Basicinformation
Introduction
Thedataencryptiontechnologyusedinconjunctionwiththefirewallistoimprovethesecurityandconfidentialityofinformationsystemsanddata,andpreventsecretdatafrombeingOneofthemaintechnicalmeansusedforexternaldeciphering.Technically,measuresweretakenfrombothsoftwareandhardwareaspects.Accordingtodifferentfunctions,dataencryptiontechnologycanbedividedintodatatransmissionencryptiontechnology,datastorageencryptiontechnology,dataintegrityauthenticationtechnologyandkeymanagementtechnology.
Thepurposeofdatatransmissionencryptiontechnologyistoencryptthedatastreamintransmission.Thereareusuallytwotypesoflineencryptionandend-to-endencryption.Lineencryptionfocusesonthelinewithoutconsideringthesourceandsink,andprovidessecurityprotectionforconfidentialinformationthroughtheuseofdifferentencryptionkeysforeachline.End-to-endencryptionmeansthattheinformationisautomaticallyencryptedbythesenderandencapsulatedbyTCP/IPindatapackets,andthenpassedthroughtheInternetasunreadableandunrecognizabledata.Whentheinformationreachesthedestination,itwillbeautomaticallyreorganizedanddecrypted.Becomereadabledata.
Thepurposeofdatastorageencryptiontechnologyistopreventdatalossinstorage.Datastorageencryptiontechnologycanbedividedintociphertextstorageandaccesscontrol.Theformerisgenerallyachievedthroughencryptionalgorithmconversion,additionalpasswords,encryptionmodules,etc.;thelatteristoreviewandrestrictuserqualificationsandpermissionstopreventillegalusersfromaccessingdataorlegitimateusersfromunauthorizedaccesstodata.
Thepurposeofdataintegrityauthenticationtechnologyistoverifytheidentityofthepersoninvolvedininformationtransmission,accessandprocessingandrelateddatacontent,whichgenerallyincludesauthenticationofpasswords,keys,identities,anddata.Thesystemrealizesthesafetyprotectionofdatabycomparingandverifyingwhetherthecharacteristicvalueinputbytheobjectmeetsthepresetparameters.
Keymanagementtechnologyincludessecuritymeasuresinvariouslinkssuchasthegeneration,distribution,preservation,replacementanddestructionofkeys.
Basicconcepts
Termsofdataencryptioninclude:
Plaintext,thatis,originalorunencrypteddata.Encryptitwithanencryptionalgorithm.Theinputinformationoftheencryptionalgorithmistheplaintextandthekey;
Ciphertext,theformatoftheplaintextencrypted,istheoutputinformationoftheencryptionalgorithm.Theencryptionalgorithmispublic,butthekeyisnotpublic.Theciphertextshouldnotbeunderstoodbyuserswithoutthekeyandusedfordatastorageandtransmission;
Thekeyisastringcomposedofnumbers,lettersorspecialsymbols,whichisusedtocontroldataencryptionanddecryptionProcess;
encryption,theprocessofconvertingplaintextintociphertext;
encryptionalgorithm,thetransformationmethodusedinencryption;
decryption,theprocessofciphertextTheprocessofimplementingtheinversetransformationofencryptiontoobtaintheplaintext;
Decryptionalgorithm,thetransformationmethodusedfordecryption.
Encryptiontechnologyisatechnologytopreventinformationleakage.Itscoretechnologyiscryptography.Cryptographyisadisciplinethatstudiescryptographicsystemsorcommunicationsecurity.Itisdividedintocryptographyandcryptanalysis.
Anyencryptionsystemiscomposedofplaintext,ciphertext,algorithmsandkeys.Thesenderencryptsthedatawithanencryptionkeythroughanencryptiondeviceorencryptionalgorithmandsendsitout.Afterreceivingtheciphertext,thereceiverusesthedecryptionkeytodecrypttheciphertextandrestoreittoplaintext.Inthetransmissionprocess,eveniftheciphertextisstolenlyobtainedbyillegalelements,onlytheunrecognizableciphertextisobtained,whichplaysaroleindataconfidentiality.
