The purpose of data transmission encryption technology is to encrypt the data stream in transmission, which usually includes line encryption and end-to-end encryption. Line encryption focuses on the line without considering the source and destination, and provides security protection for confidential information by using different encryption keys on each line. End-to-end encryption means that information is automatically encrypted by the sender and encapsulated by TCP/IP, and then passed through the Internet as unreadable and unrecognizable data. When the information reaches its destination, it will be automatically reassembled and decrypted into readable data.
The purpose of data storage encryption technology is to prevent data from being lost in storage. Data storage encryption technology can be divided into ciphertext storage and access control. The former is generally realized by encryption algorithm conversion, additional password, encryption module and other methods; The latter is to review and restrict the user's qualification and authority to prevent illegal users from accessing data or legal users from accessing data beyond their authority.
The purpose of data integrity authentication technology is to verify the identity of people involved in information transmission, access and processing and related data content, which generally includes the authentication of passwords, keys, identities, data and other items. By comparing and verifying whether the eigenvalues input by the object conform to the preset parameters, the system realizes the security protection of the data.
Key management technology includes security measures in key generation, distribution, preservation, replacement and destruction. The term for data encryption is:
Clear text, that is, original or unencrypted data. Encrypt with an encryption algorithm, and the input information of the encryption algorithm is plaintext and key;
Ciphertext is the encryption format of plaintext and the output information of encryption algorithm. The encryption algorithm is public, but the key is not public. Ciphertext should not be understood by users without keys for data storage and transmission;
Key, a character string composed of numbers, letters or special symbols, is used to control the process of data encryption and decryption;
Encryption, the process of converting plaintext into ciphertext;
Encryption algorithm, transformation method used in encryption;
Decryption, that is, the process of realizing the inverse transformation of ciphertext and encryption to obtain plaintext;
Decryption algorithm, transformation method used in decryption.
Encryption technology is a technology to prevent information leakage. Its core technology is cryptography, which is a subject to study cryptographic systems or communication security, and it is divided into cryptography and cryptanalysis.
Any encryption system is composed of plaintext, ciphertext, algorithm and key. The sender encrypts the data with encryption key through encryption equipment or encryption algorithm and sends it out. After receiving the ciphertext, the receiver decrypts the ciphertext with the decryption key and restores it to plaintext. In the transmission process, even if the ciphertext is stolen by criminals, only the unrecognizable ciphertext is obtained, thus playing the role of data confidentiality.
Example: plaintext is a string:
When kingfisher caught fire.
(For simplicity, it is assumed that only uppercase letters and space characters are processed). Suppose the key is a string:
surname
The encryption algorithm is:
1) divides plaintext into blocks of the length of the key string (spaces are indicated by+).
Her+is on fire.
2) Replace each character of plaintext with an integer in the range of 0~26, with space character =00, A=0 1, ..., Z = 26.
3) Replace each character of the key as described in step 2:
05 1209 1520
4) For each plaintext block, each character is replaced by the value (integer code) after the sum of the corresponding integer code and the integer code of the character in the corresponding position in the key is modulo 27:
For example, the first integer code is (0 1+05)%27=06.
5) Replace the integer code in the result of step 4 with equivalent characters:
FDIZB SSOXL MQ+GT HMBRA ERRFY
If the key is given, the decryption process of this example is simple. The problem is how difficult it is for a malicious attacker to obtain the key by using matching plaintext and ciphertext without knowing the key. For the simple example above, the answer is quite easy, generally speaking, it is not easy, but the complex encryption method is also easy to design. Ideally, the encryption mode adopted should make the attacker pay more for cracking than he gains. In fact, this purpose applies to all security measures. The acceptable ultimate goal of this encryption mode is that even the inventor of this mode can't get the key by matching plaintext and ciphertext, so he can't crack the ciphertext. There are two traditional encryption methods, replacement and permutation. The above example uses another method: using a key to convert each character in the plaintext into a character in the ciphertext. Substitution simply rearranges the characters of plaintext in a different order. It is not safe to use either of these two methods alone, but the combination of these two methods can provide quite high security. Data Encryption Standard (DES) adopts this combination algorithm, which was formulated by IBM and became the official encryption standard in the United States in 1977.
