System architecture design professional skills·Information security technology


Everything we do now weaves wings for the dreams of the future, so that those dreams can take flight in reality.


1. Basic security technology

1.1 Symmetric and asymmetric encryption

Data encryption is a means of preventing unauthorized users from accessing sensitive information and ensuring the confidentiality element of the system. There are two types of data encryption: symmetric encryption algorithms and asymmetric encryption algorithms.

1.1.1 Symmetric encryption technology

In a symmetric key algorithm the encryption key and the decryption key are the same; it is also known as a shared key algorithm.

Disadvantages:

  • The encryption strength is not high, but the efficiency is high.
  • Keys are difficult to distribute.

Common symmetric encryption algorithms are:

  • DES: Data Encryption Standard (DES), a keyed block cipher built from substitution and shift operations. The plaintext is divided into 64-bit blocks (that is, groups), and a 56-bit key controls the conversion of each block into 64-bit ciphertext. It is fast and the key is easy to generate.
  • 3DES: Triple DES (Triple-DES) is an improved version of DES. It uses two 56-bit keys, K1 and K2, to apply DES encryption and decryption to the plaintext three times. The key length is 112 bits.
    Encryption: K1 encryption → K2 decryption → K1 encryption
    Decryption: K1 decryption → K2 encryption → K1 decryption
  • RC-5: RC-5 is used in many of RSA Data Security's products.
  • IDEA: International Data Encryption Algorithm (IDEA), with a block length of 64 bits and a key length of 128 bits. It has been called a global encryption standard.
  • AES: Advanced Encryption Standard (AES) has a block length of 128 bits and supports three key lengths: 128, 192 and 256 bits. It replaces the fragile DES algorithm and can achieve high-speed encryption and decryption in software or hardware.
  • SM4: Chinese national cryptographic (Guomi) algorithm; the block length and key length are both 128 bits.
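The two-key 3DES sequence in the list above (K1 encryption → K2 decryption → K1 encryption), as an added Go example that is not from the original article: it composes 3DES from three single-DES steps and compares the result with the standard library's `crypto/des`. The function names, the keys and the plaintext block are constructed for this example.

```go
package main

import (
	"bytes"
	"crypto/des"
	"fmt"
)

// Step runs one single-DES operation on one 8-byte block (8-byte key: 56 key bits plus parity).
func Step(key, in []byte, decrypt bool) []byte {
	c, err := des.NewCipher(key)
	if err != nil {
		panic(err)
	}
	out := make([]byte, des.BlockSize)
	if decrypt {
		c.Decrypt(out, in)
	} else {
		c.Encrypt(out, in)
	}
	return out
}

// Encrypt3: K1 encryption -> K2 decryption -> K1 encryption.
func Encrypt3(k1, k2, p []byte) []byte {
	return Step(k1, Step(k2, Step(k1, p, false), true), false)
}

// Decrypt3: K1 decryption -> K2 encryption -> K1 decryption.
func Decrypt3(k1, k2, c []byte) []byte {
	return Step(k1, Step(k2, Step(k1, c, true), false), true)
}

// Library3DES encrypts the block with crypto/des's own 3DES, keyed as K1||K2||K1.
func Library3DES(k1, k2, p []byte) []byte {
	c, err := des.NewTripleDESCipher(bytes.Join([][]byte{k1, k2, k1}, nil))
	if err != nil {
		panic(err)
	}
	out := make([]byte, des.BlockSize)
	c.Encrypt(out, p)
	return out
}

func main() {
	k1, k2, p := []byte("K1-const"), []byte("K2-const"), []byte("8bytemsg") // constructed values
	c := Encrypt3(k1, k2, p)
	fmt.Printf("%x, library agrees: %v\n", c, bytes.Equal(c, Library3DES(k1, k2, p)))
	fmt.Printf("round trip: %s\n", Decrypt3(k1, k2, c))
}
```

With K1 equal to K2 the middle decryption cancels the first encryption, so the construction reduces to single DES; this is why the sequence is encrypt, decrypt, encrypt rather than three encryptions.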

1.1.2 Asymmetric encryption technology

In an asymmetric key algorithm the encryption key and the decryption key are different; it is also known as an unshared key algorithm or a public key encryption algorithm.
In asymmetric encryption algorithms:

  • Encryption with the public key and decryption with the private key can achieve confidential communication.
  • Digital signatures can be achieved by encrypting with the private key and decrypting with the public key.

Disadvantages:

  • Encryption is slow.

Common asymmetric encryption algorithms are:

  • RSA: named after Rivest, Shamir and Adleman, RSA is an internationally accepted public key encryption algorithm. Its security is based on the difficulty of factoring large numbers that are the product of large primes. The key length can be selected, but the current safe key length is as high as 2048 bits. RSA computes about 1,000 times slower than a symmetric encryption algorithm of the same security level. A 2048-bit or 1024-bit key requires a lot of calculation and is difficult to crack.
  • Elgamal: Security relies on the difficulty of computing discrete logarithms over finite fields.
  • ECC: Elliptic curve cryptography.
  • SM2 (Chinese national cryptographic algorithm): Based on the elliptic curve discrete logarithm problem. Under the same security requirements, its key length and computational cost are much smaller than those of RSA.

1.2 Message digest

Message digest: a one-way hash function that produces a fixed-length hash value.
Message digests are one-way: the original content cannot be restored from the digest.

Commonly used message digest algorithms include MD5, SHA, etc. The hash values of the widely used MD5 and SHA algorithms are 128 and 160 bits respectively. Since SHA usually uses a longer key, it is more secure than MD5.

Main function: To prevent the original content from being tampered with.

1.3 Digital signature

A digital signature is an application of public key encryption technology and message digest technology. The requirements for a digital signature are that it be trustworthy, unforgeable, non-reusable, unalterable and non-repudiable.

In practical applications, a digest of the file is computed first and then the digest is signed, which can greatly improve the speed of digital signatures.
At the same time, leakage of the digest does not affect the confidentiality of the document.

1.4 Digital envelope

A digital envelope is a method of distributing a symmetric key using the result of asymmetric encryption (that is, with a public key and a private key). It is a technology that enables verification of information confidentiality.

Digital envelope is a term defined in PKCS#7, which explains it as follows: a digital envelope contains encrypted content and the encrypted key used to encrypt the content.

Although the "encryption key" is often encrypted using the recipient's public key, this is not required; it can also be encrypted using a symmetric key pre-shared by the sender and recipient. When the recipient receives the digital envelope, it first decrypts it with the private key or pre-shared key to obtain the "encryption key", and then uses that key to decrypt the ciphertext and obtain the original text. Digital envelope technology uses a two-layer encryption system.

A digital envelope combines the advantages of symmetric and asymmetric encryption for the secure transmission of information: it keeps the speed and security of symmetric encryption algorithms and the convenient key management of asymmetric encryption algorithms.

1.6 Digital certificate

Contents of a digital certificate:

  • Certificate version information;
  • Certificate serial number; each certificate has a unique serial number;
  • The signature algorithm used by the certificate;
  • The issuing authority of the certificate; the naming rules generally adopt the X.500 format;
  • The validity period of the certificate. Nowadays, common certificates generally use UTC time format, whose range is 1950 - 2049;
  • The name of the certificate owner; the naming rules generally adopt the X.500 format;
  • The public key of the certificate owner;
  • The certificate issuer's signature on the certificate.

1.7 Comprehensive application of message digest, digital signature and digital envelope

For example:
Design a secure email transmission system. Requirements:
The email is transmitted in encrypted form. An email attachment can be up to 2GB. The sender cannot deny having sent it. If the email is intercepted by a third party, the third party cannot tamper with it.

The design is as follows:
[Figure: design of the secure email transmission system]
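The combination this exercise asks for, covering the digest-then-sign step of section 1.3 and the digital envelope of section 1.4, as an added Go example that is not the article's own design figure. The algorithm choices (RSA-2048 with PSS and OAEP, SHA-256, AES-256-GCM), the type and function names, the key pairs and the message are assumptions made for this example, and the mail is held in memory rather than streamed.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// Mail is what crosses the network; the two key pairs are constructed for the demo.
type Mail struct{ Nonce, Body, WrappedKey, Sig []byte }
var SenderKey, _ = rsa.GenerateKey(rand.Reader, 2048)
var RecipientKey, _ = rsa.GenerateKey(rand.Reader, 2048)

// Seal signs the digest of msg, encrypts msg with a one-time AES key, and wraps that key.
func Seal(msg []byte, sender *rsa.PrivateKey, rcpt *rsa.PublicKey) (*Mail, error) {
	digest := sha256.Sum256(msg) // message digest: only 32 bytes go through RSA signing
	sig, errS := rsa.SignPSS(rand.Reader, sender, crypto.SHA256, digest[:], nil)
	rnd := make([]byte, 44) // one-time 32-byte AES key, then a 12-byte GCM nonce
	rand.Read(rnd)
	block, _ := aes.NewCipher(rnd[:32])
	gcm, _ := cipher.NewGCM(block)
	wrapped, errW := rsa.EncryptOAEP(sha256.New(), rand.Reader, rcpt, rnd[:32], nil) // envelope
	return &Mail{rnd[32:], gcm.Seal(nil, rnd[32:], msg, nil), wrapped, sig}, errors.Join(errS, errW)
}

// Open unwraps the AES key, decrypts the body, re-hashes it and verifies the signature.
func Open(m *Mail, rcpt *rsa.PrivateKey, sender *rsa.PublicKey) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, rcpt, m.WrappedKey, nil)
	if err != nil || len(key) != 32 || len(m.Nonce) != 12 {
		return nil, errors.New("envelope rejected: cannot unwrap content key")
	}
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	msg, err := gcm.Open(nil, m.Nonce, m.Body, nil)
	digest := sha256.Sum256(msg)
	if err != nil || rsa.VerifyPSS(sender, crypto.SHA256, digest[:], m.Sig, nil) != nil {
		return nil, errors.New("mail rejected: body altered or signature invalid")
	}
	return msg, nil
}

func main() {
	m, _ := Seal([]byte("constructed sample mail"), SenderKey, &RecipientKey.PublicKey)
	msg, err := Open(m, RecipientKey, &SenderKey.PublicKey)
	println(string(msg), err == nil)
}
```

The RSA operations only ever touch 32 bytes (the digest and the content key), which is what keeps a 2GB attachment practical; the bulk data goes through the symmetric cipher alone.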

1.8 PKI public key system

  • CA (Certificate Authority): certification center
  • RA (Registration Authority): registration approval authority
  • Certificate acceptance point
  • KMC: key management center

2. Network security

2.1 Security Protocol

Security at all levels:
[Figure: security at each level]

2.2 Cyber attacks

Passive attacks: mainly collect information and destroy confidentiality.

Active attacks: the main categories are interruption (destroys availability), tampering (destroys integrity) and forgery (destroys authenticity).

2.3 Level protection standards

The lowest security level is user autonomous protection and the highest is access verification protection.

Security protection level:
[Figure: security protection levels]

3. Information security

3.1 System security protection system level

The hierarchical division of the security protection system:

  • (1) Security of the physical environment: includes the security of communication lines, physical equipment, computer rooms, etc.
  • (2) Security of the operating system: mainly manifested in three aspects. First, insecurity caused by defects of the operating system itself, mainly including identity authentication, access control and system vulnerabilities; second, security configuration issues of the operating system; third, the threat of viruses to the operating system.
  • (3) Network security: security issues at the network layer are mainly reflected in the security of computer networks, including network layer identity authentication, access control of network resources, confidentiality and integrity of data transmission, remote access security, domain name system security, routing system security, intrusion detection methods, anti-virus measures for network facilities, etc.
  • (4) Application security: arises from the security of the application software and data used to provide services, including Web services, email systems, DNS, etc. Threats to the system from viruses are also included.
  • (5) Management security: includes the management of security technology and equipment, security management systems, organizational rules for departments and personnel, etc.

3.2 Information security architecture

[Figure: information security architecture]

Security services:
[Figure: security services]


Origin blog.csdn.net/weixin_30197685/article/details/132254614