Encryption and Decryption Basics

Network security in modern network communication is very important, the most basic security is of course encryption and decryption, today with you to share the basis of encryption and decryption.

The goal of security:

Confidentiality: Confidentiality

Completeness: Integrity

Availability: Availability

Attack Type:

Threat privacy attacks: eavesdropping, traffic analysis;

Threat integrity attacks: change, disguise, replay, deny;

Threat availability attacks: Denial of service (DoS);

Solution:

Technical aspects: encryption and decryption;

Traditional encryption Method: Alternative encryption method and substitution encryption method

Modern encryption Method: Modern Block encryption method

Service aspect: The service that is used to defend against the attack, is also the security service specially designed for the above security objective;

Authentication mechanism

Access control mechanism

Cryptographic algorithms and protocols:

1, one-way encryption: that is to propose data fingerprint;

Characteristics: fixed-length output, avalanche effect;

function: Integrity verification;

Flaw: can only encrypt, cannot decrypt;

Common algorithms: MD5 (128bits), SHA1 (160bits), sha224, sha256, sha384, sha512 ...

2, symmetric encryption: Encryption and decryption using the same key;

Features: (1) encryption and decryption using the same key, (2) The original data is divided into fixed-size blocks, encrypted one by one;

Function: Good encryption, fast encryption;

Defects: (1) Too many keys, (2) Key distribution difficulties;

Common algorithms: 3DES (Triple DES), AES (128bits, 192bits, 256bits, 384bits), Blowfish, RC6 ...

3, Public key cryptography: The key is divided into public key and private key;

Private key:secret key, created by the tool and retained by the user, must ensure its privacy;

Public key: PubKey, extracted from the private key, can be disclosed to everyone;

Features: Data encrypted with the public key can only be decrypted with the private key to which it is paired, and vice versa;

Function:

Digital signature: The main purpose is to let the receiver confirm the identity of the sender;

Key exchange: The sender encrypts a symmetric key with the other's public key and sends it to the other party;

Data encryption: Not commonly used, than symmetric encryption to 3 orders of magnitude slower;

Common algorithms: RSA (can be signed, can also be decrypted), DSA (can only sign, not add decryption), ELGamal ...

The above three kinds of encryption algorithms are introduced, the following is a detailed description of the encryption and decryption process:

Encryption process:

1. Digital Signature:

(1) The sender uses one-way encryption technology to extract the original data signature;

(2) The sender uses its own private key to encrypt the signature and append it to the original data;

2. Key exchange:

(1) The sender encrypts the data with digital signature using symmetric encryption technology, and generates a temporary symmetric key;

(2) The sender uses the receiver's public key to encrypt the generated temporary symmetric key, and attaches to the encrypted data behind;

Decryption process:

1. Key exchange:

(1) The receiver uses its own private key to decrypt the encrypted symmetric key, and obtains the temporary key;

(2) The receiver uses the obtained temporary symmetric key, decrypts the data, obtains the data with the digital signature;

2, Identity authentication: The recipient uses the sender's public key to decrypt the digital signature, verifies the sender identity, and obtains the original characteristic code;

3. Data integrity Verification: Recipient uses one-way encryption technology to extract data signatures and compare with original signatures to verify data integrity

This encryption and decryption process can guarantee the security and integrity of the data, but also to ensure that the identity of both sides of the communication authentication. But because the public key is accessible to all, all such security mechanisms still have a security risk, that is, the man-in-the-middle deception. But don't worry, there are CA agencies that can solve this problem, and the CA agency will do the detailed introduction later. Let's go on to the last encryption protocol: key exchange.

4. Key exchange: Ike:internet key exchange

There are two ways of implementing this:

(1) Public key encryption, in the public key encryption and encryption, decryption process has been said, no longer say;

(2) Dh:deffie-hellman

Both parties do not need to transmit the public key on the network, negotiate to generate random numbers and transmit random numbers on the network.

Generates a key by calculating a random number. The following examples illustrate:

(1) A and B are the two sides of the communication, the two parties first negotiated to generate two random numbers m and N, and transmitted on the network;

Now states: A and B have at the same time two random numbers m and N;

(2) A and B each generate a private random number, which is not transmitted on the network, only the self-aware own private random number;

For example: A generates x random numbers, B generates y random numbers, and only knows its own private random number;

Now state: A has 3 random numbers: M, N, X, where x only knows by itself, M and N and b are shared;

B has 3 random numbers: M, N, y, where y only knows, M and N and b share;

(3) calculates the random number and sends the result to the other person.

A:--m^x%n ==> B

B:--m^y%n ==> A

(4) Receive the result of the other side, and then use their own private random number and the results of the calculation, to obtain the same key;

A: (m^y%n) ^x = m^xy%n

B: (m^x%n) ^y = m^xy%n

M^xy%n is the key calculated after the negotiation between the two sides, improve the security, even if others get m and n two values,

It is also impossible to calculate the values of x and Y.

Next we introduce the prevention of middleman cheating CA agency, CA agency is a third-party trusted institution, for the communication party issued a certificate, can let the communication party reliable access to the other public key basic guarantee mechanism. He is done by a system of PKI architecture.

Pki:public Key Infrastructure

Public key infrastructure, with CA as the core of a set of architecture system, providing certificate services to ensure the legitimacy of the certificate. The components are as follows:

Visa agency: CA

Registration Authority: RA

Certificate Revocation list: CRL

Certificate Access library: CB

The structure of the certificate and the standard of the authentication protocol are defined by X.509v3, with the following structure and standards:

Version number

Serial number

Signature Algorithm ID

Issuer Name

Validity period

Principal Name

Principal public key

Issuer's unique identity

The unique identity of the subject

Extended

Issuer's signature

So how CA to ensure the legitimacy of the two sides of the communication certificate and the two sides of the communication reliable access to the other public key? The CA has worked as follows:

1, since the Visa book: the CA first issued itself a certificate, the contents of the certificate as stipulated in X.509v3, and send the certificate to the required communication party. Obtains the communication party to the CA the trust, the communication party and may obtain the CA's public key from the certificate;

2, CA issued a certificate: The direction of communication CA Application registration certificate, the CA will sign the certificate and the certificate after the digital signature, and then the certificate issued to the applicant Party;

3. The communication party obtains and verifies the certificate:

(1) After the communication party obtains its own certificate or obtains the certificate, the CA public key can be used to decrypt the certificate after the digital signature, confirming that the certificate is indeed issued by the CA that it trusts;

(2) using the same one-way encryption algorithm to calculate the certificate signature, compare the original signature, verify the integrity of the certificate;

(3) Check the validity of the certificate, see if the certificate is within the validity period;

(4) Verify the name of the subject in the certificate, whether it is the name of the communication partner;

(5) Check whether the certificate has been revoked;

We will then summarize the communication process between the two parties:

1, the communication party obtains the CA certificate, and requests obtains own certificate;

2, the communication between the two parties to negotiate encryption algorithm;

3, the communication parties to obtain the other party public key and verify the certificate;

4. The sender encrypts the data and sends it;

5, the receiving party receives the data, and decrypts the verification;

Detailed procedures are described above and are not explained in detail here.

This concludes the basics of secure encryption and decryption. Just a personal summary, hope to learn from each other!

Encryption and Decryption Basics