My Android Advanced tour------>android uses the AES+RSA encryption mechanism to encrypt HTTP requests

Source: Internet
Author: User
Tags modulus rounds asymmetric encryption





    • Objective
      • Non-encrypted grab packets
      • Packet capture after encryption
    • Basic requirements and concepts
    • AES algorithm
      • AES Fundamentals and Algorithmic flow
      • AES Algorithm Flow
    • RSA algorithm
      • Fundamentals and flow of RSA algorithms
      • RSA algorithm Implementation process
    • AES and RSA combined data encryption scheme
    • Android End Aesrsa Combined practice
      • Basic requirements
      • Basic process
        • Android side
        • Server-side
        • Java Version Example
    • More references




Objective

Recently, the login module for the company app was maintained, as testers grabbed the company's clear login information with the Fiddler capture tool. Although the HTTP request was made using HTTPS, the plaintext content was caught by fiddler. Therefore, the previously unencrypted logon information needs to be encrypted. Search online for an article on the Aes+rsa encryption scheme, as shown in the link below, according to this program successfully solved the encryption problem, here to record.

    • Secure authentication scheme for open interfaces (AES+RSA)
Non-encrypted grab packets


The first thing to look at is unencrypted, the plaintext information obtained by the Fiddler grab is shown in 1:


    • Figure 1 The request body captured by Fiddler when unencrypted




    • Figure 2 The request header captured by Fiddler when unencrypted





With Figure 1, you can clearly see that all HTTP request information is transparent. If there is really a person to steal the user's information, it will cause much loss.


Packet capture after encryption
    • Figure 4 after encryption, the request body captured by the fiddler packet




    • Figure 5 after encryption, the Fiddler grab packet gets the request header





Figure 4, you can see all the request body through the AES encryption, and then use Base64 to encode and decode the converted request body, even if it is a conscientious to steal, it is difficult to crack in the effective time.



First look at a diagram to see the implementation of the need for the use of a number of commonly used encryption and decryption nouns


    • Figure 6 Adding and decrypting common nouns




Basic requirements and concepts

With the wide application of Internet network, the information security problem is becoming more and more prominent, and the information security technology with data encryption technology has been greatly developed. Current data encryption technology can be divided into private key encryption ( symmetric encryption ) system and public key cryptography (asymmetric encryption ) system according to the encryption key type.

Symmetric encryption algorithm is a more traditional encryption system, the communication between the two sides in the process of encryption and decryption using their shared single key, given its simple algorithm and the advantages of fast encryption, is still one of the mainstream cipher system. The most common symmetric cipher algorithm is the Data Encryption Standard (des) algorithm, but due to the short length of Des key, it is not suitable for the security of data encryption in today's distributed open Network. Finally, a new symmetric advanced Data Encryption Standard AES based on the Rijndael algorithm replaces the data Encryption Standard DES. Asymmetric encryption because of the different encryption/decryption key (public key encryption, private key decryption), Key management is simple, also has been widely used. RSA is the most famous public-key cryptography algorithm for asymmetric encryption systems.

AES algorithm AES basic principle and algorithm flow


The National Institute of Standards and Technology (NIST) selects the Rijndael algorithm as the Advanced Encryption Standard (AES) from a number of block ciphers by selecting the tri-Rounds candidate algorithm. The Rijndael password is an iterative block cipher, the packet length and password length are variable, and the packet length and password length can be specified independently of 128-bit, 192-bit, or 256-bit. AES's cryptographic algorithm data processing unit is byte, 128 bits of bits information is divided into 16 bytes, in order to copy into a 4*4 matrix, called State, all the transformations of AES are based on the state matrix transformation.



A nr is used to denote the number of rounds of encryption for a data packet (the relationship between the number of encryption wheels and the key length is shown in table 1). In each iteration of the wheel function, there are four-step transformations, namely the byte substitution operation (Bytesub ()), the row transform (Shiftrows ()), the column blending (Mixcolumns ()), and the addition transformation of the wheel key AddRoundKey () [3], The function is to realize the validity of encryption by repeating the simple non-linear transformation and the mixed function transformation, and the nonlinear diffusion of the byte substitution operation is achieved, and the different keys are introduced in each iteration.



Table 1 is a comparison of three different types of AES encryption key grouping size and corresponding number of encryption wheels. When encryption begins, each byte of the input grouping is loaded into the matrix state as in table 2. If you enter Abcdefghijklmnop, the input block is mapped to the state matrix in table 2.



