What is the principle of a symmetric encryption algorithm

Briefly explain the principle of symmetric encryption and asymmetric encryption and what the difference is

The principle of symmetric encryption is that the sender processes the plaintext (the original data) together with the encryption key through an encryption algorithm, turning it into ciphertext. To recover the original text, the receiver must decrypt the ciphertext using the same key and the inverse of the same algorithm, which turns it back into readable plaintext.

The principle of asymmetric encryption is that party A first generates a pair of keys and makes one of them available as the public key; party B, who obtains the public key, uses it to encrypt the confidential information and sends the result to party A; party A then uses the corresponding private key to decrypt the encrypted information, thus achieving the transmission of confidential data.

The difference between symmetric encryption and asymmetric encryption is that the keys are different, the security is different, and the digital signatures are different.

I. Different keys

1. Symmetric encryption: symmetric encryption uses the same key for encryption and decryption.

2. Asymmetric encryption: encryption and decryption do not use the same key; two keys are needed to encrypt and decrypt.

II. Different security

1. Symmetric encryption: if symmetric encryption is used to transmit encrypted files over a network, then no matter what method is used to tell the key to the other party, it may be eavesdropped.

2. Asymmetric encryption: because there are two keys and only one of them, the public key, is made public, the receiver only needs to use their own private key to decrypt, which avoids the security problems of transmitting the key.

III. Digital signatures are different

1. Symmetric encryption: symmetric encryption cannot be used for digital signatures and digital authentication.

2. Asymmetric encryption: asymmetric encryption can be used for digital signatures and digital authentication.

What is symmetric cryptography

Symmetric encryption is one of the earliest applied kinds of encryption algorithm, and the technology is mature. In a symmetric encryption algorithm, the principle is that the data sender processes the plaintext (original data) together with the encryption key through an encryption algorithm, turning it into ciphertext.

a. When communicating with symmetric ciphers, there is also the problem of key distribution, i.e., how to send the key securely to the receiver. To solve the key distribution problem, public-key cryptography is needed.

b. Although confidentiality can be ensured by using symmetric ciphers, this alone does not provide complete peace of mind.

One of the two keys is kept secret; without the decryption key, decryption is not feasible, and knowledge of the algorithm, one of the keys and a number of ciphertexts is not enough to determine the other key. Advantages: symmetric cryptography is efficient, its algorithms are simple and its system overhead is low, which makes it suitable for encrypting large amounts of data.

What encryption algorithms are there, and on what principles are they based

1. Symmetric encryption algorithms

Symmetric encryption algorithms are used to encrypt sensitive data and other information. Commonly used algorithms include:

DES (Data Encryption Standard): the data encryption standard; faster, suitable for encrypting large amounts of data.

3DES (Triple DES): based on DES; a piece of data is encrypted three times with three different keys, giving higher strength.

AES (Advanced Encryption Standard): the next-generation encryption standard; fast, with a high security level.

Algorithm Principle

The AES algorithm is based on permutation and substitution operations.

Permutation is the rearrangement of data, and substitution is the replacement of one data unit with another.

AES uses several different methods to perform the permutation and substitution operations.

2. Asymmetric Algorithms

Common asymmetric encryption algorithms are as follows:

RSA: Invented by the RSA Corporation, it is a public-key algorithm that supports variable-length keys, and the length of the blocks of the file to be encrypted is also variable;

DSA (Digital Signature Algorithm): a digital signature algorithm, the standard for DSS (Digital Signature Standard);

ECC (Elliptic Curve Cryptography): elliptic curve cryptography.

Algorithm principle: the hard problem on elliptic curves

The elliptic curve discrete logarithm problem (ECDLP) is defined as follows: given a prime number p and an elliptic curve E, and knowing points P and Q with Q = kP, find the positive integer k less than p.

It can be shown that computing Q from k and P is relatively easy, while computing k from Q and P is difficult.

By mapping the addition operation on elliptic curves to the modular multiplication operation in discrete logarithms, and the multiplication operation on elliptic curves to the modular exponentiation operation in discrete logarithms, we can build the corresponding cryptosystem based on elliptic curves.

Cryptography 02-Symmetric Encryption-AES Principle

AES stands for Advanced Encryption Standard. It was introduced mainly to replace the DES encryption algorithm: the DES key length is 56 bits, so the theoretical security strength of the algorithm is 2^56. The middle and late twentieth century saw rapid development of computers, and advances in component manufacturing made computers more and more powerful, so DES could no longer satisfy people's requirements for security. On January 2, 1997, the National Institute of Standards and Technology (NIST) announced a call for an Advanced Encryption Standard (AES) to replace DES. Many cryptographers around the world responded and submitted their own algorithms. Five candidates made it to the final round: Rijndael, Serpent, Twofish, RC6, and MARS, and the Rijndael algorithm won after a rigorous process of security analysis and hardware and software performance evaluation.

The AES cipher is basically identical to the block cipher Rijndael, which has a block size and key size of 128, 192 and 256 bits. However, AES only requires a block size of 128 bits, so only Rijndael with a block length of 128 bits is called the AES algorithm. This article analyzes only the Rijndael algorithm with a block size of 128 bits and a key length of 128 bits. Key lengths of 192 bits and 256 bits are handled in a similar way, except that the number of rounds of the algorithm increases by 2 for every 64-bit increase in the key length: 10 rounds for a 128-bit key, 12 rounds for a 192-bit key, and 14 rounds for a 256-bit key.

Given a 128-bit plaintext and a 128-bit key, a 128-bit ciphertext is output. This ciphertext can be decrypted with the same key. Although AES can only encrypt 16 bytes at a time, we only need to divide the plaintext into blocks of 16 bytes each to encrypt plaintext of any length. If the length of the plaintext is not a multiple of 16 bytes, it needs to be padded; the padding method currently used is PKCS7/PKCS5.

The next step is to analyze the encryption and decryption process of 16 bytes, and the following figure shows the framework of the AES algorithm.

Key generation process

G function

The generation of the round constants is described below.

The main effects are: first, to increase nonlinearity in the key schedule; second, to remove symmetry in AES. Both properties are necessary to resist certain block cipher attacks.

The next few key steps are explained in detail.

The plaintext matrix and the subkey matrix of the current round are XORed together.

The main function of the byte substitution layer is to map one byte to another via the S-box.

The elements of the 4*4 plaintext matrix P are traversed in turn; the high four bits of each element give the row number and the low four bits give the column number, and the corresponding value is then taken from the S-box.

The row shift operation is the simplest: it treats the input data as a 4*4 byte matrix and then shifts the positions of the bytes of this matrix. The ShiftRows sublayer belongs to the diffusion layer of AES, and its purpose is to spread a change in a single bit so that it affects the entire state, thus achieving the avalanche effect. It is called row shift because it operates only on the rows of the 4*4 matrix, with 4 bytes of data per row. In encryption, the first row of the matrix is kept unchanged, the second row is shifted 1 byte to the left, the third row is shifted 2 bytes to the left, and the fourth row is shifted 3 bytes to the left.

The column mixing (MixColumns) layer is the most complex part of the AES algorithm and belongs to the diffusion layer. Column mixing is the main diffusion element in the AES algorithm: it mixes each column of the input matrix so that each byte of the input affects four output bytes. The combination of the row shift layer and the column mixing layer means that after three rounds of processing, each byte of the matrix depends on 16 plaintext bytes. In essence, this is a polynomial multiplication over the finite field GF(2^8), also known as multiplication over the Galois field.

Galois field

Multiplication over a Galois field is often used in coding and storage coding, as well as in encryption and decryption, and the AES algorithm uses operations in the Galois field GF(2^8). In Galois fields of the form GF(2^n), addition and subtraction are both XOR operations, and multiplication is relatively more complex. The following describes multiplication over the finite field GF(2^n).

Primitive polynomial: an irreducible polynomial over a field is a polynomial that cannot be factored, and a primitive polynomial is a special kind of irreducible polynomial. Once a primitive polynomial over a field is chosen, the operations on that field are also determined. The primitive polynomial is usually obtained by looking it up in a table, and there are often several primitive polynomials for the same field. By writing the elements of the field in polynomial form, multiplication over the field can be converted to ordinary polynomial multiplication modulo the primitive polynomial. For example, if g(x)=x^3+x+1 is a primitive polynomial on GF(2^3), then 3*7 over GF(2^3) can be transformed into a polynomial multiplication:

Multiplication by two: multiplication by two is a very special kind of operation, both in ordinary arithmetic and over Galois fields. In ordinary arithmetic it is realized on computers by a shift toward the high bits, and multiplication by two over a Galois field is not complicated either: one shift and one XOR are enough. From a polynomial point of view, Galois multiplication by two corresponds to multiplying a polynomial by x. If the highest exponent of the result does not reach the highest exponent of the primitive polynomial, the operation is equivalent to ordinary multiplication by two; if the highest exponent of the result is equal to the highest exponent of the primitive polynomial, the result must additionally be XORed with the primitive polynomial with its highest term removed.

For example: the calculation of 15*15=85 on GF(2^8) (g(x)=x^8+x^4+x^3+x^2+1).

15 is written in the form 2^3+2^2+2^1+1, so that the product is built from multiplications by two and XORs; then:

Calculation process of the multiplication-by-two operations:

Column mixing: this is a multiplication of two matrices in which addition corresponds to the XOR operation and multiplication corresponds to multiplication over the Galois field GF(2^8) (the polynomial used is x^8+x^4+x^3+x^1+1).

The Galois function is multiplication over the Galois field.

The decryption process is similar to DES decryption and is an inverse process. The basic math is also the same: a number can be recovered by performing the XOR operation twice, S^e^e=S.

Key Addition Layer

By the properties of XOR, the original number can be recovered by XORing again.

Inverse ShiftRows Layer

Restores the shift of the ShiftRows layer.

Inverse MixColumn Layer

The matrix is recovered by multiplying by the inverse of the forward matrix.

Multiplying a matrix first by the forward matrix and then by its inverse is equivalent to no operation.
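The Galois-field multiplication, MixColumns and inverse MixColumns steps described above can be written out as follows. This is an added example, not code from the original article; the function names are hypothetical, the matrices are the fixed MixColumns matrices from FIPS 197, and the sample column is constructed.

```python
# Added example: shift-and-XOR multiplication in GF(2^n) and the AES
# MixColumns / inverse MixColumns step built on it. Names are hypothetical.

AES_POLY = 0x11B  # x^8 + x^4 + x^3 + x + 1, the polynomial given for MixColumns


def gf_mul(a, b, poly=AES_POLY, bits=8):
    """Multiply a and b in GF(2^bits), reducing modulo `poly`."""
    overflow = 1 << bits
    result = 0
    while b:
        if b & 1:
            result ^= a          # addition in GF(2^n) is XOR
        a <<= 1                  # multiply a by x ("multiplication by two")
        if a & overflow:
            a ^= poly            # degree reached `bits`: reduce with one XOR
        b >>= 1
    return result


# Fixed matrices of MixColumns and of its inverse (FIPS 197).
MIX = [[2, 3, 1, 1], [1, 2, 3, 1], [1, 1, 2, 3], [3, 1, 1, 2]]
INV_MIX = [[14, 11, 13, 9], [9, 14, 11, 13], [13, 9, 14, 11], [11, 13, 9, 14]]


def mix_column(column, matrix=MIX):
    """Multiply one 4-byte state column by `matrix` over GF(2^8)."""
    out = []
    for row in matrix:
        acc = 0
        for coeff, byte in zip(row, column):
            acc ^= gf_mul(coeff, byte)
        out.append(acc)
    return out


def inv_mix_column(column):
    """Undo mix_column by multiplying with the inverse matrix."""
    return mix_column(column, INV_MIX)


def changed_bytes(col_a, col_b):
    """Count output bytes that differ after MixColumns (diffusion check)."""
    return sum(x != y for x, y in zip(mix_column(col_a), mix_column(col_b)))


if __name__ == "__main__":
    print(gf_mul(3, 7, poly=0b1011, bits=3))   # the text's GF(2^3) example
    print(gf_mul(15, 15, poly=0x11D))          # the text's 15*15 example
    column = [0xDB, 0x13, 0x53, 0x45]          # constructed sample column
    mixed = mix_column(column)
    print([hex(b) for b in mixed], inv_mix_column(mixed) == column)
```

`changed_bytes` shows the diffusion property stated above: two columns that differ in a single input byte differ in all four output bytes.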

Inverse byte substitution layer

Recovering the substitution operation of the byte substitution layer by substituting again.

For example: 0x00 byte substitution process

Round constant generation rules are as follows:

The algorithm principle is the same as for AES-128, except that each encryption and decryption works with a data and key size of 192 bits and 256 bits. The encryption and decryption process is almost the same, except that the number of rounds increases, so the number of subkeys also increases, and the length of the final round constant RC increases.

Common encryption algorithms, principles, advantages and disadvantages, uses

In the field of security, encrypting communication with key-based encryption algorithms is a common security measure. It can guarantee three goals of secure data communication:

Common key-based encryption algorithms can be roughly divided into three categories: symmetric encryption, asymmetric encryption, and one-way encryption. Below we look at the principles of each category and its common algorithms.

Encrypted transmission initially used the symmetric key method, that is, encryption and decryption with the same key.

1. Symmetric encryption algorithms use a single key. During communication, the data sender splits the original data into fixed-size blocks, encrypts them one by one with the key and the encryption algorithm, and then sends them to the receiver.

2. The receiver receives the encrypted message and decrypts it using the decryption algorithm with the same key to obtain the original data.


The asymmetric encryption algorithm uses two different keys, the public key and the private key, for encryption and decryption. Public and private keys exist in pairs; the public key is derived from the private key and made public to everyone. If the public key is used to encrypt the data, then only the corresponding private key (which cannot be made public) can decrypt it, and vice versa. For n users communicating, 2n keys are needed.

Asymmetric key encryption is suitable for encrypting sensitive information such as keys or identity information, thus meeting the needs of users in terms of security.

1. A encrypts the plaintext using B's public key with the appropriate asymmetric algorithm and sends the ciphertext to B.

2. B receives the ciphertext and decrypts it with his private key and the asymmetric algorithm to obtain the original plaintext.


One-way encryption algorithms can only be used to encrypt data and cannot be decrypted, and are characterized by a fixed-length output and avalanche effect (where changes in a small number of message bits cause many bit changes in the message digest).

One-way encryption algorithms are commonly used to extract data fingerprints, verify data integrity, digital digests, digital signatures, and so on.

1. The sender encrypts the plaintext through a one-way encryption algorithm to generate a ciphertext string of fixed length, which is then passed to the receiver.

2. The receiver encrypts the plaintext used for verification using the same one-way encryption algorithm, resulting in an encrypted ciphertext string.

3. Compare it with the ciphertext string sent by the sender. If the ciphertext strings before and after sending are consistent, it means that the data is not corrupted during the transmission process; if they are not consistent, it means that the data is lost during the transmission process.


MD5, SHA-1, SHA-224, etc.
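The sender and receiver steps above, together with the fixed-length output and avalanche effect, can be checked directly. This is an added example, not code from the original article; it uses SHA-256 from Python's standard library instead of the algorithms listed above, and the function names and sample message are constructed for illustration.

```python
import hashlib
import hmac


def fingerprint(data: bytes) -> bytes:
    """Fixed-length digest of `data` (SHA-256: 32 bytes for any input size)."""
    return hashlib.sha256(data).digest()


def flip_bit(data: bytes, bit_index: int) -> bytes:
    """Return a copy of `data` with exactly one bit inverted."""
    buf = bytearray(data)
    buf[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(buf)


def differing_bits(a: bytes, b: bytes) -> int:
    """Number of bit positions in which two equal-length digests differ."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def verify(received: bytes, sent_digest: bytes) -> bool:
    """Receiver side: recompute the digest and compare it with the one sent."""
    return hmac.compare_digest(fingerprint(received), sent_digest)


if __name__ == "__main__":
    message = b"transfer 100 to account 42"   # constructed sample message
    sent = fingerprint(message)                # step 1: sender computes the digest
    damaged = flip_bit(message, 0)             # one bit changed in transit
    print(len(sent), differing_bits(sent, fingerprint(damaged)))
    print(verify(message, sent), verify(damaged, sent))   # steps 2 and 3
```

Flipping one input bit changes roughly half of the 256 digest bits, which is the avalanche effect described above.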

Internet Key Exchange (IKE) usually refers to the exchange of keys between the two parties in order to encrypt and decrypt data.

The following two common key exchange methods are used:

Transmit the encrypted public key to the other party for decryption over the network. The disadvantage of this method is that it has a high probability of being intercepted and cracked, so it is not commonly used.

The DH algorithm is a key exchange algorithm; it is neither used for encryption nor generates digital signatures.

In the DH algorithm, each of the two parties computes a value from the shared public parameters, its own private parameter and the algorithm, and the two parties then exchange the computed results. After the exchange, each party applies the algorithm to the received value together with its own private parameter. Both parties arrive at the same result, and this result is the key.

For example:


Throughout the process, a third party can only obtain the two values p and g; what A and B exchange are computed results, so this method is very safe.
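The DH exchange described above, with both sides' computations, as an added example that is not code from the original article. The group parameters are a constructed toy choice (p = 2^127 - 1, g = 3) that keeps the numbers readable and is far too small for real use; the function names and the SHA-256 key derivation are assumptions of this sketch.

```python
import hashlib
import secrets

# Constructed toy parameters (assumption of this example, not from the article).
P = 2**127 - 1   # public prime modulus p
G = 3            # public base g


def dh_keypair(p=P, g=G):
    """Pick a private parameter and compute the public value g^private mod p."""
    private = secrets.randbelow(p - 3) + 2        # uniform in [2, p-2]
    return private, pow(g, private, p)


def dh_shared_key(own_private, peer_public, p=P):
    """Combine the peer's public value with our private parameter."""
    # Reject 0, 1 and p-1: they would force the result into a trivial value.
    if not 2 <= peer_public <= p - 2:
        raise ValueError("peer public value out of range")
    secret = pow(peer_public, own_private, p)     # (g^b)^a = (g^a)^b mod p
    raw = secret.to_bytes((p.bit_length() + 7) // 8, "big")
    return hashlib.sha256(raw).digest()           # 32-byte symmetric key


if __name__ == "__main__":
    a_private, a_public = dh_keypair()            # party A
    b_private, b_public = dh_keypair()            # party B
    # Only a_public and b_public cross the network.
    key_a = dh_shared_key(a_private, b_public)
    key_b = dh_shared_key(b_private, a_public)
    print(key_a == key_b, key_a.hex())
```

The exchange on its own does not tell A who sent the value it received; binding a public value to an identity is what the public key certificates discussed next are for.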

Answer: using public key certificates

Public key infrastructure (PKI) is a collection of hardware, software, personnel, policies and protocols used to implement the generation, management, storage, distribution and revocation of keys and certificates based on public-key cryptography.

Its components are the certificate authority (CA), the registration authority (RA), the certificate revocation list (CRL), and the certificate access repository (CB).

Public key certificates are digitally signed declarations that bind the value of a public key to the identity of a person, device, or service that holds the corresponding private key. The generation of public key certificates follows the X.509 protocol, and its contents include: certificate name, certificate version, serial number, algorithm identification, issuer, validity period, valid start date, valid end date, public key, certificate signature, and so on.

1. Client A prepares the digital information (plaintext) to be transmitted.

2. Client A hashes the digital information to obtain a summary of the information. (Prepare the digest)

3. Client A encrypts the message digest with the CA’s private key (SK) to get Client A’s digital signature and attaches it to the digital message. (Digitally sign the digital message with the private key)

4. Client A generates a random encryption key (DES key) and uses this key to encrypt the message to be sent to form a cipher text. (Generate ciphertext)

5. Client A encrypts the randomly generated encryption key just now with the public key (PK) shared by both parties, and transmits the encrypted DES key to B along with the ciphertext. (Asymmetric encryption, encrypting the DES key with the public key)

6. Bank B receives the ciphertext and the encrypted DES key from customer A, and first decrypts the encrypted DES key with its own private key (SK) to get the DES key. (Decrypting DES key with private key)

7. Bank B then decrypts the received ciphertext with DES key to get the digital information in plaintext, and then discards the DES key (i.e., DES key is invalidated). (Decrypted text)

8. Bank B decrypts Customer A’s digital signature with the public key (PK) shared by both parties to get a message digest. Bank B uses the same hash algorithm to perform another hash operation on the received plaintext to get a new message digest. (Decrypting a digital signature with a public key)

9. Bank B compares the received message digest with the newly generated message digest, and if they agree, the received message has not been modified.

The answer is that there is no way to ensure that the CA's public key has not been tampered with. Usually operating systems and browsers pre-install some CA certificates locally. So the sender should go to those certified CAs and apply for a digital certificate. This is guaranteed.

But if a malicious CA certificate is inserted into the system, it is still possible to deliver a fake sender's public key through a fake digital certificate and use it to verify a fake message body. So the prerequisite for security is that no illegitimate CA certificate can be inserted into the system.