large the original data is, the result is the same size
4. Irreversible: the original data cannot be restored from the signature code
One-way encryption ensures the integrity of the data as follows:
First, to prevent the plaintext data from being tampered with by others, user A applies a one-way encryption algorithm to the data, producing signature A, and sends data A and signature A to user B. When user B receives data A and signature A, B applies the same one-way encryption algorithm to data A, producing signature B. If signatures A and B are the same, the data is intact; otherwise, the data is not intact.
Although a one-way encryption algorithm can guarantee the integrity of the data, there is still a problem.
Imagine that while user A is delivering data to B, user C attacks, so that the data sent by user A ends up with user C. User C also applies one-way encryption to this data, producing signature C, and then sends the data and signature C to user B. When user B applies one-way encryption to this data, it obviously produces the same signature as C. Although the signatures are the same, this is not the data sent by user A, and user B cannot tell whether the source of the data is correct. So we need to authenticate the source of the data; this ensures both the legitimacy and the integrity of the data.
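The weakness just described, as an added example that is not part of the original article. SHA-256 stands in for the one-way encryption algorithm (an assumption, the article names none), and all messages are constructed samples.

```python
import hashlib
import hmac

def signature_code(data: bytes) -> bytes:
    """The article's 'signature': an unkeyed one-way digest (SHA-256 assumed here)."""
    return hashlib.sha256(data).digest()

def b_accepts(data: bytes, received_code: bytes) -> bool:
    """User B recomputes the digest and compares it with the one received."""
    return hmac.compare_digest(signature_code(data), received_code)

def differing_bits(a: bytes, b: bytes) -> int:
    """Count the bits that differ between two digests (avalanche effect)."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))

def demo() -> dict:
    data_a = b"pay 100 to bob"                      # constructed message from user A
    code_a = signature_code(data_a)
    # Properties 1-3: repeatable, avalanche, fixed-length output.
    repeatable = signature_code(data_a) == code_a
    avalanche = differing_bits(code_a, signature_code(b"pay 101 to bob"))
    fixed_len = len(code_a) == len(signature_code(b"x" * 1_000_000)) == 32
    # Data changed in transit, digest unchanged: B rejects.
    corrupted_ok = b_accepts(b"pay 900 to bob", code_a)
    # User C replaces the data AND recomputes the digest: B accepts,
    # because anyone can compute an unkeyed digest.
    data_c = b"pay 900 to carol"
    substituted_ok = b_accepts(data_c, signature_code(data_c))
    return {"repeatable": repeatable, "avalanche_bits": avalanche,
            "fixed_len": fixed_len, "corrupted_accepted": corrupted_ok,
            "substituted_accepted": substituted_ok}

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The last result is the point: the digest check catches changes to the data alone, but it says nothing about who produced the data and digest pair.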
How do I make sure the sender's identity is correct?
User authentication: ensures that the sender's identity is correct
To authenticate a user, you need to use an asymmetric encryption algorithm:
An asymmetric encryption algorithm uses a public key (P) and a private key (S)
Authentication and data integrity can be achieved if the sender encrypts with its own private key
If the sender encrypts with the receiver's public key, the confidentiality of the data is guaranteed.
Data encrypted with a public key can be decrypted only by the corresponding private key, so this mechanism is used to ensure the confidentiality of the data
Because asymmetric encryption algorithms are slow, they are seldom used to encrypt the data itself
Let us return to the problem with one-way encryption described above. Suppose the signature is now encrypted with A's private key. Even if C obtains the data and signature sent by A, and can decrypt the signature (because the public key is public), C can only encrypt a signature with C's own private key; C still cannot reproduce A's signature. The data and signature that C sends to B are therefore encrypted with C's private key. When B receives the data and the signature, if the signature can be decrypted with A's public key, the data was sent by A; otherwise it was not sent by A, and B will not trust the data that was sent.
Therefore, this mechanism can be used to achieve authentication and to ensure the integrity of the data.
And in this process, the most important thing is the public key.
Imagine: if A and B are exchanging data for the first time, neither knows who the other side is. If someone impersonates A or B, then all the data passes between A or B and the impostor, and A and B are not really transferring data to each other.
So to provide authentication, a third-party organization is also needed.
The whole process is as follows:
When user A wants to send data to B, A first produces a key pair (private key and public key). The third-party organization also has a public key and a private key, and uses its own public key to produce a certificate for itself. The third party encrypts A's information with its own private key; this information roughly includes the user name, the user address, and the public key of user A. A signature is then generated, and together these make up a digital certificate, which is sent to user B along with the data. To confirm that the data was sent by A, user B just needs to check for A's public key in this data. Viewing A's public key requires decrypting with the third party's public key, so once user B has the third party's certificate, B can decrypt this piece of data.
So how do we ensure the confidentiality of the data?
1. Use a key exchange algorithm (Internet Key Exchange, IKE) to produce the symmetric key
The key exchange algorithm is implemented using the Diffie-Hellman protocol.
The approximate working principle is:
When A passes data to B, only p (a large prime number) and g (the generator) are passed. User A produces an x locally, and user B produces a y locally. User A then computes a number (g^x%p) from g, p and x and passes it to user B; user B likewise computes a number (g^y%p) from g, p and y and passes it to user A. So only four numbers travel over the Internet: g, p, (g^x%p) and (g^y%p); x and y are never passed over the Internet. A then takes the value passed by B and computes (g^y%p)^x, which is the key, and B uses the value passed by A to compute (g^x%p)^y. The keys produced by user A and user B are the same, and this is the symmetric key.
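The exchange described above, as an added example that is not part of the original article, with the final reduction modulo p written out. The prime and base are constructed demo values, far too small for real use; the function names and the range check on the received value are assumptions added here.

```python
import hashlib
import secrets

P = 2**127 - 1   # constructed demo prime; far too small and not a vetted group
G = 3            # constructed demo base

def make_private() -> int:
    """x (or y): generated locally and never transmitted."""
    return secrets.randbelow(P - 3) + 2            # uniform in [2, P-2]

def public_value(private: int) -> int:
    """g^x % p: the only per-user value that goes on the wire."""
    return pow(G, private, P)

def shared_key(private: int, peer_public: int) -> bytes:
    """(g^y % p)^x % p, hashed down to a 256-bit symmetric key."""
    if not 1 < peer_public < P - 1:                # reject 0, 1, p-1 and out-of-range values
        raise ValueError("peer public value out of range")
    secret = pow(peer_public, private, P)
    return hashlib.sha256(secret.to_bytes(16, "big")).digest()

def exchange():
    """Run both sides; return the wire contents, both derived keys, and the secrets."""
    x, y = make_private(), make_private()          # stay on A's and B's machines
    a_pub, b_pub = public_value(x), public_value(y)
    wire = (G, P, a_pub, b_pub)                    # the four numbers an observer sees
    return wire, shared_key(x, b_pub), shared_key(y, a_pub), (x, y)

if __name__ == "__main__":
    wire, key_a, key_b, _ = exchange()
    print("on the wire:", wire)
    print("keys match:", key_a == key_b)
```

The exchange on its own does not tell A or B who the peer is, so the public values still need the authentication described earlier.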
Once the symmetric key has been produced, the data and signature can be encrypted, and when user B receives the data, B can decrypt it accordingly. This achieves the confidentiality of the data, but because exchanging keys this way is relatively complex, another way can be used to keep the data confidential.
2. User A randomly generates a number, uses this random number to encrypt the data and signature, and uses B's public key to encrypt the random number. The encrypted random number is then sent to user B together with the signature and data A. User B can now use their own private key to decrypt the random number, use the random number to decrypt data A and the signature, and finally use user A's public key to decrypt the signature. This guarantees the confidentiality, integrity, and authentication of the data.
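An added example, not part of the original article, covering both the private-key signature check from the authentication discussion (A versus impostor C) and method 2 above. It assumes textbook RSA without padding, SHA-256 as the one-way algorithm, and a toy XOR keystream as the symmetric cipher; the keys are constructed from small known primes and all names are hypothetical, so this shows the data flow only and is not a usable cryptosystem.

```python
import hashlib
import secrets

E = 65537        # public exponent shared by all toy keys
SIG_LEN = 32     # bytes reserved for the signature in the payload

def keypair(p, q):
    """Textbook RSA from two primes: returns (modulus n, private exponent d)."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))

# Constructed demo keys built from small known primes; far too weak for real use.
A_KEY = keypair(2**127 - 1, 2**89 - 1)    # user A (sender)
B_KEY = keypair(2**107 - 1, 2**61 - 1)    # user B (receiver)
C_KEY = keypair(2**130 - 5, 2**31 - 1)    # user C (impostor)

def digest_int(data, n):
    """One-way 'signature code' of the data, reduced to fit the modulus."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def stream_xor(key, data):
    """Toy symmetric cipher: XOR with a SHA-256 counter keystream; same call decrypts."""
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out += bytes(x ^ y for x, y in zip(data[i:i + 32], pad))
    return bytes(out)

def send(data, sender_key, receiver_n):
    n, d = sender_key
    signature = pow(digest_int(data, n), d, n)             # digest under sender's private key
    rand = secrets.token_bytes(16)                         # the random number (session key)
    body = stream_xor(rand, signature.to_bytes(SIG_LEN, "big") + data)
    wrapped = pow(int.from_bytes(rand, "big"), E, receiver_n)  # random number under B's public key
    return wrapped, body

def receive(wrapped, body, receiver_key, sender_n):
    n, d = receiver_key
    rand = pow(wrapped, d, n).to_bytes(16, "big")          # B's private key recovers the random number
    plain = stream_xor(rand, body)
    signature, data = int.from_bytes(plain[:SIG_LEN], "big"), plain[SIG_LEN:]
    authentic = pow(signature, E, sender_n) == digest_int(data, sender_n)
    return data, authentic

if __name__ == "__main__":
    msg = b"transfer 100 to account 42"                    # constructed sample message
    print(receive(*send(msg, A_KEY, B_KEY[0]), B_KEY, A_KEY[0]))   # genuine message from A
    print(receive(*send(msg, C_KEY, B_KEY[0]), B_KEY, A_KEY[0]))   # C signing with its own key
```

B gets `authentic == True` only when the signature opens under A's public key and matches the digest of the decrypted data; a message signed by C, or a body altered in transit, comes back `False`.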
This article is from the "Linux Learning Path" blog; reprinting is declined.