The most detailed summary of encryption and decryption algorithms on the web, with Java demos

The concept and application of cryptography

Cryptography is a science with a long history. For the past and present of cryptography, you can refer to this book:

https://crypt.wenwoha.com/preface/index.html

1. What is cryptography

Cryptography is a scheme for securing information and communication through the use of codes so only the intended recipient of the information can read and process it. Cryptography is an important security tool used in a variety of applications, including:

  • Secure communication: Cryptography is used to protect data in transit, such as email, web browsing, and file transfers. One example is the TLS/SSL technology used by HTTPS.
  • Data at rest: Cryptography is used to protect data stored on computers, such as passwords, financial information, and medical records.
  • Digital signature: Cryptography is used to create digital signatures, which can be used to verify the authenticity of a message or document.
  • Non-repudiation: Cryptography can be used to provide non-repudiation, which means that the sender cannot deny having sent a message and the receiver cannot deny having received it.

Cryptography appeared as early as 400 BC, and humans have used ciphers for almost as long as they have used writing.

The development of cryptography can be roughly divided into three stages:

  1. The stage of classical cryptography before 1949;

  2. 1949-1975 Cryptography as a branch of science;

  3. After 1976, the symmetric key cryptography algorithm was further developed, resulting in a new direction of cryptography—public key cryptography.

    In 1976, W. Diffie and M. Hellman first publicly proposed the concept of public-key cryptography in the article "New Directions in Cryptography". Public-key cryptography makes the encryption key independent of the decryption key and solves the problem that the communicating parties in a symmetric cryptosystem must share a key in advance, which was of epoch-making significance for the field.

2. Symmetric encryption and asymmetric encryption

Cryptography as applied today comes down to two approaches: symmetric encryption and asymmetric encryption.

Symmetric encryption: Symmetric key encryption uses a single key to encrypt and decrypt data. This type of cryptography is relatively fast, but it requires the sender and receiver to share a secret key.

Asymmetric encryption: Asymmetric key encryption uses two keys: a public key and a private key. The public key is used to encrypt data and the private key is used to decrypt data. This type of encryption is slower than symmetric key encryption, but it does not require a shared key between sender and receiver.

2.1 Commonly used symmetric encryption on the market

Common symmetric encryption methods currently on the market include DES, 3DES, AES, TDEA, Blowfish, RC2, RC4, and RC5.

2.1.1 DES and 3DES

Data Encryption Standard (DES) and Triple DES (3DES) are block ciphers used to encrypt data. DES has a key size of 56 bits, while 3DES has a key size of 112 or 168 bits. This means that 3DES is more secure than DES because it takes longer to crack a 3DES key than a DES key.

First released in 1977, DES has been the standard for data encryption for many years. However, as computers became more powerful, DES became easier to crack. In 1999, a distributed.net project was able to crack DES keys in 22 hours.

3DES was developed in response to the increasing security holes of DES. 3DES works by encrypting data three times with two or three keys. This makes 3DES much more secure than DES, and is still considered secure today.

However, 3DES is also slower than DES because it requires three encryption operations. This makes 3DES less suitable for applications where speed is critical.

Today, 3DES is being replaced by newer, more secure block ciphers such as the Advanced Encryption Standard (AES). AES has a key size of 128 bits and is considered the most secure block cipher available today.

2.1.2 AES Algorithm

AES (Advanced Encryption Standard) is considered the most secure block cipher available today and is currently the most widely used symmetric encryption algorithm in the world. It still has a dominant position to this day.

AES was born when the US government chose it to replace the Data Encryption Standard (DES). AES is a block cipher, which means it encrypts data in blocks of 128 bits. AES has three key sizes: 128, 192, and 256 bits. The key size determines the strength of the encryption. 128-bit keys are considered to be very secure and infeasible to break with current technology. 192-bit keys are more secure, while 256-bit keys are considered unbreakable.

2.1.3 RC algorithm

RC algorithms are a series of symmetric key encryption algorithms invented by Ron Rivest. "RC" could stand for Rivest's cipher, or more colloquially, Ron's cipher. Despite their similar names, these algorithms are largely unrelated. There are six RC algorithms so far:

  • RC1 was never released.
  • RC2 is a 64-bit block cipher developed in 1987.
  • RC3 was broken before being used.
  • RC4 is a stream cipher.
  • RC5 is a 32/64/128-bit block cipher developed in 1994.
  • RC6 is a 128-bit block cipher based primarily on RC5; it was an AES finalist, developed in 1997.

RC4 is the most widely used RC algorithm. It is a stream cipher, which means it encrypts data one bit or byte at a time. RC4 is a very fast algorithm and is easy to implement in software. RC4 is used in a variety of applications including:

  • Secure Sockets Layer (SSL): SSL is a protocol used to encrypt data as it travels on the Internet. RC4 is commonly used as an encryption algorithm in SSL.
  • Wireless networks: RC4 is commonly used to encrypt data on wireless networks, such as Wi-Fi and Bluetooth.
  • File encryption: RC4 is often used to encrypt files, such as password files, financial files, etc.

2.1.4 Main implementation

The JDK natively provides almost all of the symmetric encryption algorithms above, but since JDK 1.8 the Oracle license agreement has changed and private packages may not be accessible, so the recommended implementation is still Bouncy Castle.

The JDK natively provides the Cipher class to support encryption and decryption.

AES encryption example:

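// Create a Cipher instance for AES
// ("AES" alone resolves to AES/ECB/PKCS5Padding on the default SunJCE provider)
Cipher cipher = Cipher.getInstance("AES");

// Generate a random key
SecretKey key = KeyGenerator.getInstance("AES").generateKey();

// Initialize the cipher in encrypt mode
cipher.init(Cipher.ENCRYPT_MODE, key);

// Get the encrypted data
byte[] encryptedData = cipher.doFinal(plaintextData);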

AES decryption example:

// Create a Cipher instance for AES
Cipher cipher = Cipher.getInstance("AES");

// Reuse the SecretKey `key` that encrypted the data;
// a freshly generated random key cannot decrypt it

// Initialize the cipher in decrypt mode
cipher.init(Cipher.DECRYPT_MODE, key);

// Get the decrypted data
byte[] decryptedData = cipher.doFinal(encryptedData);

In actual use, we use a specific string as the key, and we must also keep that key secure.

2.1.5 Bouncy Castle cipher suites

Bouncy Castle is currently the most popular Java implementation of cryptography, so it deserves its own introduction.

Bouncy Castle is a free and open source cryptographic library written in Java. It provides a wide range of cryptographic algorithms and tools, including:

  • Block ciphers such as AES, DES, and 3DES
  • Stream ciphers such as RC4 and Salsa20
  • Hash functions such as SHA-256 and SHA-512
  • Digital signatures such as RSA and DSA
  • Key exchange algorithms, such as DH algorithm and ECC elliptic curve algorithm

The current latest version is 1.74, and the last update was on June 12. Please stay on the stable version.

For a detailed introduction, you can check the official website: http://www.bouncycastle.org/

We can use it through the JCE. Example usage:

import org.bouncycastle.jce.provider.BouncyCastleProvider;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import java.nio.charset.StandardCharsets;
import java.security.Security;

public class EncryptMessage {

    public static void main(String[] args) throws Exception {
        // Register the Bouncy Castle algorithm provider
        Security.addProvider(new BouncyCastleProvider());

        // Generate a 128-bit key; "BC" selects the provider registered above
        KeyGenerator keyGenerator = KeyGenerator.getInstance("AES", "BC");
        keyGenerator.init(128);
        SecretKey secretKey = keyGenerator.generateKey();

        // Create the cipher object and set it to encrypt mode.
        // ECB encrypts identical plaintext blocks to identical ciphertext blocks.
        Cipher cipher = Cipher.getInstance("AES/ECB/PKCS5Padding", "BC");
        cipher.init(Cipher.ENCRYPT_MODE, secretKey);

        // Encrypt the message
        byte[] encryptedMessage = cipher.doFinal("Hello, world!".getBytes(StandardCharsets.UTF_8));
    }
}
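
The demo above uses AES/ECB/PKCS5Padding. The following added example (not code from the original article) puts that mode beside AES/GCM/NoPadding using only the JDK's own classes; the class name, helper names and sample plaintext are constructed for illustration.

```java
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;

public class AesModeDemo {

    private static final int NONCE_LEN = 12;  // bytes, the usual GCM nonce size
    private static final int TAG_BITS = 128;  // authentication tag length

    // ECB: every 16-byte block is encrypted independently with the same key.
    static byte[] encryptEcb(SecretKey key, byte[] plaintext) throws Exception {
        Cipher cipher = Cipher.getInstance("AES/ECB/PKCS5Padding");
        cipher.init(Cipher.ENCRYPT_MODE, key);
        return cipher.doFinal(plaintext);
    }

    // GCM: a fresh random nonce per message, prepended to ciphertext || tag.
    static byte[] encryptGcm(SecretKey key, byte[] plaintext) throws Exception {
        byte[] nonce = new byte[NONCE_LEN];
        new SecureRandom().nextBytes(nonce);
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, nonce));
        byte[] ct = cipher.doFinal(plaintext);
        byte[] out = Arrays.copyOf(nonce, NONCE_LEN + ct.length);
        System.arraycopy(ct, 0, out, NONCE_LEN, ct.length);
        return out;
    }

    // Throws AEADBadTagException if the nonce, ciphertext or tag was modified.
    static byte[] decryptGcm(SecretKey key, byte[] message) throws Exception {
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.DECRYPT_MODE, key,
                new GCMParameterSpec(TAG_BITS, message, 0, NONCE_LEN));
        return cipher.doFinal(message, NONCE_LEN, message.length - NONCE_LEN);
    }

    public static void main(String[] args) throws Exception {
        KeyGenerator keyGenerator = KeyGenerator.getInstance("AES");
        keyGenerator.init(128);
        SecretKey key = keyGenerator.generateKey();

        // Constructed sample: two identical 16-byte blocks.
        byte[] plaintext = "ACCOUNT=00001234ACCOUNT=00001234".getBytes(StandardCharsets.UTF_8);

        // ECB leaks structure: equal plaintext blocks give equal ciphertext blocks.
        byte[] ecb = encryptEcb(key, plaintext);
        boolean repeated = Arrays.equals(Arrays.copyOfRange(ecb, 0, 16),
                                         Arrays.copyOfRange(ecb, 16, 32));
        System.out.println("ECB ciphertext blocks 1 and 2 identical: " + repeated);

        // GCM output differs on every call because the nonce differs.
        byte[] gcm1 = encryptGcm(key, plaintext);
        byte[] gcm2 = encryptGcm(key, plaintext);
        System.out.println("GCM output identical across two calls: " + Arrays.equals(gcm1, gcm2));
        System.out.println("GCM round trip: "
                + new String(decryptGcm(key, gcm1), StandardCharsets.UTF_8));

        // Flip one bit to simulate modification in transit; decryption must fail.
        gcm1[gcm1.length - 1] ^= 0x01;
        try {
            decryptGcm(key, gcm1);
            System.out.println("modified message accepted");
        } catch (AEADBadTagException e) {
            System.out.println("GCM rejected the modified message");
        }
    }
}
```

The ECB line prints true and the GCM comparison prints false; ECB also has no integrity check, so a modified ECB ciphertext decrypts without any error being raised by the mode itself.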

2.2 Asymmetric encryption commonly used in the market

Common asymmetric encryption algorithms include: RSA, Elgamal, Knapsack Algorithm, Rabin, DH, ECC (Elliptic Curve Encryption Algorithm), etc.

The asymmetric encryption widely used in the world is still RSA, but the ECC algorithm is becoming more and more mainstream because of its superiority.

2.2.1 RSA encryption

RSA is, in theory, a relatively mature and complete public-key cryptosystem, and it is the typical representative of asymmetric cryptosystems. The RSA algorithm is used in many areas of network and information security. Its typical application in communication is the digital signature, which lets one party verify the identity of the other and provides non-repudiation. It has broad application prospects in identity authentication, information security, and e-commerce.

2.2.1.1 Basic principles

The RSA algorithm consists of three parts: key generation, encryption algorithm and decryption algorithm.

The key generation process is as follows:

  1. Generate two large prime numbers p and q;
  2. Calculate n = p × q and Euler's function φ(n) = (p − 1)(q − 1);
  3. Select the integer e so that it satisfies the condition: 1 < e < φ(n), and gcd(e,φ(n)) = 1 (Note: gcd () function calculates the greatest common divisor of two numbers);
  4. Calculate the inverse element d of e: d∙e ≡ 1 mod φ(n) (note: since gcd(e,φ(n)) = 1, d must exist);
  5. The sequence pair (e,n) is the public key, which can be made public; (d,n) is the private key, which is kept secret.

The encryption algorithm process is as follows:

Divide the character string to be sent into groups m_i whose value satisfies m_i < n, and then perform an encryption operation on each group m_i to obtain the ciphertext

c_i ≡ (m_i)^e mod n

The decryption algorithm process is as follows:

After receiving the ciphertext c_i, the recipient uses his own private key to perform the decryption operation and obtain the plaintext

m_i ≡ (c_i)^d mod n
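
The key generation, encryption and decryption steps above, carried through with java.math.BigInteger. This is an added example, not code from the original article; the class name, the choice e = 65537 and the 1024-bit prime size are assumptions made for illustration. It implements the unpadded formulas exactly as written, which is what the last two checks in main rely on; real applications use a padded scheme from a library.

```java
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;

public class TextbookRsa {

    final BigInteger n, e, d;

    // Steps 1-5 of key generation, using the section's symbols.
    TextbookRsa(int primeBits) {
        SecureRandom rnd = new SecureRandom();
        BigInteger exp = BigInteger.valueOf(65537);  // assumed choice of e
        BigInteger p, q, phi;
        do {
            p = BigInteger.probablePrime(primeBits, rnd);            // step 1
            q = BigInteger.probablePrime(primeBits, rnd);
            phi = p.subtract(BigInteger.ONE)
                   .multiply(q.subtract(BigInteger.ONE));            // step 2: φ(n)
        } while (p.equals(q) || !phi.gcd(exp).equals(BigInteger.ONE)); // step 3: gcd(e, φ(n)) = 1
        this.n = p.multiply(q);                                      // step 2: n = p × q
        this.e = exp;
        this.d = exp.modInverse(phi);                                // step 4: d·e ≡ 1 mod φ(n)
    }

    // c_i ≡ (m_i)^e mod n, defined only for 0 <= m_i < n
    BigInteger encrypt(BigInteger m) {
        if (m.signum() < 0 || m.compareTo(n) >= 0) {
            throw new IllegalArgumentException("block must satisfy 0 <= m < n");
        }
        return m.modPow(e, n);
    }

    // m_i ≡ (c_i)^d mod n
    BigInteger decrypt(BigInteger c) {
        return c.modPow(d, n);
    }

    public static void main(String[] args) {
        TextbookRsa rsa = new TextbookRsa(1024);  // n is about 2048 bits

        // Constructed sample message, read as one non-negative integer block.
        BigInteger m = new BigInteger(1, "Hello, world!".getBytes(StandardCharsets.UTF_8));
        BigInteger c = rsa.encrypt(m);
        BigInteger back = rsa.decrypt(c);
        System.out.println("round trip ok: " + back.equals(m));
        System.out.println(new String(back.toByteArray(), StandardCharsets.UTF_8));

        // Without padding the scheme is deterministic: the same block always
        // produces the same ciphertext under the same public key.
        System.out.println("deterministic: " + rsa.encrypt(m).equals(c));

        // It is also multiplicative: E(m1)·E(m2) mod n decrypts to m1·m2 mod n,
        // so a ciphertext can be altered in a predictable way without the key.
        BigInteger two = BigInteger.valueOf(2);
        BigInteger product = c.multiply(rsa.encrypt(two)).mod(rsa.n);
        System.out.println("multiplicative: "
                + rsa.decrypt(product).equals(m.multiply(two).mod(rsa.n)));
    }
}
```

All three checks print true. The determinism and multiplicative properties are the reason library implementations add randomized padding such as OAEP before applying the formulas.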

2.2.1.2 Applications

On the Java side, we can use BouncyCastle to support RSA.

// Generate a key pair
KeyPairGenerator generator = KeyPairGenerator.getInstance("RSA");
generator.initialize(2048);
KeyPair pair = generator.generateKeyPair();

// Get the public key
PublicKey publicKey = pair.getPublic();

// Encrypt the message
// ("RSA" alone resolves to RSA/ECB/PKCS1Padding on the default SunJCE provider)
Cipher cipher = Cipher.getInstance("RSA");
cipher.init(Cipher.ENCRYPT_MODE, publicKey);
byte[] encryptedMessage = cipher.doFinal("Hello, world!".getBytes());

// Get the private key
PrivateKey privateKey = pair.getPrivate();

// Decrypt (the file must hold ciphertext produced with the matching public key)
Cipher decryptCipher = Cipher.getInstance("RSA");
decryptCipher.init(Cipher.DECRYPT_MODE, privateKey);
byte[] decryptedMessage = decryptCipher.doFinal(Files.readAllBytes(Paths.get("encrypted-message.txt")));

RSA can be used in a variety of applications, including:

  • Secure Messaging: RSA can be used to encrypt and decrypt messages.
  • Data Encryption: RSA can be used to encrypt data files.
  • Digital signatures: RSA can be used to generate and verify digital signatures.
  • Key Exchange: RSA can be used to securely exchange keys.
  • Web security: RSA can be used to implement various web security functions, such as SSL/TLS and X.509 certificates.

2.2.2 ECC elliptic curve algorithm

Elliptic Curve Cryptography (ECC) is an asymmetric cryptographic algorithm based on elliptic curve mathematics. It is a cryptographic system built on the elliptic curve discrete logarithm problem.

With advances in methods for factoring large integers and improvements in other areas, the RSA algorithm is gradually becoming unable to meet current needs, and the demand for the ECC algorithm is gradually increasing. ECC has been widely used for its obvious "short key" advantage, and has gradually been adopted as a digital signature standard in many schemes.

Of course, there are still many unresolved problems in ECC, but this algorithm, which draws on rich mathematical theory, also shows that applying more mathematics to the field of cryptography is feasible.

2.2.2.1 Principle of ECC

First, we explain the principle of the algorithm from a mathematical point of view. The mathematical basis of the ECC elliptic curve encryption algorithm is the computational difficulty of the elliptic curve discrete logarithm problem (ECDLP) over a finite field. The so-called elliptic curve refers to the Weierstrass equation. The elliptic curve equation is as follows:

y^2 + a_1xy + a_2y = x^3 + a_3x^2 + a_4x + a_5

2.2.2.2 Application of ECC

The purpose of ECC is almost the same as that of RSA. When we choose between RSA and ECC, the main consideration is the range of scenarios each one supports.

ECC keys are much smaller than traditional RSA keys, which makes them more efficient to use. ECC keys are also considered more secure than RSA keys, which makes them a good choice for applications that require high security, such as online banking and e-commerce.

The main purpose of ECC is to accelerate SSL access, which can obviously improve server performance under the same security. Most modern web browsers and servers support ECC certificates. However, some older browsers and servers do not support ECC certificates.

Here are some of the most popular browsers and servers that support ECC certificates:

  • Web browsers: Chrome, Firefox, Edge, Safari, Opera
  • Server: Apache, Nginx, IIS

2.2.3 SSL/TLS and related technologies

In order to achieve network security, all data transmitted over the HTTPS protocol is encrypted.

Asymmetric encryption, symmetric encryption and hash algorithms are used in TLS/SSL.

2.2.3.1 DH algorithm

Diffie–Hellman key exchange, abbreviated as DH, is a security protocol that two parties use to establish a shared secret key over an insecure communication network. Once the shared secret key is available, it can be used to encrypt the messages they exchange. Since both parties use the same key, the goal of the protocol can be seen as creating a symmetric key (readers can study symmetric and asymmetric keys on their own). The protocol is also called Diffie-Hellman key agreement; it is named after its inventors, as is conventional, and the name has no other special meaning.

Diffie-Hellman key exchange itself is an anonymous (unauthenticated) key exchange protocol. It is the basis of many authentication protocols and is used to provide forward security in the ephemeral mode of the Transport Layer Security protocol.

The DH protocol is the core algorithm for SSL to realize key exchange, which can ensure the security and reliability of the key during transmission.
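
The exchange described above, with both sides' messages, written against the JDK's KeyAgreement API. This is an added example, not code from the original article; the class and helper names, the 2048-bit group size and the SHA-256 key derivation step are assumptions chosen for illustration.

```java
import javax.crypto.KeyAgreement;
import javax.crypto.SecretKey;
import javax.crypto.interfaces.DHPublicKey;
import javax.crypto.spec.SecretKeySpec;
import java.security.KeyFactory;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.MessageDigest;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.spec.X509EncodedKeySpec;
import java.util.Arrays;

public class DhExchangeDemo {

    // One side's computation: own private key + peer's public value -> shared secret.
    static byte[] agree(PrivateKey ownPrivate, byte[] peerPublicEncoded) throws Exception {
        // The peer's public value arrives as bytes over the insecure channel.
        PublicKey peerPublic = KeyFactory.getInstance("DH")
                .generatePublic(new X509EncodedKeySpec(peerPublicEncoded));
        KeyAgreement agreement = KeyAgreement.getInstance("DH");
        agreement.init(ownPrivate);
        agreement.doPhase(peerPublic, true);
        return agreement.generateSecret();
    }

    // Hash the raw secret down to a 128-bit AES key (simple derivation for this example).
    static SecretKey deriveAesKey(byte[] sharedSecret) throws Exception {
        byte[] hash = MessageDigest.getInstance("SHA-256").digest(sharedSecret);
        return new SecretKeySpec(Arrays.copyOf(hash, 16), "AES");
    }

    public static void main(String[] args) throws Exception {
        // Alice chooses the group parameters (p, g) and an ephemeral key pair.
        KeyPairGenerator aliceGen = KeyPairGenerator.getInstance("DH");
        aliceGen.initialize(2048);
        KeyPair alice = aliceGen.generateKeyPair();
        byte[] aliceToBob = alice.getPublic().getEncoded();   // sent in the clear

        // Bob reads p and g from Alice's message and generates his pair in the same group.
        DHPublicKey alicePublic = (DHPublicKey) KeyFactory.getInstance("DH")
                .generatePublic(new X509EncodedKeySpec(aliceToBob));
        KeyPairGenerator bobGen = KeyPairGenerator.getInstance("DH");
        bobGen.initialize(alicePublic.getParams());
        KeyPair bob = bobGen.generateKeyPair();
        byte[] bobToAlice = bob.getPublic().getEncoded();     // sent in the clear

        // Each side combines its own private key with the other's public value.
        byte[] aliceSecret = agree(alice.getPrivate(), bobToAlice);
        byte[] bobSecret = agree(bob.getPrivate(), aliceToBob);
        System.out.println("shared secrets match: " + Arrays.equals(aliceSecret, bobSecret));

        SecretKey aliceKey = deriveAesKey(aliceSecret);
        SecretKey bobKey = deriveAesKey(bobSecret);
        System.out.println("derived AES keys match: "
                + Arrays.equals(aliceKey.getEncoded(), bobKey.getEncoded()));

        // Nothing above proves who sent aliceToBob or bobToAlice. That is the
        // "anonymous (unauthenticated)" property: in TLS the server signs its
        // key exchange values with the private key of its certificate.
    }
}
```

Only the two encoded public keys cross the channel; the private keys and the shared secret never do. Generating a new key pair for every session is what the ephemeral mode mentioned above refers to.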

2.2.3.2 SSL and TLS protocols

SSL (Secure Sockets Layer): Developed by Netscape in 1994, the SSL protocol sits between the TCP/IP protocol and the various application layer protocols, providing security support for data communication.

TLS (Transport Layer Security): Its predecessor is SSL.

Its first few versions (SSL 1.0, SSL 2.0, SSL 3.0) were developed by Netscape, and were standardized and renamed by IETF starting from 3.1 in 1999. Up to now, there have been three versions: TLS 1.0, TLS 1.1, and TLS 1.2. SSL3.0 and TLS1.0 are rarely used due to security holes. TLS 1.3 has undergone major changes, greatly improving security and access speed, and is well supported by all modern browsers.

But currently the most widely used are TLS 1.1 and TLS 1.2.

2.3 China's national standard encryption protocol

"National secret" refers to the domestic encryption algorithms recognized by the State Cryptography Administration. The main ones are SM1, SM2, SM3, and SM4. Both the key length and block length are 128 bits. SM1 is symmetric encryption, SM2 is asymmetric encryption, SM3 is a message digest, and SM4 is a block cipher algorithm.

The SM2 algorithm is based on the elliptic curve ECC algorithm, and its performance is better than that of RSA. Therefore, in conventional encryption services, we often consider using the SM2 algorithm instead of the RSA algorithm to ensure efficient content exchange.

At present, many open source components in China have fully implemented the national secret algorithms. From Java to JavaScript to C++, you can choose an encryption algorithm that meets China's national conditions according to your needs to increase product security.

For the detailed implementation principle and java application of the national secret, if you are interested, you can refer to the following posts:

https://crypt.wenwoha.com/china/index.html

3. One-way hash function (algorithm)

In fact, the scope of this chapter does not belong to encryption, but since people often confuse these concepts, it is specially emphasized.

A one-way hash function, also simply called a hash function, is a function that turns an input message string of any length into a fixed-length output string, such that it is difficult to recover the input string from the output string. This output string is called the hash value of the message. It is generally used to generate message digests, for key encryption, and so on.

Currently the most commonly used algorithm is MD5, followed by SHA, SHA-2, SHA-3, etc.

Note that the one-way hash function does not belong to encryption, because it is irreversible, that is, it cannot be decrypted, but it naturally belongs to the category of cryptography, and humans use it to ensure data security.

3.1 MD5 algorithm

MD5 is a one-way hash algorithm developed by RSA Data Security Company. It is widely used and can be used to convert data blocks of different lengths into a 128-bit value. Different values produce different results.

3.1.1 MD5 implementation

As far as the java language is concerned, JDK encapsulates the basic support of the MD5 algorithm, and there are many third-party libraries that also implement the algorithm. The most widely used implementation is the MessageDigest class, which is defined in the java.security package.

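import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

public class MD5 {

    public static void main(String[] args) throws Exception {
        // Create a message digest object
        MessageDigest digest = MessageDigest.getInstance("MD5");

        // Convert the text to be hashed into a byte array
        byte[] data = "Hello, world!".getBytes(StandardCharsets.UTF_8);

        // Feed the data into the message digest object
        digest.update(data);

        // Compute the digest
        byte[] digestValue = digest.digest();

        // Convert the 16-byte digest into 32 hex characters (zero-padded);
        // new String(digestValue, "UTF-8") would give unreadable text, not hex
        String hexString = String.format("%032x", new BigInteger(1, digestValue));

        // Prints 6cd3556deb0da54bca060b4c39479839
        System.out.println(hexString);
    }
}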

We generally use strings as inputs and outputs, so most of the time we simply wrap this in a utility class.

In addition, in JavaScript, there are many mature libraries that already support MD5, such as md5js.

3.1.2 MD5 usage

Consistency Verification

A typical application of MD5 is to generate a digest for a piece of text to detect tampering. Software download sites often list an MD5 value next to each download. After downloading the software, we can use a dedicated tool (such as Windows MD5 Check) to compute an MD5 checksum of the downloaded file and make sure we got the same file as the one provided by the site.

Digital certificate

If there is a third-party certification authority, using MD5 can also prevent the "repudiation" of the author of the document, which is the so-called digital signature application.

Secure Access Authentication

In the Unix system, the user's password is stored in the file system after being hashed with MD5 (or another similar algorithm). When the user logs in, the system hashes the password entered by the user with MD5 and compares the result with the MD5 value stored in the file system to determine whether the entered password is correct. Through these steps, the system can check whether a login is legitimate without knowing the plaintext of the user's password.
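
The store-then-compare login flow described above, as an added example that is not code from the original article. It shows the single unsalted MD5 pass next to a salted, iterated derivation; PBKDF2WithHmacSHA256 is a technique substituted here and is not mentioned in the article, and the class name, iteration count and sample passwords are assumptions made for illustration.

```java
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;

public class PasswordStorageDemo {

    static final int ITERATIONS = 600_000;  // example work factor (assumption); tune per deployment
    static final int SALT_LEN = 16;         // bytes
    static final int HASH_BITS = 256;

    // What the section describes: one unsalted MD5 pass over the password.
    static byte[] md5(String password) throws Exception {
        return MessageDigest.getInstance("MD5")
                .digest(password.getBytes(StandardCharsets.UTF_8));
    }

    // Salted, deliberately slow derivation.
    static byte[] pbkdf2(char[] password, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, HASH_BITS);
        try {
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                    .generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword();
        }
    }

    // Record stored per user: salt || derived hash.
    static byte[] enroll(char[] password) throws Exception {
        byte[] salt = new byte[SALT_LEN];
        new SecureRandom().nextBytes(salt);
        byte[] hash = pbkdf2(password, salt);
        byte[] record = Arrays.copyOf(salt, SALT_LEN + hash.length);
        System.arraycopy(hash, 0, record, SALT_LEN, hash.length);
        return record;
    }

    // Login check: re-derive with the stored salt and compare in constant time.
    static boolean verify(char[] attempt, byte[] record) throws Exception {
        byte[] salt = Arrays.copyOfRange(record, 0, SALT_LEN);
        byte[] expected = Arrays.copyOfRange(record, SALT_LEN, record.length);
        return MessageDigest.isEqual(expected, pbkdf2(attempt, salt));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: two users who picked the same password.
        String shared = "correct horse battery staple";

        // Unsalted MD5: both users get the same stored value, so one
        // precomputed table entry matches every account with that password.
        System.out.println("MD5 values identical for both users: "
                + Arrays.equals(md5(shared), md5(shared)));

        // Salted records differ even though the password is the same.
        byte[] userA = enroll(shared.toCharArray());
        byte[] userB = enroll(shared.toCharArray());
        System.out.println("salted records identical: " + Arrays.equals(userA, userB));

        System.out.println("correct password accepted: " + verify(shared.toCharArray(), userA));
        System.out.println("wrong password accepted: " + verify("guess123".toCharArray(), userA));
    }
}
```

The four lines print true, false, true and false. The system still never stores the plaintext password, but each guess against a leaked record now costs the full iteration count and has to be repeated for every salt.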

3.2 SHA algorithm and its revision

The Secure Hash Algorithm (SHA) is a family of cryptographic hash functions that can calculate a fixed-length string (also known as a message digest) corresponding to a digital message.

And if the input messages are different, there is a high probability that they correspond to different strings. The SHA family algorithms are SHA-0; SHA-1; SHA-224, SHA-256, SHA-384, SHA-512 and SHA3.

SHA-224, SHA-256, SHA-384, and SHA-512 are sometimes referred to as SHA-2. SHA3 is the third-generation Secure Hash Algorithm (Secure Hash Algorithm 3), previously known as the Keccak algorithm; when implemented in hardware, this algorithm is clearly much faster than the other algorithms. At present, SHA-0 and SHA-1 have been cracked.

3.2.1 Main purpose

We often use SHA-256 to generate hash keys, which is also the ultimate embodiment of the "intermediate law" in cryptography. In addition, the main purpose of the SHA algorithm is to provide a secure method to verify the authenticity and integrity of data. The SHA algorithm is used in a variety of applications, including:

  • Digital signature: The SHA algorithm is used to create a digital signature, which can be used to verify the authenticity of a message or document.
  • Data Integrity Verification: The SHA algorithm can be used to verify the integrity of data by comparing the hash value of the data with a known hash value.
  • Password Hashing: Passwords can be hashed using the SHA algorithm, making it harder for an attacker to crack the password.
  • File Verification: The SHA algorithm can be used to verify the integrity of a file by comparing its hash value with a known hash value.

3.2.2 Core implementation

Similar to MD5, Java's MessageDigest class also provides a built-in implementation of the SHA algorithm. The following is an example of computing a SHA-256 digest in Java.

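import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

public class SHA {

    public static void main(String[] args) throws Exception {
        // Create a message digest object
        MessageDigest digest = MessageDigest.getInstance("SHA-256");

        // Convert the text to be hashed into a byte array
        byte[] data = "Hello, world!".getBytes(StandardCharsets.UTF_8);

        // Feed the data into the message digest object
        digest.update(data);

        // Compute the digest
        byte[] digestValue = digest.digest();

        // Convert the 32-byte digest into 64 hex characters (zero-padded);
        // new String(digestValue, "UTF-8") would give unreadable text, not hex
        String hexString = String.format("%064x", new BigInteger(1, digestValue));

        // Prints 315f5bdb76d078c43b8ac0064e4a0164612b1fce77c869345bfc94c75894edd3
        System.out.println(hexString);
    }
}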

In addition to the MessageDigest class, there are several other Java implementations of the SHA algorithm, including:

  • BouncyCastle
  • Apache Commons Codec
  • Google Guava

These implementations provide additional features such as support for different hashing algorithms and generating SHA hashes for data streams.

The most widely used implementation of Java's SHA algorithm is the MessageDigest class. It is the most basic and straightforward implementation, included in the standard Java distribution.

4. Data bare coding

Naked coding is a very common data processing method in computers. From a definition point of view, all methods that can obtain the original data after encoding without losing the integrity of binary data according to certain rules are called data naked encoding.

In practical applications, what we see most is HEX encoding and Base64 encoding.

4.1 HEX encoding

HEX encoding is a kind of naked encoding: a common algorithm for converting a binary array byte[] into a human-readable string.

Its principle is very simple.

Hex encoding works by converting each byte of binary data into two hexadecimal digits. Hexadecimal numbers are the numbers 0 through 9 and the letters A through F. Each hexadecimal digit can represent 4 bits of binary data. Therefore, two hexadecimal numbers can represent 8-bit binary data, which is equivalent to one byte.

For example, the binary data 10101010 would be encoded as the hexadecimal number AA. The first hexadecimal digit A represents the four digits 1010. The second hexadecimal digit A also represents the four digits 1010.

4.2 Base64 encoding

Base64 is a way to represent binary data as a printable string. It is commonly used to transfer binary data over protocols designed to transfer text, such as HTTP and SMTP.

Base64 encoding works by converting each group of three bytes of binary data into four characters of text. These characters are selected from a set of 64 characters, including the numbers 0-9, the letters A-Z, and the characters + and /.

For example, binary data 10101010 would be encoded as the character A2. The first two characters A and 2 represent the first two bytes of binary data. The third character +, represents the third byte of binary data. The fourth character / is a padding character added to make the encoded data a multiple of four characters.


Origin blog.csdn.net/wybaby168/article/details/131247877