1. There are three common man-in-the-middle attacks on the network: 1) eavesdropping 2) data tampering 3) session hijacking.
2. There are three commonly used methods for data encryption: symmetric encryption, asymmetric encryption and one-way encryption.
3.ssl: secure socket layer, a secure socket layer.
4.TLS: Transport layer security, similar to ssl.
5. Random number generators: /dev/random and /dev/urandom. -Salt: Depends on the random number generator.
6. Sources of random numbers: entropy pool and pseudo-random number generator. The random number in the entropy pool comes from the interruption of the block device and the tapping time interval of the keyboard and mouse; The random numbers in the pseudo-random number generator come from entropy pool and software generation.
7.openssl rand [base64] num can also be used to generate random numbers.
8. Echo–n "QQ" | OpenSSL base64, which means base64 encodes QQ.
Second, symmetric encryption:
1. The encryption party and the decryption party use the same key.
2. The encryption and decryption speed is relatively fast, which is suitable for long data.
3. The key transmission process is unsafe and easy to be cracked, and the key management is also troublesome.
4. Encryption algorithms: DES (data encryption standard), 3DES, AES (advanced encryption standard, supporting encryption 128, 192, 256, 5 12-bit key), Blowfish.
5. Encryption tools: openssl, gpg(pgp tool)
Third, asymmetric encryption (public key encryption):
1. Each user is encrypted with a pair of keys: a public key and a private key.
2. Public key encryption and private key decryption; Private key encryption, public key decryption.
3. The public key transmission process is unsafe and easy to be stolen and replaced.
4. Because the length of the key used by the public key is very long, the encryption speed of the public key is very slow, and it is generally not used for encryption.
5. One user encrypts with his private key and other users decrypts with his public key, thus realizing the function of digital signature.
6. Another function of public key encryption is to realize key exchange.
7. Encryption and signature algorithm: RSA, ELGamal.
8. Public key signature algorithm: DSA.
9. Encryption tools: gpg, openssl
Four, one-way encryption:
1, features: avalanche effect, fixed-length output, irreversibility.
2. The function is to ensure the integrity of data.
3. Encryption algorithms: md5 (standard key length 128 bits), sha 1 (standard key length 160 bits), md4, CRC-32.
4. Encryption tools: md5sum, sha 1sum, openssl dgst.
5. Calculate the hash value of the file, for example: md5sum/shalsumfilename, OpenSSL dgst–MD5/-sha1filename.
Five, two key exchange mechanisms:
1. Implementation of public key encryption: the sender encrypts his own key with the public key of the receiver, and the receiver decrypts it with his own private key to obtain the sender's key, and vice versa, realizing key exchange.
2. Use DH algorithm: provided that the sender and the receiver negotiate to use the same big prime number P and the generated number G, and the generated random numbers X and Y respectively. The sender sends the value generated by the X-power mod P of G to the receiver, and the receiver sends the value generated by the Y-power mod P of G to the sender. The sender performs the X-power operation on the received result, and the receiver performs the Y-power operation on the received result, finally forming a password and completing the key exchange.
Six, in order to achieve data integrity at the same time, the data encryption and authentication mechanisms adopted are as follows:
Suppose Bob and Ross communicate:
1 encryption process:
Bob uses one-way encryption algorithm to get the signature of the sent data (for data integrity detection). Bob encrypts this signature with his own private key (for authentication) and puts this signature behind the data. Bob generates a password D, and uses this password to encrypt the encrypted signature and data (realize data encryption). The data generated at this time is called Q. Finally, the password D is encrypted with Rose's public key, and D is placed after Q..
2 decryption process:
Rose decrypts with her private key to get D, then decrypts with D to get data and encrypted feature code, and then decrypts this feature code with Bob's public key. If it can be decrypted, it means that Bob sent the data, otherwise it is not. Finally, the one-way encryption algorithm is used to calculate the feature code of the data, and whether the data has been tampered with is determined by comparing the sent feature code with the feature code calculated by Rose. If the feature codes are consistent, the data has not changed. If the signatures are inconsistent, the data has changed.
Seven, openssl:
1) component: libcrypto: encryption library.
Libssl: a library that implements ssl functions.
Openssl: A multipurpose encryption tool, which can provide symmetric encryption, public key encryption and one-way encryption, and can be used as a simple local CA.
2) In symmetric encryption, the file is encrypted by openssl:
OpenSSL enc-des 3-salt-a-in plaintext-out ciphertext
Decryption via openssl:
Opensleenc-d-des3-salt-a-in ciphertext. des3 -out plaintext.
3)openssl version: View openssl version information.
4)openssl: Enter the command line mode of openssl.
5)openssl speed: Test the speed at which an encryption algorithm encrypts keys with different lengths.
6) In public key encryption, openssl can be used to generate private keys.
Openssl genrsa specifies the generated private key length >; The file name to save to.
Openssl genrsa [des3] -out The saved file name specifies the length of the generated private key.
Permission to modify the key file when generating it: (umask 077Openssl genrsa specifies the generated private key length >; Save file name to)
Openssl genrsa specifies the generated private key length [-des3] (encrypted private key file) >; The file name to save to.
Openssl genrsa [-des3] -out The saved file name specifies the length of the generated private key.
When the private key is generated and the file is unencrypted, the unencrypted private key file can be encrypted and saved in the following format: the file is stored in the unencrypted private key of openssl rsa in–the file name is saved to DES 3-out.
Decrypt private key: the private key file that openssl rsa in needs to decrypt-save the file name of -out.
7) Extract the public key from the private key: OpenSSL RSA–in my.key-pub out specifies the file name for saving the public key.