1. Data security:
1.01 攻城利器:Charles(公司中一般都使用该工具来抓包,并做网络测试)
2.注意:Charles在使用中的乱码问题,可以显示包内容,然后打开info.plist文件,找到java目录下面的VMOptions,在后面添加一项:-Dfile.encoding=UTF-8
3.02 数据安全的原则
4. 1)在网络上"不允许"传输用户隐私数据的"明文"
5. 2.)在本地"不允许"保存用户隐私数据的"明文"
6.03 数据加密的方式和规范一般公司会有具体的规定,不必多花时间。
2, Base64
1.1.base64 Simple Explanation
2. Description: Base64 can be the cornerstone of cryptography, very important.
3. Features: can be arbitrary binary data for BASE64 encoding
4. Result: All data can be encoded as a text file that can be represented with only 65 characters.
5.65 characters: A~z a~z 0~9 +/=
6. File data changes after Base64 encoding of the file: encoded data ~= 4/3 of the data before encoding, will be about 1/3.
7.
8.2. Command line for BASE64 encoding and decoding
9. Code: Base64 123.png-o 123.txt
10. Decoding: Base64 123.txt-o test.png-d
11.
12.2.BASE64 Coding principle
13.1) Convert all characters to ASCII code;
14.2) Convert ASCII code to 8-bit binary;
15.3) binary 3 is grouped into a group (less than 3 in the back of 0) total 24, and then split into 4 groups, 6 bits per group;
16.4) Unity in 6-bit binary pre-complement two 0 to fill 8 bits;
17.5) Convert the binary into decimal after 0;
18.6) Obtain the decimal corresponding BASE64 encoding from the BASE64 encoding table;
19.
20. Process Description:
A. When converting, the data of three bytes is placed in a 24bit buffer successively, and the first byte occupies a high position.
B. If the data is less than 3byte, the remaining bits in the buffer are filled with 0. Then, each time you take out 6 bit, select the corresponding character as the encoded output according to the value of the check table.
C. Continuous, until all input data conversion is complete.
D. If the last two input data is left, add 1 "=" after the coded result;
E. If the last input data is left, add 2 "=" after the encoding result;
F. If there is no data left, nothing will be added, so as to ensure the correctness of the data restoration.
27.
28.3. Implement
A. Description:
30.1) Apple provides base64 encoding and decoding support starting from iOS7.0
31.2) If you are an older project, you will also see a third-party framework for Base64 encoding and decoding, and it is recommended to replace if the following versions of iOS7.0 are not currently supported.
32.
B. Related code:
34.//Given a string, the string is BASE64 encoded and returned with the encoded result
-(NSString *) base64encodestring: (NSString *) string
36. {
37.//1. Convert the string to binary data first
NSData *data = [string datausingencoding:nsutf8stringencoding];
39.
40.//2. base64 encoding of binary data, returns the encoded string
return [data base64encodedstringwithoptions:0];
42.}
43.
44.//Decode the Base64 encoded string
-(NSString *) base64decodestring: (NSString *) string
46. {
47.//1. "Decode" the Base64 encoded string into binary data
NSData *data = [[NSData alloc]initwithbase64encodedstring:string options:0];
49.
50.//2. Converting binary data to string return
[[NSString Alloc]initwithdata:data encoding:nsutf8stringencoding];
52.}
53.
C. Terminal Test commands
$ echo-n A | Base64
$ echo-n qq== |base64-d
3. Common cryptographic algorithms and others:
1.1. base64 编码格式
2.2. 密码学演化 "秘密本"-->RSA
3.3. 常见的加密算法
4. 1)消息摘要(单向散列函数)
5. 2)对称加密
6. 3)非对称加密
7. 4)证书等
4, one-way hash function:
1.1. Characteristics of one-way hash function:
The length of ciphertext after 2.① encryption is fixed long
3.② if the plaintext is different, then the result must be different after the hash
4.③ If the plaintext is the same, then encrypted ciphertext must be the same (encrypt the same data, encrypted ciphertext)
5.④ all cryptographic algorithms are public
6.⑤ can not reverse the inverse calculation
7.2. Classic encryption algorithm
8.1) MD5 Encryption
9.2) SHA1
3) SHA512
Simple description of 11.3.MD5 encryption algorithm
12.1) The string is MD5 encrypted to get a 32-character cipher
13.2) After encryption can not be launched in accordance with the ciphertext inverse clear
3) MD5 has been cracked (brute force | Collision detection)
15.4.MD5 Encryption Advanced
16.1) Add salt first and then MD5
17.2) First disorderly order, then MD5 encryption
18.3) Disorderly Order | Add salt, multiple MD5 encryption, etc.
