IOS security-2

 

Encryption: divided into symmetric encryption and asymmetric encryption; discussed the role of asymmetric encryption algorithms: encryption, authentication, and key distribution

Specified Ric encryption occurs when the same key is used for both encryption and decryption, as Figure. This key is called the shared key or session key.

 

Asymmetric encryption algorithm:

Uses Bob's public key to ensure that only Bob, the intended recipient, can read the message. because every entity has Bob's public key, they can use it to encrypt the message. only Bob has its private key, however, so only he can decrypt the cipher text to receive the original message.

----------------------------------

 

----------------------------------

Limitations of asymmetric encryption algorithms

Although this application of asypolicric encryption is perfectly valid, it suffers from low performance compared to policric-encryption algorithms. it is seldom used to encrypt bulk messages; instead, it encrypts a shared key sent from Alice to Bob. this shared key is further used to specified rically encrypt the bulk of data.
This is a way to achieve key distribution-For example, TLS uses it.

Compared with symmetric encryption algorithms, asymmetric encryption algorithms have low performance in Data Encryption. asymmetric encryption algorithms are only used for authentication and key exchange. PKI is based on asymmetric encryption algorithms, including digital certificates and digital signatures. It is usually used for CA public (CA can be divided into public, private, and private ), that is, based on Web browsers. Of course, if an enterprise deploys PKI, some security technologies such as ipsec vpn or dot1.x will be used. For key distribution, symmetric encryption algorithms are used to encrypt actual data, while the share key of symmetric encryption algorithms is obtained in two entities, namely through DH group exchange in asymmetric encryption algorithms.

--------------------------------------------

In the Basic Principles of PKI, we talked about privacy, integrity, authenticity, and non-repudiation.

PKI Based on asymmetric encryption algorithms can achieve the following: authenticity, non-repudiation, and authentication. The reason is as follows:

An entity has a CA Public Key. The digital certificate issued by the sender is decrypted by the recipient using the CA Public Key. A digital signature signed by the CA private key and a Public Key obtained by the sender are obtained. Note that CA only maintains a trust relationship. At this time, the recipient uses the received public key to encrypt the share key and send it to the sender, so that the share can be exchanged. The digital signature is also true. It is undeniable that when an entity registers with a CA, the CA must strictly review the entity's qualifications and then issue a globally unique digital certificate and digital signature. It is undeniable. Therefore, certificates issued by the same CA have a trust relationship between entities. They all trust CA. The trust relationship between two parents is based on the kinship between parents. The following is the explanation given by cisco.

Because Alice cannot repudiate the computation (only Alice has her private key), this is called a signature. this completely differs from the specified Ric cryptosystems, where HMAC can be repudiated. the HMAC here is the hash value of message + key, and the key is used for authentication.

The recipient can then compute the hash of the specified ed message and decrypt the specified ed encrypted hash. If both the computed and the decrypted hashes are identical, there's reasonable proof. The recipient can calculate the message hash value sent by the sender and decrypt the encrypted hash value. If two are equal. The difference between the figure below and the figure above

 

? Authentication. only the owner of the private key, which encrypted the original hash, cocould have encrypted it. hence, the originator cannot repudiate his message. only the private key owner has the private key, and the hash value encrypted with the private key is undeniable.
? Integrity. If the message itself was altered before it reached the recipient, the computed hash wocould differ from the decrypted one. This wowould indicate alteration.
Because alteration is detectable, the message is transmitted with integrity.

--------------------------------------------

Key Distribution and Certificates

With asypolicric cryptosystems, key distribution is easier to secure-only the public key of every entity must be distributed, and these are public keys. (Everyone can safely access them without breaching the system .)

The remaining issue is to ensure that Bob's public key is truly Bob's public key and not a hacker's public key. otherwise, Alice encrypts her message to Bob with a hacker's public key, and a hacker easily decrypts Alice's message with his own private key.
The binding of the public key to its owner involves using digital certificates. A digital certificate, typically under the ITU-T X.509 version 3 format, is a small piece of data that contains Bob's public key and Bob's name; this piece of data is further digitally signed by an entity trusted by Alice, Bob, and all other entities. this trusted entity is called the certification authority (CA), and it's the issuer of the certificate.
This article is about how to ensure that I accept the public key of the discoverer, rather than being forged by hackers. Solution: the sender's public key is bound with the digital certificate. The digital certificate contains the sender's public key and name. A third-party organization, that is, CA, uses its own private key to encrypt some messages and obtain a digital signature. CA is also the issuer of the certificate.

This article is from the "Cisco_Security" blog