Example:Theplaintextisastring:
ASKINGFISHERSCATCHFIRE
(Forsimplicity,itisassumedthattheprocesseddatacharactersareonlyuppercaselettersandspaces).Assumethatthekeyisastring:
ELIOT
Theencryptionalgorithmis:
1)Dividetheplaintextintomultipleblockswiththelengthofthekeystring(Spacecharacterisrepresentedby"+")
AS+KINGFISHERS+CATCH+FIRE
2)Replaceeachcharacterintheplaintextwithanintegerintherangeof0~26,spacecharacter=00,A=01,...,Z=26:
3)Replaceeachcharacterofthekeyasinstep2:
0512091520
4)Foreachblockoftheplaintext,replaceeachcharacterwiththeintegercodeofthecorrespondingintegercodeandthevalueaftermodulo27(integercode)ofthecharacteratthecorrespondingpositioninthekey:
Example:Thefirstintegercodeis(01+05)%27=06
5)Replacetheintegercodeintheresultofstep4withitsequivalentcharacter:
FDIZBSSOXLMQ+GTHMBRAERRFY
Ifthekeyisgiven,thedecryptionprocessinthisexampleisverysimple.Thequestionishowdifficultisitforamaliciousattackertoobtainthekeywithmatchingplaintextandciphertextwithoutknowingthekey?Forthesimpleexampleabove,theanswerisquiteeasy,noteasy,butcomplexencryptionmodesarealsoeasytodesign.Theidealsituationisthattheencryptionmodeadoptedmakesthepricepaidbytheattackerforcrackingfarexceedthebenefitsobtained.Infact,thispurposeappliestoallsecuritymeasures.Theacceptableultimategoalofthisencryptionmodeisthateventheinventorofthismodecannotobtainthekeythroughmatchingplaintextandciphertext,andthuscannotcracktheciphertext.
Dataencryptionstandard
Therearetwotraditionalencryptionmethods,replacementandreplacement.Theaboveexampleusesthereplacementmethod:usethekeytoconverteachcharacterintheplaintexttoacharacterintheciphertext.Thereplacementonlyrearrangesthecharactersoftheplaintextinadifferentorder.Usingeitherofthesetwomethodsaloneisnotsafeenough,butcombiningthesetwomethodscanprovideafairlyhighdegreeofsecurity.TheDataEncryptionStandard(DES)usesthiscombinationalgorithm.ItwasformulatedbyIBMandbecametheofficialencryptionstandardintheUnitedStatesin1977.
TheworkingprincipleofDESis:theplaintextisdividedintomany64-bitblocks,andeachblockisencryptedwitha64-bitkey.Infact,thekeyconsistsof56bitsofdataand8bitsofparity.Checkthebitcomposition,sothereareonly56possiblepasswordsinsteadof64.Eachblockisfirstencryptedwiththeinitialreplacementmethod,then16complexreplacementsareperformedconsecutively,andfinallytheinverseoftheinitialreplacementisappliedtoit.ThereplacementinstepiisnotdirectlyusingtheoriginalkeyK,butthekeyKicalculatedfromKandi.
DEShasthecharacteristicthatitsdecryptionalgorithmisthesameastheencryptionalgorithm,exceptthattheapplicationorderofthekeyKiisreversed.
Publickeyencryption
Formanyyears,manypeoplehavethoughtthatDESisnotreallysecure.Infact,evenwithoutusingsmartmethods,withtheadventoffast,highlyparallelprocessors,itispossibletoforceDEStobecracked.The"publickey"encryptionmethodmakesDESandsimilartraditionalencryptiontechniquesobsolete.Inthepublickeyencryptionmethod,boththeencryptionalgorithmandtheencryptionkeyarepublic,andanyonecanconverttheplaintextintociphertext.However,thecorrespondingdecryptionkeyisconfidential(thepublickeymethodincludestwokeys,whichareusedforencryptionanddecryption),andcannotbederivedfromtheencryptionkey.Therefore,eveniftheencryptorisnotauthorized,itcannotbeexecuted.Decryptaccordingly.
TheideaofpublickeyencryptionwasoriginallyproposedbyDiffieandHellman,andthemostfamousisthemethodproposedbyRivest,ShamirandAdleman,usuallycalledRSA(namedafterthefirstlettersofthethreeinventors),Thismethodisbasedonthefollowingtwofacts:
1)Thereisafastalgorithmfordeterminingwhetheranumberisaprimenumber;
2)ThereisnowaytodeterminetheprimefactorofacompositenumberFastalgorithm.
TheworkingprincipleoftheRSAmethodisasfollows:
1)Choosetwodifferentlargeprimenumberspandqarbitrarily,andcalculatetheproductr=p*q;
2)Choosealargeintegerearbitrarily,eand(p-1)*(q-1)arerelativelyprime,andtheintegereisusedastheencryptionkey.Note:Theselectionofeiseasy,forexample,allprimenumbersgreaterthanpandqareavailable.
3)Determinethedecryptionkeyd:
(d*e)modulo(p-1)*(q-1)=1
Accordingtoe,Pandqcaneasilycalculated.
4)Publicintegersrande,butnotpublicd;
5)EncryptplaintextP(assumingPisanintegerlessthanr)intociphertextC,calculationmethodIs:
C=P^emodulor
6)DecryptciphertextCintoplaintextP,thecalculationmethodis:
P=C^dmodulor
However,itisimpossibletocalculatedbasedonrande(notpandq).Therefore,anyonecanencrypttheplaintext,butonlyauthorizedusers(knowingd)candecrypttheciphertext.
Thefollowingisasimpleexampletoillustratetheaboveprocess,obviouslywecanonlychooseasmallnumber.
Example:Choosep=3,q=5,thenr=15,(p-1)*(q-1)=8.Choosee=11(aprimenumbergreaterthanpandq),andpass(d*11)modulo(8)=1.
Calculated=3.
Assumethattheplaintextistheinteger13.ThentheciphertextCis
C=P^emodulor
=13^11modulo15
=1,792,160,394,037modulo15
=7
TorestoretheplaintextPis:
P=C^dmodulor
=7^3modulo15
=343modulo15
=13
Becauseeanddaremutuallyinverse,thepublickeyencryptionmethodalsoallowstheuseofthismethodto"sign"theencryptedinformationsothatthereceivercanconfirmthesignatureNotforged.AssumingthatAandBwanttousepublickeyencryptionmethodsfordatatransmission,AandBrespectivelydisclosetheencryptionalgorithmandthecorrespondingkey,butdonotdisclosethedecryptionalgorithmandthecorrespondingkey.TheencryptionalgorithmsofAandBareECAandECBrespectively,andthedecryptionalgorithmsarerespectivelyDCAandDCB,ECAandDCAarereciprocal,andECBandDCBarereciprocal.IfAwantstosendaplaintextPtoB,insteadofsimplysendingECB(P),itfirstappliesitsdecryptionalgorithmDCAtoP,andthenencryptstheresultwiththeencryptionalgorithmECBandsendsitout.
TheciphertextCis:
C=ECB(DCA(P))
AfterBreceivesC,itsuccessivelyappliesitsdecryptionalgorithmDCBandencryptionAlgorithmECA,gettheplaintextP:
ECA(DCB(C))
=ECA(DCB(ECB(DCA(P))))
=ECA(DCA(P))/*DCBandECBcanceleachotherout*/
=P/*DCBandECBcanceleachotherout*/
ThiswayBcandeterminethatthemessageisindeedfromA,becauseonlywhentheencryptionprocessusestheDCAalgorithm,ECAcangetP,onlyAknowstheDCAalgorithm,noone,evenBcan’tforgeA’ssignature.
Thestateoftheencryptionindustry
Foreword
Withtherapiddevelopmentofinformationtechnology,people’sdemandforinformationsecurityhasfollowed.Talentcompetition,marketcompetition,financialcrisis,enemyagencies,etc.havebroughthugeriskstothedevelopmentofenterprisesandinstitutions.Internaltheft,hackerattacks,unconsciousleaksandothersecrettheftmethodshavebecomebetweenpeople,enterprisesandenterprises,andcountries.SecurityhazardsbetweenChinaandothercountries.
