What is symmetric encryption?
Using the encryption method of a single-key cryptosystem, the same key can be used for encryption and decryption of information at the same time. This encryption method is called symmetric encryption, also known as single-key encryption.
Table of contents
1 Definition
2 Working process
3 Commonly used algorithms
4 Advantages and disadvantages
Definition
An encryption algorithm that requires the use of the same key for encryption and decryption. Due to its speed, symmetric encryption is often used when the sender of a message needs to encrypt large amounts of data. Symmetric encryption is also called key encryption.
The so-called symmetry means that both parties using this encryption method use the same key to encrypt and decrypt. Keys are instructions that control the encryption and decryption process. An algorithm is a set of rules that dictate how encryption and decryption are performed.
Therefore[1] The security of encryption not only depends on the encryption algorithm itself, but the security of key management is even more important. Because the same key is used for encryption and decryption, how to safely transfer the key to the decryptor becomes a problem that must be solved.
Working process
The following is an example to briefly explain the working process of symmetric encryption. A and B are business partners who live in different cities. Due to business needs, they often mailed important goods to each other. In order to ensure the safety of the goods, they agreed to make a safe box and put the items in it. They created two identical keys and kept them separately so that they could use the key to open the safe when receiving the package and use the key to lock the safe before mailing the goods.
The above is a traditional way to safely deliver important resources to the destination. As long as A and B keep the key carefully, even if someone gets the safe, they will not be able to open it. This idea is used in information encryption for modern computer communications. In symmetric encryption, the data sender processes the plaintext (original data) and the encryption key together with a special encryption algorithm, turning it into a complex encrypted ciphertext and sending it out. After the receiver receives the ciphertext, if it wants to decipher the original text, it needs to use the encryption key and the inverse algorithm of the same algorithm to decrypt the ciphertext in order to restore it to readable plaintext. In a symmetric encryption algorithm, only one key is used, and both the sender and the receiver use this key to encrypt and decrypt data.
openssl enc -ciphername [-in filename] [-out filename] [-pass arg] [-e] [-d] [-a/-base64] [-k password] [- S salt] [-salt] [-md] [-p/-P]
Option description:
-ciphername: Specify the symmetric encryption algorithm (such as des3), which can be directly independent of enc Use, like openssl des3 or openssl enc -des3. It is recommended to use it after enc, so that it does not depend on the hardware.
