I. symmetric encryption algorithm
. NET provides four classes for symmetric encryption algorithms: descryptoserviceprovider, rc2cryptoserviceprovider, rijndaelmanaged, and tripledescryptoserviceprovider. They all inherit from the symmetricalgorithm class in the system. Security. cryptography namespace, so the usage is similar. The first two algorithms correspond to DES and RC2 respectively. Relatively speaking, the next two are better. Rijndael is an implementation of the AES (Advanced Encryption Standard) algorithm, while tripledes is a three-step continuous iteration using the DES algorithm, that is, Triple DES encryption. In terms of key length, des is 56 bits, the Triple DES is 112 or 168 bits, and the AES is 128, 192, or 256 bits. In the number of cycles, des takes 16 times, and the Triple DES takes 48 times. AES only needs 10, 12, or 14 times based on the key length. From some data point of view, AES may be better, but I have not tested it yet.
An example is provided. This example can be found in. NET Framework SDK:
1 tripledescryptoserviceprovider TDES = new tripledescryptoserviceprovider ();In. net, symmetric encryption and decryption are implemented using process streams. For example, in the cryptostream in row 2nd, during the construction process, the first parameter associates cryptostream with fout. Here, fout is generally a filestream of the output result. The second parameter is to use the createencryptor method of the tripledescryptoserviceprovider class to generate a encryptor object to complete the actual encryption process. If you need decryption, you can use the createdecryptor method. They all return icryptotransform interfaces.
In the example, we can see that the createencryptor method uses two parameters. The first parameter corresponds to the key. This is easy to understand. The symmetric encryption algorithm, of course, requires a key. The second parameter corresponds to an object called "initialization Vector. Before explaining the initialization vector, let us first say that if we do not specify the key and initialization vector in advance, we can also let the Encryption Class generate a random one for us.
Well, what is "initialization Vector "? What does it do? Let's first imagine that when the same data is encountered during the encryption process, if the encrypted results are the same, the encryption is obviously easier to crack. Therefore, when encrypting a data block, the encryption algorithm must use both the key and the encryption result of the previous block. In this way, even the same data block, the encrypted results are different. However, what should I do because the first data block has no leading input? Here we will use our initialization vector. It encrypts the first block together with the key.
The next few lines are easy to understand. read data from the input stream and send the data to the output stream after the encryption process. The encryption process is complete. Correspondingly, during decryption, you can use the same key and initialization vector to create an encryptor and then process it again.
Ii. asymmetric encryption algorithms
Asymmetric rical encryption is also called the Public Key algorithm (Public Key Algorithm ). This encryption algorithm is designed as follows: The key used for encryption is different from the key used for decryption, And the decryption key cannot be calculated based on the encryption key (at least for a reasonable long time ). It is also called the Public Key algorithm because the encryption key can be made public, that is, a stranger can obtain it and use it to encrypt information. However, only the corresponding decryption key can be used to decrypt the information. In this encryption algorithm, the encryption key is called a public key, and the decryption key is called a private key ).
The previous principles seem complicated, but in most cases, they are simple .. Net Framework provides two asymmetric encryption classes: rsacryptoserviceprovider and dsacryptoserviceprovider, which correspond to the RSA and DSA algorithms respectively. Their usage is similar. Example:
1 static public byte [] rsaencrypt (byte [] datatoencrypt, rsaparameters rsakeyinfo, bool dooaeppadding)From the perspective of Row 3, The exportparameters method returns a structure of rsaparameters. It contains information required by the RSA algorithm. This method includes a bool parameter. If it is set to true, the public key and the private key are exported together. If it is set to false, only the public key is exported.
The information exported from exportparameters can then be obtained by another rsacryptoserviceprovider class using the importparameters method, and then the encrypt method can be called for encryption. Note that in row 7th, The dooaeppadding parameter specifies whether the encryption process is filled with OAEP. Note that it can only be true in Windows XP or later versions.
In this example, we can see that the information used during encryption does not include the private key, that is, the encryption process can be completed only by using the public key. However, the private key must be used for decryption. Therefore, in row 32nd, the parameter of the exportparameters method must be true.
An important application of asymmetric encryption algorithms is digital signature. You can use the signdata and verifydata methods of the encryption class to complete this process.
1 rsacryptoserviceprovider RSA = new rsacryptoserviceprovider ();Fullkey in the second line and publickey in the fifth line are read in advance from the XML file. fullkey contains the public key and private key information, and publickey only contains the public key information. The information is consistent with the data in the rsaparameters structure. The difference is that publickey only contains modulus and exponent, while fullkey also contains p, q, DP, DQ, inverseq, and D.
We can see that after setting the key information, we can call the signdata method to sign orginaldata using the sha1 algorithm to obtain signature. Then it can be used for verification by the verifydata method. The verifydata parameter is the data to be verified.
Similar to this, there are signhash and verifyhash methods. The use of these two methods is detailed in the. NET Framework SDK, and is not listed here.
By the way, this section describes the technical implementation process of digital signatures. (Originally from China Tobacco Network Business Channel)
======================================
The file transfer process is as follows:
1. The sender first uses the hash function to obtain a digital signature from the original text, and then uses the public key system to encrypt the digital signature with the private key of the sender, add the encrypted digital signature to the original text to be sent.
2. the sender selects a secret key to encrypt the file and transmits the encrypted file to the receiver over the network.
3. The sender encrypts the secret key with the public key of the receiver, and transmits the encrypted secret key to the receiver through the network.
4. The receiver uses its own private key to decrypt the key information and obtain the plaintext of the secret key.
5. The recipient decrypts the file with a secret key to obtain an encrypted digital signature.
6. The receiver decrypts the digital signature with the public key of the sender to obtain the plaintext of the digital signature.
7. The receiver recalculates the digital signature with the obtained plaintext and hash functions and compares them with the decrypted digital signature. If the two digital signatures are the same, the file is not damaged during transmission.
If the third party impersonates the sender to send a file because the receiver uses the public key of the sender when decrypting the digital signature, as long as the third party does not know the private key of the sender, the decrypted digital signature must be different from the calculated digital signature. This provides a safe way to confirm the sender's identity.
Although both the encryption and decryption processes of digital signatures and secret keys use public key systems, the implementation process is the opposite, and the key pairs used are different. The digital signature uses the sender's key pair. The sender encrypts the key with its own private key, and the receiver decrypts the key with the public key of the sender. This is a one-to-many relationship: anyone who owns the sender's public key can verify the correctness of the digital signature, while the encryption and decryption of the secret key uses the close pair of the receiver, this is a many-to-one relationship: anyone who knows the accesskey published by the receiver can send encrypted information to the receiver. Only the only person with the private key of the receiver can decrypt the information. This is a complex but interesting process. In practice, a user usually has two key pairs one by one to encrypt and decrypt the digital signature, and one to encrypt and decrypt the secret key. This method provides higher security.
======================================
Which of the following experts can fully understand this excerpt? I haven't fully figured it out yet ~~~~ Sleepy, want to go to bed, put it here first, come back and think about it in a few days!
Start building with 50+ products and up to 12 months usage for Elastic Compute Service
1 on 1 presale consultation
24/7 Technical Support 6 Free Tickets per Quarter Faster Response
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.
A comprehensive suite of global cloud computing services to power your business
Payment Methods We Support
