Total Pageviews

Monday, 14 March 2016

理解SSL(https)中的对称加密与非对称加密

在网站通过SSL来与用户建立安全的通信中,对称加密算法和非对称加密算法起到了很大作用.
  


密码学最早可以追溯到古希腊罗马时代,那时的加密方法很简单:替换字母。
早期的密码学


古希腊人用一种叫 Scytale 的工具加密。更快的工具是 transposition cipher—:只是把羊皮纸卷在一根圆木上,写下信息,羊皮纸展开后,这些信息就加密完成了。
虽然很容易被解密,但它确实是第一个在现实中应用加密的例子
Julius Caesar 用了另外一个类似的加密方法:把字母往右或往左移动几位;此法称为Caesar’s cipher. 比如“GEEK” 加密后就是“JHHN”.
Plain:  ABCDEFGHIJKLMNOPQRSTUVWXYZ
Cipher: DEFGHIJKLMNOPQRSTUVWXYZABC
因为只有信息接受者知道如何解密,对其他人来说,那就是一段无意义的信息了。
还有像如下图的加密方法:每个字母放在坐标系里

这样 “G”就是 “23”,  “GEEK”就是 “23 31 31 43”.
Enigma Machine



加密算法
  
加密算法有很多种,区别和衡量他们的方法就是看他们是否容易被破解的程度和加密的速度
如下图可见AES 是最快的强加密算法

当然有更快或比较慢的算法了,他们都有用处。如果你只是加密一段信息,也不是经常需要,那你可以用最强的加密算法,甚至也可以用不同的算法加密两次。如果想要加密速度快点,那就用AES.
加密类型
之前说过的加密算法绝大部分都属于以下两种加密类型之一:
  • 对称加密:加密解密用的是同样的“钥匙”
  • 非对称加密:加密解密用的是不同的“钥匙”
对称加密
用邮局的例子来解释下对称加密
Alice 在盒子里放有信息,盒子上有挂锁,她有钥匙。通过邮局她把这个盒子寄给Bob。Bob收到盒子后,用相同的钥匙打开盒子(钥匙之前就得到了,可能是Alice面对面给他的)。然后Bob可以用同样的方法回复。

对称加密可以分为两种:一种是一个一个加密信息,另一种是分块加密信息,通常分为64位加密为一块。块 TwofishSerpentAES (Rijndael), BlowfishCAST5RC4TDES, and IDEA.
非对称加密
Bob和Alice各有自己的盒子。Alice要跟Bob秘密通信,她先让Bob把开着的盒子通过邮局发给她。Alice拿到盒子后放入信息锁上,然后发给Bob。Bob就可以用他自己的钥匙打开了。回复的话就用同样的方法。

  
此法最大的好处是你不必得到对方的“钥匙”,以防别人在钥匙发送过程中偷偷复制钥匙,进而窃取信息。。而且就算Bob的钥匙被窃取复制了,Alice跟别人的通信也是安全的,因为Alice用的是别人的钥匙。
非对称算法在加密和解密时用的是不同的钥匙。信息接受者有两把钥匙:一把“公匙”,一把“私匙”。公匙是给信息发送者用来加密的,私匙是自己用来解密的
这样最大的好处是:不必通过不安全的渠道发送私密的东西。公匙本来就是给别人用的,不用藏好。你的私匙在你产生私匙的电脑里保存着
网站如何通过加密和用户安全通信
SSL (Secure Sockets Layer) 是用来保障你的浏览器和网站服务器之间安全通信,免受网络“中间人”窃取信息。
SSL原理很简单。当你的浏览器向服务器请求一个安全的网页(通常是 https://)

服务器就把它的证书和公匙发回来


浏览器检查证书是不是由可以信赖的机构颁发的,确认证书有效和此证书是此网站的。



使用公钥加密了一个随机对称密钥,包括加密的URL一起发送到服务器


服务器用自己的私匙解密了你发送的钥匙。然后用这把对称加密的钥匙给你请求的URL链接解密。


服务器用你发的对称钥匙给你请求的网页加密。你也有相同的钥匙就可以解密发回来的网页了

本文翻译得很不完整。
在网站通过SSL来与用户建立安全的通信中,对称加密算法和非对称加密算法起到了很大作用。

看了此文我才弄懂,所以我把它翻译出来。

from http://article.yeeyan.org/view/90729/174903
---------------
 英文原文

What is Encryption and How Does It Work?


Encryption has a long history dating back to when the ancient Greeks and Romans sent secret messages by substituting letters only decipherable with a secret key. Join us for a quick history lesson and learn more about how encryption works.
In today’s edition of HTG Explains, we’ll give you a brief history of encryption, how it works, and some examples of different types of encryption—make sure you also check out the previous edition, where we explained why so many geeks hate Internet Explorer.

The History of Modern Encryption

Lets face it: modern encryption techniques can be an extremely boring subject, so instead of just explaining them with words, we’ve put together a comic strip that talks about the history of encryption, inspired by Jeff Moser’s stick figure guide to AESNote: clearly we cannot convey everything about encryption’s history in a comic strip.
Back in those days, people do not have a good encryption method to secure their electronic communication.

Lucifer was the name given to several of the earliest civilian block ciphers, developed by Horst Feistel and his colleagues at IBM.

The Data Encryption Standard (DES) is a block cipher (a form of shared secret encryption) that was selected by the National Bureau of Standards as an official Federal Information Processing Standard (FIPS) for the United States in 1976 and which has subsequently enjoyed widespread use internationally.

