Marco Linux Learning Notes: encryption, decryption basics

In the early days of computer network construction, due to the number of people who can use the computer less, and did not consider the need for data encryption, with the development of society, the Internet has become an indispensable part of our lives, whether it is exchange, shopping, or work has been inseparable from the Internet. In computers, mobile phones, all kinds of electronic equipment to build the Internet, the security of data has become a very important aspect of attention.

Now, let's look at how Linux can encrypt and decrypt data.

To ensure data security, we have three goals to achieve:

Confidentiality, completeness, availability.

Nowadays, there are a lot of people with strong curiosity to find out about other people's data, which is a threat to the three security targets:

Threat privacy attacks: eavesdropping, traffic analysis;

Threat integrity attacks: change, disguise, replay, deny;

Attack on threat Availability: Denial of service (Dos)

For these annoying attacks, we have to come up with some ways to prevent people with ulterior motives from threatening our data security, with encryption and decryption technology, as well as an authentication mechanism to protect against attacks, and access control mechanism services.

First, we have a simple understanding of the cryptographic decryption algorithm:

Traditional encryption methods in the rapid development of science and technology today, has become vulnerable to the vulnerable, this has a modern block encryption method.

The encryption method under Linux mainly has symmetric encryption, public key encryption, one-way encryption;

Symmetric encryption: Encryption and decryption using the same key, the original data is divided into fixed-size blocks, encrypted one by one;

Disadvantage: When the file too many, need to manage too many keys, not easy to manage;

Encryption Method:

DES Data Encryption Standard,56bit (Low security, deprecated)

3DES 3 times des

AES Advanced Encryption Standard,128bit (National Security Agency)

aes192,aes256,aes512

Blowfish, TWOFISH,IDEA,RC6,CAST5, etc.

Asymmetric encryption: The key is divided into public key and private key, public key is published with the public key, anyone can get a copy, and the private key is only owned by the parties, not allowed to be obtained by any other person; The data encrypted with the public key can only be decrypted with the corresponding private key, and vice versa; This encryption is mainly used for digital signature ；

Disadvantage: For data encryption speed is too slow, than the symmetric encryption method at least 3 orders of magnitude, is 1000 times times, for large files, this speed is probably no one can tolerate

Encryption method: Mainly RSA, DSA, ELGamal

One-way encryption: Data can only be encrypted, but not decrypted, but this encryption can be fixed long output encrypted data, and the slightest change of the encrypted data will result in the same encryption method encrypted data has a considerable difference, this is the avalanche effect, so often used to do data integrity of the decision;

Encryption Method: md5:message Digest 5, 128bits

Sha1:secure Hash algorithm 1, 160bits

sha224, sha256, sha384, sha512

Let's take a look at how these methods are used to encrypt data to meet people's security needs:

650) this.width=650; "src="/e/u261/themes/default/images/spacer.gif "style=" Background:url ("/e/u261/lang/zh-cn/ Images/localimage.png ") no-repeat center;border:1px solid #ddd;" alt= "Spacer.gif"/>650 "this.width=650;" src= "http ://s4.51cto.com/wyfs02/m02/79/4b/wkiol1an-iucgzx3aafrtckidlk756.jpg "title=" 1.jpg "alt=" Wkiol1an-iucgzx3aafrtckidlk756.jpg "/>

It looks perfect, but think about it, if a A, B is not known, and is the first time to communicate, how to ensure that they get the other's public key is it must be the other side of the public key? Suppose that the two sides of a, B communication have always had a malicious C listening to each other's every move, a to get the B public key request, C will own the public key to a, and tell a He is B, and B. Get a public key, C also put his public key to B, to B said he is a, so a, b Communication Content C can be processed and then sent to both sides, this is the man-in-the-middle attack, since there is such a dangerous possibility, then how can we solve him?

at this point, it is PKI (Public key Infrastructure) key infrastructure comes up, his It is a kind of technology and specification that follows standard public key cryptography to provide a set of security foundation platform for e-commerce development.

A complete PKI system must have an authoritative certification Authority (CA), a digital certificate library, a key backup and recovery system, a certificate revocation system, an application interface (API) and other basic components, Building a PKI will also be built around these five systems.

The basic technology of PKI includes encryption, digital signature, data integrity mechanism, digital envelope, double digital signature and so on. A typical, complete, and effective PKI application system should have at least the following parts:

· Public key password certificate management.

· Blacklist publishing and administration.

· Backup and recovery of keys.

· The key is automatically updated.

· Automatic management of historical keys.

· Cross-certification is supported.

So the question comes again, how to ensure that the authority of the certification body can not be impersonating? This requires some methods under the Internet, such as on-site services, in-person exchange of authority certificates, as well as certification.

The current certificate format is mainly X.509v3, including:

Version number

Serial number

Signature Algorithm ID

Issuer Name

Validity period

Principal Name

Principal public key

Issuer's unique identity

The unique identity of the subject

Extended

Issuer's signature

And so, knowing the basics, how does Linux implement these methods? and listen to tell

This article is from the "Amengmon" blog, make sure to keep this source http://amengmon.blog.51cto.com/10985711/1732463

Marco Linux Learning Notes: encryption, decryption basics