Using the ElGamal algorithm to protect cross-system calls

Why do we need an encryption algorithm?

In development we generally have to protect sensitive data, so data is encrypted in transit, which improves the security of the whole system.

Take data exchange between a client and a server as an example: data that the server queries from the database is sent to the client in encrypted form, and data that the client submits to the server is encrypted as well; each side decrypts with the corresponding rules. During transmission, anyone with ulterior motives who captures the traffic with a tool such as Fiddler will find it extremely difficult to obtain private data, which achieves our aim of improving data security.

On Monday I received a requirement: some leaders wanted to jump from system A to system B without entering a password, because they felt that entering a user name, password and verification code again in system B was too cumbersome, especially when they have a lot of approval work to get through.

If the two systems had been built on a unified framework with CAS single sign-on from the start, this would not be an issue at all. But system A and system B are both nearly a decade old, so that is certainly not an option, and making the password-free login secure became the top priority of this requirement.

The overall idea

Setting the encryption itself aside, here is how I approached the requirement as a whole:

Overall Chart

The specific steps are:

  1. System A initiates a password-free login request
  2. System B obtains a key pair through the encryption algorithm (public key and private key, asymmetric encryption)
  3. System B encrypts the public key and returns it to system A
  4. System A decrypts the public key, uses it to encrypt the data, and submits the result to system B
  5. System B uses the private key to decrypt the ciphertext
  6. If decryption succeeds, the password-free login is performed; if it fails, the operation is abandoned.

That is roughly the overall architecture. Even if someone with ulterior motives uses a capture tool to intercept both API requests, it is difficult to get at the real data.

Encryption Algorithm Selection

What algorithm?

As is well known, encryption falls into two general directions: symmetric encryption and asymmetric encryption.

Symmetric encryption: encryption and decryption use the same key, which is shared by both communicating parties.

  • Encryption: plaintext + key => ciphertext
  • Decryption: ciphertext - key => plaintext

Asymmetric encryption: there are two keys, a public key (Public Key) and a private key (Private Key), and data is encrypted and decrypted with different keys. Data encrypted with the public key is decrypted with the private key.

  • Encryption: plaintext + public key => ciphertext
  • Decryption: ciphertext - private key => plaintext

Symmetric encryption disadvantages:

The disadvantage of symmetric encryption algorithms is that the key cannot be passed securely. If the key is intercepted, all ciphertext encrypted with it is unsafe.

Asymmetric encryption features:

With an asymmetric encryption algorithm, even if a third party intercepts the ciphertext on the network, it cannot obtain the recipient's private key and so cannot decrypt the ciphertext. The recipient must of course keep their own private key safe. Asymmetric encryption therefore solves the security problem of key transmission.

With that, the general direction is settled: asymmetric encryption it is. So which asymmetric encryption algorithms are there?

Types of asymmetric encryption algorithm:

RSA, ElGamal, knapsack algorithms, Rabin, Diffie-Hellman, ECC (Elliptic Curve Cryptography). RSA is the most widely used, and ElGamal is another commonly used asymmetric encryption algorithm. Taking cost and learning curve into account, I chose the ElGamal algorithm this time, for two reasons:

  1. ElGamal does not encrypt and decrypt in both directions; RSA does.

    Two-way encryption and decryption: both the public key and the private key can be used to encrypt and decrypt (data encrypted with the public key needs the private key to decrypt; data encrypted with the private key needs the public key to decrypt).

  2. I searched online for a long time and did not find a decryption tool for ElGamal, whereas I did find one for RSA (whether it actually works I am not sure) ...

As the saying goes, the tall tree attracts the wind. Rather than use RSA, the most common asymmetric encryption, I decided to choose a relatively less popular algorithm, so that the common online cracking sites do not offer an easy cracking channel, further increasing data security. Being unpopular, however, also brings some inherent problems of its own, which I will come to later.

Some problems when using the ElGamal algorithm

1. Illegal key size or default parameters

When you find an existing ElGamal or RSA demo and happily run its main method, there is a good chance you will hit this problem. Don't panic if it leaves you baffled: it is the result of US export restrictions limiting the key length of encryption algorithms. The specific reasons:

Every country, especially the United States, controls software products involving cryptography very strictly. The United States restricts the key length of many cryptographic algorithms. Some algorithms have not been patented in certain countries and can be used "in excess" there, while other countries set explicit limits and do not allow such use. Under these conditions, Sun had to follow established practice.

To borrow an old Chinese saying: where there is a policy, there is a countermeasure. Oracle also released separate unrestricted policy files to solve this problem (local_policy.jar and US_export_policy.jar). We just download the files for the corresponding JDK version and overwrite the ones under the specified path (%JDK_HOME%\jre\lib\security).

2. The JDK does not directly support the ElGamal algorithm

This is a problem that comes with being unpopular: the JDK does not support ElGamal directly, so two jar packages have to be introduced:

  1. bouncycastle Download:

    www.bouncycastle.org/latest_rele…

  2. commons-codec Download:

    archive.apache.org/dist/common…

Of the two jars, one provides support for the ElGamal algorithm itself and the other provides support for Base64; both need to be added to the project.

3. ElGamal KeyFactory not available

In real use of the ElGamal algorithm we rarely use the public and private keys on one side only, so we need to run the public-key encryption method on another platform. A common public-key encryption method is written like this:

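import java.security.KeyFactory;
import java.security.PublicKey;
import java.security.spec.X509EncodedKeySpec;
import javax.crypto.Cipher;

// KEY_ALGORITHM is the enclosing class's constant naming the algorithm ("ElGamal").
public static byte[] encryptByPublicKey(byte[] data, byte[] key) throws Exception {
    // Instantiate the key factory (this is the call that fails on a JVM
    // where no ElGamal provider has been registered)
    KeyFactory keyFactory = KeyFactory.getInstance(KEY_ALGORITHM);
    // Initialize the public key: convert the encoded key material
    X509EncodedKeySpec x509KeySpec = new X509EncodedKeySpec(key);
    // Produce the public key
    PublicKey pubKey = keyFactory.generatePublic(x509KeySpec);

    // Encrypt the data
    Cipher cipher = Cipher.getInstance(keyFactory.getAlgorithm());
    cipher.init(Cipher.ENCRYPT_MODE, pubKey);
    return cipher.doFinal(data);
}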

When the public-key encryption method lives in the same program this is no problem, because by the time the main method runs, the initKey-related work has already been done. But if you call this method directly on another platform, it reports an error:

java.security.NoSuchAlgorithmException: ElGamal KeyFactory not available

This is another after-effect of being unpopular. The JDK does not implement the ElGamal algorithm, so asking KeyFactory for an instance of the algorithm directly, without any initialization, is bound to fail. The solution is to do the initialization yourself, after which there is nothing to fear:

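import java.security.KeyFactory;
import java.security.PublicKey;
import java.security.Security;
import java.security.spec.X509EncodedKeySpec;
import javax.crypto.Cipher;
import org.bouncycastle.jce.provider.BouncyCastleProvider;

// KEY_ALGORITHM is the enclosing class's constant naming the algorithm ("ElGamal").
public static byte[] encryptByPublicKey(byte[] data, byte[] key) throws Exception {
    // Add BouncyCastle support. This registration is the initialization the
    // JDK lacks; no parameter generator or key-pair generator is needed
    // just to encrypt with an existing public key.
    if (Security.getProvider(BouncyCastleProvider.PROVIDER_NAME) == null) {
        Security.addProvider(new BouncyCastleProvider());
    }
    // Instantiate the key factory
    KeyFactory keyFactory = KeyFactory.getInstance(KEY_ALGORITHM);
    // Initialize the public key: convert the encoded key material
    X509EncodedKeySpec x509KeySpec = new X509EncodedKeySpec(key);
    // Produce the public key
    PublicKey pubKey = keyFactory.generatePublic(x509KeySpec);
    // Encrypt the data
    Cipher cipher = Cipher.getInstance(keyFactory.getAlgorithm());
    cipher.init(Cipher.ENCRYPT_MODE, pubKey);
    return cipher.doFinal(data);
}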
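The six-step flow from "The overall idea" and the provider registration above, put together as one round trip. This is an added example, not code from the original post: the class and method names, the 2048-bit KEY_SIZE, the PKCS1 padding, the Base64 transport of the public key (via java.util.Base64 rather than commons-codec) and the sample payload are all assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.security.spec.X509EncodedKeySpec;
import java.util.Base64;
import javax.crypto.Cipher;
import org.bouncycastle.jce.provider.BouncyCastleProvider;

public class ElGamalRoundTrip {                                   // hypothetical class name
    static final String ALG = "ElGamal";
    static final String TRANSFORM = "ElGamal/None/PKCS1Padding";  // this example's padding choice
    static final int KEY_SIZE = 2048;                             // assumed; the post does not show its KEY_SIZE

    // Every JVM that touches ElGamal (system A and system B) must register BouncyCastle itself.
    static void ensureProvider() {
        if (Security.getProvider("BC") == null) Security.addProvider(new BouncyCastleProvider());
    }

    // System B, step 2: generate the key pair (parameter generation at this size is slow).
    static KeyPair generateKeyPair() throws GeneralSecurityException {
        ensureProvider();
        KeyPairGenerator kpg = KeyPairGenerator.getInstance(ALG, "BC");
        kpg.initialize(KEY_SIZE, new SecureRandom());
        return kpg.generateKeyPair();
    }

    // System A, step 4: rebuild the public key from its Base64 X.509 form and encrypt.
    static String encrypt(String publicKeyB64, String plaintext) throws GeneralSecurityException {
        ensureProvider();
        byte[] der = Base64.getDecoder().decode(publicKeyB64);
        PublicKey pub = KeyFactory.getInstance(ALG, "BC").generatePublic(new X509EncodedKeySpec(der));
        Cipher c = Cipher.getInstance(TRANSFORM, "BC");
        c.init(Cipher.ENCRYPT_MODE, pub);
        return Base64.getEncoder().encodeToString(c.doFinal(plaintext.getBytes(StandardCharsets.UTF_8)));
    }

    // System B, step 5: decrypt with the private key, which never leaves system B.
    static String decrypt(PrivateKey priv, String cipherB64) throws GeneralSecurityException {
        ensureProvider();
        Cipher c = Cipher.getInstance(TRANSFORM, "BC");
        c.init(Cipher.DECRYPT_MODE, priv);
        return new String(c.doFinal(Base64.getDecoder().decode(cipherB64)), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        KeyPair kp = generateKeyPair();
        String pubB64 = Base64.getEncoder().encodeToString(kp.getPublic().getEncoded()); // step 3
        String token = encrypt(pubB64, "user=alice;ts=" + System.currentTimeMillis());   // constructed payload
        System.out.println(decrypt(kp.getPrivate(), token));                             // steps 5 and 6
    }
}
```

Asking for the "BC" provider by name in every getInstance call makes a missing registration fail with NoSuchProviderException at the exact call site instead of the less specific "KeyFactory not available".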

4. Cannot find any provider supporting ElGamal

Not everyone will run into this problem. A colleague on the server side needed to call the encryption method from their own end, so I thought of packaging the necessary classes into a jar. I separated out the source, did a basic wrapping, and then built it into a jar with Build FatJar. The test project imported it without trouble, and with everything ready I ran the main method, and then got the error .....

java.security.NoSuchAlgorithmException: Cannot find any provider supporting ElGamal

ElGamal not supported??? The corresponding initialization has clearly been added, so why does it not take effect?

In fact it is not that the initialization method did not run; the third-party jars required inside the jar package were not loaded properly. I checked and found that when the third-party jars were merged, the packaged jar's MANIFEST.MF lost the Export- Include-Resource package entries and the description of the third-party jars. For the solution, see:

www.cnblogs.com/skyme/artic…

Since this project only needs two jar packages, my solution was to export my own code as a single jar, and then add my exported jar, the bouncycastle jar and the codec jar to the new project separately, so that everything runs properly.
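A small check for telling problems 3 and 4 apart on the machine that fails: is the BouncyCastle class on the classpath, which jar is it loaded from, is any provider registered for ElGamal, and can the cipher actually be obtained. This is an added example, not code from the original post; the class and method names are hypothetical, and it uses only JDK classes so that it also runs where BouncyCastle is missing.

```java
import java.security.CodeSource;
import java.security.Provider;
import java.security.Security;
import java.util.ArrayList;
import java.util.List;
import javax.crypto.Cipher;

public class ElGamalProviderCheck {                      // hypothetical class name
    // Names of registered providers that offer the given service type for ElGamal.
    static List<String> providersFor(String type) {
        List<String> names = new ArrayList<>();
        for (Provider p : Security.getProviders()) {
            if (p.getService(type, "ElGamal") != null) names.add(p.getName());
        }
        return names;
    }

    // Where the BouncyCastle provider class is loaded from, or null if it is not on the classpath.
    static String bouncyCastleLocation() {
        try {
            Class<?> c = Class.forName("org.bouncycastle.jce.provider.BouncyCastleProvider");
            CodeSource src = c.getProtectionDomain().getCodeSource();
            return src == null ? "(unknown code source)" : String.valueOf(src.getLocation());
        } catch (ClassNotFoundException | LinkageError e) {
            return null;
        }
    }

    // "ok" if the JCE hands out an ElGamal cipher, otherwise the exception it raised.
    static String cipherStatus() {
        try {
            Cipher.getInstance("ElGamal");
            return "ok";
        } catch (Exception e) {
            return e.toString();
        }
    }

    public static void main(String[] args) {
        String location = bouncyCastleLocation();
        System.out.println("BouncyCastle loaded from : " + (location == null ? "NOT ON CLASSPATH" : location));
        System.out.println("KeyFactory providers     : " + providersFor("KeyFactory"));
        System.out.println("Cipher providers         : " + providersFor("Cipher"));
        System.out.println("Cipher.getInstance result: " + cipherStatus());
    }
}
```

Run it after whatever initialization the application performs. An empty provider list means the registration from problem 3 never happened in this JVM; a location that points at the merged jar rather than the original bouncycastle jar is the packaging situation described in problem 4.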

Summary

These are some of the problems I ran into when using the ElGamal algorithm. I hope you can avoid them in your own use; this also serves as a record for myself.

Origin juejin.im/post/5d8c2adb51882509675bf766