I have recently been studying an illustrated book on cryptographic techniques, and this will be a series of cryptography study notes. The series covers the basic concepts of cryptography, symmetric encryption, asymmetric encryption, one-way hash functions, message authentication codes, digital signatures, digital certificates and so on, with Golang code used for demonstration. If you are interested, watch for updates. Today we start with some conceptual issues in cryptography.

  • 1. Introduction to cryptography
  • 2. Symmetric encryption
  • 3. Block cipher modes
  • 4. Asymmetric encryption
  • 5. One-way hash functions
  • 6. Message authentication code
  • 7. Digital signature
  • 8. Certificates
  • 9. SSL/TLS

Sender, receiver, and eavesdropper

Imagine a scenario where Alice sends an email to Bob. In this scenario, Alice who sends the email is called the sender and Bob who receives the email is called the receiver.

In general, when one party sends information to another, the party that sends it is called the sender, the party that receives it is called the receiver, and the information being sent is called the message.

The mail is sent from Alice’s computer to Bob’s computer over the Internet. On the way it passes through a number of computers and communications devices, and at any of these points an eavesdropper may be listening in.

The eavesdropper, Eve, doesn’t have to be human. It could be an eavesdropping device installed on communications equipment, or a program installed in mail software or on mail servers.

Although the content of an email should be known only to the sender and recipient, there is a risk that it will be known to a third party if you do not take appropriate measures.

Encryption and decryption

So how do you prevent eavesdroppers from eavesdropping? Alice doesn’t want anyone to see the message, so she decides to encrypt it and send it.

A message before encryption is called plaintext, and a message after encryption is called ciphertext.

  • After the plaintext is encrypted, it becomes unreadable ciphertext

Bob receives an encrypted message from Alice, but as the recipient, Bob cannot read the ciphertext directly, so Bob needs to decrypt the ciphertext before reading it. Decryption is the process of restoring ciphertext to plaintext.

  • After decryption, the ciphertext becomes plaintext

If a message is encrypted before it is sent, then even if it is intercepted, the eavesdropper only gets the ciphertext, not the plaintext.

  • By encrypting the message and sending it, eavesdroppers can only get the ciphertext

In the above scenario, Alice encrypts the email and Bob decrypts it in order to prevent Eve from reading its contents. Alice and Bob use cryptography to ensure the confidentiality of the email.

The secret key

Cryptographic algorithms

The steps used to solve a complex problem are often called an algorithm. The steps that generate ciphertext from plaintext, that is, the encryption steps, are called the encryption algorithm, and the decryption steps are called the decryption algorithm. Encryption and decryption algorithms are collectively referred to as cryptographic algorithms.

The secret key

A cryptographic algorithm requires a key. Keys in the real world are small pieces of metal with subtle and complex shapes. The key of a cryptographic algorithm, however, is a very large number, such as 203554728568477650354673080689430768.

Encryption, decryption and secret keys

The key is needed both for encryption and for decryption.

Just as the key to a safe protects the valuables stored in it, the key of a cipher protects your important data. Even the strongest safe can be robbed of its valuables if the key is stolen. Likewise, we must be careful not to let the cipher key be stolen by others.

Caesar cipher

The Caesar cipher is a cipher that is said to have been used by Julius Caesar. Caesar was born in Rome around 100 BC. He was a famous military commander.

The Caesar cipher encrypts by “shifting” each letter of the plaintext a fixed number of positions along the alphabet. The same approach works for any alphabet, for example Japanese (such as hiragana), Chinese (such as Hanyu Pinyin) or English.

For ease of explanation, we use lowercase letters (a, b, c, …) to represent plaintext and uppercase letters (A, B, C, …) to represent ciphertext.

Now we shift the alphabet by three letters, so that a in the plaintext becomes D, three letters later, and so on: b becomes E, c becomes F, d becomes G, …, v becomes Y and w becomes Z. Then x wraps around to the beginning of the alphabet and becomes A, y becomes B and z becomes C. This is how “shifting” works.

The encryption of the Caesar cipher

Here, we assume that the information to be kept secret is monkey D Luffy, the boy’s name. Regardless of whether the name represents a real man or just a code word, we’ll just consider sending it to the recipient confidentially.

The plaintext contains the following 12 letters: monkeydluffy. Then we encrypt the letters one by one:

                                m	--->	P				
                                o	--->	R
                                n	--->	Q
                                k	--->	N
                                e	--->	H
                                y	--->	B
                                d	--->	G
                                l	--->	O
                                u	--->	X
                                f	--->	I
                                f	--->	I
                                y	--->	B

The plaintext monkey d luffy is thus converted to the ciphertext PRQNHB G OXIIB. We can understand monkey d luffy, but not PRQNHB G OXIIB.

In the Caesar cipher, the operation of shifting the letters of the alphabet is the cryptographic algorithm, and the number of positions shifted is the key. In the example above, the key is 3 (figure below).

Decryption of the Caesar cipher

Now, suppose the receiver has received the ciphertext PRQNHB G OXIIB, which must be decrypted into plaintext because the ciphertext itself is unreadable.

Decryption of the Caesar cipher is the reverse shift, using the same key that was used for encryption. In the example above, each letter only needs to be shifted back by 3 positions.

                                P	--->	m				
                                R	--->	o
                                Q	--->	n
                                N	--->	k
                                H	--->	e
                                B	--->	y
                                G	--->	d
                                O	--->	l
                                X	--->	u
                                I	--->	f
                                I	--->	f
                                B	--->	y

So we have the plaintext monkeydluffy.

In this scenario, the key, 3, must be agreed upon in advance by the sender and receiver.

Common sense about cryptography and threats to information security

Common sense about cryptography and information security

Before we move on, let’s introduce some common sense about cryptography. People new to cryptography are often surprised by the following points because they seem counterintuitive.

  • Do not use secret cryptographic algorithms
  • Using a weak cipher is more dangerous than no encryption at all
  • Any cipher will be broken one day
  • Cryptography is only part of information security

Do not use secret cryptographic algorithms

Many companies have the following ideas:

“By developing our own cryptographic algorithm and keeping it secret, the company can keep its data secure.” However, this is a big mistake. You cannot achieve high security by using a secret cryptographic algorithm. We should not create or use any secret cryptographic algorithms, but should use those that are already public and have been recognized as strong.

There are two main reasons for this:

  • Exposure of a secret cryptographic algorithm is only a matter of time

    Historically, the secrets of cryptographic algorithms have always been exposed eventually. For example, the RC4 cryptographic algorithm developed by RSA was once secret, but an equivalent of it was eventually developed and published by an anonymous source.

    Once the details of the cryptographic algorithm are exposed, the cryptographic system that relies on keeping the cryptographic algorithm itself secret to ensure its confidentiality falls apart. In contrast, algorithms that are public were never intended to be secret in the first place, so their exposure does not make them any less powerful.

  • It is very difficult to develop strong cryptographic algorithms

    • It is extremely difficult to compare the strength of cryptographic algorithms, because that strength cannot be proven as rigorously as a mathematical theorem. It can only be demonstrated in practice: if professional cryptanalysts fail to break an algorithm after years of trying, the algorithm is relatively strong.
    • Clever programmers can easily write “their own cryptosystem”. Such ciphers may seem unbreakable to the layman, but an expert cryptanalyst can break them with little effort.
    • Almost all of the public cryptographic algorithms now considered strong are the ones that survived long periods in which cryptanalysts tried and failed to break them. Therefore, to think that a company’s own cryptosystem is better than those that are open to the public is to overestimate the company’s capabilities.
    • Attempts to achieve security by keeping the cryptographic algorithm itself secret, often referred to as security by obscurity, are dangerous and stupid.
    • On the other hand, if the details of a cryptographic algorithm and the source code of the program are handed to professional cryptanalysts together with a large number of plaintext and ciphertext samples, and it still takes a long time to decipher a new ciphertext, then the cipher is of high strength.

Using a weak cipher is more dangerous than no encryption at all

It is generally believed that even a weak cipher is better than no encryption at all. In fact, this kind of thinking is very dangerous.

**The right idea is:** It is better not to encrypt at all than to use a low-strength cipher, mainly because the word “encryption” gives users a “false sense of security.” For the user, the feeling of security has nothing to do with the strength of the cipher; it comes only from the fact that the message has been encrypted, which often leads to carelessness when handling confidential information.

Any cipher will be broken one day

If a cryptographic product claims to “use an unbreakable cryptographic algorithm,” you have to question the security of the product, because there are no unbreakable ciphers.

Any ciphertext generated using any cryptographic algorithm can be deciphered one day by trying all possible keys once. The tradeoff between the time it takes to decipher the ciphertext and the value of the plaintext to be kept secret is therefore very important.
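The Caesar cipher from earlier in these notes makes this concrete, because its key space holds only 26 keys. The following Go program is an added example, not code from the book or the original post; the function names Encrypt, Decrypt and Candidates are chosen here. It follows the article's convention of lowercase plaintext and uppercase ciphertext, reproduces the monkey d luffy walkthrough with key 3, and then decrypts under every possible key.

```go
package main

import (
	"fmt"
	"strings"
)

// Encrypt shifts each lowercase plaintext letter forward by key positions and
// writes it as an uppercase ciphertext letter (the convention used in this
// article). Characters other than a-z, such as spaces, pass through unchanged.
func Encrypt(plaintext string, key int) string {
	var b strings.Builder
	for _, r := range plaintext {
		if r >= 'a' && r <= 'z' {
			r = 'A' + (r-'a'+rune(key%26)+26)%26
		}
		b.WriteRune(r)
	}
	return b.String()
}

// Decrypt shifts each uppercase ciphertext letter back by key positions.
func Decrypt(ciphertext string, key int) string {
	var b strings.Builder
	for _, r := range ciphertext {
		if r >= 'A' && r <= 'Z' {
			r = 'a' + (r-'A'-rune(key%26)+26)%26
		}
		b.WriteRune(r)
	}
	return b.String()
}

// Candidates decrypts the ciphertext under every possible key. The Caesar
// cipher has only 26 keys, so exhaustive search finishes immediately.
func Candidates(ciphertext string) []string {
	out := make([]string, 26)
	for k := range out {
		out[k] = Decrypt(ciphertext, k)
	}
	return out
}

func main() {
	c := Encrypt("monkey d luffy", 3) // sample plaintext from this article
	fmt.Println(c, "->", Decrypt(c, 3))
	for k, p := range Candidates(c) {
		fmt.Printf("key %2d: %s\n", k, p)
	}
}
```

Only one of the 26 candidate lines is readable, which is why the size of the key space, and not the secrecy of the algorithm, determines how long a cipher resists exhaustive search.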

Cryptography is only part of information security

Let’s go back to the example of Alice sending an encrypted email to Bob. Even without breaking the cryptographic algorithm, there are many ways to find out what Alice sent. For example:

Instead of trying to decipher the encrypted message, an attacker could attack Alice’s computer to get the plaintext of the message before it was encrypted.

None of the attacks mentioned above has anything to do with the strength of the cipher. Good security requires an understanding of the nature of the very concept of a system. A complex system is like a chain of countless links that, if pulled hard, will break at its weakest link. A system is therefore only as strong as its most vulnerable link.

The most vulnerable link is not the cipher, but the human.

Cryptography and information security threats

We graphed the direct relationship between the threats to information security and the cryptographic techniques used to counter those threats.
