Common types of key encryption algorithms can be roughly divided into three categories: symmetric encryption, asymmetric encryption and one-way encryption. Let's take a look at the relevant algorithm principles and its commonly used algorithms.
In encrypted transmission, the symmetric key method was originally adopted, that is, both encryption and decryption use the same key.
1. Symmetric encryption algorithm adopts single key encryption. In the communication process, the data sender divides the original data into fixed-size blocks, encrypts them one by one with keys and encryption algorithms, and sends them to the receiver.
2. After receiving the encrypted message, the receiver uses the same key to decrypt the combination with a decryption algorithm to obtain the original data.
Illustration:
Asymmetric encryption algorithm uses two different passwords (public key and private key) for encryption and decryption. Public keys and private keys exist in pairs. The public key is extracted from the private key and made public to everyone. If the data is encrypted with a public key, only the corresponding private key (which cannot be disclosed) can be decrypted, and vice versa. N users need 2N keys to communicate.
Asymmetric key encryption is suitable for encrypting sensitive information such as keys or identity information to meet the security needs of users.
1.a uses B's public key combined with the corresponding asymmetric algorithm to encrypt the plaintext and send it to B, and send the ciphertext to B. ..
2. After receiving the ciphertext, B decrypts it with its own private key and asymmetric algorithm to get plaintext and get the original plaintext.
Illustration:
One-way encryption algorithm can only be used to encrypt data, but not decrypt it. Its characteristics are fixed-length output and avalanche effect (a small number of message bits will change many bits in the message digest).
One-way encryption algorithm is often used to extract data fingerprints, verify data integrity, digital abstract, digital signature and so on.
1. The sender encrypts the plaintext with a one-way encryption algorithm to generate a ciphertext string with a fixed length, and then transmits it to the receiver.
2. The receiver uses the same one-way encryption algorithm to encrypt the plaintext used for comparison and verification to obtain the encrypted ciphertext string.
3. Compare it with the ciphertext string sent by the sender. If the ciphertext string before and after transmission is consistent, it means that the data has not been destroyed in the transmission process; If they are not consistent, it means that the data was lost during transmission.
Illustration:
MD5, sha 1, sha224, etc.
IKE (Internet Key Exchange) usually means that both parties can encrypt and decrypt data by exchanging keys.
There are two common key exchange methods:
The public key is encrypted and transmitted to the other party for decryption through the network. The disadvantage of this method is that it is likely to be intercepted and cracked, so it is not commonly used.
DH algorithm is a key exchange algorithm, which is not used for encryption or digital signature.
DH algorithm is encrypted with * * * parameters, private parameters and algorithm information that both parties have, and then the two parties exchange calculation results. After the exchange is completed, they execute a special algorithm with their own private parameters. The calculation results of both sides are the same, and this result is the key.
For example:
safe
In the whole process, the third party can only get two values, P and G, and AB exchanges the calculation results, so this method is very safe.
Answer: Use a public key certificate.
Public key infrastructure is a collection of hardware, software, personnel, policies and programs.
It is used to realize the generation, management, storage, distribution and revocation of keys and certificates based on public key cryptography.
Certificate Authority CA, Registration Authority RA, Certificate Revocation List CRL and Certificate Access Library CB.
A public key certificate is declared by a digital signature, which binds the value of the public key to the identity of the person, device or service holding the corresponding private key. The generation of public key certificate follows the provisions of X.509 protocol, and its contents include: certificate name, certificate version, serial number, algorithm identification, issuer, validity period, effective start date, effective end date, public key, certificate signature, etc.
1. Customer A prepares digital information (plain text) to be transmitted. (Prepare plain text)
2. Client A hashes the digital information to obtain an information digest. (Prepare summary)
3. Client A encrypts the information digest with CA's private key (SK) to obtain the digital signature of Client A and attach it to the digital information. (Digitally signing digital information with private key)
4. Client A randomly generates an encryption key (DES key), and uses this key to encrypt the information to be sent to form ciphertext. (generate ciphertext)
5. Client A encrypts the encryption key randomly generated just now with the public keys (PK) of both parties, and sends the encrypted DES key to Party B together with the ciphertext. (Asymmetric encryption, where DES key is encrypted with public key)
6. Bank B receives the ciphertext and the encrypted DES key sent by customer A, and decrypts the encrypted DES key with its own private key (SK) to obtain the DES key. (Decrypt DES key with private key)
7. Bank B decrypts the received ciphertext with DES key to obtain plaintext digital information, and then discards DES key (that is, DES key is invalid). (Decrypted Text)
8. Bank B decrypts the digital signature of customer A with the public key (PK) owned by both parties, and obtains the information summary. Bank B uses the same hashing algorithm to hash the received plaintext again to obtain a new message digest. (Decrypt digital signature with public key)
9. Bank B compares the received information summary with the newly generated information summary, and if they are consistent, it means that the received information has not been modified. (Comparing information summary with information)
The answer is that there is no guarantee that the CA's public key has not been tampered with. Usually, the operating system and browsers will prefabricate some CA certificates locally. Therefore, the sender should go to those certified CA to apply for a digital certificate. This is guaranteed.
However, if a malicious CA certificate is inserted into the system, the fake sender's public key can still be sent through a fake digital certificate to verify the fake text information. Therefore, the premise of security is that illegal CA certificates cannot be inserted into the system.
end