Manyfactorssuchasmarketdemand,humansecurityawareness,andtheenvironmenthavepromotedtherapiddevelopmentofinformationsecurityinourcountry.Theoldthreefirewalls,intrusiondetection,anti-virussoftwaretodiversifiedinformationsecurityprotection,fromtraditionalexternalnetworkprotectiontointernalnetworksecurity,hostsecurity,etc.
Analysisoftraditionaldataencryptiontechnology
Theoldthreetraditionalinformationsecurity(firewall,intrusiondetection,anti-virus)havebecomethenetworkconstructionofenterprisesandinstitutions.Theinfrastructureisfarfrommeetingthesecurityneedsofusers,andnewsecurityprotectionmethodshavegraduallybecomethemainforceinthedevelopmentofinformationsecurity.Forexample,hostmonitoring,documentencryptionandothertechnologies.
Inthequeueofnewsecurityproducts,hostmonitoringmainlyadoptsperipheralchaseandinterceptiontechnicalsolutions.Althoughtheinformationsecurityhasbeenimprovedtoacertainextent,becausetheproductitselfdependsontheoperatingsystem,thereisnoeffectivesecurityforthedataitself.Protection,sotherearemanysecurityvulnerabilities,suchas:themostbasicmeanstoremovetheharddisk,winpeCDboot,USBboot,etc.canstealdatawithoutleavinganytraces;thistechnologycanbemoreunderstoodascorporateassetsManagementsoftware,asingleproductcannotmeettheuser'srequirementsforinformationsecurity.
Documentencryptionisthemainforceofinformationsecurityprotectiontoday.Transparentencryptionanddecryptiontechnologyisadoptedtoenforcedataencryptionwithoutchangingtheuser’soriginalhabits;thistechnologyencryptsthedataitself,regardlessofwhetheritisoutofoperationThesystemisstillillegallyseparatedfromthesecurityenvironment,andtheuserdataitselfissafe,andthedependenceontheenvironmentisrelativelysmall.Themaintechnologiesfordocumentencryptiononthemarketaredividedintodiskencryption,application-levelencryption,drive-levelencryptionandothertechnologies.Application-levelencryptionishighlydependentonapplicationsandhasmanycompatibilityandsecondarydevelopmentissues.Eliminatedbyvariousinformationsecurityvendors.
Thetwomainstreamdataencryptiontechnologiestoday
Themainthingswecanseearediskencryptionanddrive-leveldecryptiontechnologies:
FullDiskEncryptionTechnologyismainlytoencryptthedisk,andadoptotherprotectionmethodssuchashostmonitoring,waterproofwall,etc.foroverallprotection.Diskencryptionmainlyprovidesuserswithasafeoperatingenvironment,andthedataitselfWithoutencryption,oncetheoperatingsystemisstarted,thedataitselfexistsinplaintextontheharddisk,anditismainlyprotectedbymeanssuchaschasing,blocking,andinterceptionbyawaterproofwall.Themaindrawbackofthediskencryptiontechnologyisthatthetimeperiodforencryptingthediskislonger,whichresultsinalongerprojectimplementationcycle,whichusersgenerallycannotbear;thediskencryptiontechnologyistoencryptthediskinfull,oncetheoperatingsystemhasproblems.Theneedtorestoredataisalsoaheadacheforusers.Normally,ittakes3-4hourstodecrypta500Gharddiskonce;themainmethodonthemarketisnottoencryptthesystemdisk,buttouseperipherals.Technologyforsecureaccesscontrol.Everyoneknowsthattheversionoftheoperatingsystemisconstantlyupgraded,Microsoft’sownsecuritymechanismisgettinghigherandhigher,andpeople’scontroloverthesystemisgettinglowerandlower.Everythingwillbeexposed.Inaddition,diskencryptiontechnologyisthesecuritymanagementandcontroloftheentirediskinformation,includingsystemfiles,whichwillgreatlyaffecttheefficiencyandperformanceofthesystem.
