Website Security Series article (i) Encryption and signing

1. Encryption overview

Encrypted scenarios

1) password encryption, often used for login password and payment password, such as the characteristics of this type of encryption is not to be decrypted after the password encryption, so it can be more secure to save the password without leaking clear text, so suitable for the use of irreversible encryption algorithm, and do not need a key, the current encryption algorithm is the only way to crack the brute force, That is, using a password dictionary and other means

Irreversible cryptographic algorithms have MD5

2) network Transmission message Encryption

Network transmission If the use of clear text, easy to be intercepted, after the disclosure of user-sensitive information, so for the transaction class, such as high security requirements of the message transmission, to encrypt it, and to choose a reversible encryption algorithm, the server needs to decrypt, can choose the encryption algorithm has rsa,3des, etc.

3DES Cryptography Flaws :

3DES is a symmetric encryption algorithm that encrypts and decrypts the same key, so that the secret key is compromised in the distribution and delivery key.

Scenario One: The two parties agree on an encryption key, the key can be distributed through the offline secret, so long as the two sides ensure that the key is not compromised, then the encryption will be safe

However, the solution still has the following drawbacks:

1. If the key is not replaced for a long time, it is easy to leak, then it is not safe to distribute the key again

2. If the client is used by a normal user, it cannot guarantee the security of the key, so it is not suitable for 3DES

This refers to the persistence of the Save key.

Scenario Two: Each request generates a random key, the key is transmitted over the network and transferred to the server, so that the client does not need to save the key, and then the network transfer key is still unsafe

Rsa Cryptography Flaws:

RSA encrypted messages are slow and suitable for users to encrypt small amounts of data

So there is no better solution, of course, that is the RSA and 3DES together encryption

With 3DES encryption message, with RSA encryption 3DES key, so in the transmission process, can ensure that the 3DES key is not leaked, so as to ensure that the message ciphertext is not cracked

Examples of encryption methods:

Request message: RSA public key (3DES encryption key) |3des (report civilized text)

Response message: 3DES (report civilized text)

Specific program Flow:

1) The client first randomly generates a 3DES key on each request server, and temporarily saves the key in the client program's memory

2) and then use 3DES to report civilized text encryption to get ciphertext m

3) Encrypt the 3DES key with RSA public key to get ciphertext n

4) The M and N are stitched together and sent to the server

5) The server uses RSA private key to decrypt the 3DES key

6) Use the 3DES key to decrypt the message

7) When responding, encrypt the response message with 3DES

8) The client decrypts the response message with the saved 3DES key.

9) Discard the 3DES key after decryption

2. Signature overview

The meaning of the signature:

Digital signature can guarantee the originality and integrality of information, so the digital signature can solve the problems of denial, forgery, tampering and impersonation. Specific requirements: After the sender can not deny the message signature sent, the recipient can verify the sender's message signature, the recipient can not forge the sender's message signature, the recipient can not be part of the sender's message tampering, a user in the network can not impersonate another user as the sender or receiver

Specific options:

Scenario one (MD5 encryption algorithm + key for signing):

First in the data sender, the message and the key together, then MD5 encryption, the message after the encryption is called the signature, and then the signature and the original message is sent to the service side, the service side also has a key to the signature verification, so even if the message transmission process was tampered with, because the tamper does not know the key, There is no way to work out the correct signature, so the service is signed, and the signature is bound to the client, which ensures that the message is from a legitimate client.

Effect of Scenario 1:

Ensure the integrity of data transmission

Ensure that the data originates from a legitimate client, that other users (other than the server) cannot forge or tamper

But the client can deny it because the server can impersonate the signature

The typical case for this scenario is the MD5 signature

Scenario Two (Mac signature)

Use a key to encrypt the message segment with Des

Similar to Scenario 1, because of this scheme, the encryption algorithm of key and message is more complex, so it is more secure than MD5.

Programme III (RSA+MD5)

Using the MD5 algorithm to encrypt the message to get a string m, with the RSA private key to the M encryption to get the signature s

Recipient of the message with MD5 encryption to get M1, with RSA public key decryption s get m2, compare M1 and M2

The scheme achieves the effect of scenario 1, and the encryption algorithm is also secure, and because the sender's key is unique, even the recipient, can not forge the signature, so the sender can not deny their own signature

3. Encryption algorithm Classification

Symmetric and asymmetric

From the key point of view, encryption algorithm is divided into symmetric and asymmetric encryption

Symmetric encryption:

The encryption password and decryption password are the same

Des

3des

Asymmetric Encryption:

The encryption password and decryption password are not the same

Rsa

Reversible and irreversible

From the reversible point of view, can be divided into irreversible and reversible algorithm

Irreversible: MD5, not decrypted after the completion of the encryption

Reversible encryption:

Rsa,des,3des

After the completion of the secret can be solved

4. MD5 encryption

Purpose: Commonly used for password encryption and signing

The basic algorithm is to find redundancy

Principle please refer to article: http://www.jiamisoft.com/blog/index.php/2271-md5jiamisuanfa-2.html

5. des

Principle

DES uses a 56-bit key and an additional 8-bit parity bit to produce a maximum of 64-bit packet size. This is an iterative grouping cipher that uses a technique called Feistel, which divides the encrypted block of text into two halves. Use the sub-key to apply the loop function to half of them, then "XOR" the output with the other half, and then swap the two halves, the process will continue, but the last loop does not swap. DES uses 16 loops, using XOR, permutation, substitution, and shift operations for four basic operations.

For more information, please refer to: http://aub.iteye.com/blog/1131504

6.3DES

An encryption algorithm that is more secure than DES encryption

Please refer to: http://aub.iteye.com/blog/1131514

7. RSA

Encryption: Public key encryption, private key decryption, know the public key, ciphertext, clear text cannot deduce the private key, only the private key can be decrypted, as long as the private key, ciphertext will not leak, encryption security is high

Principle please refer to the article:

RSA algorithm principle 1http://www.ruanyifeng.com/blog/2013/06/rsa_algorithm_part_one.html

RSA Algorithm Principle 2

Http://www.ruanyifeng.com/blog/2013/07/rsa_algorithm_part_two.html

8. HTTPS

HTTPS is also encrypted based on asymmetric encryption algorithms (such as RSA) and symmetric encryption algorithms (such as 3DES).

Reference article: http://www.guokr.com/post/114121/

Website Security Series article (i) Encryption and signing