Concerns about security and the relatively slow operation of DES in software motivated researchers to propose a variety of alternative block cipher designs, which started to appear in the late 1980s and early 1990s: examples include RC5, Blowfish, IDEA, NewDES, SAFER, CAST5 and FEAL




The Rijndael encryption algorithm was adopted by the US Government as standard symmetric-key encryption, or Advanced Encryption Standard (AES). AES was announced by National Institute of Standards and Technology (NIST) as U.S. FIPS PUB 197 (FIPS 197) on November 26, 2001 after a 5-year standardization process in which fifteen competing designs were presented and evaluated before Rijndael was selected as the most suitable encryption algorithm.

Encryption Algorithm Performance

Many encryption algorithms exist, and they are all suited to different purposes—the two main characteristics that identify and differentiate one encryption algorithm from another are its ability to secure the protected data against attacks and its speed and efficiency in doing so.
As a good example of the speed difference between different types of encryption, you can use the benchmarking utility built into TrueCrypt’s volume creation wizard—as you can see, AES is by far the fastest type of strong encryption.
image
There are both slower and faster encryption methods, and they are all suited for different purposes. If you’re simply trying to decrypt a tiny piece of data every so often, you can afford to use the strongest possible encryption, or even encrypt it twice with different types of encryption. If you require speed, you’d probably want to go with AES.
For more on benchmarking different types of encryption, check out a report from Washington University of St. Louis, where they did a ton of testing on different routines, and explained it all in a very geeky write-up.

Types of Modern Encryption

All the fancy encryption algorithm that we have talked about earlier are mostly used for two different types of encryption:
  • Symmetric key algorithms use related or identical encryption keys for both encryption and decryption.
  • Asymmetric key algorithms use different keys for encryption and decryption—this is usually referred to as Public-key Cryptography.

Symmetric key encryption

To explain this concept, we’ll use the postal service metaphor described in Wikipedia to understand how symmetric key algorithms works.
Alice puts her secret message in a box, and locks the box using a padlock to which she has a key. She then sends the box to Bob through regular mail. When Bob receives the box, he uses an identical copy of Alice’s key (which he has somehow obtained previously, maybe by a face-to-face meeting) to open the box, and read the message. Bob can then use the same padlock to send his secret reply.
symmetric_encryption_diagram
Symmetric-key algorithms can be divided into stream ciphers and block ciphers—stream ciphers encrypt the bits of the message one at a time, and block ciphers take a number of bits, often in blocks of 64 bits at a time, and encrypt them as a single unit. There’s a lot of different algorithms you can choose from—the more popular and well-respected symmetric algorithms include Twofish, Serpent, AES (Rijndael), Blowfish, CAST5, RC4, TDES, and IDEA.

Asymmetric Encryption

In an asymmetric key system, Bob and Alice have separate padlocks, instead of the single padlock with multiple keys from the symmetric example. Note: this is, of course, a greatly oversimplified example of how it really works, which is much more complicated, but you’ll get the general idea.
First, Alice asks Bob to send his open padlock to her through regular mail, keeping his key to himself. When Alice receives it she uses it to lock a box containing her message, and sends the locked box to Bob. Bob can then unlock the box with his key and read the message from Alice. To reply, Bob must similarly get Alice’s open padlock to lock the box before sending it back to her.
asymmetric_encryption_diagram
The critical advantage in an asymmetric key system is that Bob and Alice never need to send a copy of their keys to each other. This prevents a third party (perhaps, in the example, a corrupt postal worker) from copying a key while it is in transit, allowing said third party to spy on all future messages sent between Alice and Bob. In addition, if Bob were careless and allowed someone else to copy his key, Alice’s messages to Bob would be compromised, but Alice’s messages to other people would remain secret, since the other people would be providing different padlocks for Alice to use.
Asymmetric encryption uses different keys for encryption and decryption. The message recipient creates a private key and a public key. The public key is distributed among the message senders and they use the public key to encrypt the message. The recipient uses their private key any encrypted messages that have been encrypted using the recipient’s public key.
There’s one major benefit to doing encryption this way compare to symmetric encryption. We never need to send anything secret (like our encryption key or password) over an insecure channel. Your public key goes out to the world—it’s not secret and it doesn’t need to be. Your private key can stay snug and cozy on your personal computer, where you generated it—it never has to be e-mailed anywhere, or read by attackers.

How Encryption Secures Communication on the Web

For many years, the SSL (Secure Sockets Layer) protocol has been securing web transactions using encryption between your web browser and a web server, protecting you from anybody that might be snooping on the network in the middle.
SSL itself is conceptually quite simple. It begins when the browser requests a secure page (usually https://)

The web server sends its public key with its certificate.

The browser checks that the certificate was issued by a trusted party (usually a trusted root CA), that the certificate is still valid and that the certificate is related to the site contacted.

The browser then uses the public key, to encrypt a random symmetric encryption key and sends it to the server with the encrypted URL required as well as other encrypted http data.

The web server decrypts the symmetric encryption key using its private key and uses the browser’s symmetric key to decrypt its URL and http data.

The web server sends back the requested html document and http data encrypted with the browser’s symmetric key. The browser decrypts the http data and html document using the symmetric key and displays the information.

And now you can securely buy that eBay item you really didn’t need.

Did You Learn Anything?

If you made it this far, we’re at the end of our long journey to understanding encryption and a little bit of how it works—starting from the early days of encryption with the Greeks and Romans, the rise of Lucifer, and finally how SSL uses asymmetric and symmetric encryption to help you buy that fluffy pink bunny on eBay.

We’re big fans of encryption here at How-To Geek, and we’ve covered a lot of different ways to do things like:
from http://www.howtogeek.com/howto/33949/htg-explains-what-is-encryption-and-how-does-it-work/