In a typical case where encryption is used, two parties (Xiaohong and Xiaoming) communicate on an insecure channel. Xiaohong and Xiaoming want to make sure that anyone who may be listening can't understand their communication. And because Xiaohong and Xiaoming are far apart, Xiaohong must ensure that the information she received from Xiaoming has not been modified by anyone during transmission. In addition, she must make sure that the information is really sent by Xiao Ming, not someone imitating Xiao Ming.
Encryption is used for the following purposes:
Privacy: Helps protect the user's identity or data from being read.
Data integrity: helps protect data from being changed.
Authentication: Ensure that the data comes from a specific party.
To achieve these goals, you can use a combination of algorithms and conventions (called encryption primitives) to create encryption schemes. The following table lists encryption primitives and their usage.
Encryption primitive usage
Private key encryption (symmetric encryption) transforms data so that third parties cannot read it. This type of encryption uses a single key to encrypt and decrypt data.
Public key encryption (asymmetric encryption) transforms data so that it cannot be read by a third party. This type of encryption uses a public/private key pair to encrypt and decrypt data.
Encrypted signatures help to verify whether data comes from a specific party by creating a digital signature unique to that party. This process also uses a hash function.
A cryptographic hash maps data of any length to a byte sequence of fixed length. Hashes are statistically unique; Different double-byte sequences do not hash to the same value.
Private key encryption
The private key encryption algorithm uses a single private key to encrypt and decrypt data. Since anyone who owns the key can use it to decrypt the data, it is necessary to protect the key from the attack of unauthorized agents. Private key encryption is also called symmetric encryption because encryption and decryption use the same key. The private key encryption algorithm is very fast (compared with the public key algorithm), which is especially suitable for performing encryption conversion on large data streams.
Usually, a private key algorithm (called block cipher) is used to encrypt one data block at a time. Block ciphers (such as RC2, DES, TrippleDES and Rijndael) convert an input block of n bytes into an output block of encrypted bytes through encryption. If you want to encrypt or decrypt a byte sequence, you must do it block by block. Since n is very small (for RC2, DES and TripleDES, n = 8 bytes; N = 16[ default value]; N = 24 for Rijndael, n = 32), so values greater than n must be encrypted one block at a time.
The block cipher class provided in the basic class library uses a chain mode called cryptographic blockchain (CBC), which uses a key and an initialization vector (IV) to perform encryption conversion on data. For a given private key K, a simple block cipher without initialization vector will encrypt the same plaintext input block into the same ciphertext output block. If there are duplicate blocks in the plaintext stream, there will also be duplicate blocks in the ciphertext stream. If unauthorized users know any information about the structure of plaintext blocks, they can use this information to decrypt known ciphertext blocks and may find your key. In order to overcome this problem, the information in the previous block can be mixed into the process of encrypting the next block. In this way, the output of two identical plaintext blocks will be different. Because this technique uses the previous block to encrypt the next block, it uses IV to encrypt the first data block. Using this system, the public message header that unauthorized users may know will not be used to reverse engineer the key.
One way to destroy data encrypted with this type of password is to thoroughly search every possible key. Depending on the size of the key used to perform encryption, even using the fastest computer to perform such a search is extremely time-consuming and therefore difficult to implement. Using a larger key size will make decryption more difficult. Although in theory, encryption will not make it impossible for opponents to retrieve encrypted data, it does greatly increase the cost of doing so. If it takes three months to perform a thorough search to retrieve data that is meaningful only in a few days, then the method of exhaustive search is not practical.
The disadvantage of private key encryption is that it assumes that both parties have reached an agreement on the key and IV, and conveyed the values of the key and IV to each other. In addition, the key must be kept secret from unauthorized users. Because of these problems, private key encryption is usually used with public key encryption to secretly pass the values of key and IV.
Suppose Xiaohong and Xiaoming are two parties who want to communicate on an insecure channel. They may use the following private key encryption. Both Xiaohong and Xiaoming agree to use a specific algorithm (such as Rijndael) and a specific key and IV. Xiaohong wrote a message and created a network stream to send it. Next, she uses the key and IV to encrypt the text and send it over the Internet. She didn't send Xiao Ming the key and IV. Xiao Ming received the encrypted text and decrypted it with the pre-agreed key and IV. If the transmitted content is intercepted, the interceptor will not be able to recover the original message because the interceptor does not know the key or IV. In this scheme, the key must be kept secret, while IV does not need to be kept secret. In the actual scheme, Xiaohong or Xiaoming will generate a private key and use public key (asymmetric) encryption to transfer the private key (symmetric) to the other party. For more information, see the public key encryption section later in this topic.
Yes. NET Framework provides the following classes that implement the private key encryption algorithm:
DESCryptoServiceProvider
RC2CryptoServiceProvider
RijndaelManaged
TripleDESCryptoServiceProvider
Public key encryption
Public key encryption uses a private key that must be kept secret from unauthorized users and a public key that can be made public to anyone. The public key and the private key are mathematically related; Data encrypted with public key can only be decrypted with private key, and data signed with private key can only be verified with public key. The public key can be provided to anyone; The public key is used to encrypt data to be sent to the holder of the private key. Both keys are unique to the communication session. Public key encryption algorithm is also called asymmetric algorithm, because one key is needed to encrypt data and another key is needed to decrypt data.
