Encryption and Security
Common encryption algorithms and protocols include symmetric encryption, public key encryption, one-way encryption and authentication protocols.
Symmetric encryption
Symmetric encryption uses the same key for encryption and decryption.
Common symmetric algorithms: DES, 3DES, AES, Blowfish, Twofish, IDEA, RC6, CAST5
The process of symmetric key encryption and decryption:
Data sender A and data receiver B agree on a key through some channel before sending data. A then encrypts the plaintext with the symmetric key and sends the encrypted data to B. After receiving it, B decrypts the data with the same key and obtains the original data.
Through the above-mentioned encryption and decryption process, we can understand that this encryption method has the following characteristics:
1. The same key is used to encrypt and decrypt the data.
2. Encryption takes little time and is highly efficient.
3. The original data is divided into fixed-size blocks, which are encrypted one by one.
It is not difficult to see that the shortcomings of symmetric encryption are also very obvious:
1. Too many keys: every communication peer needs a different key, so too many keys are generated.
2. Key distribution: distributing the key is itself a security problem.
3. The source of the data cannot be confirmed: everyone who holds the shared key can encrypt data with it, so the source of the data cannot be confirmed.
Asymmetric encryption
Asymmetric keys come in pairs, each consisting of a public key and a private key.
Public key: published to everyone
Private key: kept secret by its owner
Common asymmetric algorithms are RSA (encryption, digital signature), DSA (digital signature) and ElGamal.
Encryption, decryption and digital signature with asymmetric keys:
Sender A and receiver B each generate a key pair: A has public key Pa and private key Sa, B has public key Pb and private key Sb.
Before transmitting plaintext data, A encrypts the data with its own private key (Sa), encrypts the result again with B's public key (Pb), and sends it to B. After receiving the data, B decrypts it with its own private key (Sb) and then decrypts the result with A's public key (Pa), which confirms that the data was really sent by A.
Through this process, we can find that asymmetric encryption has the following characteristics:
Data encrypted with a public key can only be decrypted by the corresponding private key, and vice versa.
Based on this property, the following can be achieved:
1. Digital signatures, so that the receiver can confirm the identity of the data sender.
2. Symmetric key exchange: the sender encrypts a symmetric key with the other party's public key and sends it to the other party.
3. Because asymmetric encryption takes a long time to decrypt, it is only suitable for encrypting small amounts of data.
It can be seen that its shortcomings are very obvious:
1. Asymmetric keys are very long.
2. Asymmetric encryption is very inefficient at encryption and decryption.
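The symmetric key exchange mentioned above, combined with the symmetric scheme from the first section, as an added example that is not part of the original article. It assumes the `openssl` command-line tool (1.1.1 or later); the file names `Sb.pem`/`Pb.pem` and the function names are made up for the illustration.

```sh
#!/bin/sh
# Added example, not from the article: hybrid encryption with openssl.
# File names and function names are illustrative assumptions.

# Receiver B creates a key pair in directory $1: Sb.pem (private), Pb.pem (public).
make_keypair() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$1/Sb.pem" 2>/dev/null &&
    openssl pkey -in "$1/Sb.pem" -pubout -out "$1/Pb.pem"
}

# Sender A: encrypt file $2 for the holder of public key $1. Writes $2.enc
# (AES ciphertext) and $2.key.enc (the symmetric key, RSA-encrypted).
# AES-CBC gives confidentiality only; integrity needs a signature on top.
hybrid_encrypt() {
    openssl rand -hex 32 > "$2.key" &&                 # one-time symmetric key
    openssl enc -aes-256-cbc -pbkdf2 -pass "file:$2.key" \
        -in "$2" -out "$2.enc" &&                      # fast, any size
    openssl pkeyutl -encrypt -pubin -inkey "$1" -pkeyopt rsa_padding_mode:oaep \
        -in "$2.key" -out "$2.key.enc"                 # slow, but only 65 bytes
    rc=$?
    rm -f "$2.key"                                     # never send the bare key
    return $rc
}

# Receiver B: recover the symmetric key with private key $1, then decrypt
# $2.enc into $3.
hybrid_decrypt() {
    openssl pkeyutl -decrypt -inkey "$1" -pkeyopt rsa_padding_mode:oaep \
        -in "$2.key.enc" -out "$2.key.dec" 2>/dev/null &&
    openssl enc -d -aes-256-cbc -pbkdf2 -pass "file:$2.key.dec" \
        -in "$2.enc" -out "$3" 2>/dev/null
    rc=$?
    rm -f "$2.key.dec"
    return $rc
}

# RSA on its own: fails once the input exceeds what one RSA block can hold
# (about 200 bytes for a 2048-bit key), hence the symmetric key in between.
rsa_only_encrypt() {
    openssl pkeyutl -encrypt -pubin -inkey "$1" -pkeyopt rsa_padding_mode:oaep \
        -in "$2" -out "$2.rsa" 2>/dev/null
}

demo() {
    d=$(mktemp -d) || return 1
    make_keypair "$d" || return 1
    head -c 200000 /dev/urandom > "$d/data"            # constructed sample data
    hybrid_encrypt "$d/Pb.pem" "$d/data" &&
        hybrid_decrypt "$d/Sb.pem" "$d/data" "$d/data.out" &&
        cmp -s "$d/data" "$d/data.out" && echo "hybrid round trip OK"
    rsa_only_encrypt "$d/Pb.pem" "$d/data" || echo "RSA alone rejects 200000 bytes"
    rm -rf "$d"
}
demo
```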
One-way hash (hash algorithm)
A hash algorithm, also known as a message digest, is irreversible. It is used for integrity checking, to ensure that data has not been tampered with. A hash is similar to a fingerprint.
Common algorithms: md5 (128 bits), sha1 (160 bits), sha224, sha256, sha384, sha512
Example:
Write a string to file1, then perform a series of operations on the file and use md5sum to extract the fingerprint for comparison.
```
[root@centos7 ~]# echo abcdefg > file1
[root@centos7 ~]# md5sum file1
020861c8c3fe177da19a7e9539a5dbac  file1
#Extract the digest of the newly created file1
[root@centos7 ~]# cp file1 file2
[root@centos7 ~]# md5sum file2
020861c8c3fe177da19a7e9539a5dbac  file2
#Copy file1 to file2 and extract its digest to compare with that of file1
[root@centos7 ~]# echo 1 >> file2
[root@centos7 ~]# md5sum file2
7f01eb26bac5f3a716b77cb702d85184  file2
#Append some data to file2 and extract the digest again to compare with the previous one
```
The example shows that changing the file name has no effect on the digest, but as soon as the content changes, the digest changes completely. This is how data integrity is verified.
So one-way hashing has the following characteristics:
1. Arbitrary-length input, fixed-length output
2. If the data is modified, the fingerprint also changes.
3. The data cannot be regenerated from the fingerprint.
Because of these characteristics, it can be used to verify data integrity.
Digital signature
Combining the characteristics of the three methods above, we can build a scheme that keeps encryption and decryption efficient while also guaranteeing data integrity. This scheme is called a digital signature.
How a digital signature is produced and checked:
The sender computes a digest of the data with a hash algorithm and encrypts the digest with his private key. The encrypted digest is sent to the receiver together with the message as the digital signature. The receiver first computes the digest of the received original data with the same hash algorithm as the sender, then decrypts the digital signature attached to the data with the sender's public key. If the two digests are the same, the receiver can confirm that the digital signature is the sender's.
Digital signature has two functions:
1. It confirms that the data was really signed and sent by the sender, because others cannot forge the sender's signature.
2. It establishes the integrity of the data. Because the signature represents the characteristics of the data, the digest value changes if the data changes, and different data produces different digests. A digital signature involves a hash algorithm, the sender's public key and the sender's private key.
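The hash-then-sign procedure described above, carried out step by step, as an added example that is not part of the original article. It assumes the `openssl` command-line tool; the key file names `Sa.pem`/`Pa.pem` and the function names are made up. In everyday use `openssl dgst -sha256 -sign` or `gpg --sign` performs these steps in one command.

```sh
#!/bin/sh
# Added example, not from the article: digest, sign, recover, compare.
# Sa.pem / Pa.pem and the function names are illustrative assumptions.

# Sender A creates a key pair in directory $1: Sa.pem (private), Pa.pem (public).
make_signer_keys() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$1/Sa.pem" 2>/dev/null &&
    openssl pkey -in "$1/Sa.pem" -pubout -out "$1/Pa.pem"
}

# Sender: compute the SHA-256 digest of file $2 and transform it with private
# key $1. The result, $2.sig, is sent along with the message.
# (Standard signature formats also record which hash was used.)
sign_file() {
    openssl dgst -sha256 -binary "$2" > "$2.dgst" &&
    openssl pkeyutl -sign -inkey "$1" -in "$2.dgst" -out "$2.sig"
    rc=$?
    rm -f "$2.dgst"
    return $rc
}

# Receiver: recompute the digest of the received file $2, recover the signed
# digest from signature $3 with the sender's public key $1, and compare them.
verify_file() {
    tmp=$(mktemp -d) || return 1
    openssl dgst -sha256 -binary "$2" > "$tmp/computed" &&
    openssl pkeyutl -verifyrecover -pubin -inkey "$1" \
        -in "$3" -out "$tmp/recovered" 2>/dev/null &&
    cmp -s "$tmp/computed" "$tmp/recovered"
    rc=$?
    rm -rf "$tmp"
    return $rc
}

demo() {
    d=$(mktemp -d) || return 1
    make_signer_keys "$d" || return 1
    printf 'hello,i am hostA\n' > "$d/msg"             # constructed sample message
    sign_file "$d/Sa.pem" "$d/msg" || return 1
    verify_file "$d/Pa.pem" "$d/msg" "$d/msg.sig" && echo "original: signature valid"
    echo 1 >> "$d/msg"                                 # same change as in the md5sum session
    verify_file "$d/Pa.pem" "$d/msg" "$d/msg.sig" || echo "modified: signature rejected"
    rm -rf "$d"
}
demo
```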
Asymmetric Key Experiment
The purpose of the experiment is:
Asymmetric Encryption and Decryption of Files
Experimental preparation:
Host | OS | IP |
---|---|---|
A | CentOS7 | 192.168.172.134 |
B | CentOS7 | 192.168.172.134 |
I. Generate public and private keys on both hosts
1. Generate public and private keys on host A
```
[root@hostA ~]# gpg --gen-key
gpg (GnuPG) 2.0.22; Copyright (C) 2013 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
gpg: directory `/root/.gnupg' created
gpg: new configuration file `/root/.gnupg/gpg.conf' created
gpg: WARNING: options in `/root/.gnupg/gpg.conf' are not yet active during this run
gpg: keyring `/root/.gnupg/secring.gpg' created
gpg: keyring `/root/.gnupg/pubring.gpg' created
Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
Your selection? 1    #Select the type of asymmetric key to generate
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 1024    #Choose the key length
Requested keysize is 1024 bits
Please specify how long the key should be valid.
   0 = key does not expire
   <n> = key expires in n days
   <n>w = key expires in n weeks
   <n>m = key expires in n months
   <n>y = key expires in n years
Key is valid for? (0)    #Specify how long the key is valid
Key does not expire at all
Is this correct? (y/N) y    #Confirm that the key never expires
GnuPG needs to construct a user ID to identify your key.
Real name: hostA    #Enter the name that identifies this key pair (here the host name)
Email address:
Comment:
You selected this USER-ID:
    "hostA"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o    #Confirm the key information
You need a Passphrase to protect your secret key.
You don't want a passphrase - this is probably a *bad* idea!
I will do it anyway. You can change your passphrase at any time,
using this program with the option "--edit-key".
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: key 4B9A0B62 marked as ultimately trusted
public and secret key created and signed.
gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
pub 1024R/4B9A0B62 2019-04-12
    Key fingerprint = E128 AD1F E1D5 5B0D C66C FD45 4786 0C63 4B9A 0B62
uid hostA
sub 1024R/DD37BA59 2019-04-12
#Asymmetric key generation is complete
[root@hostA ~]# cd .gnupg/
[root@hostA .gnupg]# ll
total 28
-rw------- 1 root root 7680 Apr 13 05:36 gpg.conf
drwx------ 2 root root 6 Apr 13 05:37 private-keys-v1.d
-rw------- 1 root root 649 Apr 13 05:37 pubring.gpg    #Public key file
-rw------- 1 root root 649 Apr 13 05:37 pubring.gpg~    #Backup of the public key file
-rw------- 1 root root 600 Apr 13 05:37 random_seed
-rw------- 1 root root 1313 Apr 13 05:37 secring.gpg    #Private key file
srwxr-xr-x 1 root root 0 Apr 13 05:37 S.gpg-agent
-rw------- 1 root root 1280 Apr 13 05:37 trustdb.gpg
```
2. Generate public and private keys on host B
```
[root@hostB ~]# gpg --gen-key
gpg (GnuPG) 2.0.22; Copyright (C) 2013 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
gpg: directory `/root/.gnupg' created
gpg: new configuration file `/root/.gnupg/gpg.conf' created
gpg: WARNING: options in `/root/.gnupg/gpg.conf' are not yet active during this run
gpg: keyring `/root/.gnupg/secring.gpg' created
gpg: keyring `/root/.gnupg/pubring.gpg' created
Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
Your selection? 1
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 1024
Requested keysize is 1024 bits
Please specify how long the key should be valid.
   0 = key does not expire
   <n> = key expires in n days
   <n>w = key expires in n weeks
   <n>m = key expires in n months
   <n>y = key expires in n years
Key is valid for? (0)
Key does not expire at all
Is this correct? (y/N) y
GnuPG needs to construct a user ID to identify your key.
Real name: hostB
Email address:
Comment:
You selected this USER-ID:
    "hostB"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
You need a Passphrase to protect your secret key.
You don't want a passphrase - this is probably a *bad* idea!
I will do it anyway. You can change your passphrase at any time,
using this program with the option "--edit-key".
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: key 77A790ED marked as ultimately trusted
public and secret key created and signed.
gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
pub 1024R/77A790ED 2019-04-12
    Key fingerprint = 34E9 51E2 0720 1186 FC26 6BED 5FDF ABE5 77A7 90ED
uid hostB
sub 1024R/3108F051 2019-04-12
[root@hostB ~]# ll .gnupg/
total 28
-rw------- 1 root root 7680 Apr 13 05:50 gpg.conf
drwx------ 2 root root 6 Apr 13 05:50 private-keys-v1.d
-rw------- 1 root root 649 Apr 13 05:51 pubring.gpg
-rw------- 1 root root 649 Apr 13 05:51 pubring.gpg~
-rw------- 1 root root 600 Apr 13 05:51 random_seed
-rw------- 1 root root 1313 Apr 13 05:51 secring.gpg
srwxr-xr-x 1 root root 0 Apr 13 05:50 S.gpg-agent
-rw------- 1 root root 1280 Apr 13 05:51 trustdb.gpg
#Public and private key files generated
```
II. Exchange public key files between hosts A and B
1. Export host A's public key and copy it to B
```
[root@hostA .gnupg]# gpg -a --export -o hostA.pubkey    #Export the public key file.
[root@hostA .gnupg]# cat hostA.pubkey
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v2.0.22 (GNU/Linux)

mI0EXLEFGgEEALt/ZGwt9ZnkvzI0Ah0DJMFqYPbeTfLWtckiL/tKdkQShaA8pTqS
ckAdeKRY1NRskKsInek3dD+V32n3PG8tTF8ZIQ6TpK8PgB/E+fKH2ftFQFchU+F8
2lsJ0VKf7ILQ6Yre4mVeGo4HCwrJg+E6gEPspaajCyB4BIgApNzqmxNVABEBAAG0
BWhvc3RBiLkEEwECACMFAlyxBRoCGwMHCwkIBwMCAQYVCAIJCgsEFgIDAQIeAQIX
gAAKCRBHhgxjS5oLYj3RBACFK1NjY29XFnu2ZqpM6bSLLp5sf7fbKvUTUEhitXSo
LB607v88KZoUFdcSQf9v+02KytzC1usW8P0NlevhwCJSRpcaO29GyXKnN07jsQAG
J2TUDR91hgcFZ/j2mcZal+WlgwSQr0Skv4GojTpme/n00DVbZzGGL7QBiTH/45AZ
pbiNBFyxBRoBBAC+rfAizsp3qturv4QXwjguar9HuXWffap7nFaQKUAC8S+a2EyG
RcBvWci0sNXx9HJE4/61ExPF84TR4uc8fRkzWYb6sfPGwBxDFH5e9igPifwyEuqk
QPO3eezRX5bNwLMSXyesUFCeJZ3Qy6BYV6S8vDJbjj6RYwWlLRUJv4rlHwARAQAB
iJ8EGAECAAkFAlyxBRoCGwwACgkQR4YMY0uaC2IkvwP/ckneRcvcYqTCeINVPlqD
ltUC3jn5U1Nu/dZKwt15R7l68Qr0ARBO8SuLlMH7wjBQ/c6grwohfdcXCqZN2gVq
wWl2yamOpeOD4EqwnvaPGtP8t9j2gwGvM905NJRng8Ep+IOlqlNeljKjICLyNzmj
rkRjxcSdDrQgIYZgH84hXZU=
=4MIm
-----END PGP PUBLIC KEY BLOCK-----
[root@hostA .gnupg]# scp hostA.pubkey root@192.168.172.138:/root/.gnupg
The authenticity of host '192.168.172.138 (192.168.172.138)' can't be established.
ECDSA key fingerprint is SHA256:YNlH0VBV0kp4lAClVvfMWVx/bHcbKKHXQwyd13d+MME.
ECDSA key fingerprint is MD5:8a:1c:3d:c2:04:b1:be:05:95:33:9e:16:e8:ad:6c:25.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.172.138' (ECDSA) to the list of known hosts.
root@192.168.172.138's password:
hostA.pubkey 100% 984 808.9KB/s 00:00
```
2. Export host B's public key and copy it to A
```
[root@hostB ~]# gpg -a --export -o hostB.pubkey
[root@hostB ~]# cat hostB.pubkey
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v2.0.22 (GNU/Linux)

mI0EXLEIRwEEAJwjA3oD/GMvu7WvBfp6ZOaRnLxkebI0nVQt5PFOukiDxKDMtn4L
dcuja0JlP4F/MJpxx2pacuNODG/gV1Tu+5iOzxp1+/xJXrWjh0e+MCk3ubivQ5gj
L9TOSbePb/gzRR89F2BexKq6dkVYgiWUZ0205p/qBOMT49Xos9JQ02qlABEBAAG0
BWhvc3RCiLkEEwECACMFAlyxCEcCGwMHCwkIBwMCAQYVCAIJCgsEFgIDAQIeAQIX
gAAKCRBf36vld6eQ7Xb7A/4kpjrW/JC14J0ZuMggFoI340ZZUOlT2f7JKvS+bAQK
FXOgko6RblHo3PdaD+SimHDhzWibr0q05jpT0OlFP9PphgNfzBaUla/9v4heXcA5
Rsg+J7Z5dbblz4Fe9Hn6uuFJX6PEV00SCVZ1JBOesj4JZuufNTpU09iC8gkl2ntj
YLiNBFyxCEcBBACx6zvb6aH3mybpyqR2kdke0sAsof9sPVrv2UeHS5SSLe2qk38V
GmTwuqLhkvhWrPX9jZza17uauWHItjLl2Xx6VKul4pUA9EPih9rOWTsmHQPhEUnW
ZYVgt50Xn4YOjDaQiislS+AuR3XxeD4eaBtRatzMMQO/ibRV4EWXx6JLvQARAQAB
iJ8EGAECAAkFAlyxCEcCGwwACgkQX9+r5XenkO2rFAP/UgUJ3lYn9rKlnNwsgnqL
c38c6BovdzOveiYt+21QBQ5HElhRI/gZkpIiNi8pze1laaRzduTOj/23rNM5i3Cg
uJulPnMBGLx2s57EuevO34mml+A6pBUIe3ETJhtv8/L3XH5wiMzVEyuzIJuLBA4c
tt+3WYpY9rNUVeuLcHVd7vQ=
=/T8O
-----END PGP PUBLIC KEY BLOCK-----
[root@hostB ~]# scp hostB.pubkey root@192.168.172.134:/root/.gnupg/
The authenticity of host '192.168.172.134 (192.168.172.134)' can't be established.
ECDSA key fingerprint is SHA256:YNlH0VBV0kp4lAClVvfMWVx/bHcbKKHXQwyd13d+MME.
ECDSA key fingerprint is MD5:8a:1c:3d:c2:04:b1:be:05:95:33:9e:16:e8:ad:6c:25.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.172.134' (ECDSA) to the list of known hosts.
root@192.168.172.134's password:
hostB.pubkey 100% 984 861.8KB/s 00:00
```
III. Hosts A and B each import the other's public key
1. Host A imports the public key
```
[root@hostA .gnupg]# gpg --import hostB.pubkey    #Import the public key of hostB
gpg: key 77A790ED: public key "hostB" imported
gpg: Total number processed: 1
gpg: imported: 1 (RSA: 1)
[root@hostA .gnupg]# gpg --list-key    #View the public key list
/root/.gnupg/pubring.gpg
------------------------
pub 1024R/4B9A0B62 2019-04-12
uid hostA
sub 1024R/DD37BA59 2019-04-12

pub 1024R/77A790ED 2019-04-12
uid hostB
sub 1024R/3108F051 2019-04-12
```
2. Host B imports the public key
```
[root@hostB ~]# cd .gnupg/
[root@hostB .gnupg]# gpg --import hostA.pubkey
gpg: key 4B9A0B62: public key "hostA" imported
gpg: Total number processed: 1
gpg: imported: 1 (RSA: 1)
[root@hostB .gnupg]# gpg --list-key
/root/.gnupg/pubring.gpg
------------------------
pub 1024R/77A790ED 2019-04-12
uid hostB
sub 1024R/3108F051 2019-04-12

pub 1024R/4B9A0B62 2019-04-12
uid hostA
sub 1024R/DD37BA59 2019-04-12
```
IV. Test
1. On host A, encrypt a file asymmetrically and send it to host B.
```
[root@hostA data]# echo "hello,i am hostA" > file1
[root@hostA data]# gpg -e -r hostB file1
gpg: 3108F051: There is no assurance this key belongs to the named user
pub 1024R/3108F051 2019-04-12 hostB
 Primary key fingerprint: 34E9 51E2 0720 1186 FC26 6BED 5FDF ABE5 77A7 90ED
      Subkey fingerprint: 57FD 2BBD D2B0 8EE4 9BCA 74A5 2091 0199 3108 F051
It is NOT certain that the key belongs to the person named
in the user ID. If you *really* know what you are doing,
you may answer the next question with yes.
Use this key anyway? (y/N) y
[root@hostA data]# scp file1.gpg root@192.168.172.138:/data
root@192.168.172.138's password:
file1.gpg 100% 225 87.2KB/s 00:00
```
2. Decrypt the file on host B and view its contents
```
[root@hostB data]# gpg -o file1 file1.gpg
gpg: encrypted with 1024-bit RSA key, ID 3108F051, created 2019-04-12
      "hostB"
[root@hostB data]# cat file1
hello,i am hostA
```
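The test above encrypts only, and answers `y` when gpg reports that there is no assurance the key belongs to the named user. The following added example, which is not part of the original article, checks each imported key's fingerprint against a value obtained out of band, certifies it locally, and then signs and encrypts as in the Sa/Pb procedure described earlier. It assumes GnuPG 2.1 or later for the `--quick-*` commands (the hosts above run 2.0.22); the `hostA-demo`/`hostB-demo` user IDs, paths and function names are made up.

```sh
#!/bin/sh
# Added example, not from the article. User IDs, paths and function names
# are illustrative assumptions. Requires GnuPG 2.1 or later.

# Run gpg non-interactively against keyring directory $1.
g() { home=$1; shift; gpg --homedir "$home" --batch --yes --quiet "$@"; }

# Create keyring $1 with a throwaway, passphrase-less key pair for user ID $2.
new_keyring() {
    mkdir -p "$1" && chmod 700 "$1" &&
    g "$1" --pinentry-mode loopback --passphrase '' --quick-gen-key "$2" 2>/dev/null
}

# Print the primary-key fingerprint of user ID $2 in keyring $1.
fpr_of() {
    g "$1" --with-colons --fingerprint "$2" 2>/dev/null |
        awk -F: '$1 == "fpr" { print $10; exit }'
}

# Import key file $2 into keyring $1; keep it only if the key for user ID $3
# has fingerprint $4 (learned out of band), then certify it locally so gpg
# has no reason to ask "Use this key anyway?".
import_verified() {
    g "$1" --import "$2" 2>/dev/null || return 1
    got=$(fpr_of "$1" "$3")
    if [ "$got" != "$4" ]; then
        [ -n "$got" ] && g "$1" --delete-keys "$got" 2>/dev/null
        return 1
    fi
    g "$1" --quick-lsign-key "$got" 2>/dev/null
}

# Sender: sign $4 with the private key of $2, encrypt to $3, write $5.
sign_encrypt() { g "$1" -u "$2" -r "$3" -o "$5" --sign --encrypt "$4" 2>/dev/null; }

# Receiver: decrypt $2 to $3; print the signer's primary-key fingerprint,
# or nothing if no signature verified.
decrypt_verify() {
    g "$1" --status-fd 1 -o "$3" --decrypt "$2" 2>/dev/null |
        awk '$2 == "VALIDSIG" { print $NF }'
}
cleanup() {
    for h in "$W/A" "$W/B"; do gpgconf --homedir "$h" --kill gpg-agent 2>/dev/null; done
    rm -rf "$W"
}
demo() {
    W=$(mktemp -d) || return 1; trap cleanup EXIT
    new_keyring "$W/A" hostA-demo && new_keyring "$W/B" hostB-demo || return 1
    g "$W/A" --armor --export hostA-demo > "$W/hostA.pubkey"
    g "$W/B" --armor --export hostB-demo > "$W/hostB.pubkey"
    fa=$(fpr_of "$W/A" hostA-demo); fb=$(fpr_of "$W/B" hostB-demo)  # sent out of band
    import_verified "$W/A" "$W/hostB.pubkey" hostB-demo "$fb" &&
        import_verified "$W/B" "$W/hostA.pubkey" hostA-demo "$fa" || return 1
    echo "hello,i am hostA" > "$W/file1"             # constructed sample message
    sign_encrypt "$W/A" hostA-demo hostB-demo "$W/file1" "$W/file1.gpg" || return 1
    signer=$(decrypt_verify "$W/B" "$W/file1.gpg" "$W/file1.out")
    [ "$signer" = "$fa" ] && cmp -s "$W/file1" "$W/file1.out"
}
demo && echo "file1 decrypted on B, signature by $fa verified"
```

The two keyring directories stand in for hosts A and B; on real hosts the fingerprint passed to `import_verified` would come from the key owner over a separate channel.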
V. Deleting keys
1. Delete a public key
```
[root@hostA data]# gpg --delete-key hostB    #Delete the public key of hostB
gpg (GnuPG) 2.0.22; Copyright (C) 2013 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
pub 1024R/77A790ED 2019-04-12 hostB
Delete this key from the keyring? (y/N) y
[root@hostA data]# gpg --list-key    #Look at the key list; hostB is no longer in it.
/root/.gnupg/pubring.gpg
------------------------
pub 1024R/4B9A0B62 2019-04-12
uid hostA
sub 1024R/DD37BA59 2019-04-12
[root@hostA ~]# ll .gnupg/
total 40
-rw------- 1 root root 649 Apr 13 05:48 192.168.172.138
-rw------- 1 root root 7680 Apr 13 05:36 gpg.conf
-rw-r--r-- 1 root root 984 Apr 13 06:02 hostA.pubkey
-rw-r--r-- 1 root root 984 Apr 13 06:06 hostB.pubkey
drwx------ 2 root root 6 Apr 13 05:37 private-keys-v1.d
-rw------- 1 root root 649 Apr 13 06:32 pubring.gpg
-rw------- 1 root root 1298 Apr 13 06:09 pubring.gpg~    #The key of hostB is cleared, but it can still be restored with this file.
-rw------- 1 root root 600 Apr 13 06:15 random_seed
-rw------- 1 root root 1313 Apr 13 05:37 secring.gpg
srwxr-xr-x 1 root root 0 Apr 13 05:37 S.gpg-agent
-rw------- 1 root root 1280 Apr 13 05:37 trustdb.gpg
```
2. Delete your own public and private keys
To delete your own public key, you must first delete the private key.
```
[root@hostA ~]# gpg --delete-secret-key hostA    #Delete your private key
gpg (GnuPG) 2.0.22; Copyright (C) 2013 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
sec 1024R/4B9A0B62 2019-04-12 hostA
Delete this key from the keyring? (y/N) y
This is a secret key! - really delete? (y/N) y
[root@hostA ~]# gpg --delete-key hostA    #Delete your public key
gpg (GnuPG) 2.0.22; Copyright (C) 2013 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
pub 1024R/4B9A0B62 2019-04-12 hostA
Delete this key from the keyring? (y/N) y
[root@hostA ~]# rm -rf .gnupg/    #Delete the /root/.gnupg directory
```