Why we need encryption

When data is exchanged over the Internet, it passes through various networks and devices before reaching each other. Data may pass through malicious users’ devices during transmission, resulting in content theft. Therefore, to use the Internet safely, security technology is indispensable.

Four problems with transferring data

There are four main problems that can occur when transferring data over the Internet:

  • Eavesdropping: A message sent from A to B may be read by X in transit. This is eavesdropping

  • Impersonation: A thinks it has sent A message to B, but THE message B receives may be impersonated by X

  • Tamper: B does receive the message sent by A, but the content of the message is changed by X on the way. In addition to being tampered by A third party, data damage caused by communication failure may also change the content of the message.

  • Later denial: B received the message from A, but A, as the sender of the message, may harbor malicious intent against B and later claim “This is not my message”.

What security techniques need to be used to solve these problems

  • In response to eavesdropping, we use encryption

  • We will use message captcha or digital signature technology to deal with impersonation and tampering

  • In response to post-denial, we use digital signatures

Encryption methods

There are two ways to encrypt data:

  • Both encryption and decryption are encrypted using a shared key with the same key
  • Both encryption and decryption are encrypted using public keys with different keys

Symmetric encryption

Shared key encryption is an encryption method in which encryption and decryption use the same key. This algorithm is also known as symmetric encryption because it uses the same key

Let’s first understand the processing flow of shared key encryption:

  1. User A uses the key to encrypt data and sends the ciphertext to user B.
  2. B Uses the same key to decrypt the ciphertext. So B gets the original data. As long as the data is encrypted, there is no need to worry about third party eavesdropping

Shared key encryption Has a fatal algorithm to implement shared key encryption, including Caesar password, AES, DES, and dynamic password, among which AES is the most widely used

Next, think about the problems in shared key encryption

Here we assume that A and B cannot communicate directly and THAT B does not know what key is used for encryption. A needs to somehow give the key to B. Like ciphertext, A sends A key to B over the Internet. B Decrypts the ciphertext using the received key. However, the key may also be eavesdropped by X. In this way, X can also use the key to decrypt the ciphertext. How to send the key safely to B is actually a key distribution problem.

Asymmetric encryption

Public-key encryption is an encryption method in which encryption and decryption use different keys. This algorithm is also known as asymmetric encryption because of the different keys used. Because shared key encryption has key allocation problems, public key encryption requires data receiving and releasing to provide public and private keys. The encryption key is called public key, and the decryption key is called private key.

Public key encryption process:

  1. Recipient B generates the Public Key and Secret Key

  2. Receiver B then sends the public key to data sender A

  3. User A uses the public key sent by user B to encrypt data

  4. User A sends the ciphertext to user B. User B decrypts the ciphertext using the private key. So, B gets the original data

Both the public key and the ciphertext are transmitted over the Internet and can therefore be eavesdropped on by X. However, the ciphertext cannot be decrypted using the public key, so X cannot get the original data. So the public key is not afraid to be known, recipient B can post the public key on the Internet. A private key, by contrast, cannot be known and must be closely guarded.

However, public key encryption has the problem of public key reliability:

  1. Let’s go back to when B generates the public and private keys. In the following description, the public key generated by B is represented by PB and the private key by SB.

  2. X wants to eavesdrop on the data A sends to B, so he also prepares the public key PX and the private key SX

  3. When B sends the public key PB to A, X replaces the public key PB with its own public key PX

  4. So the public key PX goes to A. Since the public key cannot show who generated it, USER A will not find that the public key she received has been replaced. So A uses the public key PX to encrypt the data.

  5. After USER A sends the ciphertext to user B, X receives the ciphertext. The ciphertext is encrypted by the public key PX generated by X, so X can use its private key SX to decrypt the ciphertext.

  6. Next, X encrypts the data with the public key PB generated by B.

  7. X sends the ciphertext to B. The ciphertext is encrypted by the public key PB sent by B. Therefore, B can decrypt the ciphertext with its private key SB. There is no problem between receiving the ciphertext and decrypting the ciphertext. Therefore, USER B is not aware that the data has been tapped. This method of eavesdropping on data by replacing public keys midway is called a man-in-the-middle attack.