-in filename: input file, the default is stdin if not specified
-out filename: output file, the default is stdout# if not specified
##-e: Encrypt the input file. If not specified, this option will be used by default. -d: Decrypt the input file. Decryption will only be performed if this option is explicitly specified. -pass: Pass the plaintext password for encryption and decryption. If the public key or private key file used when verifying the signature is encrypted, the password needs to be passed for decryption. For the password format, see "openssl password format"
-k : has been replaced by "-pass" and is still retained for compatibility with older versions of openssl-base64: Base64 encoding or decryption after encryption and before decryption. If not specified, the default is binary. Note that encoding is not part of encryption and decryption, but the "organizing" of the data format before and after encryption and decryption -a: Equivalent to -base64-salt: Use salt for one-way encryption Complicates the results of one-way encryption. This is the default option and uses a random salt value. -S salt: Do not use a random salt value, but a custom salt value, but it can only be in the hexadecimal range. A combination of characters, that is, any one or more combinations of "0-9a-fA-F"-p: Print the salt value, key value and IV initialization vector value during encryption and decryption (also complex encryption) A way), the decryption result is also output when decrypting, see the example below-P: has the same effect as the -p option, but exits the tool directly when printing, without performing encryption or decryption operations-md: Specify one-way encryption algorithm, default md5. This algorithm is used to encrypt the key part, see the analysis below. The supported one-way encryption algorithms are:-md4 to use the md4 message digest algorithm-md5 to use the md5 message digest algorithm-ripemd160 to use the ripemd160 message digest algorithm-sha to use the sha message digest algorithm-sha1 to use the sha1 message digest algorithm-sha224 to use the sha224 message digest algorithm-sha256 to use the sha256 message digest algorithm-sha384 to use the sha384 message digest algorithm-sha512 to use the sha512 message digest algorithm-whirlpool to use the whirlpool message digest algorithm
-aes-128-cbc -aes-128-cbc-hmac-sha1 -aes-128-cfb -aes-128-cfb1 -aes-128-cfb8 -aes-128-ctr -aes-128-ecb -aes-128-gcm -aes-128-ofb -aes-128-xts -aes-192-cbc -aes-192-cfb -aes-192-cfb1 -aes-192-cfb8 -aes-192-ctr -aes-192-ecb -aes-192-gcm -aes-192-ofb -aes-256-cbc -aes-256-cbc-hmac-sha1 -aes-256-cfb -aes-256-cfb1 -aes-256-cfb8 -aes-256-ctr -aes-256-ecb -aes-256-gcm -aes-256-ofb -aes-256-xts -aes128 -aes192 -aes256 -bf -bf-cbc -bf-cfb -bf-ecb -bf-ofb -blowfish -camellia-128-cbc -camellia-128-cfb -camellia-128-cfb1 -camellia-128-cfb8 -camellia-128-ecb -camellia-128-ofb -camellia-192-cbc -camellia-192-cfb -camellia-192-cfb1 -camellia-192-cfb8 -camellia-192-ecb -camellia-192-ofb -camellia-256-cbc -camellia-256-cfb -camellia-256-cfb1 -camellia-256-cfb8 -camellia-256-ecb -camellia-256-ofb -camellia128 -camellia192 -camellia256 -cast -cast-cbc -cast5-cbc -cast5-cfb -cast5-ecb -cast5-ofb -des -des-cbc -des-cfb -des-cfb1 -des-cfb8 -des-ecb -des-ede -des-ede-cbc -des-ede-cfb -des-ede-ofb -des-ede3 -des-ede3-cbc -des-ede3-cfb -des-ede3-cfb1 -des-ede3-cfb8 -des-ede3-ofb -des-ofb -des3 -desx -desx-cbc -id-aes128-GCM -id-aes128-wrap -id-aes128-wrap-pad -id-aes192-GCM -id-aes192-wrap -id-aes192-wrap-pad -id-aes256-GCM -id-aes256-wrap -id-aes256-wrap-pad -id-smime-alg-CMS3DESwrap -idea -idea-cbc -idea-cfb -idea-ecb -idea-ofb -rc2 -rc2-40-cbc -rc2-64-cbc -rc2-cbc -rc2-cfb -rc2-ecb -rc2-ofb -rc4 -rc4-40 -rc4-hmac-md5 -seed -seed-cbc -seed-cfb -seed-ecb -seed-ofb
在给出openssl enc命令用法示例之前,先解释下对称加密和解密的原理和过程。
对称加解密时,它们使用的密码是完全相同的,例如"123456",但这是密码,且是明文密码,非常不安全,所以应该对此简单密码进行复杂化。最直接的方法是使用单向加密计算出明文密码的hash值,单向加密后新生成的密码已经比较安全(称之为密钥比较好),可以作为对称加密时的对称密钥。另外,由于同一单向加密算法对相同明文密码的计算结果是完全一致的,这样解密时使用相同的单向加密算法就能计算出完全相同的密钥,也就是解密时的对称密钥。如果想要更安全,还可以在对称加密后对加密文件进行重新编码,如使用"base64"、二进制或hex编码方式进行编码,但对应的在解密前就需要先解码,解码后才能解密。
所以,将对称加、解密的机制简单概括如下:
对称加密机制:根据指定的单向加密算法,对输入的明文密码进行单向加密(默认是md5),得到固定长度的加密密钥,即对称密钥,再根据指定的对称加密算法,使用对称密钥加密文件,最后重新编码加密后的文件。即单向加密明文密码结果作为对称密钥、使用对称密钥加密文件、对文件重新编码。
对称解密机制:先解码文件,再根据单向加密算法对解密时输入的明文密码计算得到对称密钥,依此对称密钥对称解密解码后的文件。
因此,解密过程中使用的解码方式、单向加密和对称加密算法都必须一致,且输入的密码必须是正确密码。但需要注意的一点是,解密时可以不指定salt,因为加密时使用的salt会记录下来,解密时可以读取该salt。
如下图所示,分别是加密和解密过程示意图。
示例:
以加密/etc/fstab的备份文件/tmp/test.txt为例。
(1).首先测试openssl enc的编码功能。由于未指定密码选项"-k"或"-pass",所以仅仅只进行编码而不进行加密,因此也不会提示输入密码。
[root@xuexi tmp]# openssl enc -a -in test.txt -out test_base64.txt [root@xuexi tmp]# cat test_base64.txt CiMKIyAvZXRjL2ZzdGFiCiMgQ3JlYXRlZCBieSBhbmFjb25kYSBvbiBUaHUgTWF5 IDExIDA0OjE3OjQ0IDIwMTcKIwojIEFjY2Vzc2libGUgZmlsZXN5c3RlbXMsIGJ5 IHJlZmVyZW5jZSwgYXJlIG1haW50YWluZWQgdW5kZXIgJy9kZXYvZGlzaycKIyBT ZWUgbWFuIHBhZ2VzIGZzdGFiKDUpLCBmaW5kZnMoOCksIG1vdW50KDgpIGFuZC9v ciBibGtpZCg4KSBmb3IgbW9yZSBpbmZvCiMKVVVJRD1iMmE3MGZhZi1hZWE0LTRk OGUtOGJlOC1jNzEwOWFjOWM4YjggLyAgICAgICAgICAgICAgICAgICAgICAgeGZz ICAgICBkZWZhdWx0cyAgICAgICAgMCAwClVVSUQ9MzY3ZDZhNzctMDMzYi00MDM3 LWJiY2ItNDE2NzA1ZWFkMDk1IC9ib290ICAgICAgICAgICAgICAgICAgIHhmcyAg ICAgZGVmYXVsdHMgICAgICAgIDAgMApVVUlEPWQ1MDUxMTNjLWRhYTYtNGMxNy04 YjAzLWIzNTUxY2VkMjMwNSBzd2FwICAgICAgICAgICAgICAgICAgICBzd2FwICAg IGRlZmF1bHRzICAgICAgICAwIDAK
再以base64格式进行解码。
[root@xuexi tmp]# openssl enc -a -d -in test_base64.txt # # /etc/fstab # Created by anaconda on Thu May 11 04:17:44 2017# # Accessible filesystems, by reference, are maintained under '/dev/disk'# See man pages fstab(5), findfs(8), mount(8) and/or blkid(8) for more info# UUID=b2a70faf-aea4-4d8e-8be8-c7109ac9c8b8 / xfs defaults 0 0UUID=367d6a77-033b-4037-bbcb-416705ead095 /boot xfs defaults 0 0UUID=d505113c-daa6-4c17-8b03-b3551ced2305 swap swap defaults 0 0
实际上,上述编码和解码的过程严格地说也是对称加密和解密,因为openssl enc默认会带上加密选项"-e",只不过因为没有指定输入密码选项,使用的加密密码为空而已,且单向加密算法使用的也是默认值。解密时也一样。
(2).测试使用des3对称加密算法加密test.txt文件。
[root@xuexi tmp]# openssl enc -a -des3 -in test.txt -out test.1 -pass pass:123456 -md md5
加密后,查看加密后文件test.1的结果。
