1. Encrypted communication
Encrypted communication: The communication process in which a message is encrypted into ciphertext before being sent and then decrypted into a message by the receiver.
The main technologies of encrypted communication include symmetric encryption and asymmetric encryption.
Symmetric encryption: encryption and decryption using the same set of keys.
** Common: **DES, AES (Advanced Encryption Standard)
Advantages and disadvantages: ** high efficiency, fast encryption speed. Key management and distribution are difficult and insecure.
Asymmetric encryption: encryption and decryption using different keys, one as the public key and the other as the private key. Public key encrypted information, only the private key can decrypt. Conversely, only the public key can decrypt the information encrypted by the private key.
**RSA
Advantages and disadvantages: ** Higher security. Encryption and decryption take a long time, slow speed, suitable for a small amount of data encryption.
Hybrid encryption: The recipient of the generated public key Shared with a sender, the sender using this public key will generate the session to encrypt the secret key, at the same time the sender use session secret key encryption, the content of the plaintext encrypted finished, will be two encrypted content together sent to the receiver, the receiver receives the message, by matching the first private key to decrypt the session key, Then use the session secret key to decrypt the ciphertext and get the plaintext.
Two, at this stage encryption
The communication between the client and the server is indeed encrypted, but the server itself has access to clear text, meaning that both sides must trust the server-side operator.
By taking down a server, an attacker can gain access to large amounts of important private data.
End-to-end encryption
End-to-end encryption is called end-to-end encryption, or E2EE. A message is encrypted on a device and can be decrypted only by the receiving device. The message is encrypted throughout its transmission.
The message is encrypted on the sender’s client, such as Alice’s phone, while the ciphertext can be decrypted only on the receiver, such as Bob’s phone. The server does not store the key, so it cannot decrypt the ciphertext at all. When an attacker takes down the server, he gets nothing. The server has no key. The attackers were able to master a single person’s phone and only access chat records from that person. End-to-end encryption plays an important role in secure instant messaging applications, email messaging.
Key technologies:
1. AES symmetric encryption algorithm
AES supports three lengths of key: 128-bit, 192-bit, and 256-bit
AES encryption function: C = E(K, P)
AES decryption function: P = D(K, C)
2, Diffie-Hellman Key exchange algorithm
Diffie-hellman (DH) key exchange is a special key exchange method. DH enables two parties to obtain a shared key over an insecure channel in the absence of each other’s (private) information. This key is used for symmetric encryption of subsequent information exchanges.
G: public root P: public prime a: Alice private key A: Alice public key B :Bob private key B :Bob public key K: shared key, symmetric key
Threats to end-to-end encryption
1. Man-in-the-middle attack (impersonating the recipient and replacing the public key published by the recipient with its own => authentication (digital authentication certificate or trusted network))
2. Terminal security
3. Backdoor procedures
NGINX conflicts with NGINX
Nginx can implement HTTPS two-way authentication, which consists of two steps: signing a trusted SSL certificate and configuring HTTPS
To configure HTTPS, you need a private key file (ending with.key) and a certificate file (ending with.crt) issued by a third-party ca. To get a third-party CA to issue a certificate file, you need to provide them with a certificate signing request file (ending with.csr).
Nginx configures local Https– SSL certificates
server { listen 443; server_name localhost; ssl on; # enable SSL functionality ssl_certificate/etc/nginx/keys/server. The CRT. # configuration position certificate CRT ssl_certificate_key/etc/nginx/keys/server. The key; Ssl_client_certificate /etc/nginx/keys/ca.crt; Ssl_verify_client on; Ssl_session_timeout 5m; Ssl_protocols SSLv2 SSLv3 TLSv1 TLSv1.1 TLSv1.2; Ssl_ciphers ecdhe-rSA-aes128-GMM-sha256 :HIGH:! Ssl_ciphers ecdhe-rSA-aes128-GMm-sha256 :HIGH:! aNULL:! MD5:! RC4:! DHE; Ssl_prefer_server_ciphers on; # root html; index index.html; location / { try_files $uri $uri/ =404; }}Copy the codescenario
1. Connect directly to the application using HTTPS from the browser, and you will be prompted for the client certificate, and everything will be fine.
2. Disable HTTPS and use proxy_pass to run as an HTTP server behind HTTPS enabled Nginx (using the same server key and certificate) without prompting for client certificates.
3. With HTTPS enabled on the node application, it seems impossible to pass it from the Nginx agent. When nginx acts as a TLS (SSL) endpoint, it is not possible to pass client certificates through Nginx to the application server behind Nginx. This is because TLS is an end-to-end encryption system between a TLS client (browser) and a TLS finalizer (Nginx or application server). All TLS operations (client/server authentication, encryption, etc.) must be performed on both the client and server.
Treatment: The client connects to the exposed application server or uses Nginx to proxy the actual TCP connection to the back-end Stream module.
Reference: cloud.tencent.com/developer/a…
Cn.gbtwireless.com/958097-how-…
Serverfault.com/questions/5…
Server.51cto.com/sOS-608663….
End to end encryption scheme
1. End-to-end encryption scheme: Use the CA authentication center to realize the end-to-end encryption service.
Reference: docs-im.easemob.com/start/490in…
Nextcloud: End-to-end Encryption server API supports end-to-end Encryption, based on PHP and JavaScript.
- Create and synchronize identity authentication
- Encrypt folders and add files
In summary, Nextcloud creates an end-to-end encrypted folder by marking an empty folder for end-to-end encryption, creating metadata, encrypting, and uploading. The process is protected by a lock, which the client requests from the server and is released again after all changes have been made and uploaded. Each file is encrypted with its own unique key, which is stored in the metadata file. All data in the metadata file in turn is securely encrypted, and the file name and directory structure are also hidden from the server, using a unique UUID as the name of each file.
Reference: github.com/nextcloud/e…
www.orgleaf.com/2884.html
ZeroDB: An open source end-to-end database based on ZODB and Python.
In ZeroDB, the client is responsible for the database logic. Data encryption, decryption and compression also occur on the client side. Therefore, the server never knows anything about the data, its structure, or order.
The client also has an adjustable cache that stores the most frequently used parts of the data structure, even if they are small (say, 1 Megabyte), which can greatly speed up queries.
Reference: github.com/nucypher/ze…
Github.com/nucypher/ze…
4. OpenPGP: Based on JavaScript developed by Google, it supports key generation, encryption, decryption, digital signature and signature verification.
Extension application: E2EMail,Freedom JS,uProxy,Google End-tp-end Extension,Yahoo end-tp-end Extension
Reference: github.com/google/end-…
Ockam: A tool for mutual authentication and end-to-end encrypted messaging between distributed applications based on Rust and Elixir that makes it easy to build devices for secure, private and trusted communication with cloud services and other devices.
Features
-
End-to-end encrypted, mutually authenticated secure channels.
-
Key Lifecycle and Credential Exchange protocols.
-
Attribute-based Access Control with Credentials that support Selective Disclosure.
-
Add-Ons for a variety of transport protocols, hardware cryptography, and enterprise integrations.
-
Libraries for multiple languages – Rust, Elixir (more on the roadmap)
Reference: www.ockam.io/
Github.com/ockam-netwo…