Embedded software test preparation_5 Basic knowledge of security

Security Basics

Overview of Cybersecurity Issues

Passive-aggressive: listening (interception).

Active attack: active destruction (interruption tampering, virus, ddos ​​makes a certain service denial of service, replay attack: hacker intercepts the encrypted message of normal user input username and password, changes the ip header and sends the message to the server , can also pass the authentication).

Example: Distinguish between active and passive attacks.

Three major contents of network security: confidentiality (providing confidential communication), security protocol design (for specific issues), and access control (permissions).

Symmetric encryption algorithm: the encryption key and the decryption key are the same.

• DES: replace + shift. It is easy to crack. 56 bits.
• 3DES: Two keys, 1 encryption-2 decryption-1 encryption, decryption is just the opposite.
• RC-5: Stream encryption with more key bits.
• IDEA。
• AES has replaced DES.

Symmetric encryption algorithms are fast, but the strength is very low. Moreover, it is inconvenient to distribute the key, and it will be over if someone intercepts it during the distribution process.

Public key cryptography (asymmetric encryption algorithm): Encryption and decryption keys are different.

The public key is public, A sends a message to B, encrypts it with B's public key, and B decrypts it with its own private key. Don't worry about distribution.

• RSA。
• Elgamal。
• ECC。

The key has thousands of bits, the speed is slow, and large files are not suitable for use.

Digital signatures and message digests

Authentication and encryption are not the same thing. Authentication is to determine whether the communication object is the person you want to send, or an imposter.

Entity authentication: confirm that the sender is correct, non-repudiation. such as digital signatures.

Message authentication: Make sure that the message is sent by the sender, not forged and tampered by others. Such as message summary.

Digital signature: A uses the private key to process the ciphertext, sends the ciphertext to B, and B uses A's public key to restore it. But everyone can receive the message, and after knowing who sent it, they can decrypt it.

Encrypted digital signature: Sign with A's private key first, and then encrypt with B's public key. B decrypts with his private key and verifies the signature with A's public key.

Message digest: such as md5 message digest algorithm, sha secure hash algorithm, sha is long but slow. Use the hash function to return a string of variable length strings.

• For the same digest algorithm, no matter what the input data is, the output is a value of the same length. For example MD5, no matter how big the data is, the output is always a 128-bit hash value.
• The digest algorithm is one-way, and its digest value can only be calculated based on the original data, but the original data cannot be reversely calculated based on the digest value.
• The better the digest algorithm, the harder it is to find Hash collisions. Although long content generates short summaries, collisions are bound to occur, but it is difficult for an excellent summarization algorithm to actively construct two pieces of data so that their summaries are the same.

What are message digest (Digest), digital signature (Signature), and digital certificate (Certificate)? _Digital Signature and Message Digest_T-OPEN's Blog-CSDN Blog

A first generates a hash value by digest operation, then generates an authentication code by private key operation, and sends both the original data message x and the authentication code to B; B uses A's public key to calculate the message digest, and then performs digest operation on the original data to generate Hash value, compare the two to determine whether it has been modified during transmission.

digital envelope

Digital encryption and non-digital encryption have their own advantages and disadvantages, and are usually used in combination, such as the digital envelope is the product of the combination.

A encrypts with a symmetric key - encrypts asymmetrically with B's public key - B decrypts asymmetrically with a private key - B decrypts symmetrically with a public key. That is, the email body is encrypted with a symmetric key, and the package of the email (session key, symmetric key) is encrypted with an asymmetric key.

Example: E-mail transmission, encrypted transmission (encryption), maximum 500MB (asymmetric algorithm cannot be used), non-repudiation (digital signature), intercepted third party cannot change (message digest). Please design a plan.

We encrypt with a random key and send the email ciphertext;

The digest operation generates a hash value, and then uses the sender's private key digital signature to calculate the digest ciphertext and sends it to the receiver. The receiver uses the sender's public key to unlock the digital signature, and then decrypts the email ciphertext. After the digest operation, compare whether Same.

Remember to send the random key again. The K key can be encrypted with the recipient's public key, asymmetric encryption.

PKI

public key infrastructure.

What if A gives B the public key and C the public key, and how to avoid this situation?

CA: Certificate Authority, which issues digital certificates, similar to ID cards, can bind each user's public key with its related information.

Signature of the certification body: It is equivalent to stamping the certificate by the Public Security Bureau, and the stamped description will take effect.

CA process:

1. The receiver generates its own key.
2. The public key is sent to the CA for registration.
3. The CA digitally signs the public key with its own private key.
4. The sender gets the public key signed by the CA.
5. The sender verifies the digital signature with the CA public key to confirm the legitimacy.
6. If it is legal, use the obtained receiver public key to send the message.

firewall

Packet filtering: separate the internal network and external network.

Status inspection: You can perform status inspection on the router at the network layer, and set which ports ip packets can pass through.

Dual-home host: a server deployed at the application layer that can filter data.

Shielded host: A shielded router is established on the external network, and there is also a bastion host on the internal network. Double-layer defense is more secure.

Blocked subnets: Allow external networks to access content in blocked subnets (perimeter networks), but not internal networks.

Picture reference: shielded subnet architecture of firewall structure_whoim_i's blog-CSDN blog

Firewalls cannot detect viruses.

Intrusion Detection System

Computer Virus: Self-replicating code inserted into a program to damage a computer or data.

Virus

Antivirus system:

Network Security Protocol

Isolation: Wired. Shield: Wireless.

Data Link Layer: Some protocols for tunneling.

IPSec: Used to encrypt IP datagrams. There are two types, one is to package the IP datagram as a whole, and then encapsulate the IP in the header; the other is to extract the IP header first, then encrypt the data, and then add the IP header back.

https: port 443, http+ssl.

PGP: Email Protocol.