[root@xuexi tmp]# cat test.1U2FsdGVkX1+c/d4NsXnY6Pd7rcZjGSsMRJWQOP0s5sxH6aLE5iCYjKEAbGac//iRwkUUh6a57OpUA3+OOCKB4z+IxBcKo67BUDGR9vYeCfkobH9F+mSfVzZbXBrJmxwf 921tJ+8K+yKB6DjJfufpW+DWXmH8MFyvK60wnYHsfUQOp81EvaUtEfqEKIS8hgg7 4NTOyww+/VMDdc2wmkf08XNQUPlVtLaSx3vuBisxRdu8raiKWGGOB7qCwELCxDqu NaRCIh0VjjffGohAOMMsAQ2kFCDUKx0Z4Df5fvifhPXoHfsj2lI216BPG5Cy88K2 KV78DoBm4pnMAymo/HRRF95LjvWYZIN88hIVN67u2j9zqSGeuyJakMyDVhYYmrHl sMr2YTbTwus2DiO6qAzt/0a9nocTVKfGR81Xsh0a0ZudjtrMl5H36YJawpldvUCa DzXPsbpQrp0VGi2HvJ4EVKKEx2uh8XYWmJ4ytj1s1wtCR6wQhmERtInGwULWTyI+agXStSB5XzsvAJRJvexsaNycj5lAoQ8O6YXEj7B0inB7nBQTFbwkXyvJqXpr1179 i67leYc59OvlhRMA+GLW4g/Mg5dN5SBmgt1ChOJs4887zAUyLYrLvR4zDK6IQN/M P6F15c9V+m9pw2t32sUQQmYrYqOV/AQf0t0EwvA0Myjmfqtvmp555Q==
解密文件test.1。
[root@xuexi tmp]# openssl enc -a -des3 -d -in test.1 -out test.2 -pass pass:123456 -md md5 [root@xuexi tmp]# cat test.2 # # /etc/fstab # Created by anaconda on Thu May 11 04:17:44 2017# # Accessible filesystems, by reference, are maintained under '/dev/disk'# See man pages fstab(5), findfs(8), mount(8) and/or blkid(8) for more info# UUID=b2a70faf-aea4-4d8e-8be8-c7109ac9c8b8 / xfs defaults 0 0UUID=367d6a77-033b-4037-bbcb-416705ead095 /boot xfs defaults 0 0UUID=d505113c-daa6-4c17-8b03-b3551ced2305 swap swap defaults 0 0
(3).加密时带上点盐salt。其实不写时默认就已经加入了,只不过是加入随机盐值。使用-S可以指定明确要使用的盐的值。但是盐的值只能是16进制范围内字符的组合,即"0-9a-fA-F"的任意一个或多个组合。
[root@xuexi tmp]# openssl enc -a -des3 -S 'Fabc' -in test.txt -out test.1 -pass pass:123456 -md md5
解密。解密时不用指定salt值,即使指定了也不会影响解密结果。
[root@xuexi tmp]# openssl enc -a -des3 -d -in test.1 -pass pass:123456 -md md5 # # /etc/fstab # Created by anaconda on Thu May 11 04:17:44 2017# # Accessible filesystems, by reference, are maintained under '/dev/disk'# See man pages fstab(5), findfs(8), mount(8) and/or blkid(8) for more info# UUID=b2a70faf-aea4-4d8e-8be8-c7109ac9c8b8 / xfs defaults 0 0UUID=367d6a77-033b-4037-bbcb-416705ead095 /boot xfs defaults 0 0UUID=d505113c-daa6-4c17-8b03-b3551ced2305 swap swap defaults 0 0
[root@xuexi tmp]# openssl enc -a -des3 -d -S 'Fabcxdasd' -in test.1 -pass pass:123456 -md md5 # # /etc/fstab # Created by anaconda on Thu May 11 04:17:44 2017# # Accessible filesystems, by reference, are maintained under '/dev/disk'# See man pages fstab(5), findfs(8), mount(8) and/or blkid(8) for more info# UUID=b2a70faf-aea4-4d8e-8be8-c7109ac9c8b8 / xfs defaults 0 0UUID=367d6a77-033b-4037-bbcb-416705ead095 /boot xfs defaults 0 0UUID=d505113c-daa6-4c17-8b03-b3551ced2305 swap swap defaults 0 0
(4).在测试下"-p"和"-P"选项的输出功能。小写字母p不仅输出密钥算法结果,还输出加解密的内容,而大写字母P则只输出密钥算法结果。
加密时的情况。
[root@xuexi tmp]# openssl enc -a -des3 -S 'Fabc' -in test.txt -out test.1 -pass pass:123456 -md md5 -psalt=FABC000000000000 key=885FC58E6C822AEFC8032B4B98FA0355F8482BD654739F3D iv =5128FDED01EE1499
其中key就是单向加密明文密码后得到的对称密钥,iv是密码运算时使用的向量值。
再看解密时的情况,此处加上了salt。
[root@xuexi tmp]# openssl enc -a -des3 -d -S 'Fabc' -in test.1 -pass pass:123456 -md md5 -Psalt=FABC000000000000 key=885FC58E6C822AEFC8032B4B98FA0355F8482BD654739F3D iv =5128FDED01EE1499
若解密时不指定salt,或者随意指定salt,结果如下。