DES works by dividing plaintext into many 64-bit blocks, and each block is encrypted with a 64-bit key. In fact, the key consists of 56 bits of data and 8 bits of parity, so there are only 56 possible passwords instead of 64. Firstly, each block is encrypted by the initial permutation method, then 16 complex permutations are performed continuously, and finally, the inverse operation of the initial permutation is performed. The substitution in step I does not directly use the original key K, but uses the key Ki calculated by K and I. ..
DES has the characteristic that its decryption algorithm is the same as the encryption algorithm except that the key Ki is applied in the reverse order. For many years, many people thought DES was not really safe. In fact, even if there is no intelligent method, with the emergence of fast and highly parallel processors, it is possible to crack DES forcibly. The public key encryption method makes DES and similar traditional encryption technologies obsolete. In the public key encryption method, the encryption algorithm and encryption key are public, and anyone can convert plaintext into ciphertext. However, the corresponding decryption key is confidential (public key method includes two keys for encryption and decryption respectively) and cannot be derived from the encryption key, so even the encryptor cannot decrypt it without authorization.
The idea of public key encryption was first put forward by Diffie and Hellman, and the most famous one was put forward by Rivest, Shamir and Adleman, which is usually called RSA (named after the initials of the three inventors). This method is based on the following two facts:
1) There is a fast algorithm to judge whether a number is a prime number;
2) A fast algorithm for determining the prime factor of a composite number has not been found.
The RSA method works as follows:
1) Choose two different big prime numbers p and q at will and calculate the product r = p * q;;
2) Choose a large integer e at will, e is coprime with (p- 1)*(q- 1), and the integer e is used as the encryption key. Note: the selection of e is easy, for example, all prime numbers greater than p and q have it.
3) determine the decryption key d:
(d * e) module (p-1) * (q-1) =1
D can be easily calculated from e, p and q.
4) disclose the integers r and e, but not d;
5) encrypt plain text p (assuming that p is an integer less than r) into cipher text c, and the calculation method is as follows:
C = P^e module r
6) Decrypt the ciphertext c into plaintext p, and the calculation method is as follows:
P = C^d module r
However, it is impossible to calculate d only from r and e instead of p and q. Therefore, anyone can encrypt plaintext, but only authorized users (who know D) can decrypt ciphertext.
Let's give a simple example to illustrate the above process. Obviously, we can only choose a very small number.
Example: if p = 3 and q = 5, then r= 15, (p- 1)*(q- 1)=8. Choose e= 1 1 (a prime number greater than p and q) and pass (d * 1 1) module (8) = 1.
Calculate d =3.
Suppose the plaintext is an integer of 13. Then ciphertext c is
C = P^e module r
=1311module 15
= 1, 792,160,394,037 15
= 7
The recovered plaintext p is:
P = C^d module r
= 7 3 module 15
= 343 mode 15
= 13
Because e and d are reciprocal, the public key encryption method also allows the encrypted information to be signed in this way, so that the receiver can be sure that the signature is not forged. Suppose A and B want to transmit data through public key encryption, and A and B disclose the encryption algorithm and the corresponding key respectively, but not the decryption algorithm and the corresponding key. The encryption algorithms of A and B are ECA and ECB, the decryption algorithms are DCA and DCB, ECA and DCA are reciprocal, and ECB and DCB are reciprocal. If A wants to send plaintext P to B, it does not simply send ECB(P), but first applies its decryption algorithm DCA to P, and then encrypts the result with the encryption algorithm ECB and sends it out.
Ciphertext c is:
C = European Central Bank
After receiving C, B applies its decryption algorithm DCB and encryption algorithm ECA in turn to obtain plaintext P:
ECA
= ECA(DCB(ECB(DCA(P)))
= ECA(DCA(P)) /*DCB and ECB cancel each other out */
= P /*DCB and ECB cancel each other out */
In this way, B can determine that the message is indeed sent from A, because only when DCA algorithm is used in the encryption process can P be obtained by ECA, and only A knows DCA algorithm.
Some people, even B, can't forge A's signature. order
With the rapid development of information technology, people's demand for information security comes one after another. Talent competition, market competition, financial crisis and enemy spy agencies all bring great risks to the development of enterprises and institutions. Internal stealing, hacker attacks, unconscious leaks and other means of stealing secrets have become security risks between people, enterprises and countries.
Market demand, people's safety awareness and many environmental factors have promoted the rapid development of information security in China. Information security has experienced a single protection from the traditional firewall to the overall solution of information security, from the traditional old firewall, intrusion detection and antivirus software to diversified information security protection, from the traditional external network protection to the internal network security and host security.
Analysis of traditional data encryption technology
The traditional three kinds of information security (firewall, intrusion detection, anti-virus) have become the infrastructure of network construction in enterprises and institutions, which is far from meeting the security needs of users. New security protection means have gradually become the main force of information security development. Such as host monitoring, file encryption and other technologies.
In the new security product queue, the host monitoring mainly adopts the technical scheme of peripheral interception. Although the information security has been improved to a certain extent, because the product itself depends on the operating system and there is no effective security protection for the data itself, there are many security loopholes, such as: the most basic means of unplugging hard disk, winpe CD boot, USB boot and so on can steal data without leaving a trace; This technology can be more understood as enterprise asset management software, and a single product can not meet the requirements of users for information security.
Document encryption is the main force of information security protection at present. Using transparent encryption and decryption technology, the data is forcibly encrypted without changing the original usage habits of users. This technology encrypts the data itself. No matter whether you leave the operating system or illegally leave the secure environment, the user data itself is secure and has little dependence on the environment. The main technologies of document encryption in the market are disk encryption, application-level encryption and driver-level encryption. Application-level encryption is gradually eliminated by various information security vendors because of its strong dependence on applications, compatibility and secondary development problems.
Two mainstream data encryption technologies today
What we often see are mainly disk encryption and driver-level decryption technologies:
The whole disk encryption technology mainly encrypts the whole disk, and uses host monitoring, waterproof wall and other protection means to protect it as a whole. Disk encryption is mainly to provide users with a safe operating environment, and the data itself is not encrypted. Once the operating system is started, the data itself exists on the hard disk in clear text, which is mainly protected by intercepting it by waterproof walls. The main disadvantage of disk encryption technology is that it takes a long time to encrypt the disk, which leads to a long project implementation cycle, which is generally unbearable for users; Disk encryption technology is to encrypt the whole disk, once the operating system has problems. The need to recover data is also a headache for users. It takes 3-4 hours to decrypt a normal 500G hard disk. The main method in the market is not to encrypt the system disk, but to use peripheral technology for security access control. As we all know, the version of the operating system is constantly upgrading, Microsoft's own security mechanism is getting higher and higher, and people's control over the system is getting lower and lower, especially the hacking technology is getting higher and higher. Once the protection system is broken, everything will be exposed. In addition, disk encryption technology is to safely control the whole information, including system files, which will greatly affect the efficiency and performance of the system.
Driver-level technology is the mainstream technology of information encryption, which adopts the method of process+suffix for security protection, users can flexibly configure according to the actual situation of enterprises and institutions, and forcibly encrypt important data, which greatly improves the operating efficiency of the system. The biggest difference between the driver-level encryption technology and the disk encryption technology is that the driver-level encryption technology will protect the user's data itself, and the driver-level encryption adopts transparent encryption and decryption technology, so that the user does not feel the existence of the system and does not change the user's original operation. Once the data leaves the secure environment, users will not be able to use it, which effectively improves the security of the data. In addition, the driver-level encryption technology can be more fine-grained than the disk encryption technology, which can effectively realize the whole life cycle management of data, control the use time, times, copying, screen capture, video recording and other operations of files, and carry out fine-grained authorization management and data access control within files to achieve all-round management of data. Driver-level encryption technology not only brings security to user data, but also brings some problems to user convenience. Driver-level encryption uses process encryption technology to encrypt all similar files, which cannot effectively distinguish the classified management of personal files and enterprise file data, and the parallel operation of personal computers and enterprise offices.