System Security Analysis and Design

Chapter Five, System Security Analysis and Design

1. Information system security attributes

Security attributes
Confidentiality: principle of least privilege, anti-exposure, information encryption, physical confidentiality

The principle of least privilege means granting a program or user only the minimum privileges necessary to perform the desired task. That is, authorization should be as restrictive as possible.

Integrity: security protocol, verification code, password verification, digital signature, notarization
Availability: comprehensive guarantee (IP filtering, business flow control, routing control, audit trail)
Non-repudiation: digital signature

2. Symmetric encryption technology and asymmetric encryption technology

Common symmetric key encryption algorithms (shared key encryption):

  1. DES: substitution + shift, 56-bit key, 64-bit data block, fast, keys are easy to generate
  2. 3DES (triple DES): two 56-bit keys K1, K2
    Encryption: K1 encryption -> K2 decryption -> K1 encryption
    Decryption: K1 decryption -> K2 encryption -> K1 decryption
  3. AES: the Advanced Encryption Standard, also known as the Rijndael encryption method, is a block encryption standard adopted by the US federal government. It replaces the original DES, and its requirement is to be "at least as safe as 3DES".
  4. RC-5: Many products from RSA Data Security use RC-5.
  5. IDEA: 128-bit key, 64-bit data block, better encryption than DES, relatively low demands on computing power; used in PGP.

Defects: (1) the encryption strength is not high; (2) the secret key is difficult to distribute.

Common asymmetric key encryption algorithms (public key encryption):

  1. RSA: 512-bit (or 1024-bit) key, extremely computationally intensive, difficult to crack
  2. Elgamal: its basis is the Diffie-Hellman key exchange algorithm
  3. ECC: Elliptic Curve Algorithm
  4. Other asymmetric algorithms include: knapsack algorithm, Rabin, DH

Cons: slow encryption

Generally speaking, asymmetric encryption is used during data transmission to encrypt the key of the symmetric encryption algorithm, while symmetric encryption is used to encrypt and protect the transmitted data itself. In this way, the speed of encryption and decryption and the difficulty of implementation can both be taken into account while ensuring security.

3. Information digest

One-way hash function (one-way Hash function), fixed-length hash value.

An information digest, also known as a hash, is produced by transforming an input (message) of any length into a fixed-length output string through a hash function. This output string is the hash value, also known as the digest or fingerprint. A hash function is an irreversible one-way function, generally used to ensure the integrity of data; in cryptography it can be used in digital signatures, message authentication codes, random number generation, etc.

Commonly used message digest algorithms include MD5, SHA, etc. The hash values of the widely used MD5 and SHA algorithms are 128 and 160 bits respectively. Since SHA produces a longer hash value, it is more secure than MD5.

4. Digital signature

A digital signature is formed by encrypting the original data with the sender's private key; the receiver then decrypts and verifies the signature with the sender's public key. Digital signatures can be used to verify message integrity, authenticate the sender and prevent repudiation, and are widely used in modern communication and e-commerce.

5. Digital envelope and PGP

The sender encrypts the original text with a symmetric key for transmission, then encrypts the symmetric key with the receiver's public key and sends it to the other party. The receiver, on receiving the electronic envelope, uses its own private key to open the envelope, takes out the symmetric key and uses it to decrypt the original text.

PGP (Pretty Good Privacy) is software for encrypting, signing, and compressing electronic files, and also a secure communication protocol based on asymmetric key encryption. PGP uses a hybrid encryption method: it encrypts the file content with a symmetric key, then encrypts the symmetric key with the receiver's public key, and finally sends the ciphertext to the receiver. The recipient decrypts the symmetric key with its own private key, and then uses the symmetric key to decrypt the file content.

  1. PGP can be used for email, but also for file storage. Hybrid algorithms are used, including IDEA, RSA, MD5, and ZIP data compression algorithms.
  2. PGP recognizes two different certificate formats: PGP certificates and X.509 certificates.
  3. The PGP certificate includes the PGP version number, the public key of the certificate holder, the information of the certificate holder, the digital signature of the certificate holder, the validity period of the certificate, and the preferred symmetric encryption algorithm for the key.
  4. The X.509 certificate includes the certificate version, certificate serial number, signature algorithm identifier, certificate validity period, and the following data: certificate issuer name, certificate subject name, subject public key information, and issuer's digital signature.

Exercise – Designing an Email Encryption System
Requirements: emails must be transmitted in encrypted form; an email attachment can be up to 500MB; the sender must not be able to deny sending; if the email is intercepted by a third party, the third party must not be able to tamper with it.

Emails must be transmitted in encrypted form, with attachments of up to 500MB: Symmetric encryption
Sender non-repudiation: Digital signature
If the email is intercepted by a third party, the third party cannot tamper with it: Information digest
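
The three answers above combined into one send/receive flow, as an added example that is not part of the original notes, using Node.js's built-in crypto module. The function and field names (seal, open, wrappedKey and so on) are assumptions for illustration, and AES-256-GCM, RSA and SHA-256 are chosen here as concrete instances of the symmetric, asymmetric and digest algorithms the notes describe.

```javascript
const {
  generateKeyPairSync, randomBytes, createCipheriv, createDecipheriv,
  publicEncrypt, privateDecrypt, sign, verify,
} = require('node:crypto');

// Sender side. Signature: SHA-256 digest signed with the sender's private key.
// Body: encrypted with a fresh AES-256-GCM key (fast enough for large
// attachments). Envelope: that key encrypted with the receiver's public key.
function seal(body, senderPrivate, receiverPublic) {
  const signature = sign('sha256', body, senderPrivate);
  const key = randomBytes(32);
  const iv = randomBytes(12);
  const cipher = createCipheriv('aes-256-gcm', key, iv);
  const ciphertext = Buffer.concat([cipher.update(body), cipher.final()]);
  const wrappedKey = publicEncrypt(receiverPublic, key); // RSA-OAEP is the default padding
  return { wrappedKey, iv, ciphertext, tag: cipher.getAuthTag(), signature };
}

// Receiver side. Opens the envelope with its own private key, decrypts the
// body, then checks the signature with the sender's public key.
function open(mail, receiverPrivate, senderPublic) {
  const key = privateDecrypt(receiverPrivate, mail.wrappedKey);
  const decipher = createDecipheriv('aes-256-gcm', key, mail.iv);
  decipher.setAuthTag(mail.tag);
  const body = Buffer.concat([decipher.update(mail.ciphertext), decipher.final()]);
  if (!verify('sha256', body, senderPublic, mail.signature)) {
    throw new Error('signature does not match sender');
  }
  return body;
}

// Constructed demo: throwaway key pairs and a sample message.
function demo() {
  const pair = () => generateKeyPairSync('rsa', { modulusLength: 2048 });
  const sender = pair(), receiver = pair();
  const mail = seal(Buffer.from('constructed sample message'), sender.privateKey, receiver.publicKey);
  const opened = open(mail, receiver.privateKey, sender.publicKey).toString();
  mail.ciphertext[0] ^= 1; // a third party alters one bit in transit
  let tampered = 'accepted';
  try { open(mail, receiver.privateKey, sender.publicKey); } catch { tampered = 'rejected'; }
  return { opened, tampered };
}

console.log(demo());
```

Only the 32-byte symmetric key goes through the slow asymmetric operation, so the cost of the public-key step does not grow with the size of the attachment.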


6. Network security

6.1. Security guarantee at each network level


6.2. Cyber Threats and Attacks


6.3. Firewall



Origin blog.csdn.net/qq_52108058/article/details/130578869