Then there is the problem of network security:
Data encryption technology
Encryption means that a message (the plaintext) is converted into meaningless ciphertext by means of an encryption key and an encryption function, and the receiver restores the ciphertext to plaintext by means of a decryption function and a decryption key. Encryption technology is the cornerstone of network security technology.
Data encryption technology requires that the original data can be obtained only by the specified user or network. To achieve this, the sender and receiver use some special information to encrypt and decrypt the data; this information is called the key. The key value is selected from a large number of random numbers. According to the encryption algorithm, keys are divided into private keys and public keys.
Private keys, also known as symmetric keys or single keys, use the same key for encryption and decryption, that is, the same algorithm. Examples include DES and MIT's Kerberos algorithm. The single key is the simplest method. The communicating parties must exchange each other's keys. When sending a message to the other party, it is encrypted with one's own encryption key, and when receiving data, it is decrypted with the key given by the other party. This method becomes very complicated when communicating with many parties, because many keys must be stored, and the security of the keys themselves is also a problem.
DES is a block encryption algorithm that divides the data into 64-bit blocks. Of the 64 key bits, 8 are used for parity checking and the remaining 56 bits are the effective key length. Step 1: permute the original text to obtain a scrambled 64-bit data block. Step 2: divide it into two equal halves. Step 3: transform it with the encryption function, iterating many times under the given key parameters, to obtain the ciphertext.
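The split-and-iterate structure of steps 2 and 3 is a Feistel network. The sketch below is an added example, not code from the original page: the round function and key schedule are SHA-256 stand-ins (assumptions) rather than the real DES tables, and the fixed permutation of step 1 is omitted. It shows the parity rule for the 64-bit key and that decryption is the same routine with the round keys reversed.

```python
import hashlib

MASK32 = 0xFFFFFFFF
KEY = 0x133457799BBCDFF1      # sample 64-bit key with valid odd parity
PLAIN = 0x0123456789ABCDEF    # constructed 64-bit plaintext block

def des_key_parity_ok(key64: int) -> bool:
    """Each key byte holds 7 key bits plus 1 odd-parity bit (8 parity bits total)."""
    return all(bin((key64 >> s) & 0xFF).count("1") % 2 == 1
               for s in range(0, 64, 8))

def effective_key_bits(key64: int) -> int:
    """Drop the low (parity) bit of every byte, leaving the 56 effective bits."""
    out = 0
    for s in range(56, -8, -8):
        out = (out << 7) | (((key64 >> s) & 0xFF) >> 1)
    return out

def round_keys(key56: int, rounds: int = 16) -> list:
    # Stand-in key schedule (assumption): real DES uses PC-1/PC-2 and rotations.
    return [hashlib.sha256(key56.to_bytes(7, "big") + bytes([i])).digest()
            for i in range(rounds)]

def f(half: int, rk: bytes) -> int:
    # Stand-in round function (assumption): real DES uses expansion, S-boxes, P-box.
    return int.from_bytes(hashlib.sha256(rk + half.to_bytes(4, "big")).digest()[:4], "big")

def feistel(block64: int, rks: list) -> int:
    left, right = block64 >> 32, block64 & MASK32    # step 2: two equal halves
    for rk in rks:                                    # step 3: iterate under the key
        left, right = right, left ^ f(right, rk)
    return (right << 32) | left                       # final swap of the halves

def encrypt(block64: int, key64: int) -> int:
    return feistel(block64, round_keys(effective_key_bits(key64)))

def decrypt(block64: int, key64: int) -> int:
    # Same network, round keys in reverse order: f never has to be inverted.
    return feistel(block64, round_keys(effective_key_bits(key64))[::-1])

if __name__ == "__main__":
    c = encrypt(PLAIN, KEY)
    print(hex(c), hex(decrypt(c, KEY)), des_key_parity_ok(KEY))
```

Flipping a parity bit of the key changes the parity check result but not the ciphertext, which is why the effective key length is 56 bits and not 64.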
Public keys, also known as asymmetric keys, use different keys for encryption and decryption, that is, different algorithms, with one public key and multiple decryption keys; the RSA algorithm is an example.
In computer networks, encryption can be divided into "communication encryption" (that is, encryption of data during transmission) and "file encryption" (that is, encryption of stored data). There are three kinds of communication encryption: node encryption, link encryption and end-to-end encryption.
① Node encryption. In terms of time, it is carried out before the information is transmitted onto the physical communication link. In terms of position in the OSI seven-layer reference model, it is carried out between the first layer and the second layer. In terms of what it protects, it encrypts the data transmitted between two adjacent nodes, but only the message, not the header, so that transmission routes can still be selected.
② Link encryption, which is performed at the data link layer, encrypts the data transmitted on the link between adjacent nodes, encrypting not only the data but also the header.
③ End-to-end encryption, which is carried out at the sixth or seventh layer, provides continuous protection for data transmission between users. Encryption is performed at the originating node, the data passes through intermediate nodes as ciphertext, and it is decrypted only when it finally reaches the destination node.
In the OSI reference model, all layers except the session layer can implement some encryption measures. However, encryption is usually implemented at the highest layer, that is, every application in the application layer is modified with cryptographic coding, so each application can be kept confidential, thus protecting the investment made at the application layer. If encryption is implemented at one of the lower layers, such as the TCP layer, only that layer is protected.
It is worth noting that whether the encryption mechanism can play its role effectively depends on key management, including the whole process of key survival, distribution, installation, storage, use and invalidation.
(1) Digital signature
Although public-key encryption provides good confidentiality, it is difficult to identify the sender: anyone who obtains the public key can generate and send messages. The digital signature mechanism provides an authentication method that solves the problems of forgery, denial, impersonation and tampering.
A digital signature generally uses asymmetric encryption technology (such as RSA): a value obtained by some transformation of the whole plaintext serves as the signature to be verified. The receiver decrypts the signature using the sender's public key. If the result is the plaintext, the signature is valid, which proves the true identity of the other party. Signatures can also be used in other ways, such as attaching the signature to the plaintext. Digital signatures are widely used in banking, e-commerce and other fields.
Digital signature is different from handwritten signature: digital signature changes with the change of words, and handwritten signature reflects a person's personality characteristics and is unchanged; Digital signature and text information are inseparable, while handwritten signature is attached to text and separated from text information.
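The sign-then-verify cycle described above, as an added example that is not from the original page. It uses textbook RSA over a SHA-256 digest with a toy key built from two well-known Mersenne primes (an assumption made so the block runs with the standard library only); real systems use a padded scheme such as RSASSA-PSS and randomly generated keys.

```python
import hashlib

# Toy key (assumption): far too small and too structured for real use.
P, Q = 2**127 - 1, 2**89 - 1
N, E = P * Q, 65537                       # public key (N, E)
D = pow(E, -1, (P - 1) * (Q - 1))         # private exponent, held by the signer only

def digest(message: bytes) -> int:
    """The 'transformation of the whole plaintext': a hash reduced below N."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N

def sign(message: bytes) -> int:
    """Signer: apply the private key to the digest."""
    return pow(digest(message), D, N)

def verify(message: bytes, signature: int) -> bool:
    """Receiver: apply the public key to the signature and compare digests."""
    return pow(signature, E, N) == digest(message)

# Constructed sample message and its signature.
MSG = b"Pay 100 to account 42"
SIG = sign(MSG)

def demo() -> dict:
    return {
        "genuine": verify(MSG, SIG),                                    # accepted
        "tampered": verify(MSG.replace(b"100", b"900"), SIG),           # rejected
        "forged": verify(MSG, (SIG + 1) % N),                           # rejected
        "signature_follows_text": sign(b"text A") != sign(b"text B"),   # changes with the words
    }

if __name__ == "__main__":
    print(demo())
```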
(2) Kerberos system
The Kerberos system was designed by MIT for the Athena project. It provides an authentication method for verifying both parties in a distributed computing environment.
Its security mechanism lies in firstly authenticating the requesting user to confirm whether it is a legal user; If it is a legitimate user, check whether the user has the right to access the service or host he requested. In terms of encryption algorithm, its verification is based on symmetric encryption.
The Kerberos system has been widely used in distributed computing environments (such as Notes) because it has the following characteristics:
① High security. The Kerberos system encrypts the user's password and uses it as the user's private key, thus avoiding the display and transmission of the user's password on the network and making it difficult for eavesdroppers to obtain the password information from the network;
② High transparency. Users only need to enter a password when logging in, exactly as in normal operation, and the existence of Kerberos is transparent to legitimate users;
③ Good scalability. Kerberos provides authentication for each service to ensure the security of the application.
The Kerberos system is somewhat similar to the process of watching movies. The difference is that only customers who have logged in to the Kerberos system in advance can apply for service. Kerberos requires customers to apply for a ticket from the TGS (ticket distribution server) before requesting the final service.
The authentication protocol process of Kerberos is shown in Figure 2.
Kerberos has its advantages and disadvantages, mainly as follows.
The secret shared by the Kerberos server and the user is the user's password, and the server does not verify the authenticity of the user when responding, assuming that only legitimate users have passwords. If an attacker records an application reply message, it is easy to form a codebook attack.
③ AS and TGS are centralized management, which is easy to form a bottleneck. The performance and security of the system also depend on the performance and security of AS and TGS to a great extent. There should be access control before AS and TGS to enhance the security of AS and TGS.
④ As the number of users increases, key management becomes more complicated. Kerberos holds the hash value of each user's password, and AS and TGS are responsible for the distribution of communication keys between families. When N users want to communicate at the same time, N*(N-1)/2 keys are still needed.
(3) PGP algorithm
PGP (Pretty Good Privacy) is a scheme put forward by its author, Phil Zimmermann, who has been writing it since the mid-1980s. It combines public-key and block-cipher cryptography in one system: the public-key part uses the RSA encryption algorithm to manage keys, and the block-cipher part uses the IDEA algorithm to encrypt the information.
The first characteristic of PGP application is its high speed and efficiency. Another notable feature is its excellent portability, which can run on a variety of operating platforms. PGP mainly includes encrypting files, sending and receiving encrypted emails, digital signatures and so on.
(4) PEM algorithm
Privacy Enhanced Mail (PEM) is a product developed by the American RSA Lab based on the RSA and DES algorithms. Its purpose is to enhance personal privacy. It is now widely used on the Internet and provides the following two types of security services for e-mail users:
Security services such as verification, integrity and non-repudiation for all messages; and optional security services, such as confidentiality.
PEM handles mail as follows:
Step 1: Normalization. To make PEM compatible with the MTA (Message Transfer Agent), the message is normalized according to the SMTP protocol;
Step 2: MIC (Message Integrity Code) calculation;
Step 3: Conversion of the processed mail into a format suitable for transmission by the SMTP system.
Authentication technology
Identification is the process in which users present their identities to the system. Authentication is the process in which the system checks the user's identity. People usually refer to these two tasks together as identity authentication (or identity verification); they are the two important steps in identifying and confirming the true identities of the two communicating parties.
Network security technology
There are two ways to realize network security on the Web: SHTTP/HTTP and SSL.
(1) SHTTP/HTTP
SHTTP/HTTP can encapsulate information in many ways. The encapsulation includes encryption, signature and MAC-based authentication, and messages can be encapsulated and encrypted repeatedly. In addition, SHTTP defines header information for key transmission, authentication transmission and similar management functions. SHTTP can support a variety of encryption protocols, and also provides a flexible programming environment for programmers.
SHTTP does not depend on a specific key authentication system, and currently supports RSA, in-band and out-of-band and Kerberos key exchange.
(2) SSL (Secure Socket Layer)
Secure Socket Layer is an industry standard that uses public key technology. SSL is widely used on intranets and the Internet, and its products include SSL-supporting clients and servers provided by companies such as Netscape, Microsoft, IBM and Open Market, as well as Apache-SSL.
SSL provides three basic security services, all of which use public key technology.
① Information confidentiality, which is realized by using public key and symmetric key technology. All traffic between the SSL client and the SSL server is encrypted using the key and algorithm established during the SSL handshake. This prevents illegal eavesdropping with IP packet sniffer tools. Although a packet sniffer can still capture the content of the communication, it cannot decipher it.
② Information integrity, which ensures that all SSL traffic achieves its goal. If the Internet is to become a viable e-commerce platform, the information exchanged between the server and the client must not be corrupted. SSL provides information integrity services by using secret sharing and hash function groups.
③ Mutual authentication, which is the process by which client and server recognize each other. Their identification numbers are encoded with public keys and exchanged during the SSL handshake. To verify that the certificate holder is its legitimate user (not an impostor), SSL requires the certificate holder to digitally sign the data exchanged during the handshake. The certificate holder signs all the information, including the certificate, to show that he is the legal owner of the certificate. This prevents other users from using the certificate under a false name. The certificate by itself does not provide authentication; only the certificate and the key working together do.
④ SSL security services should be as transparent as possible to end users. Usually, users can connect to SSL hosts by clicking buttons or links on the desktop. Unlike standard HTTP connections, the default port of a typical network host supporting SSL connections is 443, not 80.
When the client connects to the port, the handshake protocol is initialized to establish an SSL session. After the handshake, the communication is encrypted and the integrity of the information is checked until the end of the session. Only one handshake occurs during each SSL session. In contrast, HTTP needs to shake hands every time it connects, which reduces communication efficiency. The following events occur in the SSL handshake:
1. Client and server exchange X.509 certificates for mutual confirmation. In this process, they can exchange the whole certificate chain, or choose to exchange only some of the underlying certificates. Verification of a certificate includes checking its validity dates and its signing authority.
2. The client randomly generates a set of keys for information encryption and MAC calculation. These keys are encrypted with the server's public key before being sent to the server. There are four keys for server-to-client communication and client-to-server communication.
3. An information encryption algorithm (used for encryption) and a hash function (used for ensuring information integrity) are used together. In Netscape's SSL implementation, the client provides a list of all the algorithms it supports, and the server chooses the cipher it considers the most effective. Server administrators can enable or prohibit certain ciphers.
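The certificate checks of event 1 and the cipher restrictions of event 3 correspond to settings an administrator can audit. The following is an added example, not from the original page, using Python's ssl module (which implements TLS, the successor of SSL); the function names, the weak-cipher markers and the chosen cipher string are assumptions made for illustration.

```python
import ssl

# Substrings that mark cipher suites an administrator would prohibit (assumption).
WEAK_MARKERS = ("RC4", "DES", "NULL", "MD5", "EXP-")

def hardened_client_context() -> ssl.SSLContext:
    ctx = ssl.create_default_context()             # trust anchors, CERT_REQUIRED, host check
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # refuse older protocol versions
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20") # enable only selected cipher suites
    return ctx

def careless_client_context() -> ssl.SSLContext:
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False                     # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE                # accepts any certificate
    return ctx

def audit(ctx: ssl.SSLContext) -> list:
    """Return a list of findings; an empty list means the checks passed."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate dates and signing authority are not verified")
    if not ctx.check_hostname:
        findings.append("certificate is not matched against the host name")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol versions older than TLS 1.2 are allowed")
    weak = [c["name"] for c in ctx.get_ciphers()
            if any(marker in c["name"] for marker in WEAK_MARKERS)]
    if weak:
        findings.append("weak ciphers enabled: " + ", ".join(weak))
    return findings

if __name__ == "__main__":
    for name, ctx in (("hardened", hardened_client_context()),
                      ("careless", careless_client_context())):
        print(name, audit(ctx) or "no findings")
```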