1. Symmetric key management. Symmetric encryption depends on both parties keeping a shared secret. Trading parties using symmetric encryption must ensure that they use the same key, that the exchange of keys between them is safe and reliable, and that procedures are in place to prevent key leaks and to change keys. As a result, the management and distribution of symmetric keys becomes a potentially dangerous and cumbersome process. Managing symmetric keys through public key encryption makes this management simpler and more secure, and also solves the reliability and authentication problems of the pure symmetric key mode. A trading party can generate a unique symmetric key for each exchange of information (such as each EDI exchange), encrypt that key with the public key, and then send the encrypted key together with the information encrypted under it (such as the EDI exchange) to the corresponding trading party. Since a unique key is generated for each information exchange, trading parties no longer need to maintain the key or worry about its leakage or expiration. Another advantage of this method is that even if a key is leaked, it affects only one transaction and not all trading relationships between the parties. This approach also provides a secure way to distribute symmetric keys between trading partners.
2. Public key management/digital certificate. Digital certificates (public key certificates) can be used to exchange public keys between trading partners. The X.509 standard developed by the International Telecommunication Union (ITU) defines digital certificates. This standard is equivalent to the ISO/IEC 9594-8:195 standard jointly issued by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). A digital certificate usually contains the name that uniquely identifies the owner of the certificate (i.e., the trading party), the name that uniquely identifies the issuer of the certificate, the public key of the certificate owner, the digital signature of the certificate issuer, the validity period of the certificate, the serial number of the certificate, etc. The certificate issuer is generally called a certificate authority (CA), which is an organization trusted by all parties in the trade. Digital certificates can be used to identify trading parties and are one of the technologies currently widely used in e-commerce.
3. Standards and specifications related to key management. At present, relevant international standardization organizations are beginning to formulate technical standards and specifications on key management. The Information Technology Committee (JTC1) under ISO and IEC has drafted international standards and specifications on key management. The specification mainly consists of three parts: the first is the key management framework; the second is the mechanism using symmetric technology; the third is the mechanism using asymmetric technology. This specification has now entered the international standard draft voting stage and will soon become an official international standard.
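The per-exchange key scheme from item 1, as an added example (not code from the original page): each message gets a fresh symmetric key, which is wrapped with the receiver's public key and sent alongside the ciphertext. The RSA key is a constructed demo value used without padding, and `stream_xor`, `seal` and `unseal` are hypothetical names; `stream_xor` stands in for a real symmetric cipher such as AES.

```python
import hashlib
import secrets

# Constructed demo RSA key of the receiving party. Mersenne primes are trivially
# factorable; they only keep the example self-contained. Real key wrapping uses
# randomly generated primes and OAEP padding.
P, Q = 2**521 - 1, 2**127 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent


def stream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in symmetric cipher: XOR with a SHA-256 counter keystream."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out += bytes(b ^ p for b, p in zip(data[offset:offset + 32], pad))
    return bytes(out)


def seal(message: bytes):
    """Sender: unique symmetric key per exchange, wrapped with the public key."""
    session_key = secrets.token_bytes(16)
    wrapped_key = pow(int.from_bytes(session_key, "big"), E, N)
    return wrapped_key, stream_xor(session_key, message)


def unseal(wrapped_key: int, ciphertext: bytes) -> bytes:
    """Receiver: unwrap the per-exchange key with the private key, then decrypt."""
    session_key = pow(wrapped_key, D, N).to_bytes(16, "big")
    return stream_xor(session_key, ciphertext)


if __name__ == "__main__":
    edi = b"constructed EDI interchange: ORDER 42, 100 units"
    first, second = seal(edi), seal(edi)
    print(unseal(*first) == edi)          # receiver recovers the message
    print(first[0] != second[0])          # every exchange has its own key
    print(unseal(first[0], second[1]) == edi)  # one leaked key does not open another exchange
```

Because the two envelopes use unrelated keys, recovering the key of one exchange reveals nothing about the other, which is the containment property the text describes.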
Digital signature
Digital signature is another application of public key encryption technology. It works as follows: the sender of the message generates a 128-bit hash value (or message digest) from the message text. The sender encrypts this hash value with its own private key to form the sender's digital signature. This digital signature is then sent to the recipient as an attachment to the message. The receiver first calculates the 128-bit hash value (or message digest) from the original message received, and then uses the sender's public key to decrypt the digital signature attached to the message. If the two hash values are the same, the receiver can confirm that the digital signature belongs to the sender. Digital signatures thus provide identification and non-repudiation of the original message.
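The hash-then-sign exchange described above, as an added example that is not part of the original page. It assumes a constructed demo RSA key used without padding and substitutes SHA-256 for the 128-bit digest the text mentions; `sign` and `verify` are hypothetical names.

```python
import hashlib

# Constructed demo key of the sender. Mersenne primes are trivially factorable
# and are used only so the example needs no key generation; real signatures use
# randomly generated primes and a padding scheme such as PSS.
P, Q = 2**521 - 1, 2**127 - 1
N, E = P * Q, 65537                    # public key (N, E)
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent


def digest_int(message: bytes) -> int:
    """Message digest as an integer smaller than N."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(message: bytes) -> int:
    """Sender: hash the message, then apply the private key to the digest."""
    return pow(digest_int(message), D, N)


def verify(message: bytes, signature: int) -> bool:
    """Receiver: recompute the digest and compare it with the value
    recovered from the signature using the sender's public key."""
    if not 0 <= signature < N:
        return False
    return pow(signature, E, N) == digest_int(message)


if __name__ == "__main__":
    message = b"constructed order: pay 100 to account 12345"
    signature = sign(message)          # sent as an attachment to the message
    print(verify(message, signature))                                   # genuine message
    print(verify(b"constructed order: pay 900 to account 12345", signature))  # altered in transit
```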
ISO/IEC JTC1 is already drafting relevant international standards and specifications. The preliminary title of the standard is "Information technology security technology digital signature scheme with attachments", which consists of two parts: an overview and an identity-based mechanism.
Introduction to cryptography
According to records, in 400 BC, the ancient Greeks invented the substitution cipher. In 1881, the world's first telephone security patent appeared. During World War II, the German military used the "Enigma" cipher machine. Cryptography played a very important role in the war.
With the development of informatization and the digital society, awareness of the importance of information security and confidentiality continues to increase, so in 1997 the National Bureau of Standards announced the implementation of the "American Data Encryption Standard (DES)". The private sector then became fully involved in the research and application of cryptography, and the encryption algorithms in use include DES, RSA, SHA, etc. As the demand for encryption strength continues to increase, AES, ECC, etc. have recently emerged.
Using cryptography can achieve the following purposes:
Confidentiality: Prevent the user's identity or data from being read.
Data integrity: Prevent data from being changed.
Authentication: Ensure that data is sent from a specific party.
2. Introduction to Encryption Algorithms
Modern cryptographic techniques are divided into two categories according to key type: symmetric encryption algorithms (secret key encryption) and asymmetric encryption algorithms (public key encryption).
A symmetric key encryption system uses the same secret key for encryption and decryption; both communicating parties must obtain this key and keep it secret.
In an asymmetric key encryption system, the encryption key (public key) and the decryption key (private key) are different.
In symmetric encryption algorithms, only one key is used to encrypt and decrypt information, that is, the same key is used for encryption and decryption. Commonly used algorithms include:
DES (Data Encryption Standard): fast, suitable for encrypting large amounts of data.
3DES (Triple DES): based on DES; a piece of data is encrypted three times with three different keys, which is stronger.
AES (Advanced Encryption Standard): a next-generation encryption algorithm standard with fast speed and a high security level.
In October 2000, NIST (National Institute of Standards and Technology) announced the adoption of a new key encryption standard selected from 15 candidate algorithms. Rijndael was selected to be the future AES. Rijndael was created in the second half of 1999 by researchers Joan Daemen and Vincent Rijmen. AES is increasingly becoming the de facto standard for encrypting all forms of electronic data.
The National Institute of Standards and Technology (NIST) developed the new Advanced Encryption Standard (AES) specification on May 26, 2002.
Algorithm principle
The AES algorithm is based on permutation and substitution operations. Permutation is the rearrangement of data, and substitution is the replacement of one data unit with another. AES uses several different methods to perform permutation and substitution operations.
AES is an iterative, symmetric-key block cipher that can use 128-, 192-, and 256-bit keys and encrypts and decrypts data in 128-bit (16-byte) blocks. Unlike public key ciphers, which use key pairs, symmetric key ciphers use the same key to encrypt and decrypt data. The encrypted data returned by the block cipher has the same number of bits as the input data. Iterative encryption uses a loop structure in which the input data is repeatedly permuted and substituted.
Comparison of AES and 3DES
AES: symmetric block cipher; key length 128, 192 or 256 bits; speed high.
3DES: symmetric Feistel cipher; key length 112-bit or 168-bit.
Common asymmetric encryption algorithms are as follows:
RSA: Invented by RSA Company, it is a public key algorithm that supports variable-length keys; the length of the file block to be encrypted is also variable.
DSA (Digital Signature Algorithm): digital signature algorithm, a standard DSS (Digital Signature Standard).
ECC (Elliptic Curve Cryptography): elliptic curve cryptography.
In 1976, because symmetric encryption algorithms could no longer meet the needs, Diffie and Hellman published an article called "New Directions in Cryptography", which introduced the concept of public key encryption, and Rivest, Shamir and Adleman proposed the RSA algorithm.
With the advancement of methods for factoring large integers, the improvement of computer speed and the development of computer networks, the RSA key length needs to keep increasing in order to ensure the security of data. However, the increase in key length greatly reduces encryption and decryption speed, and hardware implementation becomes more and more impractical, which puts a heavy burden on applications using RSA, so a new algorithm is needed to replace RSA.
In 1985, N. Koblitz and Miller proposed using elliptic curves for cryptographic algorithms, based on the discrete logarithm problem (ECDLP) in the point group of an elliptic curve over a finite field. ECDLP is a harder problem than the factorization problem; it is exponentially harder.
Principle - Problems on elliptic curves
The discrete logarithm problem on elliptic curves (ECDLP) is defined as follows: given a prime number p and an elliptic curve E, for Q = kP, when P and Q are known, find a positive integer k less than p. It can be shown that it is easier to calculate Q from k and P, but more difficult to calculate k from Q and P.
Assuming that the addition operation in elliptic curves corresponds to the modular multiplication operation in discrete logarithms, and the multiplication operation in elliptic curves corresponds to the modular exponentiation operation in discrete logarithms, we can establish a cryptosystem based on elliptic curves.
For example, corresponding to the Diffie-Hellman public key system, we can implement it on an elliptic curve as follows: select a generator P on E, requiring that P generate sufficiently many group elements; the communicating parties A and B select a and b respectively; a and b are kept confidential, but aP and bP are made public; the key used for communication between A and B is abP, which a third party cannot know.
The corresponding ElGamal cryptosystem can be implemented on the elliptic curve in the following way: