概述:
两个计算机在互联网上通信时,它们之间发送的信息如果不经过特殊的处理,即加密机制,很容易被其他人给获取到,如果是普通的信息,那倒是无所谓,但是如果涉及到个人的私密信息,那这样岂不是很糟糕,本篇来说一下这个安全和加密机制。
加密算法 和协议:
对称加密:数据加密(保密性)(3DES,AES)
公钥加密:身份认证、密钥交换、数据加密(不常用,比对称加密要慢3个数量级)( RSA ,DSA)
单项加密:数据完整性(MD5,SHA)
密钥交换:RSA、DH(迪菲-赫尔曼)、ECDH(椭圆曲线DH)、ECDHE(临时椭圆曲线DH)
一 、对称加密:加密和解密使用同一个密钥
DES:Data Encryption Standard,56bits
3DES:
AES:Advanced (128, 192, 256bits)
Blowfish,Twofish
IDEA, RC6 ,CAST5
特性:
缺陷:
1、密钥过多
2、密钥分发
3、数据来源无法确认
二 、非对称加密算法:即公钥加密
公钥加密:密钥是成对出现
公钥:公开给所有人;public key
私钥 :自己留存,必须保证其私密性;secret key
特点:
用公钥加密数据,只能使用与之配对的私钥解密;反之亦然
功能:
1 数字签名:主要在于让接收方确认发送方身份
2 对称密钥交换:发送方用对方的公钥加密一个对称密钥后发送给对方
3数据加密:适合加密较小数据
缺点:
密钥长,加密解密效率低下
算法:
RSA(加密,数字签名),DSA(数字签名),ELGamal
具体实现:
基于一对公钥/密钥对: 用密钥对中的一个加密,另一个解密 接收者 生成公钥/密钥对:P和S 公开公钥P,保密密钥S 发送者 使用接收者的公钥来加密消息M 将P(M)发送给接收者 接收者 使用密钥S来解密:M=S(P(M))
三、单项加密:将任意数据缩小成固定大小的“指纹”
特点:
1 任意长度输入
2 固定长度输出
3 若修改数据,指纹也会改变(“不会产生冲突”)
4 无法从指纹中重新生成数据(“单向”)
功能:
数据完整性
常见算式:
md5: 128bits、sha1: 160bits、sha224
sha256、sha384、sha512
常用工具:
md5sum | sha1sum [ –check ] file
openssl、gpg
rpm -V
密钥交换:IKE(Internet Key Exchange )
公钥加密:
DH (Deffie-Hellman):
DH: 1、A: a,p协商生成公开的整数a,大素数p B: a,p 2、A:生成隐私数据:x (x<p ),计算得出a^x%p,发送给B B:生成隐私数据:y,计算得出a^y%p,发送给A 3、A:计算得出(a^y%p)^x = a^xy%p,生成为密钥 B:计算得出(a^x%p)^y = a^xy%p, 生成为密钥 此时,A和B便生成了一个相同的密钥,注意这个密钥交换协议算法只能用于密钥的交换,而不能用于消息的加密处理,当双方确定要用的密钥后,要使用其他的对称加密操作实际加密和解密数据
注意:
以上所说的加密算法和协议虽然能够实现两个两个计算机之间的加密通信,可是保证不了其他计算机的干预消息。
例如:A和B是互联网上的两台主机,A拥有自己的私钥,B拥有自己的私钥,此时如若A要给B发送消息,但是第一次它并不知道谁是B,如果此时有另一台机器C告诉A说我就是B,然后把自己的公钥发送给A,A此时还以为和它通信的真的是B,然而却是A和C在通信。 那么问题来了,如何确定B的身份呢?如果此时有一个双方都信任的第三方机构,由它来确认B的身份,那么问题就可以解决了,随之而来的是谁来确定这个第三方机构的身份呢,如果是一个假的机构呢?所以还需要这个机构的上级来确定它,知道到了顶层。当然这个顶层是我们所有人在心底都默认知道和了解的。
说了这么多,这个所谓的第三方机构就叫做CA,当CA每确认一台机器的时候,就会给它颁发一个证书,具体如下:
CA和证书
PKI: Public Key Infrastructure
签证机构:CA(Certificate Authority)
注册机构:RA
证书吊销列表: CRL
证书存取库:
X.509:定义了证书的结构以及认证协议标准
版本号
序列号
签名算法
颁发者
有效期限
主体名称
主体公钥
CRL分发点
扩展信息
发行者签名
证书类型:
证书授权机构的证书
服务器
用户证书
获取证书两种方法:
使用证书授权机构
生成签名请求(csr)
将csr发送给CA
从CA处接收签名
自签名的证书
自已签发自己的公钥
证书签发过程:如下图所示
- 1、A将自己的公钥发送给CA
- 2、CA在确定A的身份后,会将证书颁发给A,其中过程如下
1)CA会将应有内容整合到证书上,证书的内容结构如上。 2)然后将此内容使用单向加密算法生成特征码(用于验证证书完整性) 3)最后,CA会使用自己的私钥来对此特征吗进行加密,生成数字签名(用来验证是否为CA签署的证书),然后发给A
- 3)B的过程与A相同
当B验证A的身份时,就是通过证书来验证的,步骤如下
- 1 使用CA的公钥来解密数字签名,如果成功,则验证了CA身份
- 2 利用相同的单项加密算法来计算证书内容结构的特征码,与原来的特征码相比较,如果相同,则保证了证书的完整性
- 3 从证书内容中取出A的公钥
加密通信过程详解
第一阶段:ClientHello:客户端向服务器端发起加密通信的请求
1 向服务器发送自己支持的协议版本,比如tls1.2 2 客户端生成一个随机数,稍后用户生成”会话密钥“ 3 自己支持的各种加密算法,比如AES,RSA等 支持的压缩算法;
第二阶段:ServerHello(回应)
1 确认使用的加密通信协议版本,比如tls1.2;(如果版本不一样,则拒绝通信) 2 服务器端生成一个随机数,主要在稍后用户生成”会话密钥“ 3 确认使用的加密方法 4 发送服务器证书 5 索要客户端证书(不过一般服务器端都不会验证客户端)
第三阶段:
1 验证服务器证书,确认无误后,取出其公钥;(验证发证机构、证书签名、证书完整性、证书持有者、证书有效期、吊销列表) 2 发送一下信息给服务器端 3 一个随机数:用于服务器公钥加密 4 编码变更通知:表示随后的信息都将用双方商定的加密方法和密钥发送 5 客户端握手结束通知
