Consider situations where users may attempt to bypass the system, such as physically removing the database or eavesdropping on the communication lines. The most effective solution to such threats is data encryption, which stores and transmits sensitive data in an encrypted format.
The terms for data encryption are: plaintext, that is, original or unencrypted data. It is encrypted through an encryption algorithm. The input information of the encryption algorithm is plaintext and key; the ciphertext, the encrypted format of the plaintext, is the output information of the encryption algorithm. The encryption algorithm is public, but the key is not. Ciphertext, which should not be understood by users without a key, is used for data storage and transmission.
Example: The plain text is a string:
AS KINGFISHERS CATCH FIRE
(For simplicity, it is assumed that the data characters processed are only uppercase letters and space characters ). Assume that the key is a string:
ELIOT
The encryption algorithm is:
1) Divide the plaintext into multiple blocks of the length of the key string ( The space character is represented by "+")
AS+KI NGFIS HERS+ CATCH +FIRE
2) Replace each character of the plaintext with an integer in the range of 00~26, space character = 00 , A=01,..., Z=26:
0119001109 1407060919 0805181900 0301200308 0006091805
3) Replace each character of the key as in step 2:
p>
0512091520
4) For each block of plaintext, the sum of each character using the corresponding integer encoding and the integer encoding of the character at the corresponding position in the key modulo 27 Replace:
5) Replace the integer encoding in the result of step 4 with its equivalent character:
FDIZB SSOXL MQ+GT HMBRA ERRFY
If Given the key, the decryption process in this example is simple. The question is how difficult would it be for a malicious attacker to obtain the key using matching plaintext and ciphertext without knowing the key? For the simple example above, the answer is fairly easy, not trivially easy, but complex encryption patterns are equally easy to design. Ideally, the encryption mode used should be such that the cost to an attacker to break it should far outweigh the benefits gained. In fact, this purpose applies to all security measures. The acceptable end goal of this encryption mode is that even the inventor of the mode cannot obtain the key by matching the plaintext and ciphertext, and thus cannot break the ciphertext.
1. Data encryption standards
There are two traditional encryption methods, substitution and replacement. The above example uses the substitution method: using the key to convert each character in the plaintext into a character in the ciphertext. Permutation only rearranges the plaintext characters in a different order. Either method alone is not secure enough, but combining them can provide a considerable degree of security. The Data Encryption Standard (DES) uses this combination algorithm. It was developed by IBM and became the official encryption standard of the United States in 1977.
DES works by splitting the plaintext into many 64-bit blocks, and encrypting each block with a 64-bit key. In fact, the key consists of 56 data bits and 8 parity bits. consists of digits, so there are only 256 possible passwords instead of 264. Each block is first encrypted using the initial permutation method, then 16 consecutive complex replacements are performed, and finally the inverse of the initial permutation is applied to it. The replacement in step i does not directly use the original key K, but the key Ki calculated from K and i.
DES has the property that its decryption algorithm is the same as the encryption algorithm, except that the key Ki is applied in the opposite order.
2. Public Key Encryption
For many years, many people have believed that DES is not really secure. In fact, even without using smart methods, with the advent of fast, highly parallel processors, it is possible to forcefully crack DES. "Public key" encryption methods make DES and similar traditional encryption techniques obsolete. In the public key encryption method, the encryption algorithm and encryption key are public, and anyone can convert plaintext into ciphertext. But the corresponding decryption key is kept secret (the public key method consists of two keys, one for encryption and one for decryption) and cannot be deduced from the encryption key, so even the encryptor cannot perform it if he is not authorized to do so. Corresponding decryption.
The idea of ??public key encryption was originally proposed by Diffie and Hellman, and most famously by Rivest, Shamir and Adleman. It is now commonly called RSA (named after the first letters of the three inventors) method, which is based on the following two facts:
1) There is a fast algorithm for determining whether a number is prime;
2) The prime factors for determining a composite number have not yet been found fast algorithm.
The working principle of the RSA method is as follows:
1) Randomly select two different large prime numbers p and q, and calculate the product r=p*q;
2) Randomly select a large integer e, e is relatively prime with (p-1)*(q-1), and the integer e is used as the encryption key. Note: The selection of e is easy, for example, all prime numbers greater than p and q are available.
3) Determine the decryption key d:
d * e = 1 modulo (p - 1) * (q - 1)
According to e, p and q can easily calculate d.
4) Disclose the integers r and e, but not d;
5) Encrypt the plaintext P (assuming P is an integer less than r) into the ciphertext C, calculation method is:
C = Pe modulo r
6) Decrypt the ciphertext C into plaintext P. The calculation method is:
P = Cd modulo r
p>
However, it is impossible to calculate d based only on r and e (not p and q). Therefore, anyone can encrypt plaintext, but only authorized users (who know d) can decrypt ciphertext.
The following is a simple example to illustrate the above process. Obviously we can only select a very small number.
Example: Select p=3, q=5, then r=15, (p-1)*(q-1)=8. Select e=11 (a prime number greater than p and q), and calculate d =3 through d * 11 = 1 modulo 8.
Assume that the plaintext is the integer 13. Then the ciphertext C is
C = Pe modulo r
= 1311 modulo 15
= 1,792,160,394,037 modulo 15
= 7
p>Recover the plaintext P as:
P = Cd modulo r
= 73 modulo 15
= 343 modulo 15
= 13
Because e and d are inverse to each other, public key encryption methods also allow the encrypted information to be "signed" in such a way that the recipient can be sure that the signature is not forged. Assume that A and B want to transmit data through a public key encryption method. A and B respectively disclose the encryption algorithm and the corresponding key, but do not disclose the decryption algorithm and the corresponding key. The encryption algorithms of A and B are ECA and ECB respectively, the decryption algorithms are DCA and DCB respectively, ECA and DCA are reciprocal, and ECB and DCB are reciprocal. If A wants to send plaintext P to B, it does not simply send ECB (P), but first applies its decryption algorithm DCA to P, and then uses the encryption algorithm ECB to encrypt the result before sending it out. The ciphertext C is:
C = ECB (DCA (P))
After receiving C, B applies its decryption algorithm DCB and encryption algorithm ECA successively to obtain the plaintext P:
ECA(DCB(C))
= ECA(DCB(ECB(DCA(P))))
= ECA(DCA(P)) /*DCB and ECB cancel each other*/
= P /*DCB and ECB cancel each other*/
In this way, B determines that the message is indeed sent from A, because only when The encryption process uses the DCA algorithm. Only A can obtain P using ECA. Only A knows the DCA algorithm. No one, not even B, can forge A's signature.