Cryptographic decryption and algorithmic explanation

Source: Internet
Author: User
Tags: decrypt, gpg, hmac, session id, openssl enc, sha1, asymmetric encryption, cipher suite

1. Introduction

Today I would like to share the various encryption and decryption algorithms used in Internet communication. Before introducing encryption and decryption themselves, we first clarify the meaning of the related terms: cryptography, cipher, encryption, digital signature, key exchange and so on.

1.1 Cryptography

Cryptography is the science of designing ciphers and breaking them. It studies the objective laws of cipher transformations: applying those laws to build ciphers that keep a communication secret is called code making (cryptography proper), and applying them to break a cipher and recover the communicated information is called cryptanalysis.

1.2 Cipher

A cipher is an important secret means by which the communicating parties transform information according to agreed rules. Turning plaintext into ciphertext under these rules is called the encryption transformation, and turning ciphertext back into plaintext is called the decryption transformation. Early ciphers only applied encryption and decryption transformations to text or numbers; with the development of communications technology, voice, images, data and so on can all be encrypted and decrypted.

Encryption: Encryption is a way of sending information in ciphered form. Only someone holding the correct key can unlock the message; to anyone else it looks like a random series of letters, numbers and symbols. Encryption matters especially when you send sensitive information that must not be visible to others.

Digital signature: A digital signature plays the role of an ordinary physical signature written on paper, but uses public-key cryptography to authenticate digital information. A digital signature scheme typically defines two complementary operations, one for signing and the other for verification.

Key exchange: The two parties use a key exchange algorithm to agree on a symmetric key and then use that key for encryption and decryption. A key exchange protocol/algorithm can only be used to agree on keys, not to encrypt and decrypt messages.

2. Characteristics of encryption algorithms

2.1 Encryption algorithms

Symmetric encryption: encryption and decryption use the same key.
Public-key cryptography:
1) Keys come in pairs: a private key (secret key) and a public key.
2) Public-key cryptography is seldom used to encrypt bulk data; it is about 3 orders of magnitude (roughly 1000 times) slower than a symmetric encryption algorithm.
One-way encryption (hashing): extracts a fingerprint (digest) of the data; commonly used for data integrity checks.
1) Avalanche effect: a small change in the input causes a huge change in the output. Irreversible: the original data cannot be recovered from the digest.
2) Fixed-length output: however large the original data, the result is the same size. Identical input always yields identical output.

2.2 Common functions and algorithms of encryption and decryption technology:

Symmetric encryption:

    • Algorithms: DES, 3DES, AES, Blowfish, Twofish, RC6, CAST5
    • Tools: GPG, openssl enc
    • Encryption algorithm + key
    • Key exchange
    • User identity authentication
    • Data integrity

Asymmetric encryption:

    • Algorithms: RSA, ElGamal, DSA
    • Tool: OpenSSL
    • Key exchange
    • Identity verification

One-way encryption:

    • Algorithms: MD5, SHA1, SHA512, CRC-32
    • Tools: sha1sum, md5sum, cksum, openssl dgst
    • Integrity

MAC: Message Authentication Code, an extended application of one-way encryption

    • Application: used to ensure the integrity of data transferred in network communication
    • Mechanisms:
      • CBC-MAC
      • HMAC: built on the MD5 and SHA1 hash algorithms
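The hash properties listed in 2.1 (fixed-length output, avalanche effect) and the HMAC mechanism above, exercised with openssl dgst, as an added example that is not part of the original post. SHA-256 stands in for the MD5/SHA-1 the text names (both obsolete for new designs); the key "key" and the messages are constructed test inputs.

```shell
#!/bin/sh
# Added example, not from the original post: one-way hash properties and HMAC,
# exercised with `openssl dgst`. SHA-256 is used instead of MD5/SHA-1; the key
# "key" and the messages below are constructed test inputs.

# digest MSG -> hex SHA-256 of MSG (printf avoids hashing a trailing newline)
digest() {
    out=$(printf '%s' "$1" | openssl dgst -sha256)
    printf '%s' "${out##* }"        # output looks like "(stdin)= <hex>"; keep the hex
}

# hmac KEY MSG -> hex HMAC-SHA256 tag; the key is what makes this a MAC, not a hash
hmac() {
    out=$(printf '%s' "$2" | openssl dgst -sha256 -hmac "$1")
    printf '%s' "${out##* }"
}

# verify_mac KEY MSG TAG -> exit status 0 only when KEY and MSG reproduce TAG.
# Note: shell string comparison is not constant-time; a real service must use a
# constant-time compare so timing does not leak how many tag bytes matched.
verify_mac() {
    [ "$(hmac "$1" "$2")" = "$3" ]
}

MSG='The quick brown fox jumps over the lazy dog'
TAG=$(hmac key "$MSG")

# fixed length: a 3-byte input and a 43-byte input both digest to 64 hex digits
echo "sha256(abc)      = $(digest abc)"
echo "sha256(\$MSG)     = $(digest "$MSG")"
# avalanche effect: one changed character gives an unrelated digest
echo "sha256(abd)      = $(digest abd)"
echo "hmac-sha256(key) = $TAG"

# integrity check: the receiver recomputes the tag over what it actually received
if verify_mac key "$MSG" "$TAG"; then echo "MAC ok"; fi
if ! verify_mac key "${MSG%dog}cat" "$TAG"; then echo "MAC rejected: message altered"; fi
# without the key a valid tag cannot be produced, so a wrong key also fails
if ! verify_mac other-key "$MSG" "$TAG"; then echo "MAC rejected: wrong key"; fi
```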

Key exchange (IKE: Internet Key Exchange):

    • Algorithms: DH, public-key encryption [the agreed key itself is never transmitted over the Internet, which is more secure]
    • Diffie-Hellman
      Public-key cryptography: encrypt with the public key and decrypt with the private key, and vice versa
    • Public key: pkey
    • Private key: skey
    • Algorithms: RSA, ElGamal
    • Tools: GPG, openssl rsautl

Digital signature: the electronic signature; the private key is used to encrypt (sign) and the public key to decrypt (verify)

    • Algorithms: RSA, ElGamal, DSA [DSA can only be used for signing, not for encryption]

Digital certificates:

    • Certificate formats: X.509, PKCS [X.509, PKCS#12]
    • X.509 format contains:
      • The public key and the validity period
      • The legitimate owner of the certificate (host name)
      • How the certificate may be used
      • Information about the CA
      • The CA's digital signature (the check value signed by the CA)
    • Who issues the CA's certificate: a self-signed certificate
3. PKI

PKI: Public Key Infrastructure
CA: Certificate Authority
Build your own CA and complete the server certificate issuance:

3.1 Self-built CA (CA side)
    Generate a key pair; generate a self-signed certificate.

Command:
# (umask 077; openssl genrsa -out private/cakey.pem 2048)          "generate the CA private key"
# openssl req -new -x509 -key private/cakey.pem -out cacert.pem    "generate the self-signed certificate (.pem)"

3.2 Certificate request (client side)
    Generate a key pair; generate a certificate request (.csr); send the request to the CA.

Command:
# (umask 077; openssl genrsa -out httpd.key 2048)                  "generate the key"
# openssl req -new -key httpd.key -out httpd.csr                   "generate the certificate signing request (.csr)"

3.3 Issuing the certificate (CA side)
    Sign the certificate; send it to the client.

Command:
# openssl ca -in httpd.csr -out httpd.crt -days 365                "sign the certificate (.crt)"
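Steps 3.1 to 3.3 run end to end in a throwaway directory, followed by the verification a relying party performs, as an added example that is not the original post's command listing. The CA name and host name are constructed, and signing uses openssl x509 -req, which needs no CA configuration directory, in place of the post's openssl ca (which expects an index and serial file).

```shell
#!/bin/sh
# Added example, not from the original post: 3.1 to 3.3 end to end, plus the
# relying-party check. "Example Lab CA" and www.example.test are constructed.
# `openssl x509 -req` signs the CSR directly; the post's `openssl ca` needs a
# configured CA directory (index.txt, serial) that this script does not set up.

# build_ca DIR: 3.1 - CA key pair (mode 0600 via umask) and a self-signed CA certificate
build_ca() {
    mkdir -p "$1/private"
    (umask 077; openssl genrsa -out "$1/private/cakey.pem" 2048 2>/dev/null)
    openssl req -new -x509 -key "$1/private/cakey.pem" -out "$1/cacert.pem" \
        -days 365 -subj "/CN=Example Lab CA"
}

# request_cert DIR: 3.2 - the client generates its key pair and a CSR carrying the public key
request_cert() {
    (umask 077; openssl genrsa -out "$1/httpd.key" 2048 2>/dev/null)
    openssl req -new -key "$1/httpd.key" -out "$1/httpd.csr" -subj "/CN=www.example.test"
}

# issue_cert DIR: 3.3 - the CA signs the CSR with its private key, producing httpd.crt
issue_cert() {
    openssl x509 -req -in "$1/httpd.csr" -CA "$1/cacert.pem" -CAkey "$1/private/cakey.pem" \
        -CAcreateserial -out "$1/httpd.crt" -days 365 2>/dev/null
}

# verify_cert CAFILE CERT: exit 0 only if CERT chains to the trusted CAFILE and is within its validity
verify_cert() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# issuer_of CERT: the Issuer field, which names the CA whose signature is on the certificate
issuer_of() {
    out=$(openssl x509 -noout -issuer -in "$1")
    printf '%s' "${out#issuer=}"
}

WORK=$(mktemp -d)
build_ca "$WORK" && request_cert "$WORK" && issue_cert "$WORK"
echo "subject: $(openssl x509 -noout -subject -in "$WORK/httpd.crt")"
echo "issuer:  $(issuer_of "$WORK/httpd.crt")"
if verify_cert "$WORK/cacert.pem" "$WORK/httpd.crt"; then echo "chain OK against our CA"; fi
# the same certificate is rejected when the trust anchor is not the CA that signed it
if ! verify_cert "$WORK/httpd.crt" "$WORK/httpd.crt"; then echo "rejected with wrong trust anchor"; fi
rm -rf "$WORK"
```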

3.4 PKI implementations

PKI: TLS/SSL: X.509
The first implementation: the well-known Internet security mechanism TLS/SSL uses X.509 certificates.
PKI: OpenPGP
The second implementation: OpenPGP is another PKI implementation. It also manages certificates, but the signing (trust) relationship of its CAs is slightly different. OpenPGP on Linux (GPG) is likewise a certificate management mechanism, that is, a PKI implementation architecture.

SSL: Secure Socket Layer is a set of Internet data security protocols developed by Netscape; the current version is 3.0.

    • Netscape
    • Secure Socket Layer
    • SSLv2, SSLv3

TLS: Transport Layer Security is a general-purpose protocol developed by the International Organization for Standardization; the current version is 1.2.

    • TLSv1
    • HTTP -> HTTPS
    • LDAP -> LDAPS
    • FTP -> FTPS
    • SMTP -> SMTPS
    • POP3 -> POP3S
    • IMAP -> IMAPS

OpenSSL is an open source implementation of SSL:

    • libcrypto: general-purpose cryptography library
    • libssl: the TLS/SSL implementation
    • A session-based TLS/SSL library providing identity authentication, data confidentiality and session integrity
    • openssl: multi-purpose command-line tool implementing one-way encryption, symmetric encryption, asymmetric encryption and a private certification authority
3.5 SSL communication principle:

The SSL handshake proceeds as follows:

  • (1) The SSL client sends the SSL versions, encryption algorithms, key exchange algorithms, MAC algorithms and other parameters it supports to the SSL server in a Client Hello message.
  • (2) The SSL server chooses the SSL version and cipher suite for this connection and notifies the client in a Server Hello message. If the server allows the client to reuse this session in later connections, it assigns a session ID and sends it to the client in the Server Hello as well.
  • (3) The SSL server sends its digital certificate, which carries its public key, to the client in a Certificate message.
  • (4) The SSL server sends a Server Hello Done message, telling the client that version and cipher suite negotiation is finished and key exchange begins.
  • (5) The SSL client verifies that the server's certificate is valid, encrypts a randomly generated premaster secret with the public key from the certificate, and sends it to the server in a Client Key Exchange message.
  • (6) The SSL client sends a Change Cipher Spec message, telling the server that subsequent messages will be encrypted and MAC-protected with the negotiated key and cipher suite.
  • (7) The SSL client computes a hash over all handshake messages exchanged so far (every message except Change Cipher Spec), processes that hash with the negotiated key and cipher suite (computes and appends the MAC, encrypts, and so on), and sends it to the server in a Finished message. The server computes the hash over the same handshake messages in the same way and compares it with the decrypted contents of the Finished message; if they match and the MAC verifies, the key and cipher suite have been negotiated successfully.
  • (8) Likewise, the SSL server sends a Change Cipher Spec message, telling the client that subsequent messages will be encrypted and MAC-protected with the negotiated key and cipher suite.
  • (9) The SSL server computes the hash of the handshake messages, processes it with the negotiated key and cipher suite (computes and appends the MAC, encrypts, and so on), and sends it to the client in a Finished message. The client computes the hash in the same way and compares it with the decrypted contents of the server's Finished message; if they match and the MAC verifies, the key and cipher suite have been negotiated successfully.
3.6 Secure communication for Internet applications must provide the following properties:
   1. Confidentiality   2. Identity authentication   3. Integrity

OpenSSL supplemental materials:

    • Files with the following suffixes in OpenSSL:
    • .key: private key
    • .crt: certificate file (abbreviation of certificate)
    • .csr: certificate signing request (certificate request file), containing the public key information
    • .crl: certificate revocation list
    • .pem: the format used to export and import certificates; the file begins with a BEGIN CERTIFICATE line and ends with an END CERTIFICATE line

    • Common certificate standards and protocols:
    • X.509v3: the IETF certificate standard
    • X.500: the directory standard
    • SCEP: Simple Certificate Enrollment Protocol; certificates are requested over HTTP, the data is encapsulated in PKCS#7 and the request inside is in PKCS#10 format
    • PKCS#7: the standard for encapsulating data; certificates and request information can be placed inside it
    • PKCS#10: the data format for certificate requests, used for offline certificate requests; note that the packets are encapsulated as PKCS#7 data
    • PKCS#12: used to exchange public and private objects in a single file, that is, the public key, private key and certificate, which are packaged, encrypted and placed in a store
    • Cisco keeps it in NVRAM, and the user can export it so that if the certificate server goes down it can be recovered. The Cisco extension is .p12; Microsoft's is .pfx
4. Summary: classification of algorithms

One: one-way hash algorithms. These are digest algorithms, not encryption algorithms; the function maps an input message of any length to a fixed-length output string.

  • BASE64 (strictly speaking an encoding format, not an encryption algorithm)
  • MD5 (Message Digest Algorithm 5)
  • SHA (Secure Hash Algorithm)
  • HMAC (Hash-based Message Authentication Code)
  • CRC (Cyclic Redundancy Check)

Two: symmetric encryption algorithms. The encryption key is the same as the decryption key.

  • DES (Data Encryption Standard)
  • AES (Advanced Encryption Standard)
  • PBE (Password-Based Encryption)
  • RC5 (variable-parameter block cipher)
  • BLOWFISH (symmetric-key block cipher)

Three: asymmetric encryption algorithms. The encryption key and the decryption key are different.

  • RSA (named after its inventors Ron Rivest, Adi Shamir and Leonard Adleman)
  • DH (Diffie-Hellman, a key agreement protocol)
  • ElGamal (usable for both data encryption and digital signatures)
  • DSA (Digital Signature Algorithm)
  • ECC (Elliptic Curve Cryptography)
  • Merkle-Hellman (knapsack algorithm)
  • Miller-Rabin algorithm (primality test)

    Having looked at encryption and the various algorithms, the most common scenarios are encryption, verification and key exchange. Asymmetric algorithms are 3 orders of magnitude slower than symmetric ones, so when a large amount of data must be encrypted a symmetric algorithm is recommended to keep encryption and decryption fast. Asymmetric algorithms are usually used for signing. Key management for symmetric algorithms is a complicated process, and how the key is managed directly determines its security, so when the amount of data is very small an asymmetric algorithm can be considered.
    In business use the usual approach is: an asymmetric algorithm manages the key of the symmetric algorithm, and the symmetric algorithm encrypts the data. This combines the advantages of both: fast encryption, and a key that is secure and convenient to manage. Recommended sizes: RSA 1024 bits, ECC 160 bits, AES 128 bits.
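The hybrid scheme recommended above, built from the OpenSSL tools this post names, as an added example that is not from the original post. It uses RSA-2048 with OAEP padding rather than the 1024-bit size quoted (2048 is the current practical minimum for RSA); the file names and the sample message are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: envelope encryption. A random
# AES-128 key encrypts the bulk data (openssl enc); RSA encrypts only that short
# key (openssl pkeyutl). RSA-2048 with OAEP is used instead of the text's 1024
# bits; file names and the sample payload are constructed.

# keygen DIR: the recipient's long-lived RSA key pair; the private key stays mode 0600
keygen() {
    (umask 077; openssl genrsa -out "$1/priv.pem" 2048 2>/dev/null)
    openssl rsa -in "$1/priv.pem" -pubout -out "$1/pub.pem" 2>/dev/null
}

# seal DIR PLAINFILE: sender side. Fresh key and IV per message; data.enc holds the
# AES ciphertext and key.enc the RSA-wrapped "key:iv" string.
seal() {
    key=$(openssl rand -hex 16)       # 128-bit content key, never reused
    iv=$(openssl rand -hex 16)
    openssl enc -aes-128-cbc -K "$key" -iv "$iv" -in "$2" -out "$1/data.enc"
    printf '%s:%s' "$key" "$iv" |
        openssl pkeyutl -encrypt -pubin -inkey "$1/pub.pem" \
            -pkeyopt rsa_padding_mode:oaep -out "$1/key.enc"
}

# open_envelope DIR OUTFILE: recipient side. Only the private-key holder can unwrap
# the content key; the bulk data is then decrypted at symmetric-cipher speed.
open_envelope() {
    km=$(openssl pkeyutl -decrypt -inkey "$1/priv.pem" \
            -pkeyopt rsa_padding_mode:oaep -in "$1/key.enc")
    key=${km%%:*}; iv=${km#*:}
    openssl enc -d -aes-128-cbc -K "$key" -iv "$iv" -in "$1/data.enc" -out "$2"
}

# roundtrip_ok DIR: exit 0 when a constructed message survives seal + open unchanged
roundtrip_ok() {
    printf 'constructed sample payload: pretend this is a large data set\n' > "$1/plain.txt"
    seal "$1" "$1/plain.txt" && open_envelope "$1" "$1/plain.dec" &&
        cmp -s "$1/plain.txt" "$1/plain.dec"
}

# Caveat: AES-CBC gives confidentiality only. Add a MAC over data.enc (section 2.2)
# or use an authenticated mode so that tampering with the ciphertext is detected.
WORK=$(mktemp -d); keygen "$WORK"
if roundtrip_ok "$WORK"; then echo "envelope round trip OK"; else echo "round trip FAILED"; fi
echo "wrapped key: $(wc -c < "$WORK/key.enc" | tr -d ' ') bytes (one RSA block); data: $(wc -c < "$WORK/data.enc" | tr -d ' ') bytes"
rm -rf "$WORK"
```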
