1.1 CIA 原则
数据保密性(confidentiality)窃听加密(encrypt)数据完整性(integrity)篡改损坏数据可用性(availability)冗余故障转移RAID高可用集群1.2 加密与解密
密码学明文(plaintext)密文(ciphertext)加密(encrypt)解密(decrypt)如果直接传输明文(比如 HTTP 协议),则数据在网络传输的过程中,所经过的每一个路由节点时,都可能被查看,黑客可以很简单地就能截获你的登录用户名和密码:
如果对数据进行加密后,传输密文(比如 HTTPS 协议),则黑客截获到密文也无济于事:
Ciphers对称加密(symmetric encryption)私钥加密(private-key cryptography)加密(encrypt)解密(decrypt)对称加密分组密码(block ciphers)流密码(stream ciphers)2.1 Block Ciphers
Block CipherspaddingBlock CiphersDES3DESAESBlowfishRC5Initialization Vector (IV)
Initialization Vector (IV)Cipher Block Chaining (CBC)异或(XOR)IVIVIV2.2 Stream Ciphers
Stream Ciphers伪随机(pseudo-random)序列counter modeCipher Block Chaining (CBC)Stream CiphersRC4CHACHA202.3 Block Cipher Operation Modes
模式AES-128-CCMAES-GCMAEAD(1) Electronic Code Book (ECB)
ECBIVECB(2) Cipher Block Chaining (CBC)
CBCIVCBC(3) Cipher Feedback (CFB)
CFB(4) Output Feedback (OFB)
OFB(5) Counter Mode (CTR)
CTROFBcounternonce(在加密通信中仅使用一次的密钥,这个值必须唯一)(6) Counter mode with CBC-MAC (CCM)
CCMAES-128-CCMCTRnonce密钥(7) Galois/Counter Mode (GCM)
AEADAES-GCM对称加密Diffie–Hellman key exchange共享秘密(shared secret)Diffie–Hellman 密钥交换公开密钥密码学DHRSA非对称加密(asymmetric encryption)公钥加密(public-key cryptography)私钥(Private Key/Security Key)公钥(Public Key)公钥私钥公钥私钥公钥加密对称加密ECC(Elliptic Curve Cryptography,椭圆曲线密码学)ECDSA数字签名| Symmetric Key length | RSA key length | ECC key length |
|---|---|---|
| 80 | 1024 | 160 |
| 112 | 2048 | 224 |
| 128 | 3072 | 256 |
| 192 | 7680 | 384 |
| 256 | 15360 | 521 |
ECCRSA密钥交换身份验证/数字签名DHECDHECDHE密钥交换DSAECDSA身份验证RSA密码套件(Cipher suites)ECDHEECDSA公钥加密对称加密