Original: Curly brace MC (WeChat official account: Huakuohao-MC), focusing on Java fundamentals and big data, experience sharing and personal growth.

Information encryption techniques are commonly divided into two kinds: symmetric encryption and asymmetric encryption.

Symmetric encryption

Symmetric encryption means that encryption and decryption use the same key. Its advantage is speed, but it also has obvious disadvantages. You must keep the key safe; if the key is lost, it poses a serious security risk. And if many clients communicate with the server, the server has to manage many different keys.

Asymmetric encryption

Asymmetric encryption was proposed to address the shortcomings of symmetric encryption, and it is the most widely used encryption technology at present. Asymmetric encryption generates a pair of keys, one public and one private. The private key is kept and the public key is published. Information encrypted with the private key can be decrypted only with the public key, and information encrypted with the public key can be decrypted only with the private key.

For example

Let’s say your best friend, Iron Egg, shops online a lot. To ensure that information is transmitted safely, the shopping website decides to generate a pair of keys; it keeps the private key itself and sends the public key to Iron Egg. The information Iron Egg sends to the shopping website is encrypted with the public key. After receiving the information, the shopping website decrypts it with its own private key. That way, even if the message is intercepted in transit, it can’t be decrypted, because the interceptor has no private key.

There is a loophole

Now suppose a hacker builds a fake shopping website whose pages are exactly the same as the real site's, with an address that is very similar too. The hacker also generates a pair of keys. Most importantly, the hacker secretly replaces the public key of the real shopping site with the fake one.

When Iron Egg opens the fake website to shop, his messages are encrypted with the fake public key and sent to the fake website. Throughout the whole communication, Iron Egg does not realize that he has been cheated.

Iron Egg was cheated because he did not know that the real public key on his computer had been replaced with a false one. To solve this problem, certification authorities emerged. Such an authority, called a CA, encrypts and signs the website's public key to form a certificate, which is often referred to as a CA certificate.

As long as the CA certificate is installed on the computer, the browser displays a small lock when the site is accessed, indicating that access is safe; if the site is not authenticated, the browser warns that access is risky.

Iron Egg often shops on multiple websites. Does he need to keep a certificate for each website? In fact, there is usually a CA root certificate on your computer. As long as you have this certificate, all websites that have been certified by the CA are safe.

Yes, that’s how HTTPS works, and it’s a typical use of asymmetric encryption.
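A sketch of the check the browser makes, added here as an example and not taken from the original article: a demo root signs the shop's public key into a certificate, and a look-alike site that signs its own certificate is rejected. The names demo-root-ca and shop.example, the Ed25519 keys and the helper functions are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue makes a key pair for name and a certificate over its public key, signed by
// the CA (parent, caKey), or self-signed when parent is nil (a root, or a forger).
func issue(name string, isCA bool, parent *x509.Certificate, caKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), IsCA: isCA, BasicConstraintsValid: true,
		Subject: pkix.Name{CommonName: name}, DNSNames: []string{name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if isCA {
		t.KeyUsage |= x509.KeyUsageCertSign // only a CA may sign other certificates
	}
	if parent == nil {
		parent, caKey = t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, caKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// trusted is the browser-side check: does cert chain to the installed root and name host?
func trusted(root, cert *x509.Certificate, host string) bool {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := cert.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err == nil
}

func main() {
	root, rootKey := issue("demo-root-ca", true, nil, nil) // constructed names throughout
	genuine, _ := issue("shop.example", false, root, rootKey)
	fake, _ := issue("shop.example", false, nil, nil) // the forger signs its own certificate
	fmt.Println(trusted(root, genuine, "shop.example"), trusted(root, fake, "shop.example"))
}
```

The same check also rejects the genuine certificate when it is presented for a different, similar-looking host name, because the name is part of what the CA signed.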

Two-way authentication

Another application scenario of asymmetric encryption is two-way authentication. Two-way authentication means that not only does the server authenticate the client, but the client also authenticates the server. To put it bluntly, the client and the server each generate a key pair. Each side keeps its own private key and sends its public key to the other side. This arrangement is generally used for system-to-system interfacing.

Why is two-way authentication required

Assume that system C needs to access the services of system S. The data provided by system S is of a high security level, and only trusted systems can access the data. Assume that only system C is currently allowed access.

To ensure that information is transmitted securely, system S decides to generate a pair of keys. It keeps the private key and sends the public key to system C. When C accesses S, C encrypts the message with S's public key and sends it to S. S decrypts the message using its private key.

If the stealer B secretly obtains the public key that S provides to C, and then B encrypts the message with the public key of S and sends it to system S to obtain the corresponding data, S cannot determine whether the requested message is from C or stealer B.

How do you ensure that the message comes from trusted system C? After negotiation, system C also generates a pair of keys, keeps the private key itself, and sends the public key to system S.

When C sends a request to S, C first performs a hash operation on the message to be sent, let’s say M, to get a fixed-length hash value, which is usually called a digital digest. C then encrypts the digital digest with its own private key, and the encrypted value is called a digital signature, which serves the same purpose as a handwritten signature on a paper document.

System C then encrypts the digital signature and the message M together with S's public key and sends the result to system S.

After receiving the message, S uses its own private key to decrypt it. After decryption, S has C’s digital signature and message M. Now comes the key step: verifying whether the message was sent by C.

First, S uses C’s public key to decrypt the signature. Decryption yields a digest value, which we call D. If the signature can be decrypted, the message is from C. S also hashes message M using the same hash algorithm as C, which yields a digest value that we call D'. If D and D' are the same, the message has not been tampered with.
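The exchange described above, written out with Go's standard library as an added example (not code from the original article). Assumptions: RSA with SHA-256, PKCS#1 v1.5 signatures and OAEP encryption; the function names and the sample request are made up; S's key is 3072 bits so that a 2048-bit signature plus a short M fits in one RSA block, where a production system would use hybrid encryption for longer messages.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

func mustKey(bits int) *rsa.PrivateKey { // throwaway demo keys
	k, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		panic(err)
	}
	return k
}

// seal is C's side: sign Hash(M) with C's private key, then encrypt signature||M to S.
func seal(cPriv *rsa.PrivateKey, sPub *rsa.PublicKey, m []byte) ([]byte, error) {
	d := sha256.Sum256(m)
	sig, err := rsa.SignPKCS1v15(rand.Reader, cPriv, crypto.SHA256, d[:])
	if err != nil {
		return nil, err
	}
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, sPub, append(sig, m...), nil)
}

// open is S's side: decrypt with S's private key, split off the signature,
// recompute D' = Hash(M) and check it against the signature with C's public key.
func open(sPriv *rsa.PrivateKey, cPub *rsa.PublicKey, ct []byte) ([]byte, error) {
	pt, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, sPriv, ct, nil)
	if err != nil || len(pt) < cPub.Size() {
		return nil, fmt.Errorf("cannot decrypt request")
	}
	sig, m := pt[:cPub.Size()], pt[cPub.Size():]
	d := sha256.Sum256(m)
	if rsa.VerifyPKCS1v15(cPub, crypto.SHA256, d[:], sig) != nil {
		return nil, fmt.Errorf("not signed by C, or M was altered")
	}
	return m, nil
}

func main() {
	c, s, b := mustKey(2048), mustKey(3072), mustKey(2048) // b is stealer B's own key
	for _, sender := range []*rsa.PrivateKey{c, b} {
		ct, _ := seal(sender, &s.PublicKey, []byte("GET /report"))
		m, err := open(s, &c.PublicKey, ct)
		fmt.Printf("%q %v\n", m, err)
	}
}
```

B can still encrypt to S, since S's public key is not secret, but B's request fails the signature check because B does not hold C's private key.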

Conclusion

The above two-way authentication process is also flawed, but it reduces the risk of being deciphered compared to one-way authentication. Note that there is no such thing as a foolproof system, not even the biometrics that are becoming increasingly popular. All the security measures we put in place only reduce the risk of the system being cracked.

It is just like the security door at home: it can keep out the gentleman, but it cannot keep out the villain.
