Symmetric encryption algorithm
Symmetric encryption is also called private key encryption. The encryption and decryption processes of this method use the same key, so the key is also called a shared key. As shown in Figure 2.2, in the symmetric encryption method, the sender uses a symmetric encryption algorithm and a shared key to process the original data and obtain an encrypted ciphertext. After the receiver receives the ciphertext and wants to obtain the original data, it needs to use the same decryption algorithm and the same shared key to process the ciphertext to obtain the original data.
Small amount of calculation, fast encryption speed and high encryption efficiency are the characteristics of symmetric encryption method. However, in symmetric encryption, only one key is used, which requires the decryptor to know the encryption key in advance. If the key is leaked, this means that anyone can obtain the original message data of both communicating parties. Therefore, when each pair of communicating users uses symmetric encryption, they need to use a specific and unique key, and the keys need to be updated regularly. This will increase the number of keys held by both communicating parties, and users will spend more money. The cost zone maintains the management of keys. Therefore, it is difficult to use symmetric encryption on distributed network systems.
Symmetric encryption methods currently widely used in computer software systems include DES, 3DES, AES, etc. DES encryption algorithm is a classic symmetric encryption algorithm, which laid a solid foundation for the development of subsequent symmetric encryption algorithms. However, the key of the DES encryption algorithm is relatively short, only 56 bits, so it is threatened by various attacks such as fractional cryptanalysis and linear cryptanalysis. Triple DES (3DES) encryption algorithm is an improvement of the DES encryption algorithm. It is based on three iterations of the DES encryption algorithm, which significantly enhances the ability to resist exhaustive attacks. However, it also results in slower processing speed, longer key calculation time, and low encryption efficiency. Because of the shortcomings of the DES encryption algorithm, the AES encryption algorithm advocated by the American National Bureau of Standards will soon replace the DES encryption algorithm as the new standard for symmetric encryption algorithms. The AES encryption algorithm has the advantages of short key establishment time, good sensitivity, and low memory requirements.
asymmetric encryption algorithm
Asymmetric encryption is also called public key encryption. Unlike symmetric encryption, the keys used in the encryption and decryption processes are different. The key used in the encryption process is called the public key, and the key used in the decryption process is called the private key. The public key is made public and the private key is kept secret. As shown in Figure 2.3, in asymmetric encryption, because the public key is public, the data sender can directly use the receiver's public key to process the plaintext with a special encryption algorithm, thereby generating an encrypted ciphertext. After the receiver receives the ciphertext, it directly uses its own private key and decrypts the ciphertext to obtain the plaintext information. At the same time, the sender can also use its own private key to encrypt, and the receiver uses the sender's public key to decrypt.
Asymmetric encryption is characterized by complex algorithm strength and security that depends on the algorithm and key. asymmetric
There are two keys for encryption. The public key is public. The sender only needs to ensure that his private key is safe.
That's fine, this way the security is much greater than symmetric encryption. However, due to the complexity of its algorithm, it makes
Encryption and decryption speeds are slower than symmetric encryption and decryption speeds. If asymmetric encryption is used for communication, not only will the system performance overhead be large, but it will also cause a certain system delay. Using public key encryption and private key decryption can ensure the confidentiality of data, but it cannot prevent data from being tampered with. Using private key encryption and public key decryption can ensure data consistency and prevent data from being tampered with, but it cannot prevent data leakage. RSA is currently the only asymmetric encryption algorithm that is widely accepted and used, and has become the international standard for asymmetric encryption algorithms.
Irreversible encryption algorithm
In addition to symmetric encryption and asymmetric encryption, there is also a data encryption method that can only be encrypted in one direction and cannot be decrypted, called irreversible encryption. The characteristic of irreversible encryption is that it does not require a key. The general implementation principle is to use a hash function, also known as a hash function or one-way function. In the irreversible encryption method, the input plaintext is processed into ciphertext by a hash function. However, this encryption method has no corresponding decryption method. Only by reusing the same plaintext and processing it again with the same hash function can the same encrypted ciphertext be obtained, which can be considered true decryption. Irreversible encryption is generally used as a message digest of data to verify the integrity of the data. Some software systems also use irreversible encryption to encrypt user login passwords and store the encrypted ciphertext in the database. Every time a user logs in, the software system processes the password entered by the user with a hash function, and compares the generated ciphertext with the ciphertext in the database. If they are the same, they can log in. Once the database of the software system is destroyed by an attacker, the data in the database will be obtained by the attacker. However, since the password is one-way encrypted and cannot be decrypted, the attacker cannot obtain the user's login password and cannot use the user's account.
