Cue August 12, 2021

This article was written in 2020, and this year I updated it with some new content that you can read directly: Encryption, digest, signature, certificate, once and for all!


🔥 Hi, I’m Chouchou. GitHub · Android-Notebook has been included in this article. Welcome to grow up with Chouchou Peng. (Contact information at GitHub)

Preface

  • Analysing HTTPS leads to the problem of transmitting data securely. The same problem appears in many scenarios besides HTTPS, such as application signing.
  • In this article I take a global look at the principles of secure data transmission, including its three requirements (encryption, authentication, and integrity verification) and the corresponding security technologies. If it helps, please like and follow; it really means a lot to me.


1. Overview of cryptography

1.1 Key milestones in the development of cryptography

| Time | Event | Description |
|---|---|---|
| / | Classical cryptography | Confidentiality depends on the secrecy of the algorithm; if the encryption algorithm is compromised, confidentiality is lost immediately |
| 19th century | Kerckhoffs's principle | The security of the system depends on the key, which is secret, while the encryption algorithm is public |
| / | Symmetric cryptosystem | Encryption and decryption use the same key |
| 1976 | Asymmetric cryptography / public-key cryptography | Encryption and decryption use different keys |
| 1999 | DES key cracked | Electronic Frontier Foundation |
| 2004 | MD5 collisions demonstrated | Professor Wang Xiaoyun |
| 2005 | SHA-1 collisions demonstrated | Professor Wang Xiaoyun |
| 2008 | Forged SSL certificate | Researchers at the Technical University of Eindhoven in the Netherlands generated forged SSL certificates using MD5 collisions, which made it possible to forge the signatures of some root CAs used in HTTPS |

1.2 Problems of Insecure Channels

  • Prevent eavesdropping: encryption (channel encryption or content encryption)
  • Prevent tampering: integrity verification
  • Prevent impersonation: authentication

1.3 Secure Communication model

According to Kerckhoffs's principle, the modern model of secret communication is key-based. When encryption and decryption use the same key, the system is a symmetric cryptosystem; when they use different keys, it is an asymmetric cryptosystem.


2. Message digest algorithm (verify integrity)

In this section we discuss message digest algorithms, which are often used to verify data integrity and are at the heart of the digital signature algorithm in Section 5.

2.1 Overview

A message digest algorithm is, in essence, a hash algorithm. I wrote an earlier article about hash algorithms: “Cryptography | What is a hash algorithm?”. There are many hash algorithms, but they all share the following properties and requirements:

| Property | Description |
|---|---|
| One-wayness | The input data cannot be derived from the hash value |
| Consistency | For the same input data, the computed hash value is always the same |
| High efficiency | The hashing process is as fast and efficient as possible |
| Randomness | The distribution of hash values over the output range is as random as possible |
| Input sensitivity | The hash values computed for similar data differ greatly |

Because message digests are one-way and consistent, they can be used to verify message integrity, that is, that the data has not been tampered with at any point between being generated and being received.

2.2 Message digest & Validation model

Here is a minimalist message digest generation & validation model:

  • 1. The sender uses the message digest algorithm to generate a digest of the message
  • 2. The sender sends the message and the message digest to the receiver (note that over an insecure channel both the message and the digest may be eavesdropped on and tampered with)
  • 3. After receiving the message, the receiver uses the same message digest algorithm to generate a digest
  • 4. The receiver verifies that the two digests are the same
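The model above, as an added example (not from the original article), using Python's standard `hashlib` and `hmac`. It also covers the caveat in step 2: a bare digest detects a changed message only if the digest itself arrives intact, while a keyed MAC (one of the families named in 2.3) still fails when both are replaced. The key, messages, and function names are constructed for the demonstration.

```python
import hashlib
import hmac

def make_digest(message: bytes) -> str:
    """Steps 1 and 3: compute the plain message digest (SHA-256)."""
    return hashlib.sha256(message).hexdigest()

def verify_digest(message: bytes, received_digest: str) -> bool:
    """Step 4: recompute the digest and compare in constant time."""
    return hmac.compare_digest(make_digest(message), received_digest)

def make_mac(key: bytes, message: bytes) -> str:
    """Keyed digest (HMAC-SHA256): needs a secret shared by both ends."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()

def verify_mac(key: bytes, message: bytes, received_mac: str) -> bool:
    return hmac.compare_digest(make_mac(key, message), received_mac)

# Constructed sample data for the demonstration.
KEY = b"constructed-demo-key-shared-out-of-band"
ORIGINAL = b"transfer 100 to account 42"
TAMPERED = b"transfer 900 to account 42"

def scenarios() -> dict:
    """Run the validation model against intact and modified traffic."""
    digest = make_digest(ORIGINAL)
    mac = make_mac(KEY, ORIGINAL)
    return {
        # Nothing modified in transit: verification passes.
        "intact": verify_digest(ORIGINAL, digest),
        # Only the message modified: the digest mismatch is detected.
        "message_changed": verify_digest(TAMPERED, digest),
        # Message and digest both replaced: a bare digest cannot tell.
        "message_and_digest_changed":
            verify_digest(TAMPERED, make_digest(TAMPERED)),
        # With a MAC, a changed message fails verification...
        "mac_message_changed": verify_mac(KEY, TAMPERED, mac),
        # ...and so does a MAC recomputed without the shared key.
        "mac_recomputed_without_key":
            verify_mac(KEY, TAMPERED, make_mac(b"not-the-key", TAMPERED)),
    }

if __name__ == "__main__":
    for name, accepted in scenarios().items():
        print(f"{name}: accepted={accepted}")
```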

2.3 Algorithm Implementation

Implementations of message digest algorithms fall into three families: MD, SHA, and MAC. Editing…


3. Symmetric encryption algorithm (confidentiality)

3.1 Overview

Symmetric encryption refers to encryption algorithms that use the same key for encryption and decryption. Although these algorithms are not as secure as asymmetric encryption, they have an advantage in encryption/decryption speed.

3.2 Symmetric encryption model

3.3 Algorithm Implementation

Examples: DES, DESede, AES, IDEA, and PBE. Editing…


4. Asymmetric encryption algorithm (confidentiality)

4.1 Overview

Asymmetric encryption refers to encryption algorithms that use different keys for encryption and decryption. The key that is made public is called the public key, and the key that is kept secret is called the private key. Asymmetric encryption is therefore also called public-key encryption or two-key encryption.

Compared with symmetric encryption algorithm, the core differences are as follows:

  • 1. It solves the key distribution problem of symmetric encryption algorithms and avoids transmitting the private key.
  • 2. Data encrypted with the public key can only be decrypted with the private key. Conversely, data encrypted with the private key can only be decrypted with the public key.
  • 3. Encryption/decryption efficiency is far lower than that of symmetric encryption algorithms.
  • 4. The private key is held only by the sender, which provides authentication and non-repudiation (this property is applied in the digital signature algorithm in Section 5).

Tip: Because asymmetric encryption algorithms are slow at encryption/decryption, in practice symmetric encryption is usually combined with asymmetric encryption.

4.2 Asymmetric encryption model

4.3 Algorithm Implementation

The security of asymmetric cryptography algorithms rests entirely on computationally hard problems, usually from number theory. Editing…

Example: RSA — integer factorization problem; DSA — Discrete logarithm problem; ECC — Discrete logarithm problem.


5. Digital signature algorithm (authentication)

5.1 Overview

In Section 2, we discussed message digest algorithms for verifying data integrity. On top of data integrity, we often also need to authenticate the source of a message and to provide non-repudiation. An algorithm that achieves this is called a digital signature algorithm.

Tip: Digital signatures are also known as digital fingerprints.

A digital signature algorithm consists of two main steps, signing and verification:

  • 1. Sign: The sender generates a digital signature and, when sending data, sends the original message and the signature together (see below for how to sign);
  • 2. Verify: After receiving the message and the signature, the receiver verifies whether the two match (see below for how to verify).

It is important to note that if anyone could produce the signature, there would be no way to establish the source of the message. Signing must therefore use information private to the sender, and verification must use public information, which is exactly the property of asymmetric encryption. For this reason, a digital signature algorithm usually combines a message digest algorithm with an asymmetric encryption algorithm.

  • Message digest algorithm: used to digest the data itself to ensure data integrity;
  • Asymmetric encryption algorithm: used to sign/verify the message digest to ensure non-repudiation.

5.2 Digital signature-verification model

Now let’s look at the two operations, signing and verification:

  • 1. Private-key signing: first use the message digest algorithm to digest the original message, then use the private key to sign the digest;
  • 2. Public-key verification: use the public key to verify the signature and check whether it matches the digest value of the message.

Tip: Why not sign the raw data with the private key first and then digest the signature?

First, because message digests are one-way, the signature cannot be recovered from the digest. Second, the longer the original data, the longer it takes to sign, so that approach is not feasible.

Tip: If the original message also needs to be encrypted, sign first and then encrypt the message. In other words, both encryption and signing should operate on the original message (plaintext) only. Encryption ensures that the message is not cracked during transmission, and signing ensures that the message is valid. The message itself may be something like an executable file that does not need to be encrypted.

5.3 Algorithm Implementation

Examples: RSA, DSA, and ECDSA.

RSA is both the most common asymmetric encryption algorithm and the most common signature algorithm. DSA is a typical digital signature algorithm: although it is an asymmetric algorithm, it does not provide data encryption and decryption. Editing…


6. Digital certificates

In Section 4, we discussed asymmetric encryption algorithms, which solve the key distribution problem. Besides keeping the private key confidential, we also need to ensure that the public key comes from a legitimate source. This is what a digital certificate is for: in essence, it provides an authenticated public key.

The signature file and the certificate file come in pairs and cannot be separated. As you can see from the source code, the two files have the same name and differ only in their suffix. For communication to be reliable, two problems must be solved: first, it must be confirmed that a message really comes from the party it claims to come from; second, it must be ensured that the information is not tampered with by a third party in transit, or that any tampering can be detected. Digital signatures were created to solve these two problems. They are a specific application of the asymmetric encryption and message digest techniques described above. The sender of a message generates a public/private key pair and gives the public key to the receiver of the message.

6.1 Digital Certificate Issuing & Authentication Model

Editing…

6.2 Data structure of digital Certificates

Editing…


7. Summary

  • Asymmetric encryption algorithm is used to encrypt/decrypt data to ensure the confidentiality of data.
  • Message digest algorithm is used to digest the digital certificate itself to ensure the integrity of the digital certificate.
  • Digital signature algorithm is used to sign/verify data to ensure data integrity and authentication.
