preface
This does not go deep into the source code, do not analyze the principle, only clarify some confusing concepts and their relevance. This time, from the perspective of the evolution of communication history, the concept and its role will be explained step by step. Through this article, you will learn:
Plaintext communication 2, ciphertext communication 3, symmetric encryption 4, asymmetric encryption 5, message digest 6, digital signature 7, CA and digital certificate 8, summary
1. Plaintext communication
Most of the time, we communicate mouth-to-mouth, with information completely exposed to the other person’s ears.
Lesbian small talk is fine, but not when it comes to important, personal information. At this point, you might think, let’s talk in private.
2. Ciphertext communication
Whisper can only be achieved in close proximity, if far apart how can you send information to each other safely? You’ve seen spy movies more or less, but how do undercover agents get information to organizations? The answer is through the password book.
Both parties agree to use a password book, which is actually a mapping:
1. The sender uses the password text to convert plaintext messages into hard-to-understand messages, which is called ciphertext. 2. After receiving the ciphertext, the recipient inverts the plaintext from the password text mapping.
In this case, the communication between the two parties is encrypted, which is called ciphertext communication. A third party that wants to decrypt the message needs to get hold of the cipher book or decode the cipher book mapping to convert the ciphertext into plain text.
3, symmetric encryption
With the development of science and technology, people’s communication has gradually changed from letters to electronic communication.
When we type a piece of text on the keyboard, this piece of information will be sent to each other through the network, how to ensure that this piece of information will not be easily known by others? We came up with the idea of encryption. The two parties negotiate a key before transmitting the information. The sender uses the key to encrypt the information into ciphertext before sending it.
Because the same key is used to encrypt plaintext and decrypt ciphertext, this encryption mode is called symmetric encryption.
Here’s a simple example:
Ming now encrypts messages symmetrically:
1. Set the key to X. 2, set the encryption algorithm to: each character +X. 3. Assume the key X=1 is used.
So plaintext Hello, +1 for each character, yields the following result: hello– >ifmmp
After red gets the ciphertext IFMMP, she knows that the key X=1, so she puts each character -1 in the ciphertext and gets the following result: ifmmp– >hello
So far, Xiao Ming and Xiao Hong have successfully communicated.
At this time xiaogang wanted to know what Xiaoming and Xiao Hong were talking about, so he intercepted the message:
Of course, symmetric encryption algorithms are not so simple, common symmetric encryption algorithms are as follows:
1. Data Encryption Standard (DES) is a Data Encryption Standard with low strength and easy to crack. Currently, it is rarely used. 2. Triple Data Encryption Algorithm (TDEA) 3DES is an enhanced version of DES. It encrypts a piece of Data with three different keys. 3. Advanced Encryption Standard (AES), the mainstream symmetric Encryption algorithm. 4. RC4 stream encryption algorithm designed by Ron Rivest. Blowfish block encryption algorithm, designed by Bruce Schneier 6. SM4 block cipher algorithm, designed by China and published by the National Cryptography Administration.
It seems that symmetric encryption can solve our communication security problem, but it introduces another problem:
#4. Is there a way for asymmetric encryption to be fair and square? The answer is asymmetric encryption.
1. Asymmetric encryption has two keys, one is a public key and the other is a private key. 2. The ciphertext encrypted with the public key can be decrypted only by the private key. 3. The ciphertext encrypted with the private key can be decrypted only by the public key. Public keys can be published for others to use, while private keys need to be kept secret and cannot be accessed by others.
Because encryption and decryption use different keys, this type of public-private key encryption is called asymmetric encryption.
Let’s see how Ming and Hong use asymmetric encryption to achieve secure communication. Xiao Ming and Xiao Hong generate their own public and private keys respectively:
1. Xiao Hong tells Xiao Ming her public key. 2. Xiao Ming encrypts the key of Xiao Hong and sends it to Xiao Hong. 3, red use their own private key to decrypt, the plaintext.
As can be seen from the above, the information encrypted with Xiao Hong’s public key can only be unlocked by Xiao Hong’s private key. As long as xiao Hong’s private key is not leaked, the communication between Xiao Ming and Xiao Hong is secure. Of course, the real asymmetric encryption algorithm is not so simple. There are several common asymmetric encryption algorithms:
1. DSA(Digital Signature Algorithm) is a variant of Schnorr and ElGamal Signature algorithms. ECC(Elliptic Curves Cryptography), Elliptic curve Cryptography. 3. The DH algorithm is generally used for key exchange. 4, RSA(Ron Rives, Adi Shamir, Leonard Adleman) three gods together proposed, named with the first letter of the last name. RSA is the most popular asymmetric encryption algorithm that can be used as both a key exchange and a digital signature.
5. Message summary
Is the correspondence between Xiao Ming and Xiao Hong really secure? At this time Xiaogang came to do things again:
1. Because Xiao Hong’s public key is public, it means xiao Gang can also get the public key. 2, Xiaogang intercepted the message xiaoming sent to Xiao Hong, although Xiaogang can not decrypt, but he can forge information. 3, Xiao Gang will forge good information with xiao Hong’s public key to send Xiao Hong. In this process, xiao Ming and Xiao Hong do not know the existence of Xiao Gang, but Xiao Gang secretly poke poke to replace the information.
