Cryptography is the science of studying information security protection in order to realize the confidentiality, integrity, availability and non-repudiation of information. Simply put , it is the comprehensive protection of the transmitted information without blind spots!
Cryptography is mainly composed of two parts: password encoding and cryptanalysis. Cryptography studies the transformation and processing of information to realize the security protection of information, and cryptanalysis studies the corresponding plaintext information through ciphertext. To put it simply, it is the study of cryptographic coding to study encryption technology, and cryptanalysis to study how to crack a code.
0x01 password system
Cryptosystem consists of the following five parts
Plaintext space M: messages that need to be protected by cryptographic technology
Ciphertext space C: the result of plaintext processed with cryptographic technology
Key space K: K=< K e K_eKe, K d K_d Kd>, each K consists of an encryption key K e K_eKeAnd decryption key K d K_dKdcomposition
Encryption Algorithm E: The group operation algorithm used to transform plaintext into ciphertext
Decryption Algorithm D: The group operation algorithm used to restore the ciphertext to plaintext
0x02 cryptosystem
Obviously, if K d = K e K_d=K_eKd=Ke, Known as single key cryptosystem or symmetric cryptosystem or traditional cryptosystem . Otherwise, it is a dual-key system . Furthermore, if K d K_dKdCan’t be K e K_eKeLaunch, you can put K e K_eKeOpen without harming K d K_dKdThis kind of cryptosystem is called public key cryptosystem , or public key cryptosystem for short.
0x02.1 Symmetric cryptosystem
Symmetrical cryptography (private key cryptography) : A cryptosystem that uses the same key for encryption, decryption and decryption when transforming information between plain and cipher text
Security depends on:
1. The security of encryption algorithm
2. The secret of the key
Advantages: high efficiency, simple algorithm, fast encryption speed, suitable for a large number of encryption
Disadvantages:
- The sender and receiver of the message must exchange keys in advance through a secure channel
- n users, you need n (n − 1) / 2 n(n-1)/2n(n−1 ) / 2 keys, difficult key management
- Unable to authenticate the message source, unable to digitally sign
Purpose: Encryption demand with large amount of information
Representative algorithms: DES algorithm, 3DES algorithm, IDEA algorithm, AES algorithm, SM4 grouping algorithm
0x02.2 Asymmetric cryptosystem
Asymmetric cryptosystem (public key cryptosystem) : A cryptosystem in which the encryption and decryption keys are different when the information is converted from plain to cipher text.
In an asymmetric cryptographic system, each user has a pair of keys, one for encryption and one for decryption. The encryption key can be made public and is called a public key. The decryption key is a secret and is called a private key. Key, only the user knows.
advantage:
- Convenient key distribution
- Less key storage
- Support digital signature
Disadvantages: slow implementation speed, not suitable for encryption with large amount of information
Purpose: suitable for encrypting critical and core confidential data
Representative algorithms: RSA algorithm, ElGamal algorithm, elliptic curve encryption algorithm
Question: Since the public key is publicly available,
1. If someone encrypts data with his own public key and sends it to me, I can’t tell who sent the data
2. Anyone who knows the user's public key can decrypt the data encrypted by the user's private key.
Representative algorithm: RSA algorithm
-
Related mathematical foundation
-
Euler function: For a positive integer n, the number of positive integers less than n and relatively prime to n is recorded as φ(n).
对于一个素数n,可知φ(n) = n-1 对于两个素数p和q,它们的乘积满足n = p * q,则可知φ(n) = (p-1) * (q-1) -
Euclid's algorithm: gcd(a,b) represents the greatest common divisor of a and b
gcd(a,b) = 1,表示a,b最大公约数为1,说明a和b互质 -
Congruence:
If two integers a, b are divided by the integer m, the remainders are equal, then a and b are congruent with respect to modulo m, or a congruence b modulo m, denoted as a ≡ b (mod m) a \equiv b (mod\;m)a≡b(modm)
-
-
Definition of RSA cryptosystem parameters
- Randomly select two large prime numbers p and q (secret)
- Calculate n = p * q (n public)
- Calculate φ(n) = (p-1) * (q-1) (φ(n) is confidential)
- Randomly select a positive integer e, and satisfy 1 <e <φ(n), and gcd(e,φ(n)) = 1 (e is public)
- According to e ∗ d = 1 mod φ (n) e*d=1\;mod\;φ(n)e∗d=1modφ ( n ) , find d (d is confidential)
- Encryption operation C = M e mod n C=M^e\;mod\;nC=Memodn Decryption operationM = C d mod n M=C^d\;mod\;nM=Cdmodn
The public encryption key K e K_e of the RSA passwordKe=<n,e>, the secret decryption key K d K_dKd=<p,q,d,φ(n)>
-
Characteristics of RSA ciphers
- RSA algorithm has the reversibility of encryption and decryption algorithms, and the encryption and decryption operations can be exchanged, which can ensure the secrecy and authenticity of data at the same time
- The core operation of RSA cipher is modular exponentiation operation, which achieves high efficiency
-
Security of RSA password
- Ensure that the selected prime numbers p and q are large enough so that decomposing n with a given n is computationally infeasible. A sufficiently large integer n should be used. Generally, n should be at least 1024 bits, usually 2048 bits
0x02.3 Hybrid encryption system
Hybrid encryption system : A system that uses both symmetric and asymmetric encryption.
