Table of contents
Advantages and disadvantages of symmetric and asymmetric algorithms
How Asymmetric Encryption Can Solve the Dilemma of Symmetric Encryption
Key management is difficult
The Best Solution for Integrity and Identity Authentication
Application of Identity Authentication Technology
How to confirm that the sender of the information is really that person
Complete application of cryptography
Handshake process without client authentication
Handshake process with client authentication
Session recovery process (session has been established before, connect again)
The details of the SSL protocol
Cryptography
definition
Cryptography is the foundation of network security, information security, blockchain and other products. Asymmetric encryption, symmetric encryption, hash functions and so on all belong to cryptography. Cryptography has a history of thousands of years. From the earliest substitution method to today's asymmetric encryption algorithms, it has gone through three stages: classical cryptography, early modern cryptography and modern cryptography. Cryptography is not only the wisdom of mathematicians, but also an important foundation for today's cyberspace security.
Substitution method --- uses fixed rules to replace the original text with ciphertext that cannot be read directly. For example, "b" is replaced with "w" and "e" is replaced with "p", so that the word "bee" is transformed into "wpp", and people who don't know the replacement rules cannot read the meaning of the original text.
Cryptography for information transmission --- establishing a secure transmission channel in an insecure environment
Cipher --- plaintext --> algorithm + key --> ciphertext
Example:
Plaintext: ok
Using the Caesar cipher
Algorithm: shift the letters left or right by a number of positions
Key: shift right by 3 letters
Ciphertext: rn
Classification of ciphers
Symmetric encryption
Encryption and decryption use the same key; from a mathematical point of view it is a two-way function
Symmetric encryption must first ensure that the algorithm is sufficiently complex and the key transmission is sufficiently secure
Encrypted information transmission involves two channels:
- ciphertext transmission channel
- key delivery channel
There is a problem --- how the key is transmitted
Asymmetric encryption
In the Internet age, we hope to be able to transmit the key in an open way on the Internet
Diffie and Hellman created an asymmetric encryption algorithm --- the DH algorithm
The DH algorithm solves the problem of safe key transfer in public
Advantages and disadvantages of symmetric and asymmetric algorithms
- Symmetric encryption algorithm solves the safe transmission channel of information
- Asymmetric encryption algorithm solves the secure transmission channel of symmetric encryption algorithm key
- Symmetric encryption is fast but insecure
- Asymmetric encryption algorithms are slow but secure
The best solution --- Encrypt the key of the symmetric encryption algorithm with an asymmetric encryption algorithm
How Asymmetric Encryption Can Solve the Dilemma of Symmetric Encryption
Secure Key Transmission --- Flaws of Symmetric Encryption Algorithms
Key Transmission Risk
Alice and Bob must use a secure channel to transmit the symmetric key, but the channel for message transmission is not secure. The key of symmetric encryption A needs to be transmitted with symmetric encryption B --- the insecurity of B's key will lead to the insecurity of A.
Key management is difficult
Without asymmetric encryption, a company such as Baidu that needs to communicate securely with its users would need to store at least 300-500 million keys. With the asymmetric algorithm shown in the figure above, only one public key is required, while symmetric algorithms require billion-level keys.
common algorithm
Symmetric algorithm
asymmetric algorithm
The Best Solution for Integrity and Identity Authentication
Core principle --- private key encryption, public key decryption
Process --- Perform a hash operation on plaintext a to obtain a fixed-length value h, then perform the asymmetric operation on h, encrypting it with the private key to obtain the value k. Perform the symmetric operation on plaintext a to obtain y, and transmit y and k together. After receiving them, use the asymmetric public key to unlock k and get h', then use the symmetric algorithm to unlock y and get a, then hash a to get h''. If h' is the same as h'', integrity and identity authentication are proven.
Applications of Cryptography
Application of Identity Authentication Technology
Identity authentication --- by identifying and authenticating user identities, preventing attackers from impersonating legitimate users to gain access
Identity authentication technology --- an effective way to confirm the identity of the operator in the network
How to confirm that the sender of the information is really that person
The sender is Alice, who uses an asymmetric algorithm to generate private key A and public key B.
1. Alice gives the public key to Bob.
2. Alice sends a message: hello, world!
3. Alice encrypts the message with a symmetric encryption algorithm to obtain the encrypted information C.
4. Alice first uses a hash algorithm on hello, world! to calculate the hash value D.
5. Alice applies asymmetric encryption to the hash value D to obtain E. The E value is used for authentication.
6. Alice sends C and E together to Bob.
7. Bob receives the C and E values and first decrypts E with the asymmetric public key; if it can be decrypted normally, this proves that the C value belongs to Alice.
There is a problem
In step 1 above, if a hacker steals Alice's public key, there will be an identity authentication vulnerability.
Solve the problem
Solutions:
Guarantee that the step where Alice gives the public key to Bob is safe, and that the key really was given by Alice.
Find a way to prove that Alice's public key must belong to Alice.
Configure an "identity card" for the public key --- the digital certificate
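The hash, sign and verify steps above, and the reason the public key itself needs an "identity card", as an added example that is not part of the original page. It assumes textbook RSA over fixed Mersenne primes with no padding (toy parameters chosen so the arithmetic is visible), leaves out the symmetric encryption step C, and all function and variable names are hypothetical.

```python
import hashlib

# Textbook RSA with fixed Mersenne primes and no padding: constructed toy
# parameters that make the arithmetic visible, not a production scheme.
PUBLIC_EXPONENT = 65537

def make_keypair(p, q):
    """Return ((n, e), (n, d)) for primes p and q."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, PUBLIC_EXPONENT), (n, pow(PUBLIC_EXPONENT, -1, phi))

def digest(message, n):
    """Hash value D: SHA-256 of the message, reduced to fit the toy modulus."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def sign(message, private):
    """Value E in the steps: D transformed with the sender's private key."""
    n, d = private
    return pow(digest(message, n), d, n)

def verify(message, signature, public):
    """Bob's check: recover D from E with the public key, compare with his own hash."""
    n, e = public
    return pow(signature, e, n) == digest(message, n)

ALICE_PUB, ALICE_PRIV = make_keypair(2**127 - 1, 2**89 - 1)
# A second, unrelated key pair (constructed). Nothing in a bare public key
# says whose it is.
OTHER_PUB, OTHER_PRIV = make_keypair(2**107 - 1, 2**61 - 1)

def demo():
    msg = b"hello, world!"
    sig = sign(msg, ALICE_PRIV)
    return {
        "genuine": verify(msg, sig, ALICE_PUB),
        "tampered_message": verify(b"hello, world?", sig, ALICE_PUB),
        "wrong_key": verify(msg, sig, OTHER_PUB),
        # If Bob holds OTHER_PUB believing it is Alice's, a message signed with
        # OTHER_PRIV passes: the check ties the message to a key, not to a person.
        "unauthenticated_key": verify(msg, sign(msg, OTHER_PRIV), OTHER_PUB),
    }

if __name__ == "__main__":
    for case, ok in demo().items():
        print(case, ok)
```

The last case is the gap a certificate closes: Bob has to validate the binding between the key and Alice's identity before he trusts any signature made with it.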
CA
PKI
PKI system
PKI --- the collection of all software and hardware involved in creating, issuing, managing, and revoking certificates. Its core element is the digital certificate, and the core executor is the CA (certification authority).
CA center
digital certificate
Including --- user identity information; user public key information; identity verification agency information and signature data
Classification:
- Signing certificate --- authentication, non-repudiation
- Encryption certificate --- encryption, integrity and confidentiality
Complete Application of Cryptography
SSL protocol analysis
definition
SSL (Secure Sockets Layer) protocol --- Developed by Netscape Communications (Netscape) since 1990, it is used to secure WWW communication. Its main tasks are to provide privacy, message integrity and authentication.
Introduction
SSL --- a protocol that does not depend on the platform or the application program. It sits between the TCP/IP protocol and the various application layer protocols, and provides security support for data communication.
Handshake process without client authentication
Notice:
Possible attacks: replay attacks
Replay attack --- also known as a playback attack, means that the attacker re-sends a packet that the destination host has already received in order to deceive the system. It is mainly used against the identity authentication process and undermines the correctness of authentication.
PreMasterKey parameter --- the preliminary value from which the symmetric key is synthesized
initialization vector
Handshake process with client authentication
message type | parameter |
hello_request | null |
client_hello | version, random number, session ID, cipher suite, compression method |
server_hello | version, random number, session ID, cipher suite, compression method |
certificate | X.509v3 certificate chain |
server_key_exchange | parameter, signature |
certificate_request | type, authorization |
server_done | null |
certificate_verify | signature |
client_key_exchange | parameter, signature |
finished | hash value |
Session recovery process (session has been established before, connect again)
The details of the SSL protocol
protocol location
Notice:
SSL --- sits between the application layer and the TCP layer. Application layer data is no longer passed directly to the transport layer, but to the SSL layer. The SSL layer encrypts the data received from the application layer and adds its own SSL header.
Architecture
SSL Handshake Protocol --- Built on the SSL record protocol, it is used for identity authentication, negotiation of encryption algorithms, and exchange of encryption keys before the actual data transmission begins.
SSL Record Protocol --- Built on a reliable transmission protocol (such as TCP), it provides basic functions such as data encapsulation, compression, and encryption to higher-level protocols.
Notice:
The SSL protocol is actually a protocol family composed of the SSL handshake protocol, the SSL change cipher spec protocol, the SSL alert protocol, and the SSL record protocol.
SSL change cipher spec protocol --- After the client and the server complete the handshake protocol, each needs to send a message to the other party (the message contains only a single byte with a value of 1), informing it that subsequent data will be processed with the newly negotiated cipher specification and associated keys. The protocol is also responsible for coordinating the local modules so that they work according to the negotiated algorithm and key.
SSL alert protocol --- used to deliver SSL-related alerts to the peer entity. If either party finds any abnormality during communication, it needs to send an alert message to the other party.
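How the record protocol carries the other three protocols can be seen by splitting a byte stream on the 5-byte record header; the following parser is an added example, not code from the original page. The content-type and message-type numbers follow the SSL 3.0 numbering, the message names are the ones used in the table above, and the sample bytes are constructed.

```python
import struct

# Record content types and handshake message types (SSL 3.0 numbering).
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}
HANDSHAKE_TYPES = {0: "hello_request", 1: "client_hello", 2: "server_hello",
                   11: "certificate", 12: "server_key_exchange",
                   13: "certificate_request", 14: "server_done",
                   15: "certificate_verify", 16: "client_key_exchange",
                   20: "finished"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}

def parse_records(stream):
    """Split a byte stream into SSL records and describe each one."""
    out, pos = [], 0
    while pos < len(stream):
        if len(stream) - pos < 5:
            raise ValueError("truncated record header")
        # Header: content type (1), version major/minor (2), body length (2).
        ctype, major, minor, length = struct.unpack_from("!BBBH", stream, pos)
        body = stream[pos + 5 : pos + 5 + length]
        if len(body) != length:
            raise ValueError("truncated record body")
        detail = None
        if ctype == 20:
            # The change cipher spec message is exactly one byte with value 1.
            detail = "valid" if body == b"\x01" else "malformed"
        elif ctype == 21 and length == 2:
            # Unencrypted alert: level byte, then description byte.
            detail = (ALERT_LEVELS.get(body[0], "unknown"), body[1])
        elif ctype == 22 and length >= 4:
            # Handshake header: 1-byte message type, 3-byte body length.
            detail = (HANDSHAKE_TYPES.get(body[0], "unknown"),
                      int.from_bytes(body[1:4], "big"))
        out.append((CONTENT_TYPES.get(ctype, "unknown(%d)" % ctype),
                    (major, minor), detail))
        pos += 5 + length
    return out

# Constructed sample, version 3.0: three independent records concatenated
# (hello_request, a fatal alert with description 40, change_cipher_spec).
SAMPLE = bytes.fromhex("1603000004" "00000000" "1503000002" "0228"
                       "1403000001" "01")

if __name__ == "__main__":
    for record in parse_records(SAMPLE):
        print(record)
```

Records sent after change_cipher_spec are encrypted, so a passive parser like this one can only label their content type and length.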
Two concepts of SSL
Connection --- a transport that provides a suitable type of service (OSI layered definition). In SSL, connections are point-to-point relationships. Connections are transient, and each connection is associated with a session.
Session --- an association between a client and a server. Sessions are created by the handshake protocol. A session defines a set of cryptographic security parameters that can be shared by multiple connections. Sessions are used to avoid the expensive negotiation required to provide new security parameters for each connection.