1. Confidentiality of data: to ensure that the transmitted data is not read
2. Data integrity: to ensure that the transmitted data is not destroyed
3. User authentication: to ensure that the transmission The identity of the party is correct Confidentiality of
data :
In order to prevent the transmitted data from being read, the data can be encrypted, because the data is transmitted in clear text by default.
The entire encryption process can be understood as follows:
encryption: plaintext--->conversion rules--->ciphertext
decryption: ciphertext--->conversion rules--->plaintext
The conversion rules here are the encryption/decryption algorithms we often say, There are 2 main encryption algorithms:
1. Asymmetric encryption algorithm: use public key encryption, private key decryption
2. Symmetric encryption algorithm: encryption and decryption keys are the same.
Because asymmetric encryption algorithm is relatively slow, we often encrypt data in general. Using a symmetric encryption algorithm, although the symmetric encryption algorithm can solve the confidentiality of the data, it cannot manage the key problem.
Data integrity:
For data integrity, one-way encryption algorithm is generally used. One-way encryption has the following characteristics:
1. The input is the same, the output must be the same.
2. It has an avalanche effect, that is, a small change will cause a huge result. Change
3. Fixed-length output: no matter how big the original data is, the result size is the same
4. It is irreversible, and the original data cannot be restored according to the feature code
The process of one-way encryption to ensure data integrity is as follows:
First, in order to prevent the plaintext data from being tampered with by others, user A uses a one-way encryption algorithm to generate a feature code A, and then converts data A and feature code A. sent to User B together. When user B receives data A and feature code A, it also uses the same one-way encryption algorithm for data A, and also generates a feature code B; if the feature codes A and B are the same, the data is complete; otherwise, Data is incomplete.
Although the one-way encryption algorithm can guarantee the integrity of the data, but there are still problems?
Just imagine, if user A is accidentally attacked by user C when transmitting data to B, so that the data sent by user A is sent to user C, and user C also encrypts the data in one way. If it is, a feature code C will also be produced, and then the data and feature code C will be sent to user B. Obviously, user B encrypts the data in one direction, and the feature code produced is the same as C. At this time, although the feature codes are the same, this is not the data sent by user A, and user B at this time cannot judge whether the source of the data is correct, so we need to authenticate the source of the data. Only in this way can the legality and integrity of the data be guaranteed.
How can I make sure that the sender's identity is correct?
User authentication:
To authenticate a user, an asymmetric encryption algorithm is required:
an asymmetric encryption algorithm consists of a public key (P) and a private key (S).
If the sender uses its own private key to Encryption can achieve authentication and data integrity
. If the sender uses the public key to encrypt, the confidentiality of
the data can be guaranteed. The data encrypted by the public key can only be decrypted by the corresponding private key, so this mechanism can be used to ensure the confidentiality of
the data. Symmetric encryption algorithms are slow and therefore rarely used to encrypt data
If A's private key is used to encrypt the feature code at this time, and C obtains the data and feature code sent by A in time, the feature code can also be decrypted (because the public key is public), and C's own private key is used to encrypt the feature code. , but he still can't restore A's feature code, so the data and feature code sent to B are encrypted with C's private key, so when B receives the data and feature code, if it can use A's public key to decrypt the description It is sent by A; otherwise, it is not sent by A, and B will not believe the data sent at this time.
Therefore, this mechanism can be used to implement authentication and guarantee data integrity. In this process, the most important thing is the public key.
If A and B exchange data for the first time, at this time A and B do not know who the two parties are, so if someone pretends to replace A or B, then all the data is between A or B and the impostor, At this time, A and B do not really transmit data.
Therefore, in order to achieve identity verification, it is necessary to use a third-party organization to realize it. The whole process is as follows:
when user A wants to send data to B, it first produces a key pair (private key and public key), and then the third-party organization will also Produce a public key and a private key, use your own public key to produce a certificate, and use your own private key to encrypt the data sent by A. This data probably includes: user name, user address, user A's public key. Then a feature code is generated, which constitutes a digital certificate, which is sent to user B together. User B receives the certificate sent by A. At this time, User B needs to confirm whether the certificate is valid and authentic. Since this certificate is encrypted by the private key of the certificate authority, it needs to be decrypted using the public key of the third-party authority. can only be viewed, so user B can decrypt this data by purchasing a certificate from a third-party organization. After the decryption is completed, the certificate contains A's public key, and it can be determined whether the certificate is sent by user A.
So how is the confidentiality of the data guaranteed?
1. Use a key exchange algorithm (Internet Key Exchange, IKE) to generate a symmetric key
The key exchange algorithm is implemented using the Diffle-Hellman protocol. The general working principle is:
When A--->B transmits data, only g (large prime number) and p (generated number) are passed, and then user A produces locally. An x,
user B produces a y locally.
Then user A produces a number according to g, p, x as (g^x%p), and then passes this number to user B;
user B also produces a number according to g, p, y as (g^y%p) , which is passed to User A.
Therefore, only the four numbers g, p, (g^x%p), and (g^y%p) are passed on the Internet at this time, and x and y will not be passed on the Internet.
At this time, A is obtaining another data (g^y%p)^x according to the data passed by B, and this data is the key;
and B also generates another key (g^x%p) according to the data passed by A )^y, the keys produced by user A and user B at this time are symmetric keys.
After the symmetric key is produced, the data and feature code can be encrypted, and when user B receives the data, it can also be decrypted accordingly. In this way, the confidentiality of the data is achieved, but due to the complexity of using the exchange key, another method can be used to ensure the confidentiality of the data.
2. User A randomly generates a number, uses the random number to encrypt the data and the feature code, and uses B's public key to encrypt the random number, and then encrypts the data with the random number together with the feature code + data A sends it to user B.
At this time, user B can use his private key to decrypt the random number, use this random number to decrypt data A and the feature code, and finally use user A's public key to decrypt the feature code, which ensures that Data confidentiality, data integrity and authentication.
Encryption type:
1. Symmetric encryption:
DES: Data Encrption Standard, 56bit
3DES:
AES: Advanced
AES192, AES256, AES512
Blowfish
2. One-way encryption:
MD4
MD5
SHA1
SHA192, SHA256, SHA384
CRC-32
3. Public key encryption (asymmetric encryption) The
public key encryption algorithm can realize authentication (digital signature), data encryption, and key exchange.
There are two main algorithms:
RSA: This algorithm can both sign and encrypt
DSA: This algorithm can only realize signature.
Another algorithm is Commercial version, called ElGamal