Driver-leveltechnologyisthemainstreamtechnologyofinformationencryption.Itadoptstheprocess+suffixmethodforsecurityprotection.Userscanflexiblyconfigureaccordingtotheactualsituationofenterprisesandinstitutions.Carryingoutmandatoryencryptiongreatlyimprovestheoperatingefficiencyofthesystem.Thebiggestdifferencebetweendrive-levelencryptiontechnologyanddiskencryptiontechnologyisthatthedrive-leveltechnologyprotectstheuser'sdataitself.Thedrive-levelencryptionusestransparentencryptionanddecryptiontechnology.Theuserdoesnotfeeltheexistenceofthesystemanddoesnotchangetheuser'soriginaloperationanddata.Onceoutofthesecurityenvironment,theuserwillnotbeabletouseit,whicheffectivelyimprovesthesecurityofthedata;inaddition,thedrive-levelencryptiontechnologycanbemoregranularthanthediskencryptiontechnologymanagement,effectivelyrealizesthefulllifecyclemanagementofthedata,andcancontroltheusetimeandfrequencyofthefile,Copy,screenshot,videoandotheroperations,andcancarryoutfine-grainedauthorizationmanagementanddataoutgoingaccesscontroltotheinsideofthefile,soastoachieveall-rounddatamanagement.Drive-levelencryptiontechnologybringssecuritytotheuser’sdata,butalsobringscertainproblemstotheuser’sconvenience.Drive-levelencryptionusesprocessencryptiontechnologytoencryptallsimilarfiles,whichcannoteffectivelydistinguishpersonalfilesfromenterprises.Classificationmanagementoffiledata,paralleloperationofpersonalcomputersandcorporateoffices,etc.
Dataencryptionmethod
XOR
TheadvantageoftheXORalgorithmisthatafterthenumberAandthenumberBareXOR,theTheresultcanbeXORedwithnumberAtogetB,orXORwithnumberBcangetdataAagain.ThisfeatureofXORcanbeusedtoeasilyimplementdataencryptionanddecryptionalgorithms.
BuildingEncryptionMachineEncryption
TheEncryptionMachineisactuallyoneofthenumbersintheXOR,andyoucanconstructitatwillaccordingtoyourneeds.
Encryptiontechnology
Symmetricencryptiontechnology
Symmetricencryptionusessymmetriccryptographicencodingtechnology,whichischaracterizedbytheuseofthesamekeyforfileencryptionanddecryption,namelyTheencryptionkeycanalsobeusedasadecryptionkey.Thismethodiscalledasymmetricencryptionalgorithmincryptography.Thesymmetricencryptionalgorithmissimpleandquicktouse,thekeyisshort,anditisdifficulttodecipher.Inadditiontothedataencryptionstandard(DES),anotherThesymmetrickeyencryptionsystemistheInternationalDataEncryptionAlgorithm(IDEA),whichhasbetterencryptionperformancethanDESanddoesnotrequiresomuchcomputerfunction.TheIDEAencryptionstandardisusedbythePGP(PrettyGoodPrivacy)system.
Asymmetricencryptiontechnology
In1976,AmericanscholarsDimeandHenmanproposedanewkeyexchangeprotocoltosolvetheproblemofpublictransmissionofinformationandkeymanagement.Thecommunicationpartiesonthesecuremediaexchangeinformationandsecurelyreachanagreedkey.Thisisthe"publickeysystem".Comparedwith"symmetricencryptionalgorithm",thismethodisalsocalled"asymmetricencryptionalgorithm".Unlikesymmetricencryptionalgorithms,asymmetricencryptionalgorithmsrequiretwokeys:publickeyandprivatekey.Thepublickeyandtheprivatekeyareapair.Ifthepublickeyisusedtoencryptdata,onlythecorrespondingprivatekeycanbeusedtodecrypt;iftheprivatekeyisusedtoencryptthedata,thenonlythecorrespondingpublickeycanbeusedtoencryptthedata.Decrypted.Becauseencryptionanddecryptionusetwodifferentkeys,thisalgorithmiscalledanasymmetricencryptionalgorithm.