preface

Most of the projects I know of so far are developed in a way that separates the front and back ends. This is the problem of data transmission, front-end to the server or server to the front end of the data are easy to be stolen by others. The transmitted data is encrypted and decrypted to ensure data security.

The following describes two methods of data transmission at the front and back ends

The first method (add signature to parameter, verify signature)

The front and back ends agree on a key, and the request parameters are concatenated into a string in alphabetical order (usually in ASCll order), then concatenated with the key, and finally encrypted with MD5 or SHA to obtain an encrypted signature sign, which is then sent to the server as the last parameter.

After getting the result sent from the front end, the server also splices the parameter (excluding sign) into a string in sequence, then splices the key, and encrypts it with MD5 or SHA. A new sign is also obtained. The server compares the two signs, and if they are the same, it means there is no problem with the data returned. It means the data has been changed.

For example, the passed argument is

id=5&age=10

The argument that should now be passed by checkmark is

id=5&age=10&sign=MD5(age=10&id=5&key=asdasqweqeweqe)

What the server gets is

id=5&age=10&sign=MD5(age=10&id=5&key=asdasqweqeweqe)

Sign1 = MD5(age=10&id=5&key= ASDASqWeqeWEQE) Then sort to get age= 10&ID =5, plus the agreed key (ASDASqWEqeWEQE) and MD5 to get sign2, and the two signs are compared

The second way (encryption and decryption of data, mixed cipher mode)

As far as I know, there are two types of passwords, depending on how the key is used

  • Symmetric cryptography (commonly known as symmetric encryption and decryption)

  • Public key cryptography (asymmetric cryptography)

In symmetric cryptography, encryption and decryption use the same key. The AES algorithm is the symmetric cryptography algorithm. Specific AES algorithm we baidu is good

But when symmetric ciphers are commonly used, there are key distribution problems.

For example: Sender A will send the information encrypted with symmetric password to recipient B, and recipient B can decrypt the information only after sending the secret key to recipient B. In this case, when A sends the secret key to recipient B, it is easy for others to steal the secret key, and others can decrypt the information with the secret key.

How to solve the key distribution problem

I know of several solutions

  • Share the secret key beforehand
  • Key distribution center
  • Public key cryptography (asymmetric cryptography)

Public key cryptography

In public key cryptography, there are two types of keys: encryption key and decryption key.

The most widely used public key cryptography algorithm is RSA

The encryption key, which is usually public, is called a public key.

A decryption key that is held by the receiver and cannot be made public. It is also called a private key.

The public key and private key correspond to each other and cannot be generated separately. A pair of public keys and private keys is called a key pair.

The ciphertext encrypted by the public key can be decrypted only by using the private key corresponding to the public key

The ciphertext encrypted by the private key can be decrypted only by using the public key corresponding to the private key

We use public key cryptography to solve the secret key distribution problem

1. The receiver of the message generates a pair of public and private keys

2. Send the public key to the sender of the message

3. The sender of the message uses the public key to encrypt the message

Hybrid cryptosystem

  • Disadvantages of symmetric ciphers

The key distribution problem cannot be solved well

  • Disadvantages of public key cryptography

The encryption and decryption speed is slow

Hybrid cryptosystem, which combines the advantages of symmetric cryptography and public key cryptography, solves the slow speed of public key cryptography, and solves the key distribution problem of symmetric cryptography by public key cryptography

Hybrid cryptosystem encryption

The session key is a temporary key randomly generated during the communication. It is used as the key of symmetric passwords to encrypt information and improve the speed

  1. First, the message sender has the message receiver’s public key (the public key of asymmetric ciphers)
  2. Generates a session key that acts as the key to a symmetric cipher, encrypting the message
  3. The session key is encrypted with the message receiver’s public key
  4. Send the encryption result generated in the previous two steps to the receiver

The content sent out includes

  1. Message encrypted with session key (encryption method: symmetric cipher)
  2. Session key encrypted with public key (encryption method: public key ciphers)
Hybrid cryptosystem decryption
  1. The message receiver decrypts the session key with its own private key (asymmetric cipher private key)
  2. Then use the session key decrypted in step 1 to decrypt the message

Method 2 Summary (Mixed cryptography)

Front-end A >>>>> Server B

Sending process, encryption process

  1. Mr. B is a pair of public and private keys
  2. User B shares the public key with user A
  3. A Randomly generated session key (temporary key) for each request
  4. A Encrypts the message to be sent with the session key (using symmetric cryptography)
  5. A encrypts the session key with B’s public key (using public key cryptography, also known as asymmetric cryptography)
  6. A sends the encryption results of steps 4 and 5 to B

Reception process, decryption process

  1. B decrypts the session key using its own private key (using public key cryptography, also known as asymmetric cryptography)
  2. B decrypts the sent message using the session key (using symmetric cipher decryption)

In this paper, we refer to the ape world. And Li Mingjie’s underlying principle of iOS signature mechanism