First statement about talking about here SSH, not three traditional Java framework, but an established Secure Shell protocol at the application layer and the transport layer based on the familiar Linux friends often use to a SSH Secure Shell Cilent of tool, this article is also based on the principle of learning encryption tool, encrypted SSH in principle, to use the RSA asymmetric encryption algorithm, also do together to learn and understand.
Asymmetric encryption algorithm
In the daily production work, we often need to communicate, developers often need data for data encryption and decryption operations to ensure data security. Data encryption algorithm is a non-symmetric encryption and asymmetric encryption two kinds, commonly used DES, Triple DES, AES symmetric encryption belong, i.e., data encryption and decryption may be performed by a key, data key event of leakage, the transmission insecurity.
The core asymmetric encryption algorithm from a mathematical problem, it exists the concept of public and private keys, encryption and decryption operations to complete, requires two keys at the same time to participate. We often say "public key encryption, private key encryption" or "private key encryption, public key to decrypt" asymmetric encryption algorithms belong to the category of asymmetric encryption, RSA algorithm article also mentioned a typical. Public key encryption data must use the private key can decrypt the same private key to encrypt data can only be decrypted by the public key.
Compared with symmetric encryption, asymmetric encryption security has been improved, but there are obvious drawbacks, asymmetric encryption and decryption efficiency is much smaller than symmetric encryption. Therefore, asymmetric encryption is often used in some high security applications or requirements in the field.
Typical RSA asymmetric encryption
RSA encryption algorithm is a typical non-symmetric encryption algorithm, which is based on factoring large numbers of math problems, it is also the most widely used asymmetric encryption algorithms, three in 1978 by the Massachusetts Institute of Technology (MIT) of learn: Ron Rivest, Adi Shamir and Leonard Adleman jointly proposed.
Its principle is simple, we assume the message sender A and recipient B a message, the following steps, we can complete the encryption of the transmitted message:
-
A message sender constructs the key pair in the local public and private keys;
-
A sender of a message generated public key is sent to the message recipient B;
-
B, when A transmission data by the public key of the encrypted, data A received by the private key to decrypt a complete communication;
-
Conversely, when the transmission data A to B, by the private key to encrypt data, the data received by the B public key for decryption.
Since the public key is exposed to the message sender A message receiver B, so that in this way there are some security risks, if the public key leakage in the data transmission process, by the A private key encrypted data can be decrypted.
If you want to establish a more secure encrypted messaging model requires the message sender and the message recipient a key pair for each construct, and were exposed to each other's public key, performing message passing, A by B, public key encrypt the data, the received message B through B of the private key to decrypt, and vice versa, by a, B public key encrypted by a, after receiving the message a private key for decryption.
Of course, there may be risks in this way data transfer is simulated, we can further enhance the security of a digital signature technology. Due to the presence of asymmetric encryption and decryption many times, in this way it brings efficiency and more serious.
SSH encryption principle
In principle SSH secure protocol, in conjunction with a symmetric encryption and asymmetric encryption algorithms, look at the following:
A clarification here:
-
First, the server will asymmetric encryption, generating a public key and a private key ;
-
在客户端发起请求时,服务端将公钥暴露给客户端,这个公钥可以被任意暴露;
-
客户端在获取公钥后,会先产生一个由256位随机数字组成的会话密钥,这里称为口令;
-
客户端通过公钥将这个口令加密,发送给服务器端;
-
服务器端通过私钥进行解密,获取到通讯口令;
-
之后,客户端和服务端的信息传递,都通过这个口令进行对称的加密。
个人感觉,这样的设计在一定程度上提高了加解密的效率,不过,与客户端服务端各构建一套密钥对的加解密方式相比,在安全性上可能有所下降。在上面所述的通过口令进行加密的过程中,数据也是可以被窃听的,不过由于密钥是256个随机数字,有10的256次方中组合方式,所以破解难度也很大。相对还是比较安全的。服务端和客户端都提前知道了密钥,SSH的这种方式,服务端是通过解密获取到了密钥。
DH密钥交换算法
SSH的原理,是基于RSA非对称加密,RSA是基于大数的因式分解数学难题,下面要提到的DH密钥交换算法则是基于有限域上的离散对数难题。
DH算法是一种密钥协商算法,只用于密钥的分配,不用于消息的加解密。它提供了一种安全的交换密钥的方式,通过交换的密钥进行数据的加解密。就像SSH原理中,口令的交换,不过DH算法更安全。
我们举个例子来进行说明,假设有A、B两方,A作为发送者,B作为接收者。通过下面的几个步骤就可以构建出一个只属于双方的密钥口令,如下:
-
首先A、B双方,在通信前构建专属于自己的密钥对,假设分别是公钥A,私钥A,公钥B,私钥B;
-
A将自己的公钥A暴露给B,B通过私钥B和公钥A经过一定的运算产生出本地的密钥B;
-
同样,B将自己的公钥B暴露给A,A通过私钥A和公钥B经过一定的运算产生出本地的密钥A;
-
最后,这个算法有意思的一点就是,密钥A和密钥B是一致的,这样A、B双方就拥有了一个属于双方的“秘密”口令;
DH算法的产生是,对称加密向非对称加密的过度,为后续非对称加密的产生和发展奠定了基础。
转载于:https://www.cnblogs.com/Alenliu/p/5040062.html