Encryption and digital signature
First, encryption
Data encryption technology is divided into two aspects of software and hardware. Different by action, data encryption technology is mainly divided into data transmission, data storage, data integrity, and four types of key management technology.
In network applications, two encryption forms are generally adopted: symmetric key and public key, which encryption algorithm are used to combine specific application environments and systems, and cannot be simply determined according to their encryption strength. Because in addition to the encryption algorithm itself, the key is reasonable, the encryption efficiency and the combination of existing systems, and the input production analysis should be considered in the actual environment.
For symmetric key encryption. Its common encryption standard is DES. When using DES, the user and acceptor uses a 64-bit key to encrypt and decrypt packets. When there is special requirements for security, IdeA and Triple DES are taken. As a wide application of traditional enterprise networks, the secret key is high, which uses KDC to centrally manage and distribute keys and conduct identities based on this, but is not suitable for the Internet environment.
Use more public key systems in the Internet. That is, the public key is encrypted, and its encryption key and the decryption key are different. Generally, after each user generates a pair of keys, one of them is disclosed as a public key, and one other is saved by the owner of the owner. Common public key encryption algorithms are RSA algorithms, high encryption intensity. The specific method is to combine digital signatures and data encryption. The sender must be added to the data signature when sending data, and the practice is to encrypt a section of the private key as a digital signature, and then encrypt the receiver key with the transmitted data. When these ciphenses are received by the recipient, the recipient uses its own private key to decrypt the ciphered data and the number signature of the sender, and then decrypt the digital signature with the public key published by the publisher. If successful Then it is determined by the sender. Digital signatures are related to factors such as data and time being transmitted each time. Due to the high encryption strength, it is not required to establish a certain trust relationship or sharing some secret, so it is very suitable for Internet online.
Here are the technical implementation of several most common encryption systems:
1. Conventional key cryptosystem
The so-called conventional key cryptographic system, that is, the encryption key is the same as the decryption key.
In the early conventional key cryptosystem, typically replace the password, whose principle can be described in an example:
The natural order of the letters A, B, C, D, ..., W, X, Y, and Z remains unchanged, but it corresponds to D, E, F, G, ..., Z, A, B, and C. That is, the difference of 3 characters). If the other text is STUDENT, the corresponding ciphertext is VWXGHQW (at this time the key is 3).
Since the frequency of all letters in English letters has already been statistics, this replacement password can be easily decipherous based on the alphabetic frequency table.
2. Data Encryption Standard DES
The DES algorithm is the success of IBM's secrets in 1971 to 1972, after being successfully developed from 1971 to 1972, and was selected as data encryption standards by the US State Standards Bureau and the National Security Agency, and promulgated in 1977. ISO has also set DES as data encryption standards.
DES encrypts 64-bit binary data to generate 64-bit ciphertext data. The key used is 64 bits, and the actual key length is 56 bits (8 bits for parity). The process of decryption is similar to the encryption, but the order of the key is opposite.
The confidentiality of DES depends only on the confidentiality of the key, and the algorithm is open. The complex structure of the DES is that there is no root cause of shortcut deciphering methods. Now DES can be implemented by software and hardware. US AT & T first implements the full working mode of DES with the LSI chip, which is called data encryption processor DEP.
3. Public key cryptographic system public key (PUBLIC Key) The password system appeared in 1976. Its most important feature is to encrypt and decrypt different keys. Each user saves a pair of keys? Public key PK and secret key SK, therefore, this system is also called a key or asymmetric key Cryptographic system.
In this system, the PK is an open information, used as an encryption key, while SK needs to be kept by the user himself and used as a decryption key. The encryption algorithm E and the decision algorithm D are also disclosed. Although SK and PK are paired, SK cannot be calculated according to PK. The characteristics of the public key algorithm are as follows:
1
2, the encryption key cannot be used to decrypt, ie DPK (EPK (X)) ≠ x
3, can easily produce paired PK and SK on your computer.
4. SK is not possible from known PK.
5, encryption and decryption operations can be treated, namely: EPK (DSK (x)) = x
In the public key cryptosystem, the most famous is the RSA system. It has been recommended to public key data encryption standard by ISO / TC97 data encryption technology.
Second, digital signature
Digital signature technology is one of the core technologies that implement transaction security. Its implementation is the encryption technology. Here, we introduce the basic principles of digital signatures.
The past letters or documents prove its authenticity based on the personal signature or seal. But how do messages transmitted in a computer network? This is the problem to be solved by digital signatures. Digital Signatures must ensure the following points:
The recipient can verify the signature of the sender; the sender cannot rely on the signature of the packet afterwards; the recipient cannot fake the signature of the message.
There are now many ways to implement various digital signatures, but the public key algorithm is used to be more easily implemented than conventional algorithms. Let's introduce this digital signature.
The sender A operates the message X with its secret decryption key SKA, transmitting the result DSKA (X) to the recipient B. B is obtained by the public encryption key of known A (DSKA (X)) = x. Since there is no other person in addition to A, there is no decryption key SKA, so no one can generate ciphertext DSKA (X) in addition to A. In this way, the message X is signed.
If A is to rely, it has sent a message to B. B You can present X and DSKA (X) to the third party. Third, it is easy to use PKA to confirm that A does send message X to B. Conversely, if B is bored into X ', B cannot present DSKA (X') in the face of the third party. This demonstrates B forged a message. It can be seen that realization of digital signatures also implements authentication of packet sources.
However, the above process is only signing the packets. The transmitted message X itself is not confidential. Because of the interception DSKA (X) and know anyone of the sender's identity, the sender's public key PKA can be obtained by checking the manual, so it is possible to understand the content of the message. Secret communications and digital signatures can be achieved at the same time. SKA and SKB are the secret keys of A and B, respectively, while PKA and PKB are public key of A and B.
Third, the management of the key
A weakness of the symmetric key encryption method is that its key management is very difficult, so it is difficult to get extensive applications in the practice of e-commerce. At this point, the public key encryption method has an absolute advantage. However, regardless of the implementation of which solution, the management of the key is to consider. This is especially true when the network is larger. Cyardoin, president of company CYPRESS CONSULTING specially engaged in safety consultation: "In all encrypted schemes, there must be someone to manage the key." Currently, the recognized effective way is to manage and distribute the public secret through key allocation center KDC key. Each user only saves its secret key and the public key PKAS of KDC. The user can obtain the public key of any other user through the KDC.
First, a to the KDC application for the public key, send information (a, b) to the KDC. The information returned to A is (CA, CB), where Ca = DSKAS (A, PKA, T1), CB = DSKAS (B, PKB, T2). CA and CB are called certificates, which contain the public keys of A and B. KDC has signed CA and CB using its decryption key SKAS to prevent forgery. The role of timestamp T1 and T2 is to prevent playback attacks.
Finally, a transfer the certificate CA and CB to B. B Get a public key PKA of A, but also test his own public key PKB.
