Symmetric encryption, asymmetric encryption, certificate, do you understand?

Time:2020-9-29
1、 It is necessary to encrypt sensitive information on the Internet. Encryption is divided into symmetric encryption and asymmetric encryption

1. Asymmetric encryption (public key and private key)

RSA principle: the core is that it is difficult to decompose a number into the product of two prime numbers, especially when the two prime numbers are very large.

(1) Public private key generation algorithm

  • Two prime numbers P1, P2, P1 * P2 = n, randomly select an integer e (1 < e < [(P1-1) (P2-1)]). The formula in [] is Euler function, and E and [] must be mutual prime
  • Public key: N and e
  • Private key: D = (k * (P1-1) (P2-1) + 1) / E, K is a random positive integer
  • Original m, ciphertext C
  • Encryption process: (m ^ E) mod n = C
  • Decryption process: (C ^ D) mod n = m

(2) Key pair usage

Generate key pair: self = > public key a, private key a, opposite party = > public key B, private key B
Exchange key pair: self = > public key B, private key a, opposite party = > public key a, private key B
Use key pair:

a. The data is transmitted to the other party through public key B encryption, and the other party obtains the data through private key B decryption
  --Encryption data to ensure security, public key encryption, private key decryption
  b. The other party encrypts the summary information (partial information) of the data through private key B, and decrypts the digest with public key B after receiving the data
  --Successful decryption proves that the source of the data is the other party, public key decryption, private key encryption

The above is the process of using a pair of keys. The encryption only takes effect in one direction, so two pairs of keys are needed to complete the encryption.

2. Symmetric encryption (key)

AES principle: encryption algorithm can be reversed.

(1) ComponentsKey, encryption and decryption algorithm, original ciphertext

(2) Classification

AES-128, aes-192, AES-256, the original text is a group of 16 bytes. Here, the 128 bit key length (AES-128) is taken as an example to illustrate the algorithm, and the number of 128 key encryption rounds is 10

(3) Introduction of encryption algorithm

*The original text is divided into 16 bytes into a group, forming a 4 × 4 matrix with 1 byte in each cell
*The key is divided into 16 bytes (128 bits is 16 bytes) to form a 4 × 4 matrix with 1 byte in each cell. Each column of the matrix has 4 bytes as a group of unit expansion of 44 groups
*First, the plaintext and the original key are XOR encrypted
*The key 44 group is used to perform byte substitution, row displacement, column mixing and round key addition operations for each group of original texts for 10 rounds. The first nine rounds of operation are the same, and the last iteration does not perform column mixing
*Finally get the ciphertext

(4) Introduction of decryption algorithm

The decryption process is the reverse operation of the encryption process, which will not be repeated here.
2、 How to ensure the source of the published public key? (certificate)
Certificate is the certification of the public key issued by the authority (CA). The CA has a key pair and can be encrypted to publish the public key.

1. Certificate generation
Use the private key to encrypt your personal information and public key into a digital certificate to generate a CRS file,
This uses private key encryption and public key decryption to ensure the source of public key,
You may wonder why CA certification authority can guarantee the source?
CA certification authority has authority, and its public key source is more secure.

2. Example description:
The HTTPS protocol configures encryption certificate, which involves two roles: server and client browser
The server:

The website applies for a key pair certificate and configures the file to the web server

browser:

Request the server to obtain the private key encrypted web page and digital certificate,
Then there are generally two kinds of data validation
Is the public key in the digital certificate in the browser's built-in certificate list
The digital certificate contains a web address that is inconsistent with the current one