19.4) Use the message authentication mechanism, that is, hmac-md5-encryption of the key, after encryption two times MD5 hash
20.5) Encrypt the command line
MD5 Encryption-String $ echo-n "520it" |md5
MD5 Encryption-File 1 $ MD5 abc.png
SHA1 encryption: $ echo-n "520it" |openssl sha-sha1
SHA256 $ echo-n "520it" |openssl sha-sha256
SHA512 $ echo-n "520it" |openssl sha-sha512
HMACMD5 encryption $ echo-n "520it" |openssl Dgst-md5-hmac "123"
27.
28.5. hash function Application Fields
29.1) Search for multiple keywords, first hash each keyword, then multiple keywords to do or operations, if the values are consistent search results consistent
30.2) The copyright file is hashed to determine whether the file is genuine or original
31.3) File Integrity verification hashes the entire file, comparing hash values to determine whether the file is complete or tampered with
32.6. Message authentication mechanism (HMAC) Simple description
33.1) principle
34.① the sender and receiver of a message have a shared key
35.② the sender uses a shared key to encrypt the message to get the MAC value (message authentication code)
36.③ message recipient uses shared key to encrypt message to get Mac value
37.④ comparison of two Mac values
38.2) Use
39.① client needs to send (message) + (message) at the time of sending HMAC) sent to the server together
After the 40.② server receives the data, it uses the shared key to HMAC the received message, the comparison is consistent, and if it is consistent, the trust
5. Symmetric encryption:
1.1.对称加密的特点
2. 1)加密/解密使用相同的密钥
3. 2)加密和解密的过程是可逆的(明文-》密文-》明文)
1.2.经典算法
2. 1)DES 数据加密标准
3. 2)3DES 使用3个密钥,对消息进行(密钥1·加密)+(密钥2·解密)+(密钥3·加密)
4. 3)AES 高级加密标准
5.3.分组密码简单说明
6. 密码算法可以分为分组密码和流密码两种。
7. 分组密码:每次只能处理特定长度的一zu数据的一类密码算法。一个分组的比特数量就称之为分组长度。
8. ex:DES和3DES的分组长度都是64比特。即每次只能加密64比特的明文,并生成64比特的密文。AES的分组长度有128比特、192比特和256比特可以选择。
9. 流密码:对数据流进行连续处理的一类算法。流密码中一般以1比特、8比特或者是32比特等作为单位俩进行加密和解密。
10.4.ECB分组模式
11. ECB模式的全称为Electronic CodeBook模式。又成为电子密码本模式。
12. 特点:
13. 1)使用ECB模式加密的时候,相同的明文分组会被转换为相同的密文分组。
14. 2)类似于一个巨大的明文分组-》密文分组的对照表。
1. 终端测试命令:
2. 加密 $ openssl enc -des-ecb -K 616263 -nosalt -in 123.txt -out 123.bin
3. 解密 $ openssl enc -des-ecb -K 616263 -nosalt -in 123.bin -out 1231.txt -d
4.5.CBC分组模式
5. CBC模式全称为Cipher Block Chainning模式(密文分组链接模式|电子密码链条)
6. 特点:在CBC模式中,首先将明文分组与前一个密文分组进行XOR运算,然后再进行加密。
1. 终端命令:
2. 加密 $ openssl enc -des-cbc -K 616263 -iv 0102030405060708 -nosalt -in a.txt -out a.bin
3. 解密 $ openssl enc -des-cbc -K 616263 -iv 0102030405060708 -nosalt -in a.bin -out a1.txt -d
6. Asymmetric Encryption:
1.1.非对称加密的特点
2. 1)使用公钥加密,使用私钥解密
3. 2)公钥是公开的,私钥保密
4. 3)加密处理安全,但是性能极差
1.2. Classic Algorithm---RSA
