Cryptology is divided into cryptography and cryptanalysis. Cryptography mainly studies the encoding of information so that it can be concealed. Cryptanalysis mainly studies the decoding of encrypted messages or the forgery of messages. The two are independent yet interdependent, and each develops in opposition to the other.
The development history of cryptography can be roughly divided into three stages:
Confidentiality
Only the sender and the designated receiver can understand the content of the sent message. An eavesdropper can intercept the encrypted message but cannot restore the original information, that is, cannot obtain the message content.
Authentication
Both the sender and the receiver should be able to prove that the other party involved in the communication really has the identity it claims. That is, a third party cannot impersonate the party you are communicating with, and each side can identify the other.
Message integrity
Even if the sender and receiver can authenticate each other, they still need to ensure that the content of their communication has not been changed during transmission.
Non-repudiation
If a person receives a message from the other party, he should also be able to confirm that the message really comes from the claimed sender. After sending it, the sender cannot deny having sent it.
A cryptosystem is a protocol that enables two parties to communicate secretly. A cryptographic system consists of five elements: P (plaintext set), C (ciphertext set), K (key set), E (encryption algorithm) and D (decryption algorithm), and satisfies the following:
$$p \in P$$
$$c \in C$$
$$k_1 \in K,\quad k_2 \in K$$
$$E_{k_1}(p) = c,\quad D_{k_2}(c) = p$$
The basic principles of encryption and decryption are the same whether in a classical cryptographic system operated by hand or machine or in a modern cryptographic system implemented in computer software or electronic circuit hardware. All are based on substitution or transposition of the plaintext information, or on a combination of the two.
Substitution cipher: systematically replace a group of letters with other letters or symbols;
For example, 'help me' becomes 'ifmqnf' (each letter is replaced by the next letter).
Transposition cipher: rearrange the order of the letters without changing the letters themselves;
For example, "help me" becomes "ehplem".
Cryptanalysts usually use the following methods to attack cryptographic systems:
Known-plaintext analysis:
Knowing part of the plaintext and its corresponding ciphertext, analyze them to find the key.
Chosen-plaintext analysis:
Try to get the opponent to encrypt a plaintext chosen by the analyst and obtain the corresponding ciphertext, then analyze them to find the key.
Differential analysis:
Try to get the other party to encrypt a set of plaintexts that differ only slightly, and analyze the key by comparing the encryption results.
Unconditional security:
No matter how strong the computing power of the codebreaker is, and no matter how much ciphertext is intercepted, it is impossible to recover the plaintext.
Computational security:
The cost of breaking the cipher exceeds the value of the information itself, and the time required to break it exceeds the validity period of the information.
Any application of a cryptographic system needs to strike a balance between security and operational efficiency. As long as the cryptographic algorithm meets the requirements of computational security, it is practical to use and does not need to achieve absolute security in theory. In 1945, Claude E. Shannon, an American mathematician, rigorously proved in his mathematical principles of cryptography that the one-time pad, or Vernam cipher, is unconditionally secure. However, this absolutely secure encryption method consumes a lot of resources in actual operation and is not feasible for large-scale use. In fact, the cryptographic systems in wide use at present are only computationally secure.
A good cryptographic system should meet the following two conditions:
Given the plaintext and the key, it is easy to compute the ciphertext with the encryption algorithm. Given the ciphertext and the decryption key, it is easy to compute the plaintext.
Without knowing the decryption key, it is impossible to compute the plaintext from the ciphertext, or the cost of computing the plaintext from the ciphertext exceeds the value of the information itself.
Common encryption algorithms include:
A symmetric cryptosystem is also called a single-key or private-key cryptosystem. Its encryption key and decryption key are the same or substantially equivalent, that is, one is easily derived from the other.
Advantages: high confidentiality, fast encryption, suitable for encrypting large amounts of data, and easy to implement in hardware;
Disadvantages: the key must be transmitted in a safe and reliable way, and key distribution is the decisive factor in ensuring security;
Common symmetric cryptographic algorithms: DES (key length 56 bits), 3DES (three different keys of 56 bits each), AES (key length 128/192/256 bits, selectable), IDEA (key length 128 bits), RC5 (.
According to the encryption method, symmetric ciphers can be divided into block ciphers and sequence ciphers.
Block cipher: the plaintext is divided into fixed-length blocks, each block is encrypted with the same key and algorithm, the output is also fixed-length ciphertext, and decryption works the same way.
Sequence cipher: also known as a stream cipher. The plaintext is encrypted one bit or one byte at a time. A pseudo-random number generator produces a high-quality pseudo-random sequence (key stream), the plaintext message sequence is encrypted with this sequence to obtain the ciphertext sequence, and decryption works the same way.
An asymmetric cryptosystem is also called a double-key or public-key cryptosystem. Its encryption key and decryption key are different, and it is difficult to derive one from the other. The encryption key can be made public and is called the public key. The decryption key must be kept secret and is called the private key.
Advantages: key exchange can be conducted over open channels without confidentiality, and the system can be used for both encryption and signatures.
Disadvantages: encryption is slower than with symmetric ciphers, so it is not suitable for encrypting large amounts of data, and the encryption operation is difficult to implement in hardware.
An asymmetric cryptosystem not only gives communication confidentiality but also provides message authentication. Information can be transmitted safely over insecure channels without exchanging keys in advance, which reduces the workload of key management, suits the needs of communication networks, and opens up broad prospects for applying cryptography in the commercial field.
Common asymmetric cryptographic algorithms: RSA (based on the factorization of large integers into primes) and ECC (based on the elliptic curve discrete logarithm problem).
Misunderstandings about asymmetric cryptography
Are asymmetric ciphers more secure than symmetric ciphers?
The security of any algorithm depends on the length of the key and the amount of work required to break the cipher. From the standpoint of resistance to cryptanalysis, neither is superior.
Does asymmetric encryption make symmetric encryption an outdated technology?
Public-key algorithms are very slow and are generally used for key management and digital signatures. Symmetric cryptography will exist for a long time, and practical engineering combines symmetric and asymmetric cryptography.
A hash function maps an arbitrarily long message to a fixed-length hash value, also known as a message digest. The message digest can be used as a check value to verify the message.
A hash is a one-way function, so it is extremely difficult to infer the original message from the message digest. The security of a hash function is determined by its collision probability. If an attacker can easily construct two different messages with the same message digest, the hash function is unreliable.
Common hash functions are: MD5, SHA-1, HMAC.
The digital signature is a typical application of public-key cryptography. It provides an effect similar to a handwritten signature and is guaranteed both technically and legally. It is an important technology for providing message integrity, confirming identity and establishing the message source (non-repudiation) in a network environment.
Digital signature and verification process:
The sender uses a hash function to generate a 128-bit hash value (or message digest) from the message text and encrypts the hash value with his own private key to form his digital signature. The digital signature is then sent to the recipient as an attachment to the message. After receiving the message, the receiver uses the same hash function to compute the hash value (or message digest) from the original message, and then uses the sender's public key to decrypt the digital signature attached to the message to obtain another hash value. If the two hash values are the same, the receiver can confirm that the digital signature belongs to the sender. Digital signatures thus provide both integrity and non-repudiation of messages.
In network security, keys play an important role. How to distribute and manage keys safely, reliably, quickly and efficiently has always been an important topic in the field of cryptography.
Key generation can be achieved through online or offline interactive negotiation, for example through a cryptographic protocol. The key should be long enough. Generally speaking, the longer the key, the larger the corresponding key space, and the more difficult it is for an attacker to guess the key by exhaustive search. When choosing a key, weak keys should be avoided. Most key generation algorithms use random or pseudo-random processes to generate keys.
Using a symmetric encryption algorithm for secure communication requires both parties to share the same key. Usually, one member of the system first selects a secret key and then transmits it to another member or to the other members. The X9.17 standard describes two kinds of keys: key encryption keys and data keys. A key encryption key encrypts other keys that need to be distributed; a data key only encrypts the information flow. Key encryption keys are usually distributed manually. To enhance confidentiality, the key can be divided into many different parts that are sent out through different channels.
Some error detection and correction bits are appended to the key for transmission. When an error occurs in key transmission, it can be easily detected and the key can be retransmitted if necessary. The receiver can also verify whether the received key is correct. The sender encrypts a constant with the key and sends the first 2-4 bytes of the ciphertext together with the key. The receiving end does the same work. If the receiver's result for the constant matches what was sent, the transmission is error-free.
When the key needs to be changed frequently, distributing new keys each time is difficult. A simpler solution is to generate a new key from the old key, sometimes called a key update. A one-way function can be used to update the key. If both parties share the same key and apply the same one-way function, they obtain the same result.
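The key check and key update steps described above, as an added example that is not part of the original page. HMAC-SHA256 stands in for "encrypt a constant with the key" because Python's standard library has no block cipher; the constant, the update label and all function names are assumptions of this example.

```python
import hashlib
import hmac

CHECK_CONSTANT = bytes(16)   # public constant agreed by both sides (assumed)


def key_check_value(key: bytes, length: int = 3) -> bytes:
    """First `length` bytes (2-4) of a keyed transform of the constant.
    HMAC-SHA256 stands in here for 'encrypt a constant with the key'."""
    if not 2 <= length <= 4:
        raise ValueError("check value is 2-4 bytes")
    return hmac.new(key, CHECK_CONSTANT, hashlib.sha256).digest()[:length]


def accept_key(received_key: bytes, received_check: bytes) -> bool:
    """Receiver: repeat the sender's computation and compare the results."""
    expected = key_check_value(received_key, len(received_check))
    return hmac.compare_digest(expected, received_check)


def update_key(old_key: bytes, generation: int) -> bytes:
    """Key update: derive the next key from the old one with a one-way
    function. Both sides run this locally; nothing is transmitted."""
    label = b"key-update" + generation.to_bytes(4, "big")
    return hashlib.sha256(label + old_key).digest()


def flip_bit(data: bytes, index: int) -> bytes:
    """Simulate a single-bit transmission error (constructed fault)."""
    out = bytearray(data)
    out[index // 8] ^= 1 << (index % 8)
    return bytes(out)


if __name__ == "__main__":
    key = bytes(range(32))                 # constructed sample key
    check = key_check_value(key)           # sent alongside the key
    print(accept_key(key, check))                  # clean transfer
    print(accept_key(flip_bit(key, 5), check))     # corrupted in transit
    # Sender and receiver update independently and still agree.
    print(update_key(key, 1) == update_key(key, 1))
```

The check value only catches accidental corruption: it travels with the key, so anyone able to substitute the key can recompute it. With a one-way update, a party who learns the current key can compute every later key, though not the earlier ones.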
Keys can be memorized or stored on magnetic stripe cards and smart cards. A key can also be divided into two parts, with half stored in the terminal and the other half stored in a ROM key. A key that is difficult to remember can also be encrypted and saved using a method similar to the key encryption key.
Keys can be backed up by key escrow, secret splitting and secret sharing.
Key escrow:
Key escrow requires all users to give their keys to a key escrow center, which backs up the keys (for example by locking them in a safe somewhere or encrypting them with a master key). If a user's key is lost (for example, the user forgets to bring the key or dies unexpectedly), the user's key can be obtained from the key escrow center according to established rules and regulations. Another backup scheme is to use a smart card for temporary key custody. For example, Alice stores the key in a smart card and gives it to Bob while she is away. Bob can use the card to do Alice's work. When Alice comes back, Bob returns the card. Bob does not know what the key is because it is stored in the card.
Secret splitting:
Secret splitting divides the secret into many pieces. Each piece means nothing by itself, but when the pieces are put together the secret reappears.
Secret sharing:
The key K is divided into n pieces, each of which is called a "shadow". Anyone who knows any m or more pieces can compute the key K. Anyone who knows m-1 or fewer pieces cannot compute the key K. Secret sharing solves two problems: first, if the key is accidentally or intentionally exposed, the whole system becomes vulnerable; second, if the key is lost or damaged, all the information in the system becomes unusable.
Encryption keys cannot be used indefinitely, for several reasons: the longer a key is used, the greater the chance of leakage; if the key has been leaked, the longer it is used, the greater the loss; and the longer a key is used, the more likely people are to spend effort on breaking it, even by exhaustive attack.
Different keys should have different validity periods. The validity period of a data key mainly depends on the value of the data and the amount of data encrypted in a given time. The greater the value and the data transmission rate, the more frequently the key should change. Key encryption keys, for example, do not need to be changed frequently because they are only used occasionally for key exchange. Key encryption keys are either memorized or kept in a safe place. Losing this key means losing all file encryption keys.
In applications of public-key cryptography, the validity period of a private key varies by application. A private key used for digital signatures and identification must be kept for several years (even for life), while a private key used for a coin-flipping protocol should be destroyed immediately after the protocol is completed. Even if the security of the key is expected to last a lifetime, the key needs to be changed every two years. The old key still needs to be kept secret in case the user needs to verify earlier signatures. The new key, however, is used to sign new files, which reduces the number of signed files available to cryptanalysts for attack.
When a key must be replaced, the old key must be destroyed, and destroyed physically.
PKI is a collection of components, functional subsystems and operating procedures designed to manage keys and certificates by using public-key encryption technology. Its main task is to manage keys and certificates and to establish a trust mechanism for secure communication between network users.
A digital certificate is a file containing user identity information, public key information and the digital signature of a certificate authority (CA).
Function: a digital certificate is the credential with which terminal entities and end users exchange information and conduct business on the Internet. In electronic transactions, each party needs to verify the validity of the other party's digital certificate, which solves the problem of mutual trust.
CA, short for certificate authority, is the authority that accepts applications for and issues digital certificates.
As the core part of PKI, a CA is mainly composed of three parts: a registration server group, a certificate application acceptance and audit institution, and a certification center server.
Registration server: a website built on a Web server that can provide customers with uninterrupted 24×7 service. Customers apply for certificates online and fill in the corresponding certificate application form.
Certificate application acceptance and audit institution: responsible for accepting and auditing certificate applications.
Certification center server: the operating entity that generates and issues digital certificates. It also provides services such as managing certificates and generating and processing certificate revocation lists (CRL).
The following functions can be realized through a CA:
1. Receive and verify end users' applications for digital certificates;
2. Decide whether to accept an end user's digital certificate application (approval);
3. Issue or refuse to issue a digital certificate to the applicant;
4. Receive and process updates to end users' digital certificates;
5. Accept inquiries about and revocation of end users' digital certificates;
6. Generate and publish the CRL (certificate revocation list);
7. Archive digital certificates;
8. Archive keys;
9. Archive historical data.
5. Quantum cryptography
5.1 Quantum computing
Due to the unexpectedly rapid development of quantum computing technology, a large number of cryptographic algorithms that can only resist brute-force attacks by classical computers face being retired ahead of schedule.
Asymmetric cryptosystems effectively solve the problem of secure key exchange faced by symmetric cryptosystems, so they are widely used in network communication activities such as public key infrastructure, digital signatures, federated authorization, key exchange over public channels, secure e-mail, virtual private networks and the secure socket layer. Unfortunately, with the development of quantum computing, asymmetric cryptographic algorithms including RSA, ECC and DH key exchange have been proved to be completely insecure in theory. By comparison, symmetric cryptosystems can still respond to the quantum threat with upgrade measures, while asymmetric cryptosystems must be rebuilt with new methods.
5.2 Quantum cryptography
Quantum cryptography is a new cryptographic system based on quantum mechanics and cryptography, which uses the principles of quantum physics to implement the cryptographic system. Unlike the classical cryptosystems in common use, quantum cryptography is realized through the physical properties of the information carriers. At present, the carriers used to carry information in quantum cryptography include photons, compressed optical signals and coherent optical signals.
Because the theoretical basis of quantum cryptography is the theorems of quantum physics, which are conclusions drawn by physicists after years of research and demonstration, it has a reliable theoretical foundation that will not change. Therefore, in theory, quantum cryptography based on these physical theorems is also unbreakable, and quantum cryptography is an unconditionally secure cryptographic system.