The public key encryption algorithm uses a fixed buffer size, while the private key encryption algorithm uses a variable length buffer. Public key algorithm can't link data into streams like private key algorithm, because it can only encrypt a small amount of data. Therefore, asymmetric operations do not use the same flow model as symmetric operations.
Both parties (Xiaohong and Xiaoming) can use public key encryption in the following ways. First, Xiaohong generates a public/private key pair. If Xiaoming wants to send an encrypted message to Xiaohong, he will ask her for the public key. Xiaohong sends her public key to Xiaoming through an insecure network, and Xiaoming uses this key to encrypt the message. If Xiao Ming receives Xiao Hong's key over an insecure channel (such as a public network), Xiao Ming must check with Xiao Hong whether he has the correct copy of her public key. Xiaoming sends the encrypted message to Xiaohong, who decrypts the message with her private key.
However, in the process of Xiaohong's public key transmission, unauthorized agents may intercept the key. In addition, the same agent can intercept encrypted messages from Xiaoming. However, the proxy cannot decrypt the message with the public key. The message can only be decrypted with Xiaohong's private key, which has not been transmitted. Xiaohong doesn't use her private key to encrypt the reply message to Xiaoming, because anyone with a public key can decrypt the message. If Xiaohong wants to send the message back to Xiaoming, she will ask Xiaoming for his public key and use it to encrypt her message. Xiao Ming then uses the private key associated with him to decrypt the message.
In a practical scheme, Xiaohong and Xiaoming use public key (asymmetric) encryption to transmit the private key, and use private key encryption in the rest of their conversations.
Public key encryption has a larger key space (or range of possible values of keys), so it is less vulnerable to exhaustive attacks of trying every possible key. Because there is no need to protect the public key, it is easy to distribute. Public key algorithms can be used to create digital signatures to verify the identity of the data sender. However, the public key algorithm is very slow (compared with the private key algorithm) and is not suitable for encrypting a large amount of data. The public key algorithm is only useful for transmitting a small amount of data. Public key encryption is usually used to encrypt the key and IV used by the private key algorithm. After the key and IV are transferred, the rest of the session will be encrypted with the private key.
Yes. NET Framework provides the following classes that implement public key encryption algorithms:
DSACryptoServiceProvider
RSACryptoServiceProvider
digital signature
Public key algorithms can also be used to form digital signatures. Digital signatures verify the sender's identity (if you trust the sender's public key) and help protect the integrity of data. Using the public key generated by Xiaohong, the receiver of Xiaohong's data can verify whether Xiaohong sent the data by comparing the digital signature with Xiaohong's data and Xiaohong's public key.
In order to digitally sign a message using public key encryption, Xiaohong first applies a hash algorithm to the message to create a message digest. Message digest is a compact and unique representation of data. Xiaohong then encrypts the message digest with her private key to create her personal signature. When receiving the message and signature, Xiao Ming uses Xiaohong's public key to decrypt the signature to recover the message digest, and uses the same hashing algorithm as Xiaohong to hash the message. If the message digest calculated by Xiaoming is exactly the same as the message digest received from Xiaohong, Xiaoming can determine that the message is from the holder of the private key and the data has not been modified. If Xiaoming believes Xiaohong is the holder of the private key, then he knows that the message is from Xiaohong.
Please note that since the sender's public key is well known, and it is usually included in the digital signature format, anyone can verify the signature. This method cannot guarantee the confidentiality of the message; In order to keep the message secret, you must also encrypt the message.
Yes. NET Framework provides the following classes that implement digital signature algorithms:
DSACryptoServiceProvider
RSACryptoServiceProvider
hashed value
Hash algorithm maps an arbitrary length binary value to a smaller fixed length binary value, which is called hash value. Hash value is a unique and extremely compact digital representation of a piece of data. If the plaintext is hashed, or even a letter in a paragraph is changed, the subsequent hash calculation will produce different values. It is impossible to find two different inputs with the same hash value by calculation.
Message authentication code (MAC) hash function is usually used to sign data with digital signature, while message detection code (MDC) hash function is used for data integrity.
Both parties (Xiaohong and Xiaoming) can use hash function to ensure data integrity in the following ways. If Xiaohong writes a message to Xiaoming and creates a hash of the message, Xiaoming can hash the message later and compare his hash with the original hash. If the two hash values are the same, the message has not been changed; If the values are different, the message has been changed since Xiaohong wrote it. In order to make this system work, Xiaohong must keep the original hash value secret from everyone except Xiaoming.
Yes. NET Framework provides the following classes that implement digital signature algorithms:
HMACSHA 1
MACTripleDES
MD5CryptoServiceProvider
Sha 1 managed
Sha 256 trusteeship
Sha 384 management
Sha 5 12 managed
Random number generation
Random number generation is an indispensable part of many encryption operations. For example, encryption keys need to be as random as possible to make the generated keys difficult to copy. The encrypted random number generator must generate a number that cannot be calculated (lower than P
The RNGCryptoServiceProvider class is the implementation of the random number generator algorithm.