This is the 8th day of my participation in the August More text Challenge. For details, see: August More Text Challenge

Security architecture

The security architecture for open systems interconnection (GB/T 9387.2-1995) defines five types of security service: authentication, access control, data confidentiality, data integrity and non-repudiation.

Data confidentiality services

The purpose of the data confidentiality service is to ensure that information is available only to those who have been granted access. It protects information either by restricting who can reach the data or by presenting the data in a form that only the intended party can read. Confidentiality can therefore be provided in two ways:

Provide confidentiality by barring access

That is, confidentiality is guaranteed through access control, supplemented by physical media protection and routing control. Barring access is the most common protection in our own systems. For example, the production databases and production deployment addresses can now only be reached through a bastion host, which effectively ensures that only authorized developers can access the production environment. At present our systems are basically deployed on the intranet and isolated from the Internet; communication is only possible after the corresponding IP addresses and ports have been opened, which effectively isolates the system and preserves confidentiality.

Confidentiality is provided through encryption

That is, data is protected against leakage during transmission or storage. Encryption mechanisms are divided into symmetric encryption and asymmetric encryption.

The evolution of cryptography

The initial stage

Security awareness among websites was still relatively weak, and passwords were saved in the database in plaintext. CSDN, for instance, stored passwords in plaintext, and then its database was leaked; in those days database dumps were a daily occurrence. Passwords saved in plaintext leak users' passwords directly, and many users reuse one user name and one password across multiple websites, so a password leak at website A can also compromise other websites.

Encryption era

At the time, Yun Yun was still building up the security of its Chinese website (although it has since been shut down). After the CSDN incident, it started hashing the passwords in its database with MD5. However, in 2004 it was shown that the MD5 algorithm could not prevent collisions, so it was no longer suitable for security authentication. With computing power growing ever stronger, the MD5 digest of a password can be matched back to the user's actual password, so MD5 gradually became obsolete.

The salting era

Today, salt strings are used together with the hash algorithm: the password and the salt are concatenated and the result is hashed. This ensures that the stored digest cannot be matched by a collision or lookup table built without the salt, and it increases the attacker's computation cost, which gives the user's password the best protection. This is now the mainstream approach.
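The three stages above (plaintext, unsalted MD5, salted hashing) can be demonstrated side by side. The following Python script is an added example written for this page, not code from the original post; the user names, the three "common" passwords and the salts are constructed sample data. It goes one step beyond the post by also showing the form of salted hashing a practitioner would use today: a per-user random salt combined with a deliberately slow key derivation function (PBKDF2-HMAC-SHA256 from the standard library) and a constant-time comparison when verifying.

```python
import hashlib
import hmac
import os

# Constructed sample data for the demonstration (not real user records).
COMMON_PASSWORDS = ["123456", "password", "qwerty"]


def md5_hex(text):
    """Encryption era: a bare, unsalted MD5 digest of the password."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def build_lookup_table(candidates):
    """Precomputed digest -> password map for a list of common passwords.
    This is exactly why an unsalted digest can be matched back to a password:
    the same password always yields the same digest, so one table serves
    every site that uses unsalted MD5."""
    return {md5_hex(p): p for p in candidates}


def recover_from_unsalted(digest, table):
    """Return the password behind an unsalted digest if it is in the table."""
    return table.get(digest)


def salted_md5_hex(password, salt):
    """Salting era as described in the post: concatenate a per-user salt and
    the password, then hash. The same password now gives different digests
    for different users, so a shared lookup table no longer applies."""
    return hashlib.md5(salt + password.encode("utf-8")).hexdigest()


def make_record(password, iterations=200_000):
    """Current practice (beyond the post): random per-user salt plus a slow
    KDF, so each guess costs the attacker many hash computations."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}


def verify(record, attempt):
    """Recompute the KDF with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", attempt.encode("utf-8"), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(digest, record["digest"])


def demo():
    """Walk through the three eras for two users who share a weak password."""
    table = build_lookup_table(COMMON_PASSWORDS)

    # Unsalted MD5: identical digests reveal the shared password, and the
    # digest is found directly in the precomputed table.
    alice_unsalted = md5_hex("123456")
    bob_unsalted = md5_hex("123456")
    recovered = recover_from_unsalted(alice_unsalted, table)

    # Salted MD5: distinct salts give distinct digests; the table misses.
    alice_salt, bob_salt = os.urandom(16), os.urandom(16)
    alice_salted = salted_md5_hex("123456", alice_salt)
    bob_salted = salted_md5_hex("123456", bob_salt)

    # Salt + slow KDF: verification works only with the right password.
    record = make_record("123456")

    return {
        "unsalted_digests_equal": alice_unsalted == bob_unsalted,   # True
        "unsalted_recovered": recovered,                            # "123456"
        "salted_digests_equal": alice_salted == bob_salted,         # False
        "salted_in_table": alice_salted in table,                   # False
        "kdf_accepts_correct": verify(record, "123456"),            # True
        "kdf_rejects_wrong": verify(record, "1234567"),             # False
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the script prints the six results in the order shown in the comments. The point to take from it is that the salt alone defeats shared lookup tables, but only a slow, per-user-salted KDF also raises the per-guess cost, which is what protects weak passwords once a database is leaked.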