Information security: basic theory of cryptography.

Cryptology is the technical science that studies how ciphers are constructed and how they are broken. Studying the objective laws of cipher transformations and applying them to construct ciphers that keep communications secret is called cryptography; applying them to break ciphers and obtain the communicated information is called cryptanalysis. The two together are generally referred to as cryptology.


Table of contents

Network security: basic theory of cryptography.

Basic concepts of cryptography:

Cipher security analysis:

Cryptosystem analysis:

(1) Private key cryptography system:

(2) Public key cryptography system:

(3) Mixed cryptosystem:

Common cryptographic algorithms:

(1) DES:

(2) IDEA:

(3) AES:

(4) RSA:

(5) Domestic key algorithm:

Hash function and digital signature:

(1) Hash function:

(2) Hash algorithm:

(3) Digital signature:

Cryptography management and digital certificates:

(1) Cryptography management:

(2) Digital certificate:

Security Protocol:

(1) Diffie-Hellman key exchange protocol:

(2) SSH:


Basic concepts of cryptography:

(1) The main purpose of cryptography: to keep the plaintext secret so that attackers cannot learn it.

(2) Cryptanalysis is the science of recovering plaintext without knowing the key.

(3) Plaintext: refers to messages that need to be protected using cryptographic technology.

(4) Ciphertext: refers to the result of plaintext processed using cryptographic technology, usually called an encrypted message.

(5) The process of converting plaintext into ciphertext is called encryption, and its reverse process, that is, the process of recovering the original plaintext from ciphertext, is called decryption.

(6) The set of operation rules used in the encryption process is called the encryption algorithm, and the set of operation rules used in the decryption process is called the decryption algorithm.

(7) The operations of encryption and decryption algorithms are usually performed under the control of keys, which are called encryption keys and decryption keys respectively.


Cipher security analysis:

(1) Ciphertext-only attack: The cryptanalyst has only one or more ciphertexts encrypted with the same key and no other usable information.

(2) Known plaintext attack: The cryptanalyst only knows some plaintext under the current key and the corresponding ciphertext.

(3) Chosen plaintext attack: The cryptanalyst can obtain the ciphertext corresponding to plaintext of their own choosing under the current key.

(4) Ciphertext verification attack: For any selected ciphertext, the cryptanalyst can determine whether the ciphertext is valid or not.

(5) Chosen ciphertext attack: Apart from the challenge ciphertext, the cryptanalyst can obtain the plaintext corresponding to any selected ciphertext.


Cryptosystem analysis:

(1) Private key cryptography system:

Private key system: also called a symmetric key system. The cipher uses the same key for encryption and decryption.

The shortcomings of private key cryptography can be attributed to three points: key distribution problems, key management problems, and the inability to authenticate the source.

Advantages of the private key system: Encryption and decryption are very fast, but key distribution and management are difficult.

Typical algorithms for private key cryptography: DES, IDEA, AES.


(2) Public key cryptography system:

Public key cryptography: also known as asymmetric cryptography. The basic principle is to use different key processing methods during the encryption and decryption processes.

In terms of the security of the public key cryptography system, even if the cryptographic algorithm is made public, it is computationally infeasible to infer the decryption key from the encryption key.

Public key cryptography encryption technology: using a pair of matching keys for encryption and decryption, with two keys, one is the public key and the other is the private key.
Properties of public key cryptography: Each key performs a one-way processing of data, and the function of each key is exactly the opposite of the other. When one key is used for encryption, the other key is used for decryption.
Files encrypted with the public key can only be decrypted with the private key, and files encrypted with the private key can only be decrypted with the public key. The public key is made public by its owner, while the private key must be kept secret. To send a confidential message, the sender must encrypt the data using the recipient's public key. Once encrypted, it can only be decrypted by the recipient using his or her private key. Conversely, users can also process data using their own private keys.

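Compared with private key cryptography, public key cryptography has the following advantages:

(1) Key distribution is convenient: encryption keys can be distributed publicly. For example, for personal secure communication on the Internet, people often publish their public key on a web page so that others can use it to encrypt securely.

(2) Fewer keys need to be kept. Message senders on the network can share one public encryption key, which reduces the number of keys. As long as the recipient's decryption key is kept secret, the messages remain secure.

(3) Digital signatures are supported.

Public key cryptography system types: RSA system, ElGamal system, elliptic curve cryptography system.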


(3) Mixed cryptosystem:

Hybrid cryptosystem: A method that combines the advantages of symmetric cryptography and public key cryptography. Generally speaking, the combination of two different methods is called mixing.
In the hybrid cryptosystem, a fast symmetric cipher is first used to encrypt the message, so that the message is converted into ciphertext, thereby ensuring the confidentiality of the message. Then we only need to ensure the confidentiality of the symmetric encryption key. Here it is the turn of public key cryptography to come into play. We can use public key cryptography to encrypt the key of the symmetric cryptography used when encrypting messages.
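The hybrid flow described above, as an added Python example that is not code from the original page: a random session key encrypts the message, and the recipient's public key encrypts only that session key. The small textbook-RSA key and the SHA-256 keystream cipher are assumptions chosen so the sketch runs on the standard library; they stand in for a padded RSA key of real size and a cipher such as AES.

```python
import hashlib
import secrets

# Recipient's toy RSA key pair (textbook RSA without padding, constructed values).
P, Q = 2**89 - 1, 2**127 - 1            # two Mersenne primes
N, E = P * Q, 65537                      # public key, published by the recipient
D = pow(E, -1, (P - 1) * (Q - 1))        # private exponent, kept by the recipient

def stream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in symmetric cipher: XOR with a SHA-256 counter keystream."""
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hashlib.sha256(key + nonce + (i // 32).to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], pad))
    return bytes(out)

def hybrid_encrypt(message: bytes, n: int = N, e: int = E):
    """Encrypt the message symmetrically, then wrap the session key with RSA."""
    session_key = secrets.token_bytes(16)      # fresh 128-bit key per message
    nonce = secrets.token_bytes(12)
    ciphertext = stream_xor(session_key, nonce, message)
    wrapped_key = pow(int.from_bytes(session_key, "big"), e, n)
    return wrapped_key, nonce, ciphertext

def hybrid_decrypt(wrapped_key: int, nonce: bytes, ciphertext: bytes,
                   d: int = D, n: int = N) -> bytes:
    """Unwrap the session key with the private key, then decrypt the message."""
    session_key = pow(wrapped_key, d, n).to_bytes(16, "big")
    return stream_xor(session_key, nonce, ciphertext)

if __name__ == "__main__":
    message = b"constructed sample plaintext, longer than one keystream block"
    wrapped, nonce, ct = hybrid_encrypt(message)
    print("wrapped key:", hex(wrapped))
    print("recovered  :", hybrid_decrypt(wrapped, nonce, ct))
```

Only the 16-byte session key passes through the slow public key operation, however long the message is.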


Common cryptographic algorithms:

(1) DES: It is a block encryption algorithm that can support 64-bit plaintext block encryption, and its key length is 56 bits.

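Triple DES is called TDEA. TDEA works by applying DES to the plaintext in an "encrypt-decrypt-encrypt" sequence, that is, the ciphertext produced by DES encryption is decrypted and then encrypted again; decryption is the reverse. Let EK() and DK() denote the encryption and decryption processes of the DES algorithm, denote the key used by the DES algorithm, denote the plaintext input, and denote the ciphertext output. The TDEA encryption operation is then as follows: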


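(2) IDEA: the abbreviation of International Data Encryption Algorithm. It is a block cipher; its plaintext and ciphertext blocks are both 64 bits, and the key length is 128 bits.

The IDEA algorithm encrypts 64-bit blocks, and the same algorithm can be used for both encryption and decryption. Its design idea is "mixing operations from different algebraic groups".

(3) AES: It is an unclassified, publicly disclosed block cipher algorithm that is free to use worldwide.

NIST required that candidate algorithms meet the following requirements:

• The cipher must be unclassified and must never be protected like a trade secret;

• The full description of the algorithm must be publicly disclosed;

• The cipher must be available for use worldwide free of charge;

• The cryptosystem must support blocks at least 128 bits long;

• The cipher must support key lengths of at least 128, 192 and 256 bits.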

(4) RSA: It is an asymmetric algorithm. In the encryption algorithm, both the public key and the private key can be used to encrypt the message. The key used to encrypt the message is opposite to the key used to decrypt the message.

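The RSA algorithm provides a way to protect the confidentiality, integrity, authenticity and non-repudiation of network communications and data storage. At present, SSH, OpenPGP, S/MIME and SSL/TLS all rely on RSA for encryption and digital signature functions.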


(5) Domestic key algorithms: Domestic cryptographic algorithms refer to commercial cryptographic algorithms independently developed by relevant national cryptography research institutions and with relevant intellectual property rights.

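Chapter 1, Article 2 of the Regulations on the Administration of Commercial Cryptography (《商用密码管理条例》), issued and implemented by the State Council in 1999, states: "Commercial cryptography as referred to in these Regulations means the cryptographic technology and cryptographic products used for encryption protection or security authentication of information that does not involve state secrets."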


Hash function and digital signature:

(1) Hash function:

A hash function (Hash function) converts information of any length into a fixed-length hash value (also known as a digital digest or message digest), and in practice different messages or files produce different hash values.

Let h denote a Hash function; it satisfies the following conditions:

(1) The input of h can be a message or file M of any length;

(2) The length of the output of h is fixed;

(3) Given h and M, computing h(M) is easy;

(4) Given the description of h, finding two different messages M1 and M2 such that h(M1) = h(M2) is computationally infeasible.

(2) Hash algorithm:

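(1) MD5 algorithm:
MD5 processes its input in 512-bit blocks and produces a 128-bit message digest, that is, MD5 produces a hash value 128 bits long. MD5 is widely used, commonly for file integrity checks.

(2) SHA algorithm:
SHA processes its input in 512-bit blocks and produces a 160-bit hash value, giving stronger security than MD5. The security of the SHA algorithms has been continually improved; the published versions include SHA-2 and SHA-3. The hash lengths produced by SHA algorithms include SHA-224, SHA-256, SHA-384 and SHA-512.

(3) SM3, the domestic algorithm:
SM3 is the commercial cryptographic hash algorithm standard published by the State Cryptography Administration in 2010. Its message block length is 512 bits, its output hash length is 256 bits, and it uses the Merkle-Damgård structure.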

(3) Digital signature:

(1) Digital signature: the result obtained when the signer uses the private key to perform a cryptographic operation on the hash value of the data to be signed. The result can only be verified with the signer's public key, and it is used to confirm the integrity of the signed data, the authenticity of the signer's identity, and the non-repudiation of the act of signing.

(2) The purpose of digital signature: to realize the function of traditional paper signature or seal through network information security technology to confirm the true identity of the transaction parties and ensure the security, authenticity and non-repudiation of the transaction.

(3) Digital signatures have the same characteristics as handwritten signatures: they are credible, unforgeable, non-reusable, non-repudiable and unalterable.

A digital signature should satisfy at least the following three conditions:

(1) Non-repudiation. The signer cannot later deny their own signature.

(2) Authenticity. The recipient can verify the signature, and no one else can forge it.

(3) Verifiability. When the two parties dispute whether a signature is genuine, a third party can resolve the dispute between them.

(4) A digital signature scheme generally consists of a signature algorithm and a verification algorithm. Typical digital signature schemes include the RSA signature system, the Rabin signature system, the ElGamal signature system and DSS (Digital Signature Standard).

(5) The difference between signature and encryption is that the purpose of encryption is to protect information from being accessed by unauthorized users, while signature is to make the message recipient sure who the sender of the information is and whether the information has been tampered with by others.

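The basic workflow of a digital signature is as follows. Suppose Alice needs to sign an electronic contract file and send it to Bob. Alice's signing steps are:

Step 1: Alice uses a Hash function to generate a message digest of the electronic contract file;

Step 2: Alice uses her own private key to encrypt the message digest, forming a digital signature;

Step 3: Alice sends the electronic contract file together with the digital signature to Bob.

After receiving the electronic contract file and the digital signature sent by Alice, Bob takes the following steps to be sure that the file is one Alice approved:

Step 1: Bob uses the same Hash algorithm as Alice to compute the message digest of the electronic contract file he received;

Step 2: Bob uses Alice's public key to decrypt the encrypted message digest from Alice, recovering Alice's original message digest;

Step 3: Bob compares the message digest he computed with the recovered one. If the two digests are the same, the electronic contract file comes from Alice. If the two digests do not match, the electronic contract file has been tampered with.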
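The signing and verification steps above, as an added Python example that is not code from the original page. The key is a small textbook-RSA pair built from two Mersenne primes and used without padding, and the SHA-256 digest is reduced modulo the key so that it fits; both are assumptions made to keep the sketch on the standard library.

```python
import hashlib

# Alice's toy RSA key pair (textbook RSA without padding, constructed values).
P, Q = 2**107 - 1, 2**127 - 1           # two Mersenne primes
N, E = P * Q, 65537                      # Alice's public key, known to Bob
D = pow(E, -1, (P - 1) * (Q - 1))        # Alice's private exponent

def digest(document: bytes, n: int = N) -> int:
    """Step 1 for both parties: hash the document (reduced mod n for the toy key)."""
    return int.from_bytes(hashlib.sha256(document).digest(), "big") % n

def sign(document: bytes, d: int = D, n: int = N) -> int:
    """Alice, step 2: apply the private key to the message digest."""
    return pow(digest(document, n), d, n)

def verify(document: bytes, signature: int, e: int = E, n: int = N) -> bool:
    """Bob, steps 1-3: recompute the digest, recover Alice's digest, compare."""
    if not 0 <= signature < n:
        return False                      # reject out-of-range values outright
    recovered = pow(signature, e, n)      # "decrypt" with Alice's public key
    return recovered == digest(document, n)

if __name__ == "__main__":
    contract = b"Constructed sample contract: Alice sells 10 units to Bob."
    sig = sign(contract)                  # Alice, step 3: send contract and sig
    print("genuine contract :", verify(contract, sig))
    print("tampered contract:", verify(contract.replace(b"10", b"90"), sig))
    print("altered signature:", verify(contract, (sig + 1) % N))
```

Verification uses only the public values `N` and `E`, so anyone can check the signature, while producing it requires `D`.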


Cryptography management and digital certificates:

The security of a cryptographic system relies on cryptography management, which can be divided into three main aspects: key management, cryptography management policy, and cryptographic evaluation.


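(1) Cryptography management:

(1) Key management:
Key management revolves around the key life cycle, including key generation, key storage, key distribution, key use, key update, key revocation, key backup, key recovery, key destruction and key audit.

(2) Cryptography management policy:
Cryptography management policy refers to the national laws and policy documents, standards and specifications, security quality evaluations and similar instruments that govern cryptography. The Cryptography Law of the People's Republic of China clearly stipulates that cryptography is divided into core cryptography, ordinary cryptography and commercial cryptography, which are managed by category. Core cryptography and ordinary cryptography are used to protect state secret information, are themselves state secrets, and are subject to strict, unified management by the cryptography administration departments in accordance with the law. Commercial cryptography is used to protect information that is not a state secret; citizens, legal persons and other organizations may use commercial cryptography in accordance with the law to protect network and information security.

(3) Cryptographic evaluation:
Cryptographic evaluation refers to the security and compliance assessment of cryptographic products and systems, to ensure that the cryptography of the assessed objects is secure and effective and that cryptosystems operate safely.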

(2) Digital certificate:

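A digital certificate (Digital Certificate), also called a public key certificate, is a data structure signed by a certificate authority (CA) that contains the public key owner's information, the public key, the issuer's information, the validity period and extension information.

(1) By category, digital certificates can be divided into personal certificates, organization certificates and device certificates.

(2) By purpose, they can be divided into signature certificates and encryption certificates.

A signature certificate is a digital certificate that certifies a signing public key. An encryption certificate is a digital certificate that certifies an encryption public key.

(3) To manage digital certificates better, a digital certificate certification system (CA for short) is generally built on PKI technology. The CA provides full life-cycle management services for digital certificates: application, review, issuance, query, publication and revocation.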


Security Protocol:

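(1) Diffie-Hellman key exchange protocol:

Referred to for short as the Diffie-Hellman key exchange protocol. The Diffie-Hellman key exchange protocol is based on the difficulty of solving the discrete logarithm problem.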


(2)SSH:

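SSH is the abbreviation of "Secure Shell". It is a secure application protocol based on public keys. It consists of three sub-protocols: the SSH transport layer protocol, the SSH user authentication protocol and the SSH connection protocol. The sub-protocols divide the work and cooperate to provide encryption, authentication, integrity checking and other security services.

SSH transport layer protocol: provides algorithm negotiation and key exchange and authenticates the server, ultimately forming an encrypted secure connection that provides integrity, confidentiality and optional compression.

SSH user authentication protocol: uses the services of the transport layer to establish the connection and authenticates the user with mechanisms such as traditional password authentication, public key authentication and host authentication.

SSH connection protocol: builds on the previous two protocols, takes the established authenticated connection and divides it into multiple concurrent logical channels, supports login session tunnels and TCP forwarding (TCP-forwarding), and provides flow control and channel parameter negotiation for these channels.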

The working mechanism of SSH is divided into seven steps:


In practice, SSH uses port forwarding to support multiple security services such as remote login (Telnet), rsh, rlogin and file transfer (scp). Linux systems generally provide an SSH service, and the SSH service process usually uses port 22.

    

    

Study books: Information Security Engineer Tutorial 

Origin blog.csdn.net/weixin_54977781/article/details/131549293