第四阶段:
1 收到客户端发来的第三个随机数-pre-master-kty后,计算生成本次会话用到的会话密钥 2 向客户端发送如下消息 3 编码变更通知:与上相同 4 服务器端握手结束通知
此时双方已经彼此确认了对方的身份,并且建立一条安全的通道,接下来就可以传输信息了。此过程如下图所示:
(1)A–>B
1)使用单向加密算法计算要传输的数据的特征码(并没有对原数据内容加密)
2)使用自己的私钥来加密这段特征码生成数字签名
3)使用 对称加密算法 加密上面的所有数据(包括原数据,特征码,数字签名),将生成的对称加密的密码附加在加密过的数据后面
4)使用B的公钥来加密这段对称加密的密码,并将以上所有数据发送给B
(2)B收到A发送的数据后
1)使用B的要来解密对称加密的密码(如果可以解密,则保证接收放是B) 2)利用解密过的对称加密密码来解密这段数据 3)解密后通过利用A的公钥来解密数字签名(如果可以,则保证了数据是从A发的) 4)此时,呈现在B的有两样东西,一个是原数据,还有一个是特征码。且原数据是没有加密的。此时B需要使用相同的单项加密算法对此时的原数据计算特征码,与A发送过来的特征码相比较,如果相等,则保证了原数据的完整性。
至此。信息的加密与解密过程完成。
总结:
在以上所述的过程中,个人认为有几点需要强调:
1)单项加密并不加密原数据,只是为了计算原数据的特征码。用于数据的完整性校验
2)对称加密算法加密和解密都是用同一个密钥。用于加密数据
3)公钥加密加密的是特征码。用于生成数字签名
4)证书的颁发和验证过程和数据的传输过程是两个过程
Xinqi Dong, Ruijia Chen, Terry Fulmer, Melissa A
The total number of specimens included 200, out of which 125 62
RNA was isolated and reverse transcription was performed as previously described 41
2 Nitronaphthalene 581 89 5 1989
Coadministration of bupropion hydrochloride extended release tablets XL with ticlopidine or clopidogrel is not recommended see Clinical Pharmacology 12 The substance, a dietary staple in some Asian cultures, is definitely quite potent
It s been a decade since Comcast has been able to NOT screw up customer accounts, fail to correct their mistakes even as they admit it is Comcast at fault, arbitrarily jack up services, as well as surreptitiously slap services not ordered onto billing that never gets fixed
There does not appear to be any additional benefit when OS is combined with chemotherapy, although there is a suggestion that there may be an effect in the subgroup of young women aged younger than 40 years who are least likely to experience chemotherapy induced cessation of ovarian function
Some users also advocate tapering the dose of cyclofenil during the last few weeks of administration Monitor Closely 2 ritonavir will increase the level or effect of teniposide by P glycoprotein MDR1 efflux transporter
Taxotere Aventis Pharmaceuticals was dissolved in DMSO to make a 4 Ојmol L stock solution
com 20 E2 AD 90 20Buy 20Viagra 20Plus 20Baikal 20Pharmacy 20 20En 20Iyi 20Viagra 20Muadili en iyi viagra muadili Chudzinski said an MRI taken Friday showed Hoyer tore the anterior cruciate ligament in his right knee
This therapy is less effective in cases of retrograde ejaculation associated with pelvic nerve hypogastric plexus damage and surgical scarring at the level of the bladder neck 2000 Apr; 58 Suppl 203 8
Department of Molecular and Cellular Physiology, LSU Health Sciences Center, 1501 Kings Highway, Shreveport, LA, 71130 3932, USA