2.1) RSA principle
3. (1) Ask N, prepare two prime numbers p and q,n = p x q
4. (2) Seeking l,l is the least common multiple of p-1 and q-1. L = LCM (p-1,q-1)
5. (3) Greatest common divisor of e,e and L are 1 (E and L coprime)
6. (4) Seek d,e x D mode L = 1
7.2) RSA encryption Small Practice
8. (1) p = 17,q = =>n = 323
9. (2) LCM (p-1,q-1) =>LCM (16,18) =>l= 144
Ten. (3) gcd (e,l) =1 =>e=5
One. (4) e multiplied by a few can mode L =1? D=29 can meet
12. (5) Get the public key: e=5,n=323
13. (6) Get the private key: d=29,n=323
14. (7) Encrypted plaintext e-party mod N = 123 of 5-time MoD 323 = 225 (ciphertext)
15. (8) Decryption text D-square mod N = 225 of 29-time MoD 323 = 123 (Clear text)
----------------
3) OpenSSL generate key command
18. The build strength is 512 RSA private key: $ OpenSSL genrsa-out PRIVATE.PEM 512
19. Output private key contents in clear text: $ OpenSSL rsa-in private.pem-text-out private.txt
20. Verify the private key file: $ openssl rsa-in Private.pem-check
21. Extract the public key from the private key: $ openssl rsa-in private.pem-out public.pem-outform pem-pubout
22. Output public key contents in clear text: $ OpenSSL rsa-in public.pem-out Public.txt-pubin-pubout-text
23. Encrypt small files with public key: $ openssl rsautl-encrypt-pubin-inkey public.pem-in msg.txt-out msg.bin
24. Decrypt small files with private key: $ openssl rsautl-decrypt-inkey private.pem-in msg.bin-out a.txt
25. Convert the private key to DER Format: $ OpenSSL rsa-in private.pem-out Private.der-outform der
26. Convert the public key to DER Format: $ OpenSSL rsa-in public.pem-out Public.der-pubin-outform der
-----------------.
7. Digital Signature:
1.1.数字签名的应用场景
2. 答:需要严格验证发送方身份信息情况
3.2.数字签名原理
4. 1)客户端处理
5. ①对"消息"进行 HASH 得到 "消息摘要"
6. ②发送方使用自己的私钥对"消息摘要" 加密(数字签名)
7. ③把数字签名附着在"报文"的末尾一起发送给接收方
8. 2)服务端处理
9. ①对"消息" HASH 得到 "报文摘要"
10. ②使用公钥对"数字签名" 解密
11. ③对结果进行匹配
12.
8. Digital Certificate:
1.1.简单说明
2. 证书和驾照很相似,里面记有姓名、组织、地址等个人信息,以及属于此人的公钥,并有认证机构施加数字签名,只要看到公钥证书,我们就可以知道认证机构认证该公钥的确属于此人
3.2.数字证书的内容
4. 1)公钥
5. 2)认证机构的数字签名
6.3.证书的生成步骤
7. 1)生成私钥 openssl genrsa -out private.pem 1024
8. 2)创建证书请求 openssl req -new -key private.pem -out rsacert.csr
9. 3)生成证书并签名,有效期10年 openssl x509 -req -days 3650 -in rsacert.csr -signkey private.pem -out rsacert.crt
10. 4)将 PEM 格式文件转换成 DER 格式 openssl x509 -outform der -in rsacert.crt -out rsacert.der
11. 5)导出P12文件 openssl pkcs12 -export -out p.p12 -inkey private.pem -in rsacert.crt
12.
13.4.iOS开发中的注意点
14. 1)在iOS开发中,不能直接使用 PEM 格式的证书,因为其内部进行了Base64编码,应该使用的是DER的证书,是二进制格式的
15. 2)OpenSSL默认生成的都是PEM格式的证书
iOS Core notes-network programming-network security