When was the first encryption algorithm born? After the computer appeared? No: as early as the 7th century BC, the ancient Greeks were already using encryption. They used a stick called a scytale to transmit encrypted information. To encrypt, they first wound a strip of paper around the stick, then wrote the message along the length of the stick, rotating the stick after each word until the message was finished. Once unwound, the text on the strip is scrambled; this is the ciphertext. Wrapped around another rod of the same size, the strip shows the original message again. If you don't know the thickness of the stick, you can't decrypt the content.
Encryption methods have kept developing to this day, and compared with the simple principle of the scytale the progress has been enormous. We now encrypt using more complex mathematical processes, that is, more complex algorithms. Many mature cryptosystems created using modern methods are basically considered to be unbreakable. How complicated is an unbreakable encryption method? Let's take a look below.
What is encryption?
What we usually call encryption refers to the method of using a key to convert plain text into an incomprehensible sequence, which usually consists of two basic parts: an algorithm and a key.
The algorithm is the procedure that combines ordinary text (or other understandable information) with a string of numbers (the key) to produce an incomprehensible ciphertext. The key is the value the algorithm uses to encode and decode data. Encryption can be described as a method by which the plaintext and the key are passed through a cryptographic algorithm to generate a secret text.
As intended, the content of the encrypted text can only be accessed by users who have the corresponding key. In addition to text messages, modern encryption can also be applied to other electronically transmitted information, such as voice messages, image files, or program code.
Encryption method classification
In modern times, we mainly use two encryption methods: symmetric encryption (private key encryption) and asymmetric encryption (public key encryption).
Symmetric encryption method
Symmetric encryption originated from ancient encryption methods such as the Caesar cipher. The main principle is that the same key is used for file encryption and decryption. If two communicating parties want to exchange encrypted data, both the sender and the receiver need to have copies of the same key, and a way to secretly transmit the shared key needs to be found. In order to protect encrypted information from being accessed by a third party, the key is kept secret, and the length of the key also determines the security of the encryption algorithm.
Symmetric encryption algorithms are simple and quick to use, the key is short, and they are difficult to decipher. Well-known symmetric encryption methods include the Data Encryption Standard (DES) and its successor, the Advanced Encryption Standard (AES).
Data Encryption Standard (DES)
DES is a symmetric encryption method developed by IBM in the 1970s and standardized by the National Institute of Standards and Technology (NIST) in 1977. By the standards of the time, DES was a secure computer-assisted encryption method and the foundation of modern cryptography. The key is 64 bits long, but only 56 bits actually take part in the operation (bits 8, 16, 24, 32, 40, 48, 56, and 64 are check bits, so that each key has an odd number of 1s). It is basically out of date now. With today's technology, a brute force attack can crack a DES key in just a few hours.
The algorithm consists of permutation and substitution, and the whole process requires 16 rounds. The structure is as follows:
First comes the initial permutation. The 64-bit block is divided into two 32-bit blocks: the left half L0 and the right half R0. Then the same operation (here, the function f) is applied for 16 rounds, combining the data with the key. After 16 rounds, the left and right halves are recombined, and after the final permutation the ciphertext is obtained. Decryption of a DES ciphertext follows the same scheme, but in reverse order.
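A minimal Feistel network in Python, added here as an illustration and not taken from the original article, shows why decryption can reuse the encryption routine with the round keys in reverse order. It keeps the 64-bit block, the L0/R0 split and the 16 rounds described above, but the round function f and the key schedule are stand-ins built on SHA-256 (assumptions), and the initial and final permutations are omitted, so this is not DES.

```python
import hashlib

ROUNDS = 16  # same round count as DES


def round_keys(key: bytes) -> list:
    """Derive 16 round keys (constructed schedule for this example, not DES's)."""
    return [hashlib.sha256(key + bytes([i])).digest()[:4] for i in range(ROUNDS)]


def f(right: int, k: bytes) -> int:
    """Round function: mixes a 32-bit half with a round key. It need not be invertible."""
    digest = hashlib.sha256(right.to_bytes(4, "big") + k).digest()
    return int.from_bytes(digest[:4], "big")


def feistel(block: bytes, keys: list) -> bytes:
    """Run the Feistel rounds over one 64-bit block with the given round keys."""
    if len(block) != 8:
        raise ValueError("block must be exactly 8 bytes (64 bits)")
    left = int.from_bytes(block[:4], "big")    # L0
    right = int.from_bytes(block[4:], "big")   # R0
    for k in keys:
        # L(i+1) = R(i), R(i+1) = L(i) XOR f(R(i), K(i))
        left, right = right, left ^ f(right, k)
    # Swapping the halves at the end makes the routine its own inverse
    # when it is given the round keys in reverse order.
    return right.to_bytes(4, "big") + left.to_bytes(4, "big")


def feistel_encrypt(block: bytes, key: bytes) -> bytes:
    return feistel(block, round_keys(key))


def feistel_decrypt(block: bytes, key: bytes) -> bytes:
    return feistel(block, round_keys(key)[::-1])
```

Because each round only XORs f's output into one half, f itself never has to be inverted, which is what lets the same structure run backwards.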
The main disadvantage of DES is that the 56-bit key is relatively short and cannot withstand the brute force attacks that today's computing power makes possible. A variant of DES is Triple-DES (3DES), in which the encryption method is executed in three consecutive rounds. However, the effective key length of 3DES is still only 112 bits, which is lower than the current minimum standard of 128 bits. Therefore, DES has been largely replaced. The AES (Advanced Encryption Standard) algorithm replaces DES, and it is also a symmetric encryption method.
Advanced Encryption Standard (AES)
By the 1990s, it was obvious that the most commonly used encryption standard, DES, had fallen out of date, and a new encryption standard was needed to replace it. Thus, AES was born. Because of its higher security and flexibility, it is also a block encryption standard adopted by the US federal government.
AES also divides the plaintext to be encrypted into blocks, so like DES it is a block cipher. The standard supports 128, 192, and 256-bit keys. AES does not use 64-bit blocks, however, but much larger 128-bit blocks, which are encrypted in successive rounds using a Substitution-Permutation Network (SPN). The encryption process is roughly divided into four steps:
1. KeyExpansion: AES, like DES, uses a new round key for each encryption round. In this step the original key is expanded to generate the 128-bit round keys required. Each round key is taken from a part of the expanded key. The number of round keys required is equal to the number of rounds (R), including the key round, plus one round key for the initial round (number of keys = R + 1).
2. Initial round: In the initial round, the 128-bit input block is transferred to a two-dimensional table (array) and combined with the first round key using a bitwise exclusive OR (AddRoundKey). The table consists of four rows and four columns. Each cell contains one byte (8 bits) of the block to be encrypted.
3. Number of encryption rounds: The number of encryption rounds depends on the key length used: AES128 is 10 rounds, AES192 is 12 rounds, and AES256 is 14 rounds. Each round of encryption uses the following operations:
- SubBytes (byte substitution): a non-linear substitution step in which each byte is replaced with another byte according to a lookup table.
- ShiftRows: a transposition step in which the last three rows of the state are cyclically shifted by a certain number of steps.
- MixColumns (column confusion): a linear mixing operation that operates on the columns of the state, combining the four bytes in each column.
- AddRoundKey (round key plus): At the end of each round of encryption, another AddRoundKey occurs. Just like the initial round, it is an exclusive OR between the data block and the current round key.
4. Key round: The key round is the last encryption round. Unlike the previous rounds, it does not include the MixColumns transformation, so it only includes the SubBytes, ShiftRows, and AddRoundKey operations. The result of the last round is the ciphertext.
Because of its algorithm, AES has been certified to a high level of security. For a key length of at least 128 bits, brute force attacks are very inefficient. In addition, AES is used as an encryption standard for WPA2, SSH, and IPSec. The algorithm is also used to encrypt compressed file archives, such as 7-Zip or RAR.
The above two symmetric encryption methods are based on symmetric encryption algorithms, and symmetric encryption algorithms are divided into the following two categories:
- Stream cipher: also called a serial cipher. Encryption generates a key stream, and decryption uses the same key stream. The plaintext is XORed with a key stream of the same length to get the ciphertext, and the ciphertext is XORed with the same key stream to get the plaintext.
- Block cipher: it divides the sequence to be encrypted or decrypted into blocks, and finally merges the processed blocks together to form the ciphertext or plaintext.
Asymmetric encryption method
In contrast to symmetric encryption, where both parties use the same key, in asymmetric encryption each party generates its own key pair. Each participant in the communication has two keys available: a public key and a private key. To make encryption possible, each party must announce its public key in advance, which is why this is called a public key algorithm. This is the advantage of an asymmetric cryptosystem: in contrast to symmetric encryption, the private key never leaves the sight of its owner.
Let's use a simple example to understand asymmetric encryption. Suppose user A wants to send an encrypted message to user B. For this, A needs B's public key, which allows A to encrypt a message that can only be decrypted with B's private key. In this way, no one except B can read the message; not even A can decrypt it.
The advantage of this is that anyone can use user B's public key to encrypt a message, and then only B's private key can decrypt it. Since only public keys are exchanged, there is no need to create a tamper-proof secure channel, because only B can decrypt.
The most common encryption algorithms for asymmetric encryption are Rivest, Shamir, Adleman (RSA) and ECC.
Rivest, Shamir, Adleman (RSA)
In 1977, the mathematicians Rivest, Shamir and Adleman proposed an asymmetric encryption algorithm and named it RSA after its inventors. RSA is currently generally considered to be one of the most secure and excellent public key methods.
RSA uses an algorithm based on multiplying large prime numbers. If you multiply the prime numbers 14,629 and 30,491, you can get the result 446,052,839. There are only four possible divisors for this number: two of them are 1 and itself, and the other two are the original prime numbers before being multiplied. If you exclude the first two divisors (because each number is divisible by 1 and itself), you will get the initial values of 14,629 and 30,491.
The above is the basis of RSA key generation. The public key and the private key are two pairs of numbers:
N is the product N = p × q of two randomly selected very large prime numbers p and q, and Euler's function of N is φ(N) = (p-1)(q-1).
To generate a public key, you need e, a randomly selected number subject to some restrictions (the conditions are 1 < e < φ(N), and e and φ(N) are relatively prime).
To generate a private key, you need to calculate the modular inverse d of e modulo φ(N). The so-called "modular inverse element" means that there is an integer d such that the remainder of ed divided by φ(N) is 1. That is, (ed) mod φ(N) = 1, or ed = kφ(N) + 1, where k ≥ 1 is an arbitrary integer; therefore, if you know e and φ(N), it is easy to calculate d.
However, d cannot be calculated from N and e alone (note: without p and q). Therefore, anyone can encrypt the plaintext, but only authorized users (who know d) can decrypt the ciphertext.
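The key generation steps above, worked through in Python with the primes 14,629 and 30,491 from the text. This is an added example, not code from the original article: it is textbook RSA without padding, the choice e = 65537 and all function names are assumptions made here, and the last function shows that the secrecy of d depends entirely on N being too large to factor.

```python
from math import gcd, isqrt


def generate_keypair(p, q, e=65537):
    """Textbook RSA key generation from two primes, following the steps above."""
    n, phi = p * q, (p - 1) * (q - 1)
    while gcd(e, phi) != 1:          # e must be relatively prime to phi(N)
        e += 2
    if not 1 < e < phi:
        raise ValueError("no valid public exponent: primes too small")
    d = pow(e, -1, phi)              # modular inverse: (e * d) % phi == 1
    return (n, e), (n, d)


def rsa_encrypt(m, public_key):
    """Encrypt an integer message with the public pair (N, e)."""
    n, e = public_key
    if not 0 <= m < n:
        raise ValueError("message must be an integer in [0, N)")
    return pow(m, e, n)


def rsa_decrypt(c, private_key):
    """Decrypt with the private pair (N, d)."""
    n, d = private_key
    return pow(c, d, n)


def recover_d_by_factoring(public_key):
    """Redo key generation after factoring N; feasible only because N is tiny."""
    n, e = public_key
    p = next(i for i in range(3, isqrt(n) + 1, 2) if n % i == 0)
    q = n // p
    return n, pow(e, -1, (p - 1) * (q - 1))


# The primes from the text; real keys use primes of 1024 bits or more.
PUBLIC, PRIVATE = generate_keypair(14629, 30491)
```

With this 29-bit N, `recover_d_by_factoring(PUBLIC)` returns the private key at once, which is why p and q must be very large in practice.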
The security strength of the RSA algorithm increases as the length of its key increases. However, the longer the key, the longer it takes for encryption and decryption. Therefore, it is necessary to comprehensively consider the sensitivity of the protected information, the cost of the attacker's cracking, and the response time required by the system.
At present, the most commonly used SSL/TLS protocol on the Internet is based on the RSA algorithm. If you want to use a specific public key to encrypt information, you can only use the private key attached to the public key to decrypt it. After the client verifies that the public key can match the private key, a secure connection can be established.
ECC
In the figure above, we can also see another asymmetric encryption algorithm, ECC, the elliptic curve encryption algorithm. Its mathematical basis is the difficulty of computing discrete logarithms in the Abelian additive group formed by the rational points on an elliptic curve. The main advantage of ECC is that in some cases it uses a smaller key than other methods (such as RSA) while providing a comparable or higher level of security.
Back to asymmetric encryption itself. Besides the advantage of "no need to create a tamper-proof secure channel", this kind of encryption also has a disadvantage that cannot be ignored: the identity of the communication partner cannot be confirmed. That is to say, in asymmetric encryption, B cannot be sure that the encrypted message really comes from A. In theory, a third user C can use B's public key to encrypt and transmit a message. In addition, A cannot determine whether the public key really belongs to B. The public key may have been created by C and passed to A, so that messages from A to B can be intercepted.
Therefore, with asymmetric encryption, a mechanism is needed so that users can verify the identity of their communication partners.
Currently we use digital certificates and signatures to solve this problem:
- Digital certificate: To ensure the security of the asymmetric encryption method, the communication partner can have the authenticity of its public key confirmed by an official certification body. An example is TLS/SSL encrypted data transmission via HTTPS.
- Digital signature: While digital certificates can be used to verify public keys, digital signatures can be used to identify the sender of an encrypted message. The private key is used to generate the signature, and the receiver then uses the sender's public key to verify the signature.
These are the encryption methods we mainly use at present, but they are not the only ones. With the continuous development of the Internet, encryption will certainly become more and more complicated. These methods involve a lot of mathematics, which can be very boring to study, but it is precisely this boring mathematics that makes our information more and more secure.