Problems with public keys

  1. The reliability of the public key is affected because A cannot determine whether the public key is from B. To solve this problem, we’ll use digital certificates, which we’ll talk about later.
  2. Another problem with public-key encryption is that both encryption and decryption are time-consuming, so it is not suitable for sending fragmentary data continuously. To solve this problem, use hybrid encryption.

Mixed encryption

Shared key encryption has the problem of key allocation that cannot be transmitted safely, and public key encryption has the problem of slow encryption and decryption. One encryption method that combines these two methods to complement each other is hybrid encryption. In hybrid encryption, data is encrypted with shared key encryption, which is fast in processing. However, the encryption key needs to be processed using public key encryption.

The processing flow of mixed encryption is as follows:

  1. Suppose A is about to send data to B over the Internet. Data is encrypted using shared key encryption, which is fast in processing. The keys used in encryption are also used in decryption,Therefore, USER A needs to send the shared key to user B.
  2. To securely send the shared key PA to recipient B, we need to use the public key to encrypt the shared key PA. Therefore, recipient B needs to produce the public key PB and private key SB in advance
  3. Public key transmission: User B sends the public key to user A. User A uses the received public key to encrypt the shared key, and User B uses the private key to decrypt the key
  4. Data transfer: USER A securely sends the key used in the shared key encryption to user B. Next, A simply sends the data encrypted with the key to B. Data is encrypted with a shared key that is fast in processing.

Hybrid encryption has advantages in both security and processing speed. The SSL protocol, which provides communication security for networks, also uses hybrid encryption. SSL is short for Secure Sockets Layer (SSL). After a version upgrade, the protocol is now officially called TLS (TransportLayer Security). But the name SSL has become so ingrained in people’s minds that the protocol is now often referred to as SSL or SSL/TLS.

Diffie – Hermann key exchange

Although hybrid encryption solves the problem of public encryption time, the problem of public key reliability during key transmission is not solved, and there is still the risk of man-in-the-middle attack.

Diffie-hellman key exchange is a method that can exchange keys securely between communication parties. This method realizes the secure exchange of key between two parties by hiding the secret value shared by both parties in the operation related to the open value.

So let’s just think a little bit about the concept of this algorithm

Suppose there is a way to synthesize two keys. Using this method to synthesize the key P and the key S, the key P-S composed of the components of the two keys will be obtained. This method of synthesis has three characteristics:

  1. Even with the key P and the synthesized key P-S, the key S cannot be taken out separately.That is, keys can be synthesized but cannot be decomposed
  2. The synthesized key can be used as a new element to continue to be synthesized with other keys. For example, using the key P and the key P-S, you can also synthesize a new key P-P-S.That is, the synthesized key can continue to be synthesized
  3. The result of key composition has nothing to do with the composition order, but only with which key is used. That ABC and BAC are the same

Let’s take a look at the key exchange process

  1. First, A generates the key P and then sends the key P to B. Then A and B prepare their private keys SA and SB respectively
  2. A uses the key P and the private key SA to synthesize the new key P-sa. B also uses the key P and the private key SB to synthesize the new key p-sb
  3. The two parties exchange the synthesized key. That is, A sends the key P-sa to B, and B sends the key P-sb to A
  4. The private key SA and the received P-SB are combined into the new key sa-p-sb. B also combines the private key SB and the received P-sa into the new key P-sa-sb. According to the previous assumption, both A and B have obtained the key P-SA-SB, which will be used as the shared key for data encryption

Let’s verify the security of the key exchange. Because key P, p-SA, and P-SB need to be transmitted over the Internet, X may eavesdrop on them. However, X cannot synthesize p-SA-SB from its eavesdropped key, so this exchange is secure.

With diffie – Hermann key exchange, communication parties can exchange keys simply by exchanging some public information. But in reality, the two parties don’t exchange keys, they generate them.