[root@xuexi tmp]# openssl enc -a -des3 -d -in test.1 -pass pass:123456 -md md5 -P salt=FABC000000000000 key=885FC58E6C822AEFC8032B4B98FA0355F8482BD654739F3D iv =5128FDED01EE1499
[root@xuexi tmp]# openssl enc -a -des3 -S 'FabM' -d -in test.1 -pass pass:123456 -md md5 -Psalt=FABC000000000000 key=885FC58E6C822AEFC8032B4B98FA0355F8482BD654739F3D iv =5128FDED01EE1499
可见,解密时,只要指定和加密时相同编码格式和单向加密算法,密钥的结果就是一样的,且解密时明确指定salt是无意义的,因为它可以读取到加密时使用的salt。
甚至,解密时指定不同的对称加密算法,密钥结果也是一样的。
[root@xuexi tmp]# openssl enc -a -desx -d -in test.1 -pass pass:123456 -md md5 -p salt=FABC000000000000 key=885FC58E6C822AEFC8032B4B98FA0355F8482BD654739F3D iv =5128FDED01EE1499
由此,能推理出对称加密时使用的对称密钥和对称算法是毫无关系的。
The above is the detailed content of What is symmetric encryption?. For more information, please follow other related articles on the PHP Chinese website!
Hot AI Tools
Undresser.AI Undress
AI-powered app for creating realistic nude photos
AI Clothes Remover
Online AI tool for removing clothes from photos.
Undress AI Tool
Undress images for free
Clothoff.io
AI clothes remover
Video Face Swap
Swap faces in any video effortlessly with our completely free AI face swap tool!
Hot Article
Hot Tools
Notepad++7.3.1
Easy-to-use and free code editor
SublimeText3 Chinese version
Chinese version, very easy to use
Zend Studio 13.0.1
Powerful PHP integrated development environment
Dreamweaver CS6
Visual web development tools
SublimeText3 Mac version
God-level code editing software (SublimeText3)
Hot Topics
1670
14
1428
52
1329
25
1274
29
1256
24
Enable 256-bit Bitlocker encryption on Windows 11 for increased security
Nov 26, 2023 am 11:21 AM
Bitlocker is the default encryption technology for Windows operating systems. It is widely used on Windows, but some users prefer third-party solutions such as VeraCrypt. What many users of Bitlocker don't know is that it defaults to 128-bit encryption, even though 256-bit is available. Without going into too much detail about the differences; the core difference between AES 128-bit and 256-bit encryption is the length of the security key. Longer keys make brute force attacks more difficult. While the default is 128-bit, even Microsoft recommends 256-bit for better security. The problem is, most users probably don't know about the weaker defaults or how to change them. First, you might want to know W
Win11 encrypted dns detailed tutorial
Dec 25, 2023 am 10:13 AM
Microsoft previously provided dns encryption services for win11, but many users do not know how to use win11 encrypted dns. In fact, we only need to open the dns settings under network settings. Detailed tutorial on win11 encrypted dns: 1. First enter the disk and find the folder you want to encrypt. 2. Then open "Ethernet" on the right 3. Then find the DNS server allocation below and click "Edit" 4. After changing "Auto (DHCP)" to "Manual", open "IPv4" below 5. After turning it on, enter "8.8.8.8" in the preferred DNS 6. Then change the preferred DNS encryption to "Encryption only (DNS over HTTPS)" 7. After the changes are completed, click "Save" and you will find
Does Win10 Home Edition support folder encryption?