Table 1:


Key
AES Type Length Group Length number of encryption wheels
AES-128 4 words 4 words 10
AES-192 6 words 4 words 12
AES-256 8 words 4 words 14


Table 2:


A E I M
B F J N
C G K O
D H L P
    • 1, byte substitution operation (Bytesub ())

      BYTE substitution operations are a reversible non-linear byte substitution operation that is performed on each byte in the packet, and the operation of the byte follows a substitution table, i.e. s box. The S box consists of two steps, the multiplication inversion on the finite field GF (28) and the affine transformation on GF (2).

    • 2, Line transform Shiftrows ()

      The line transformation is a kind of linear transformation, the purpose is to make the password information to achieve full confusion, improve the non-linear degree. Row transforms each line of the state in bytes to the right, moving the number of bytes according to the number of rows to determine, the No. 0 line does not shift, the first line of the loop to the right one byte, the second line to move two, and so on.


+3, Row Mixed transformation Mixcolumns ()


Column transformation is to take a column from the state, expressed as a polynomial form, multiply it by a fixed polynomial a (x), and then the resulting results are modulo operation, the modulus is x4+1. where a (x) ={03}x3+{02}x2+{01}x+{02},
This polynomial is coprime with x4+1 and therefore reversible. The arithmetic expression for a column blending transformation is: s ' (x) = A (x) s (x), where S (x) represents the column polynomial of the state.

    • 4, Wheel key Add transform AddRoundKey ()
      In this operation, the wheel key is simply different or into the state, the wheel key is derived from the key table, its length is equal to the length of the data block NB.
AES algorithm flow for the sender, it first creates an AES private key and encrypts the private key with a password. The AES key encrypted with the password is then sent over the Internet to the receiving party. The sender decrypts the private key and encrypts the plaintext with this private key, and the ciphertext and encrypted AES keys are sent over the Internet to the receiver. The receiving party then uses the password to decrypt the encryption key to obtain the AES key, and finally decrypts the received ciphertext into plaintext with the decrypted key. Figure 7 is the implementation process for this process.
    • Figure 7 AES Algorithm flow




The basic principle and flow of RSA algorithm


RSA is the acronym for the initials of three people who invented the RSA Cryptography system in 1977, they are: Ron Rivest, Adi Shamir and Leonard Adleman. It is the first public-key cryptographic algorithm that has applications in many cryptographic protocols, such as SSL and S/MIME. RSA algorithm is a public key system based on factorization of large prime numbers. In simple terms, it is two large prime numbers, one as the public key and the other as the private key, such as one that encrypts with the other. The key length varies from 40 to 2048 bits, and the longer the key, the better the encryption effect, but the greater the cost of encryption and decryption. The RSA algorithm can be simply described as follows:


Public key: n = pq, (p, q are two different and large prime numbers, p and q must be kept secret)
Multiply (p-1) and (q-1) to get φ (n)
Choose an integer e (1 <e <φ (n)) and φ (n) are prime
Secret key: d = e-1modφ (n), that is, calculate a number d such that it satisfies the formula de = 1 modφ (n)
Encryption: c = mc (mod n)
Decryption: m = cd (mod n), m is plaintext, and c is ciphertext.
RSA algorithm Implementation process


First, the receiver creates the RSA key pair, which is a public key and a private key, the public key is sent to the sender, and the private key is saved to the receiving party. After receiving this public key, the sender encrypts the plaintext with the public key, then transmits the ciphertext to the receiver through the network. After receiving them, the receiver decrypts the ciphertext received with the RSA private key, and finally obtains the plaintext. Figure 8 is the implementation process for the entire process.


    • Figure 8 RSA algorithm implementation process




AES and RSA combined data encryption scheme


RSA algorithm is the representative of public key system, and its security is based on the law of composite with large prime factor and its factor decomposition difficulty. Rijndael algorithm as a new generation of advanced encryption standards, the runtime does not require the computer has very high processing power and large memory, the operation can be easily protected against time and space attacks, in different operating environments can always maintain good performance. This makes AES a safe, efficient, performance, convenient, flexible set in one, it should be the preferred network data encryption. Compared with the length of the AES key is only 256 bits, the software and hardware can be used to achieve high-speed processing, and the RSA algorithm needs to be large integer of the exponentiation and modulus, such as multi-word word processing, processing speed is significantly slower than aes[5]; so the AES algorithm and decryption processing efficiency is significantly higher than the RSA algorithm. In terms of key management, because the AES algorithm requires the secret allocation of the key before communication, the decrypted private key must be transmitted over the network to the encrypted data receiver, while RSA uses public key encryption, private key decryption (or private key encryption, public key decryption), encryption and decryption process does not need the network to transmit the secret key , so RSA algorithm Key management is obviously superior to AES algorithm.