The above information shows that:
1. Even in ciphertext, information can be easily forged. Xiaogang’s behavior is a man-in-the-middle attack MITM.
Together, Xiao Ming and Xiao Hong came up with a solution:
1. Xiaoming hashes the plaintext with Hash algorithm to generate message digest. 2. Xiao Ming encrypts the plaintext with Xiao Hong’s public key and sends the message summary to Xiao Hong together. 3. After receiving the message, Xiao Hong uses the private key to decrypt it. The decrypted plaintext uses the Hash algorithm to generate a message digest, and compares it with the message digest sent by Xiao Ming.
Message Digest features:
1. Generate target information of fixed length from a group of source information of indefinite length through message summarization algorithm. 2. The target information generated by different source information is inconsistent.
Common message digest algorithms include MD5 and SHA1.
6. Digital signature
Although the message summary is adopted, Xiao Gang can still forge the information by himself and generate the corresponding message summary. After receiving the message, Xiao Hong verifies that the summary is correct and thinks that it is sent by Xiao Ming. There are still loopholes in this method. The public key and private key of Xiao Hong were used in the preceding part, but the public key and private key of Xiao Ming were not used. On the basis of message summary, try to let Xiaoming’s public and private key also participate in the communication process:
1. Xiao Ming tells Xiao Hong the public key. 2. Xiao Ming uses his private key to encrypt the message summary and uses Xiao Hong’s public key to encrypt the plaintext, and sends both to Xiao Hong. 3. After receiving the information, Xiao Hong decrypts the plaintext with her own private key, and then decrypts the encrypted message abstract with Xiao Ming’s public key. 4. Compare message digests for consistency.
In contrast to the message digest process, there is an additional step:
Encrypt message digest with Xiaoming’s private key.
The process of encrypting information with a private key is called: Digital signature Digital signature has the characteristics of non-repudiation. As described above, information encrypted with a private key can be unlocked only by the corresponding public key. Therefore, if Xiao Hong uses Ming’s public key to unlock the ciphertext, it means that the message must be sent by Ming. On the other hand, Ming encrypts the message with a private key and sends it out, which means that the message is confirmed to be sent by himself, and this is his signature.
Common digital signature algorithms include RSA, DSA, and ECDSA. As usual, use the graph to see how Ming and Hong use digital signatures.
Xiaoming sends a message:
Little Red processing information process:
A digital signature has two functions:
1. Prove that the message was sent by an identified entity. 2, prove that the message is not string modified.
The whole process of xiao Ming’s public and private key, xiao Hong’s public and private key are involved. Because Xiaogang did not have Xiaoming’s private key, he could not generate Xiaoming’s digital signature, and ultimately failed to pass The verification of xiaoming’s digital signature.
7. CA and digital certificates
So xiao Gang can’t do anything about it? Not too! Review the pain points of symmetric encryption: How to pass symmetric keys? Asymmetric encryption also presents problems: how do you pass the public key? Therefore, both symmetric and asymmetric encryption need to solve the key transfer problem.
If Xiao Gang forged Xiao Hong’s public key, the situation is as follows:
1. When Xiao Ming obtains Xiao Hong’s public key, Xiao Gang replaces it with his own public key. 2. Xiao Ming encrypts the message with Xiao Gang’s public key (which he thinks is Xiao Ming’s) and digitally signs the abstract with his private key. After receiving the information, Xiaogang decrypts it with his private key. 4. Xiaogang encrypts with Xiaoming’s public key and digitally signs the abstract with his own private key. In the same way, Xiao Gang also cheated Xiao Hong. 6, finally, Xiaogang happily in the middleman…
Because the public key was forged, Xiao Gang could do whatever he wanted. How can Xiao Ming know that the public key he received is Xiao Hong’s? In this case, you need to introduce the Certificate Authority (CA)
With CA, red’s public key publishing process changes:
1. Xiao Hong submits her public key to THE CA. 2. CA confirms Xiaohong’s identity information, such as organization, name, city, etc. 3. Sign the above information and the public key with the CA private key to generate a digital certificate. 4. The certificate is returned to Xiao Hong.
It is shown as follows:
Some students don’t understand the fourth step of the five steps in the picture:
Xiao Ming verifies Xiao Hong’s certificate. The certificate is signed by CA, so CA’s public key is needed to decrypt it. How does the PUBLIC key of CA pass to Xiao Ming?
It seems to be back to square one: how to safely transfer a public key. Actually, trust has a starting point. The CA not only generates certificates for others, but also generates its own certificates. The certificates generated by the CA include the PUBLIC key of the CA. The CA certificate is preset in the system and browser when devices such as computers and mobile phones appear.
Therefore, when Ming verifies Xiao Hong’s certificate, he will look for the CA public key that can unlock xiao Hong’s certificate in the system. If he finds it, it means that the issuing authority of Xiao Ming certificate is trusted. Since he trusts the certificate, Ming also recognizes the public key extracted from the certificate as Xiao Hong’s. At this point, xiao Hong’s public key is safely passed to Xiao Ming, and then they can communicate happily.
What is the impact if the corresponding certificate cannot be found in the system? You may recall that when 12306 was first launched, browsers warned users that the site was untrusted, and 12306 prompted users to install their root certificates. This also explains from the side, we do not easily change the certificate in the system.
8, summary
Symmetric encryption has the risk of key transmission leakage, while asymmetric encryption does not need to transfer the private key, but needs to transfer the public key, and also has the risk of man-in-the-middle attack. Therefore, CA production certificate is introduced to solve the asymmetric encryption public key transfer problem.
Asymmetric encryption is slow and suitable for information with a small amount of data, while symmetric encryption is fast and suitable for information with a large amount of data. How to combine symmetric encryption and asymmetric encryption to create a secure communication link, the next chapter will focus on the analysis of the typical: SSL/TLS principle and application.