Jan 09, 2024 am 08:58 AM
File encryption aims to implement professional-level encryption of data to more effectively ensure data security! Only by mastering the correct encryption key can the decryption operation be performed, ensuring the security of information assets. However, the file encryption function of Win10 Home Edition does not yet have this feature. Can Win10 Home Edition encrypt folders? Answer: Win10 Home Edition cannot encrypt folders. Tutorial on encrypting files in Windows system 1. Right-click on the file or folder you want to encrypt (or press and hold for a while), and then select the "Properties" function. 2. In the new expanded interface, look for the "Advanced" option. After clicking to enter, remember to check the "Encrypt content to protect data" option located below. 3. After the setting is completed, click "OK" to
How to generate a MySQL SSL certificate using OpenSSL
Sep 09, 2023 pm 02:12 PM
Introduction to how to use OpenSSL to generate a MySQL SSL certificate: MySQL is a widely used relational database system. It is very important to use the SSL (SecureSocketsLayer) protocol for encrypted communication in actual production environments. This article will introduce how to use the OpenSSL tool to generate a MySQL SSL certificate and provide corresponding code examples. Steps: Install OpenSSL: First, make sure you have OpenSSL installed on your computer
How to encrypt the compressed package in winrar-winrar encrypted compressed package method
Mar 23, 2024 pm 12:10 PM
The editor will introduce to you three methods of encryption and compression: Method 1: Encryption The simplest encryption method is to enter the password you want to set when encrypting the file, and the encryption and compression are completed. Method 2: Automatic encryption Ordinary encryption method requires us to enter a password when encrypting each file. If you want to encrypt a large number of compressed packages and the passwords are the same, then we can set automatic encryption in WinRAR, and then just When compressing files normally, WinRAR will add a password to each compressed package. The method is as follows: Open WinRAR, click Options-Settings in the setting interface, switch to [Compression], click Create Default Configuration-Set Password Enter the password we want to set here, click OK to complete the setting, we only need to correct
How to set a password for folder encryption without compression
Feb 20, 2024 pm 03:27 PM
Folder encryption is a common data protection method that encrypts the contents of a folder so that only those who have the decryption password can access the files. When encrypting a folder, there are some common ways to set a password without compressing the file. First, we can use the encryption function that comes with the operating system to set a folder password. For Windows users, you can set it up by following the following steps: Select the folder to be encrypted, right-click the folder, and select "Properties"
OpenBLAS installation under CentOS 7 and CentOS 7 OpenSSL installation
Feb 10, 2024 am 11:45 AM
As an open source operating system, LINUX has a wide range of applications and user groups. CentOS7 is a branch version of LINUX. It is built based on the RedHat Enterprise Linux (RHEL) source code and has a high degree of stability and security. It can be installed and configured on CentOS7 OpenBLAS and OpenSSL are common needs of many developers and system administrators. This article will detail how to install and configure OpenBLAS and OpenSSL on CentOS7. OpenBLAS is an open source high-performance mathematics library based on the BLAS (BasicLinearAlgebraSubprograms) interface.
Common network communication and security problems and solutions in C#
Oct 09, 2023 pm 09:21 PM
Common network communication and security problems and solutions in C# In today's Internet era, network communication has become an indispensable part of software development. In C#, we usually encounter some network communication problems, such as data transmission security, network connection stability, etc. This article will discuss in detail common network communication and security issues in C# and provide corresponding solutions and code examples. 1. Network communication problems Network connection interruption: During the network communication process, the network connection may be interrupted, which may cause