From the above, because the RSA and decryption slow, not suitable for a large number of data file encryption, so in the network completely with the public password system to transmit confidential information is not necessary, is not very realistic. AES encryption is fast, but how to securely manage the AES key during network transmission is an important step to ensure the security of AES encryption. In this way, if we encrypt the transmitted data using AES symmetric cryptosystem and use the RSA asymmetric cryptosystem to transmit AES key, we can combine the advantages of AES and RSA and avoid their shortcomings to implement a new data encryption scheme. Encryption and decryption implementation process (9).


    • Figure 9 AES-RSA combined data encryption scheme flow


The process is to first create an RSA key pair by the receiver, and the receiver sends the RSA public key to the sender over the Internet while saving the RSA private key. The sender creates an AES key, encrypts the plaintext data to be transmitted with the AES key, encrypts the AES key with the accepted RSA public key, and finally transmits the AES key encrypted with the RSA public key to the receiver via the Internet with ciphertext. When the receiving party receives the encrypted AES key and ciphertext, it first invokes the RSA private key saved by the receiver and decrypts the encrypted AES key with the private key to obtain the AES key. Finally, the AES key is used to decrypt the text to get the plaintext.


Android End Aes+rsa combined with practical basic requirements
    1. Ensure the security of transmitted data
    2. Ensure the integrity of your data
    3. Ability to verify the identity of the client
Basic process Android Side
1. The server (server) generates its own RSA key pair, and provides an interface for the Android client to obtain the RSA public key (rsaPublicKey)
2. The client generates an AES key (aesKey)
3. The client uses its own AES key (aesKey) to encrypt the request plaintext data (data) converted into json format to obtain the encrypted request data encryptedData
4. The client provides the interface provided by the server to obtain the RSA public key (rsaPublicKey).
5. The client uses the obtained RSA public key (rsaPublicKey) to encrypt the AES key (aesKey) to obtain the encryptedAesKey
6. The client takes encryptedAesKey as the HTTP request header parameter, and transmits the encrypted request data encryptedData as the request body to the server.
Server-side
1. The server responds to the client's http request and reads the http request header. Obtain the encrypted AES key (encryptAesKey) transmitted by the client, read the HTTP request body, and obtain the encrypted request data (encryptData) transmitted by the client.
  2. The server uses its own RSA private key (rsaPrivateKey) to perform RSA decryption on the encrypted AES key (encryptAesKey) to obtain the AES key (aesKey).
  3. Use the decrypted AES key (aesKey) to perform encrypted AES decryption on the encrypted request data (encryptData) to obtain the decrypted request data (data), which is in json format
  4. JSON parse the decrypted request data (data), and then perform related response operations. 


Basically as shown in the process:






Because the company code design too much content, it is not good to stick here. You can refer to the following GitHub above the link to learn, I realized the way is also reference to the following code, the specific process or to work with the server personnel together out of the scheme, AES and RSA encryption, attention


Java Version Example


Aes+rsa Double-encrypted Java example


More references
  • About the AES256 algorithm Java-side encryption, the iOS side decryption problem can not be decrypted solution

    http://my.oschina.net/nicsun/blog/95632

  • Java uses bouncy Castle for AES128 encryption and decryption (CBC mode PKCS7 padding)

    http://blog.csdn.net/aflight/article/details/13626385

  • Security article-AES/RSA encryption mechanism

    Http://www.jianshu.com/p/ec7bb7325ff2

  • Secure authentication scheme for open interfaces (AES+RSA)

    https://wustrive2008.github.io/2015/08/21/%E5%BC%80%E6%94%BE%E6%8E%A5%E5%8F%A3%E7%9A%84%E5%AE%89%E5%85%A8%E9% aa%8c%e8%af%81%e6%96%b9%e6%a1%88 (AES+RSA)/

  • Java encryption and decryption quick start "including MD5, BASE64, DES, RSA and other algorithms" in the previous article

    http://hello-nick-xu.iteye.com/blog/2103775

  • Java encryption and decryption quick start "including MD5, BASE64, DES, RSA and other algorithms" next

    http://hello-nick-xu.iteye.com/blog/2103781

  • "Java" AES Encryption decryption | And the use of Base64

    Http://www.cnblogs.com/arix04/archive/2009/10/15/1511839.html

  • . Net/android/java/ios AES Universal Encryption decryption

    Http://www.cnblogs.com/jys509/p/4768120.html

  • Security article-AES/RSA encryption mechanism

    Http://www.jianshu.com/p/ec7bb7325ff2

  • IOS & JAVA RSA Encryption & Decryption

    Http://www.cnblogs.com/makemelike/articles/3802518.html

  • Doc_rsa_java

    Http://cryptojs.altervista.org/publickey/doc/doc_rsa_java.html

  • Cryptographic algorithm Detailed--aes

    Http://www.mamicode.com/info-detail-514466.html


My Android Advanced tour------>android uses the AES+RSA encryption mechanism to encrypt HTTP requests


Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.