This palm looks extremely ordinary Granulomas are often seen during microscopic examination of infected tissues, but in advanced cases they may be visible to the unaided eye Fig
tenoretic santa rosa pharmacy Passengers also have reported that the plane was rolling from side to side during the approach, which in calm winds is another indication of stalling, said Hans Weber, president of TECOP International Inc and an aerospace consultant who has been an adviser to the FAA
10 483, 458 Restriction Requirement dated Oct
Looking at Rogge s pomp, he is obviously not an ordinary little noble, Carlos has been busy hunting snow foxes does Do Water Pills Cause Constipation clonodine alone lower blood pressure these days, and has not had a chance to learn about the demon incident in Say City
2008; 89 5 1209 12
It s important to have normal thyroid levels since an imbalance could throw off metabolic processes in other areas of the body
Promptly initiate diuretic therapy with furosemide
Really high- quality SARMs, really conveniently packaged, and the purity is very high To address this concern, the Tet ON system was developed, which allows for rapid, inducible gene expression by the addition of doxycycline
The intraperitoneal furosemide injection caused a transient increase in MAP by 25 mmHg, heart rate, and activity in both WT and A1AR mice
33, 34 On the basis of gene expression signatures, most AITLs and 20 of PTCL NOSs are likely derived from follicular helper T Tfh cells, the T cells that facilitate B cell antibody responses by interacting with B cells in the germinal center
We measured the expression of ten well established E2 responsive genes following 1 nmol L E2 treatment for 3 or 24 hours
When compared to littermate controls, longitudinal CVs of iNICD ventricles were significantly increased after 16 week washout Fig
Drago has served as a consultant or advisor to Intellisphere LLC and Biotheranostics; has served on speakers bureaus for Virology Education; and has received research funding from AstraZeneca
He finally made up his mind, when things slowed down a little here, he must go to another world to see Fengyue in person
Including occurrence of new cancers of any type in the definition, which are unlikely to be affected by the randomization, resulted in 35 of the events in the primary end point, greater than the number of distant recurrences
Radiation induced bronchiolitis obliterans organizing pneumonia BOOP syndrome in breast cancer patients is associated with age
Good news is that mum has surpassed the 3 5years life expectancy, it s different for all cases