In the previous article we discussed symmetric cryptography, public key cryptography, message authentication codes, digital signatures and other cryptographic techniques, all of which rely on a key.
So what is a key? A key is the secret from which the plaintext can ultimately be recovered, so in effect the key is equivalent to the plaintext.
For example, suppose there are 100000 dollars in a locked safe that opens with a key. Whoever holds the key effectively has the 100000 dollars.
Summary of various keys
In previous articles we covered symmetric cryptography, public key cryptography, message authentication codes and digital signatures. Let’s review them here.
- Symmetric cipher
Symmetric cryptography uses the same key to encrypt and decrypt plaintext.
- Public key cryptography
Public key cryptography uses different keys to encrypt and decrypt messages.
- Message authentication code
A message authentication code uses the same key to compute and to verify the authentication tag of a message.
- Digital signature
A digital signature uses different keys to sign and to verify a message.
Symmetric ciphers and public key ciphers encrypt the plaintext directly, so they provide confidentiality of messages.
Message authentication codes and digital signatures are used for message authentication. They do not encrypt the plaintext; their purpose is to verify that a message is authentic and has not been altered.
Other key categories
The four types above are classified by encryption method and purpose. Keys can also be classified by how many times they are used, into session keys and master keys.
A session key is used for a single session and discarded afterwards. A master key is a fixed key that is used repeatedly.
Anyone familiar with the SSL/TLS protocol has seen this distinction: in that protocol each session creates its own key to encrypt that session’s messages, that is, a session key.
Keys can also be classified by what they encrypt, content or another key, into content encrypting keys (CEK) and key encrypting keys (KEK). A CEK is easy to understand: the symmetric keys and public keys discussed earlier are CEKs. The main purpose of a KEK is to reduce the number of keys that have to be kept safe.
We mainly explain the key management from the following aspects:
- Generate key
There are two ways to generate a key: from a random number or from a password.
A random number used as a key must be unpredictable. In practice we generate it with a cryptographically secure pseudo-random generator.
In Java code we usually use java.util.Random, but that class must not be used to generate keys. Instead, java.security.SecureRandom generates cryptographically secure random numbers.
Here are two common uses of SecureRandom:

```java
SecureRandom random = new SecureRandom();
byte[] bytes = new byte[20];            // buffer for the random bytes
random.nextBytes(bytes);                // fill it with cryptographically secure random bytes

byte[] seed = random.generateSeed(20);  // 20 seed bytes from the underlying entropy source
```
Besides random numbers, the other way is to derive the key from a password.
A password is a secret that a human can remember. To make sure that a key derived from a password cannot be found by brute force, we add a salt to the password.
Put simply, a random number (the salt) is added to the password, the combination is hashed, and the result is used as the key.
- Distribution key
To distribute a key we can share it in advance, use a key distribution center, use public key cryptography, and so on. There are other delivery methods as well.
- Update key
Sometimes, to keep a key secure, we need to update it from time to time. The usual approach is to take the current key as a starting point and compute the new key from it with a specific algorithm.
- Save key
Those who have studied blockchain will know the paper key: the key is simply written on paper and stored.
When there are too many keys, storing them offline becomes difficult. Then a key encrypting key (KEK) can be used: the keys are encrypted with the KEK and stored in encrypted form.
This way we do not need to worry about the security of the encrypted keys, because even if they are stolen, the original keys cannot be recovered without the KEK. We only need to protect the key that encrypts them.
- Void key
Voiding a key is complicated, because the key is equivalent to the plaintext: even if you delete it, someone else may still hold a backup. Key invalidation must therefore be planned for at the design stage.
As in the earlier certificate article, a revoked key can be recorded in a CRL (certificate revocation list).
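The key generation and key encrypting key sections above, as one added example that is not the article’s own code: a random CEK from SecureRandom, a KEK derived from a salted password (PBKDF2 is assumed here as the concrete salt-and-hash step), and the CEK wrapped with that KEK using AES key wrap, so only the wrapped blob and the password need protecting. Class and method names are my own.

```java
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;

public class KeyManagementDemo {
    private static final SecureRandom RANDOM = new SecureRandom();

    // Random CEK: 32 bytes from a cryptographically secure generator (not java.util.Random).
    static SecretKey randomCek() {
        byte[] raw = new byte[32];
        RANDOM.nextBytes(raw);
        return new SecretKeySpec(raw, "AES");
    }

    // Password-based key: salt and password are hashed together many times
    // (PBKDF2, assumed here as the concrete "add salt, then hash" step) into a 256-bit AES key.
    static SecretKey passwordKey(char[] password, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password, salt, 210_000, 256);
        byte[] raw = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        return new SecretKeySpec(raw, "AES");
    }

    // KEK use: wrap the CEK with AES key wrap; only the wrapped blob is stored.
    static byte[] wrap(SecretKey kek, SecretKey cek) throws Exception {
        Cipher c = Cipher.getInstance("AESWrap");
        c.init(Cipher.WRAP_MODE, kek);
        return c.wrap(cek);
    }

    // Unwrapping with the wrong KEK fails the integrity check and throws.
    static SecretKey unwrap(SecretKey kek, byte[] wrapped) throws Exception {
        Cipher c = Cipher.getInstance("AESWrap");
        c.init(Cipher.UNWRAP_MODE, kek);
        return (SecretKey) c.unwrap(wrapped, "AES", Cipher.SECRET_KEY);
    }

    public static void main(String[] args) throws Exception {
        byte[] salt = new byte[16];
        RANDOM.nextBytes(salt);                               // constructed per-password salt
        SecretKey kek = passwordKey("example-passphrase".toCharArray(), salt);
        SecretKey cek = randomCek();
        byte[] stored = wrap(kek, cek);                       // safe to store without the CEK
        SecretKey back = unwrap(kek, stored);
        System.out.println("CEK recovered: " + Arrays.equals(cek.getEncoded(), back.getEncoded()));
    }
}
```

The salt must be stored beside the wrapped blob, since the same password with a different salt yields a different KEK that cannot unwrap it.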
For more information, please visit http://www.flydean.com/key/