System security and confidentiality Design

Source: Internet
Author: User
Tags md5 hash
Information security technology Encryption and decryption technology can attack electronic data in two forms: one is a passive attack, that is, Illegally intercepting information from the transmission channel, or stealing and copying information from the storage carrier. Another type of attack is malicious deletion or tampering of transmitted or stored data. Practice has proved that password technology is an effective and economical way to prevent data attacks. Encryption Algorithm
  • Symmetric encryptionThe advantage is that the algorithm is efficient and fast. Common algorithms include des (Data Encryption Standard), idea (International Data Encryption Algorithm), HMAC-SHA1
  • Asymmetric encryptionThe RSA algorithm can be used for digital signatures.
  • MD5 hash algorithm:One-way encryption algorithms can only be encrypted and cannot be decrypted.
Digital Certificate
Both digital signatures and public key encryption are based on asymmetric encryption technology. The following problems exist: how to ensure that the holder of a public key is authentic, how to generate, distribute, and manage public keys in a large-scale information system environment. A digital certificate is an authoritative electronic document, issued by an authoritative and impartial third-party organization
Authentication) issued by the center. For example, Verisign

It uses digital certificates as the core encryption technology to encrypt and decrypt information transmitted over the network, digital signatures, and signature verification to ensure the confidentiality and integrity of information transmitted over the Internet. If a digital certificate is used, your account and funds can be secured even if the information you send is intercepted by others on the Internet or even your personal account and password are lost. For Internet-based e-commerce, the banking system must have digital certificate security certification.
Digital Signature and digital certificate difference:
Identity Authentication Technology

  • User name and password authentication (What do You know)There are three authentication methods: Verify the plaintext transmission of data, use the unidirectional hash function to process the verification data, and use the unidirectional hash and random number to process the verification data.
  • Use Token Authentication (what is it ),The key for verification is stored in the Soft Token or Hard token, And the password (PIN code) is used to control access to the key.
    The implementation of tokens is divided into question response tokens and timestamp tokens.
  • Biometric identification (what is it) and three-factor authentication,Biometric identification is based on the certified image, fingerprint, smell, and other authentication data. Based on what the user knows, what the user has, and what the three-factor authentication is currently the most widely used method.
Security protocol
  • IPSec protocol
  • SSL (Secure Socket Layer) Protocol
    The SSL Security Service is located between the transport layer communication protocol (TCP/IP) and the application layer. It can provide security services for the application layer, such as HTTP, FTP, and SMTP.
    HTTPS = http + SSL
    Working principle:
    In SSL, the sending segment compresses the data transmitted over the upper layer (HTTP), applies MAC (message authentication code), encrypts the data, adds an SSL header, and transmits SSL packets over TCP, the receiving end uses the SSL protocol to decrypt, verify, decompress, and reassemble the received data to obtain the plaintext (HTTP) message.
    Message authentication code (MAC) is placed at the back of the data packet to ensure data integrity, and is encrypted with the data. In this way, if the data is modified, the hash value cannot match the original verification code to detect whether the data is modified. Mac is also used to protect SSL connections from interference.
  • Establish SSL session (handshake negotiation ):
    1. Establish security capabilities
    2. Server authentication and key exchange
    3. client authentication and key exchange
    4. Complete
    SSL Protocol Security Analysis:
    1. prevent eavesdropping and man-in-the-middle attacks (in the middle of the channel, data is eavesdropped because of encryption, even if eavesdropped, there is no risk)-Prevent passive attacks
    2. Prevent clipboard attacks (prevent malicious information tampering and deletion)-Prevent active attacks
    3. protection against replay attacks and short packet attacks (SSL uses serial numbers to protect the communication party from packet replay attacks. In the entire SSL handshake, there is a unique random number to mark this SSL handshake, in this way, the replay can be multiplied .)
  • PGP (pretty good privacy) Protocol
    It is a hybrid encryption system designed for the security of email communication over the Internet. It consists of four cryptographic units: one-key password (encrypted mail), two-key password (Encrypted Key), one-way hash (digital signature), and random number generation algorithm.
Data backupThere are many causes of data destruction and loss, such as hard disk damage and virus intrusion. In general, the measures taken include installing firewall and anti-virus software. However, we don't want to imagine Wang Yu. The security and accuracy of data have always been greatly tested. Therefore, data backup is necessary, and it is the most important line of defense to prevent "Active attacks.
Data Backup Type:
  • Full backup
  • Differential backup,That is, all files changed after the last full backup are backed up. In other words, backup is not required if no change occurs.
  • Incremental Backup, Back up the file that changes after the last backup (completely or differently.
  • Backup on demand,Good selectivity.
Remote Backup is the core technology of the disaster recovery system. Information Security Assurance System
  • Establish a unified Identity Authentication System
    Identity Authentication is the most basic factor for information exchange. If the physical identities of both parties cannot be confirmed, information security cannot be guaranteed. ID Authentication instance, CA digital certificate, and VPN token.
  • Establish a unified information security management system
  • Establish a standardized information security and confidentiality system
    Information Confidentiality is an indispensable requirement of a large information application network.
  • Establish a sound network boundary protection system
    Important information networks are generally isolated from the public Internet to a certain extent, and there is a network boundary between the internal information network and the Internet. A complete network boundary protection system must be established.
Information security is characterized by ensuring the confidentiality, integrity, availability, controllability, and non-repudiation of information.

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.