In the early days of computer networking, few people used computers, and nobody considered the need for data encryption. As society developed, the Internet became an indispensable part of our lives: communication, shopping and work all depend on it. Now that computers, mobile phones and all kinds of electronic devices make up the Internet, data security has become a very important concern.
Now, let's look at how Linux can encrypt and decrypt data.
To ensure data security, we have three goals to achieve:
Confidentiality, integrity, availability.
Nowadays plenty of overly curious people try to get at other people's data, which threatens all three security goals:
Attacks on confidentiality: eavesdropping, traffic analysis;
Attacks on integrity: modification, masquerading, replay, repudiation;
Attacks on availability: denial of service (DoS).
To keep people with ulterior motives from threatening our data, we defend against these attacks with encryption and decryption, together with authentication mechanisms and access control services.
First, a brief look at encryption and decryption algorithms:
With today's rapid advances in technology, traditional encryption methods have become easy to break, which is why modern block encryption methods were developed.
The main kinds of encryption used on Linux are symmetric encryption, public-key encryption and one-way encryption.
Symmetric encryption: the same key is used to encrypt and decrypt; the original data is divided into fixed-size blocks that are encrypted one at a time.
Disadvantage: when there are many files, there are too many keys to manage easily.
Encryption methods:
DES: Data Encryption Standard, 56-bit (low security, deprecated)
3DES: DES applied 3 times
AES: Advanced Encryption Standard, 128-bit (National Security Agency)
AES192, AES256, AES512
Blowfish, Twofish, IDEA, RC6, CAST5, etc.
Asymmetric encryption: the key is split into a public key and a private key. The public key is published and anyone can get a copy; the private key is held only by its owner and must not be obtained by anyone else. Data encrypted with the public key can only be decrypted with the corresponding private key, and vice versa. This kind of encryption is mainly used for digital signatures.
Disadvantage: it is far too slow for encrypting data, at least 3 orders of magnitude (1000 times) slower than symmetric encryption; for large files, that speed is more than anyone would tolerate.
Encryption methods: mainly RSA, DSA, ElGamal.
One-way encryption: data can only be encrypted, not decrypted. The output has a fixed length, and the slightest change to the input produces a very different output under the same algorithm. This is the avalanche effect, and it is why one-way encryption is often used to check data integrity.
Encryption methods:
MD5: Message Digest 5, 128 bits
SHA1: Secure Hash Algorithm 1, 160 bits
SHA224, SHA256, SHA384, SHA512
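The fixed-length output and the avalanche effect described above can be measured with the coreutils hashing tools. This is an added example, not part of the original article; the two sample messages and the helper function names are constructed for the demonstration.

```shell
#!/bin/sh
# Constructed sample messages that differ in a single character.
MSG1="pay 100 to B"
MSG2="pay 900 to B"

# Hex digest of a string using the given tool (md5sum, sha1sum, sha256sum).
digest() {  # $1 = tool, $2 = message
  printf '%s' "$2" | "$1" | cut -d' ' -f1
}

# Output size in bits: each hex digit carries 4 bits.
digest_bits() {  # $1 = tool, $2 = message
  d=$(digest "$1" "$2")
  echo $(( ${#d} * 4 ))
}

# Number of bit positions in which two equal-length hex digests differ.
bit_diff() {  # $1, $2 = hex digests
  a=$1; b=$2; n=0
  while [ -n "$a" ]; do
    ca=${a%"${a#?}"}; cb=${b%"${b#?}"}   # leading hex digit of each digest
    x=$(( 0x$ca ^ 0x$cb ))               # XOR marks the differing bits
    while [ "$x" -gt 0 ]; do n=$(( n + (x & 1) )); x=$(( x >> 1 )); done
    a=${a#?}; b=${b#?}
  done
  echo "$n"
}

# Fixed-length output: a 12-byte input and a 4096-byte input give the same size.
LONG=$(head -c 4096 /dev/zero | tr '\0' 'x')
for tool in md5sum sha1sum sha256sum; do
  echo "$tool: $(digest_bits "$tool" "$MSG1") bits (short input)," \
       "$(digest_bits "$tool" "$LONG") bits (long input)"
done

# Avalanche effect: one changed character flips roughly half of the 256 bits.
h1=$(digest sha256sum "$MSG1"); h2=$(digest sha256sum "$MSG2")
echo "$h1"; echo "$h2"
echo "bits changed: $(bit_diff "$h1" "$h2") of 256"
```

A receiver who recomputes the digest of a modified message gets a value that no longer matches the one sent with the original, which is how the digest serves as an integrity check.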
Let's take a look at how these methods are used to encrypt data to meet people's security needs:
[Figure: 1.jpg]
It looks perfect, but think about it: if A and B do not know each other and are communicating for the first time, how can each be sure that the public key it receives really belongs to the other side? Suppose a malicious C has been watching every move between A and B. When A requests B's public key, C sends its own public key to A and claims to be B; when B requests A's public key, C likewise hands B its own public key and claims to be A. C can then process everything A and B exchange before passing it on to each side. This is the man-in-the-middle attack. Since this danger exists, how do we deal with it?
This is where PKI (Public Key Infrastructure) comes in. It is a set of technologies and specifications that follows standard public-key cryptography to provide a security foundation platform for e-commerce development.
A complete PKI system must have an authoritative Certification Authority (CA), a digital certificate library, a key backup and recovery system, a certificate revocation system, an application programming interface (API) and other basic components; building a PKI also revolves around these five systems.
The basic technology of PKI includes encryption, digital signature, data integrity mechanism, digital envelope, double digital signature and so on. A typical, complete, and effective PKI application system should have at least the following parts:
· Public-key cryptography certificate management.
· Blacklist publishing and administration.
· Backup and recovery of keys.
· Automatic key updates.
· Automatic management of historical keys.
· Support for cross-certification.
So the question comes up again: how do we make sure the certification authority itself cannot be impersonated? That requires offline methods outside the Internet, such as on-site service and exchanging the authority's certificate in person, as well as certification.
The current certificate format is mainly X.509v3, including:
Version number
Serial number
Signature Algorithm ID
Issuer Name
Validity period
Subject name
Subject public key
Issuer unique identifier
Subject unique identifier
Extensions
Issuer's signature
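The following added example (not from the original article) ties together the man-in-the-middle scenario and the certificate fields above: A trusts a CA certificate, and a key presented under B's name is accepted only if the CA signed it. It assumes the `openssl` command-line tool is installed; the name "Demo Root CA", the file names and the helper functions are constructed for the demonstration.

```shell
#!/bin/sh
# Constructed demo: every key and certificate is generated locally in a temp dir.
WORK=$(mktemp -d)

# Create a key pair and a certificate request for the given subject name.
new_request() {  # $1 = file prefix, $2 = common name
  openssl req -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" \
    -out "$WORK/$1.csr" -subj "/CN=$2" 2>/dev/null
}

setup_pki() {
  # The CA: a self-signed root certificate that A obtained offline and trusts.
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" \
    -out "$WORK/ca.pem" -subj "/CN=Demo Root CA" -days 30 2>/dev/null
  # B's request is signed with the CA's private key.
  new_request b "B"
  openssl x509 -req -in "$WORK/b.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -out "$WORK/b.pem" -days 30 2>/dev/null
  # C also claims the name "B", but can only sign with its own key.
  new_request c "B"
  openssl x509 -req -in "$WORK/c.csr" -signkey "$WORK/c.key" \
    -out "$WORK/c.pem" -days 30 2>/dev/null
}

# A's check before using a received public key: does the certificate chain
# to the trusted CA? Prints "trusted" or "rejected".
check_cert() {  # $1 = file prefix
  if openssl verify -CAfile "$WORK/ca.pem" "$WORK/$1.pem" 2>/dev/null \
       | grep -q ': OK$'
  then echo trusted; else echo rejected; fi
}

# Print some of the X.509 fields listed above for one certificate.
show_fields() {  # $1 = file prefix
  openssl x509 -in "$WORK/$1.pem" -noout -serial -issuer -subject -dates
}

setup_pki
echo "Certificate from B: $(check_cert b)"
echo "Certificate from C: $(check_cert c)"
show_fields b
show_fields c
```

Both certificates carry the same subject name; what separates them is the issuer field and the issuer's signature, which only the holder of the CA's private key can produce.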
So, now that we know the basics, how does Linux implement these methods? That will be covered in the next installment.
This article is from the "Amengmon" blog; please keep this source link: http://amengmon.blog.51cto.com/10985711/1732463
Marco Linux Learning Notes: encryption, decryption basics