A big problem with symmetric encryption is how the two parties in communication transmit the key to each other. For security reasons, out-of-band transmission is generally adopted. That is to say, if the encrypted communication is on the network, the transmission of the key needs to be through other channels, such as SMS, even In this way, it is difficult to guarantee the security of key transmission. In addition, the key should be replaced regularly for security, which makes the key distribution and management more difficult.
The biggest advantage of asymmetric encryption is that it does not need to transmit the key in advance, but the speed is slow.
Therefore, in practical applications, a mixed cryptosystem is often adopted.
Assuming that Harden and James want to achieve confidential communication, the working process is as follows:
1. The message sender Harden encrypts the message to be sent with a symmetric key
2, Harden by James public key to a symmetric key encryption, digital envelope formed
3. Harden sends the encrypted message and digital envelope to James
4. After James receives Harden's encrypted message and digital envelope, he first uses his private key to unlock the digital envelope to obtain the symmetric key
5. James uses the symmetric key to decrypt the encrypted message
0x02.4 Domestic commercial cryptographic algorithm
0x03 Hash function and message digest
Hash function is also called Hash function, which can produce fixed-length output for input information of different lengths.
The fixed-length output is called the hash or message digest of the original message . The message digest has a fixed length and is much smaller than the original information. Generally, the message digest is irreversible, that is, the original text cannot be restored from the message digest.
Let h denote the Hash function, and h satisfies the following conditions:
1. The input length is arbitrary, and the output is fixed
2. It is easy to calculate h(M) for each given h and M
3. Given h, find two different M1 and M2 so that h(M1)=h(M2) is computationally infeasible
Common hash algorithms: MD5, SHA, SM3, SHA-1
| Algorithm name | Algorithm feature description |
|---|---|
| MD5 algorithm | Input 512 bits to generate 128-bit message digest, often used for file integrity check |
| SHA algorithm | Input 512 bits to generate 160-bit message digest, which is more secure than MD5. There are versions SHA-2 and SHA-3 |
| SM3 domestic algorithm | Enter 512 bits to generate a 256-bit message digest |
0x04 digital signature
Digital signature means that the sender signs a message or file in electronic form. The signed message or file can be transmitted on the network, and the signer is responsible for the content of the message or file.
The digital signature uses a combination of message digest and asymmetric encryption technology.
The digital signature meets the following three conditions:
1. Non-repudiation. The signer cannot deny his signature afterwards
2. Authenticity. The recipient can verify the signature, and no one else can forge the signature
3. Distinguishability. When the two parties have a dispute about the authenticity of the signature, the third party can resolve the dispute between the two parties
Suppose Harden needs to sign and send an electronic contract document to James.
Schematic diagram of Harden digital signature:
1. Harden uses the Hash function to generate a message summary from the electronic contract file
2. Harden uses its own private key to encrypt the message digest to form a digital signature
3. Harden sends the electronic contract document and digital signature to James
After James receives the electronic contract document and digital signature sent by Harden, the process of verifying the digital signature is as follows:
1. James uses the same Hash function as Harden to calculate the message digest of the received electronic contract
2. James uses Harden’s public key to decrypt the digital signature from Harden and restore Harden’s message digest
3. James compares the similarities and differences between the message digest calculated by James and the message digest recovered by Harden. If the digest is the same, it means that the electronic contract document comes from Harden, otherwise it means that the electronic contract document has been tampered with.
0x05 digital certificate
A digital certificate, also called a public key certificate, is an authoritative electronic document, issued by an authoritative and impartial third-party certification authority (CA), and is widely used in fields that require identity authentication and data security.
To put it simply, digital certificates can be analogous to our ID number, while a third-party certification authority (CA) is equivalent to a public security bureau.
We all know that when checking into the hotel, you must show your ID to the front desk staff, and the staff will compare the ID with the ID information stored in the hotel system, and you can check in. In the network, the role of a digital certificate is equivalent to an ID card .
The format of the digital certificate:
The simplest can be: public key, name and digital signature of certificate authority
At present, X.509 is a universal certificate format. Its third version is currently widely used. The content of the certificate includes: version, serial number, signature algorithm identification, issuer, validity period, subject, subject public key, CA number Signature, optional type, etc.
Types of digital certificates:
1. Server certificate: Prove the identity of the server and encrypt the communication. The client can establish an SSL connection with the server, and then the communication data will be encrypted.
2. E-mail certificate: Prove the authenticity of the sender of the e-mail, and can also send encrypted e-mails, which can only be opened by the receiver.
3. Client certificate: It is mainly used for identity verification and digital signature. The secure client certificate is often stored in a special USBKey. When using it, you need to enter a protection password to prevent it from being exported and copied, such as fingerprint recognition, voice broadcast, USBKey with display and so on.