The MD5 encryption algorithm is a typical irreversible encryption algorithm, which is improved from the MD4, MD3, and MD2 algorithms. A random length message passed through the MD5 encryption algorithm will produce a 128-bit message digest. If you convert this 128-bit binary message digest into hexadecimal, you get a 32-bit string. Most of the message digests processed by MD5 in software systems are 32-bit strings stored in hexadecimal.
SHA1 is a message digest algorithm as popular as MD5, however SHA1 is more secure than MD5. For messages less than 2^64 bits in length, SHA1 produces a 160-bit message digest. If you convert this 160-bit binary message digest into hexadecimal, you get a 40-bit string. Most of the message digests processed by SHA1 in software systems are 40-digit strings stored in hexadecimal.
Introduction to SSL
SSL (Secure Sockets Layer) is a connection-oriented communication security protocol developed by Netscape and applied to the transport layer. It runs on the TCP/IP protocol and under other high-level protocols. It provides authentication and Data confidentiality and integrity services. The SSL protocol is divided into two layers: the handshake layer and the record layer. Among them, the handshake layer is responsible for identity authentication of both parties and negotiating the algorithm and key used in the recording protocol; the recording layer ensures the confidentiality of data during transmission through encryption processing, and ensures that the connection is reliable by calculating the message authentication code MAC.
SSL can be viewed as a layer between the application layer and the transport layer. On the sender side, it receives the data from the application layer, encrypts the data, and then sends the encrypted data to the TCP socket; on the receiver side, it reads the data from the TCP socket, decrypts the data and hands it to the application layer. SSL provides the following three functions: SSL server authentication, SSL client authentication, and encrypted SSL session. It uses asymmetric encryption technology to realize the secure transmission of information between the two parties in the conversation. It can achieve the confidentiality and integrity of the information transmission, and the two parties in the conversation can identify each other. SSL not only provides authentication services for servers and clients, but also provides an encrypted channel for securely transmitting data on the Internet to establish a secure connection.
Because SSL provides identity authentication, authorization authentication, and secure network transmission channels, it is widely used in Internet transmission security design. However, public key encryption and decryption schemes are required to establish an SSL communication connection and initialize an SSL session. Therefore, the use of the SSL protocol will reduce the speed of establishing connections and secure communications between both ends of the communication. Moreover, SSL can only run on the TCP/IP protocol and is not suitable for real-time data network communication based on UDP protocol transmission.
Hybrid encryption combining AES and SSL
Because network security requirements include two aspects: one is to prevent unauthorized users from entering the network; the other is to encrypt the data transmitted over the Internet. Based on the previous analysis, the SSL protocol for general TCP communication can meet the security design requirements. However, for the security design of information with high real-time requirements, especially communication based on UDP protocol, SSL is not an ideal choice, and a new encryption algorithm must be sought to achieve real-time communication.
The principle of encryption algorithm
Real-time data communication based on the Internet must not only ensure the security of real-time data transmission on the network, but also minimize the network transmission delay of real-time data encryption. The AES algorithm is very fast to encrypt/decrypt, but requires secret distribution of keys before communication. The decrypted private key must be transmitted from the encrypted sender to the recipient of decrypted data through the network. How to effectively manage the security of AES keys? It is an important link to ensure the security of AES encryption. In addition to providing a secure encrypted channel, SSL also has functions such as authorization authentication and identity authentication. When transmitting real-time data, if AES is used to encrypt the real-time data, and SSL is used to implement identity authentication and transmit the AES key, a new real-time data encryption method can be obtained by combining the advantages of AES and SSL.
The implementation principle of this solution: before real-time data network transmission, after the sender passes identity authentication, it uses the SSL secure channel to send the AES key to the receiver. At the same time, it uses the AES algorithm to encrypt the real-time data, and then sends the encrypted real-time data through the Internet based on the UDP protocol. data to the receiver. In this way, the receiver can use the received AES key to decrypt the encrypted real-time data to obtain specific real-time data.
Encryption algorithm implementation process
During the implementation process, the sender realizes the encryption of real-time data, and the receiver completes the decryption of real-time data, as shown in Figure 1. Specifically, the sender first sends an SSL connection request, establishes an SSL connection with the receiver after passing identity authentication, and transmits the AES key created by the sender to the receiver through SSL communication. At the same time, the sender uses the AES key to encrypt real-time data. Then transmit the encrypted real-time data over the Internet to
receiver. The receiver receives the sender's SSL connection request through identity authentication, receives the AES key from the sender through the SSL secure encryption channel, and at the same time receives AES-encrypted real-time data through the Internet. Finally, the receiver uses the just-accepted AES key to decrypt the real-time data ciphertext to obtain the specific real-time data. The combination of AES and SSL algorithms realizes the authorization and authentication function, effectively ensures the security of key transmission, and inherits the advantages of the AES algorithm.
