Simple organization of network security 2


Previous: Simple finishing of network security 1

Digital signature

  • A digital signature is used to prove authenticity. It must guarantee the following three points:
    (1) Message authentication: the receiver can verify the sender's signature on the message (proving the source);
    (2) The integrity of the message: the sender cannot afterwards deny the signature on the message (anti-repudiation);
    (3) Non-repudiation: the receiver cannot forge the signature of the message (anti-forgery).
  • There are many ways to implement digital signatures, but it is easier to implement them with public key algorithms.

Realization of digital signature based on public key


  • Because no one other than A holds A's private key, no one other than A can generate this ciphertext. Therefore, B believes that the message X was signed and sent by A. If A wants to deny having sent the message to B, B can show the plaintext and the corresponding ciphertext to a third party, who can easily use A's public key to verify that A really sent X to B. Conversely, if B forges X into X', then B cannot show the corresponding ciphertext to the third party. This proves that B has forged the message.

Authentication

In the field of information security, encryption is an important measure against passive attacks, while authentication is used against tampering and forgery in active attacks. Message authentication enables the receiver to verify the authenticity of a received message (sender, message content, sending time, sequence, etc.). Encryption can be used to achieve message authentication. However, in network applications many messages do not need to be encrypted, and the receiver should be able to use a very simple method to verify the authenticity of the message.

Authentication is different from authorization

  • Authentication and authorization are different concepts. The question involved in authorization is whether the operation being performed is allowed (for example, whether a file can be read or written).

Classification of authentication

  • Message authentication: It means that the received message is indeed sent by the sender of the message, and not forged or tampered with by others. This includes endpoint authentication and message integrity authentication.
  • Entity authentication: Only the entity sending the message is authenticated. The entity can be a person or a process (client or server). This is endpoint authentication.

Message authentication

Many messages do not require encryption, but they do require a digital signature so that the recipient can verify the authenticity of the message. However, digitally signing very long messages increases the burden on the computer (the calculation takes a long time). When we transmit a message that does not need to be encrypted, the receiver should be able to use a very simple method to verify the authenticity of the message.

Hash function MD5

  1. Append: Calculate the remainder (64 bits) of the length of the message, which may be of any length, modulo 2^64, and append it to the end of the message (length item).
  2. Padding: Fill 1~512 bits between the message and the length item, so that the total length after filling is an integer multiple of 512 bits. The first bit of the padding is 1, and the following bits are 0.
  3. Grouping: Divide the appended and padded message into 512-bit data blocks; each 512-bit block is divided into 4 128-bit data blocks.
  4. Calculation: Send the 4 128-bit data blocks to different hash functions for 4 rounds of calculation. In each round, complex calculations are performed on small 32-bit data blocks. At the end, the MD5 message digest code (128 bits) is obtained.

Secure hash algorithm SHA

SHA is more secure than MD5, but it is slower to calculate than MD5.

Message authentication code MAC

The message authentication implemented by MD5 can be tamper-proof, but not forgery-proof, so message authentication cannot be truly realized.

  • The intruder creates a forged message M, calculates its hash H(M), and, posing as A, sends the extended message with the hash appended to B.
  • B receives the extended message (M, H(M)) and uses the hash function to calculate the hash H(M_R) of the received message M_R.
  • If H(M) = H(M_R), B will mistakenly believe that the forged message it received was sent by A.

To prevent the above attack, the hash can be encrypted once. The result of encrypting the hash is called the message authentication code (MAC). Since the intruder does not have the key K, the intruder cannot forge A's message authentication code, and therefore cannot forge a message sent by A. This completes the authentication of the message.
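
The difference between the two schemes, as an added example that is not part of the original post. HMAC-SHA256 stands in for the page's "encrypt the hash with K" construction and SHA-256 for the unkeyed hash; the key, the sample messages and the function names are constructed for illustration.

```python
import hashlib
import hmac

def plain_tag(msg: bytes) -> bytes:
    """Unkeyed scheme from the page: the sender appends H(M)."""
    return hashlib.sha256(msg).digest()

def mac_tag(key: bytes, msg: bytes) -> bytes:
    """Keyed scheme: only holders of K can compute the tag."""
    return hmac.new(key, msg, hashlib.sha256).digest()

def b_accepts_plain(msg: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(plain_tag(msg), tag)

def b_accepts_mac(key: bytes, msg: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(mac_tag(key, msg), tag)

def scenario() -> dict:
    k = b"constructed-shared-key-K-of-A-and-B"   # known to A and B only
    genuine = b"A->B: transfer 10 to D"          # constructed sample messages
    forged = b"A->B: transfer 9000 to C"
    tag_plain, tag_mac = plain_tag(genuine), mac_tag(k, genuine)
    return {
        # Tampering in transit with the old tag attached is caught by both schemes.
        "plain_tampered": b_accepts_plain(forged, tag_plain),
        "mac_tampered": b_accepts_mac(k, forged, tag_mac),
        # Forgery: the intruder recomputes the unkeyed hash for its own message.
        "plain_forged": b_accepts_plain(forged, plain_tag(forged)),
        # Without K the intruder can only reuse the unkeyed hash or guess a key.
        "mac_forged_hash": b_accepts_mac(k, forged, plain_tag(forged)),
        "mac_forged_wrong_key": b_accepts_mac(k, forged, mac_tag(b"guess", forged)),
        "mac_genuine": b_accepts_mac(k, genuine, tag_mac),
    }

if __name__ == "__main__":
    for name, accepted in scenario().items():
        print(f"{name:22} accepted={accepted}")
```

Only `plain_forged` and `mac_genuine` are accepted: the unkeyed hash stops in-transit tampering but not a message built from scratch, which is the gap the key K closes.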

Entity authentication

Entity authentication is different from message authentication. Message authentication is to identify the sender of the message for each received message. Entity authentication is to verify the counterparty entity communicating with itself only once during the entire duration of system access.

  • A shared symmetric key can be used for entity authentication. The symmetric key K_AB is used to encrypt the message sent by A to B. After receiving this message, B decrypts it with the shared symmetric key K_AB and thereby authenticates the identity of entity A, because the key is known only to A and B.
  • Intruder C can intercept messages sent by A to B from the network. C does not need to decipher the message, but directly sends the intercepted message encrypted by A to B, making B mistakenly believe that C is A. B then sends messages intended for A to C, who is pretending to be A. This kind of attack is called a replay attack. C can even intercept A's IP address and pass it off as its own IP address (this is called IP spoofing), making B even more likely to be deceived.

Nonce-based authentication

A nonce is a large random number that is not reused, that is, "used only once". Since nonces cannot be reused, C cannot reuse an intercepted nonce in a replay attack.
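
How a nonce defeats the replay described above, as an added example that is not part of the original post. It assumes A proves knowledge of K_AB by computing an HMAC over B's nonce rather than by encrypting it; the class, the function names and the message labels are constructed for illustration.

```python
import hashlib
import hmac
import secrets

def tag(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()

class VerifierB:
    """B's side of entity authentication with the shared key K_AB."""

    def __init__(self, k_ab: bytes):
        self.k_ab = k_ab
        self.pending = set()                 # nonces issued and not yet answered

    def accept_static(self, token: bytes) -> bool:
        # No nonce: the same token stays valid forever, so a recording replays.
        return hmac.compare_digest(token, tag(self.k_ab, b"I am A"))

    def challenge(self) -> bytes:
        r_b = secrets.token_bytes(16)        # fresh nonce R_B
        self.pending.add(r_b)
        return r_b

    def accept_response(self, r_b: bytes, response: bytes) -> bool:
        if r_b not in self.pending:          # unknown or already used nonce
            return False
        self.pending.discard(r_b)            # each nonce is good for one answer
        return hmac.compare_digest(response, tag(self.k_ab, b"A|" + r_b))

def a_respond(k_ab: bytes, r_b: bytes) -> bytes:
    """A proves knowledge of K_AB by authenticating B's nonce."""
    return tag(k_ab, b"A|" + r_b)

def replay_demo() -> dict:
    k_ab = secrets.token_bytes(32)           # constructed shared key
    b = VerifierB(k_ab)
    static = tag(k_ab, b"I am A")            # sent by A once, recorded by C
    r1 = b.challenge()
    resp1 = a_respond(k_ab, r1)              # A's answer, also recorded by C
    first = b.accept_response(r1, resp1)
    r2 = b.challenge()                       # C connects later and gets a new nonce
    return {
        "static_replayed": b.accept_static(static),
        "genuine_response": first,
        "same_nonce_again": b.accept_response(r1, resp1),
        "old_response_new_nonce": b.accept_response(r2, resp1),
    }

if __name__ == "__main__":
    print(replay_demo())
```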

  • B signs the nonce R_A with its private key and sends it back to A. A uses B's public key to verify the signature. If A recovers the nonce R_A it originally sent, A has verified that the party it is communicating with is indeed B. Similarly, A signs the nonce R_B with its own private key and sends it to B. B verifies the signature with A's public key and thereby authenticates A's identity. Although a public key cryptosystem does not require shared keys to be secretly distributed between the communicating users, it is still subject to attack.

For example:

  • C pretends to be A and sends a message to B, saying: "I am A".
  • B chooses a nonce R_B and sends it to A, but it is intercepted by C.
  • C uses its own private key SK_C, passing it off as A's private key, to encrypt R_B, and sends the result to B.
  • B sends a message to A, asking the other party to send the public key used for decryption, but this message is also intercepted by C.
  • C sends its own public key PK_C to B as A's public key.
  • B uses the received public key PK_C to decrypt the received encrypted R_B, and the result is of course correct. So B believes that the communication partner is A, and then sends a lot of sensitive data to A, but all of it is intercepted by C.

Man-in-the-middle attack


  • A sends the message "I am A" to B, stating its identity. This message is intercepted by the "middleman" C, and C forwards the message to B intact. B chooses a nonce R_B and sends it to A, but it is also intercepted by C and then forwarded to A.
  • The middleman C encrypts R_B with its private key SK_C and sends it back to B, making B mistakenly believe that it was sent by A. After receiving R_B, A also encrypts R_B with its private key SK_A and sends it back to B, but this is intercepted by C and discarded. B asks A for its public key, and this message is intercepted by C and forwarded to A.
  • C sends its own public key PK_C to B, pretending that it is A's, and C also intercepts the public key PK_A that A sends to B.
  • B encrypts the data with the received public key PK_C (believing it to be A's) and sends it to A. After intercepting it, C decrypts it with its own private key SK_C, makes a copy, and then encrypts the data with A's public key PK_A and sends it to A.
  • After receiving the data, A uses its private key SK_A to decrypt it, thinking that it has communicated confidentially with B. In fact, the encrypted data sent by B to A has been intercepted and decrypted by the middleman C, but neither A nor B knows.
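
The signature property from the section "Realization of digital signature based on public key" and the key substitution that both the impersonation example and the man-in-the-middle attack rely on, as an added example that is not part of the original post. Python's standard library has no RSA, so a Lamport one-time signature built on SHA-256 stands in for the page's private-key operation; the function names and the `pk_a_trusted` parameter (a copy of A's public key that B obtained by some authenticated means) are assumptions of this example.

```python
import hashlib
import secrets

def H(b: bytes) -> bytes:
    return hashlib.sha256(b).digest()

def keygen():
    """Return (SK, PK): 256 pairs of random secrets and their hashes."""
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    return sk, [(H(x), H(y)) for x, y in sk]

def digest_bits(msg: bytes):
    d = int.from_bytes(H(msg), "big")
    return [(d >> i) & 1 for i in range(256)]

def sign(sk, msg: bytes):
    """Reveal one secret per digest bit. A key pair must sign only one message."""
    return [sk[i][bit] for i, bit in enumerate(digest_bits(msg))]

def verify(pk, msg: bytes, sig) -> bool:
    return len(sig) == 256 and all(
        H(sig[i]) == pk[i][bit] for i, bit in enumerate(digest_bits(msg)))

def b_authenticates_peer(r_b: bytes, sig, offered_pk, pk_a_trusted=None) -> bool:
    """B's check of the signed nonce. With no trusted copy of PK_A, B falls back
    to the key the peer offered over the same channel (the flaw on the page)."""
    pk = pk_a_trusted if pk_a_trusted is not None else offered_pk
    return verify(pk, r_b, sig)

def demo() -> dict:
    sk_a, pk_a = keygen()
    sk_c, pk_c = keygen()
    x = b"message X from A to B"             # constructed sample message
    sig_x = sign(sk_a, x)
    r_b = secrets.token_bytes(16)            # B's nonce R_B
    sig_c = sign(sk_c, r_b)                  # C answers with SK_C and offers PK_C
    sk_a2, pk_a2 = keygen()                  # one-time keys: A uses a fresh pair
    return {
        "third_party_verifies_x": verify(pk_a, x, sig_x),
        "altered_x_rejected": not verify(pk_a, x + b"'", sig_x),
        "c_accepted_with_offered_key": b_authenticates_peer(r_b, sig_c, pk_c),
        "c_accepted_with_trusted_key": b_authenticates_peer(r_b, sig_c, pk_c, pk_a2),
        "a_accepted_with_trusted_key": b_authenticates_peer(
            r_b, sign(sk_a2, r_b), pk_a2, pk_a2),
    }

if __name__ == "__main__":
    print(demo())
```

C is accepted only when B verifies with the key C itself supplied; once B checks the nonce signature against a copy of A's public key that did not arrive over the attacked channel, C's answer fails and A's succeeds.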


Origin blog.csdn.net/qq1350975694/article/details/106982637