安全系列之——數據傳輸的完整性、私密性、源認證、不可否認性

{"type":"doc","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"網絡通訊過程中,爲了保證信息安全,需要考慮多方面的因素。比較重要的幾個關鍵點:"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"bulletedlist","content":[{"type":"listitem","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"完整性(Integrity):確保信息在傳輸過程中,沒有被篡改。"}]}]},{"type":"listitem","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"私密性(Confidentiality):也就是通過加密,確保只有可信的實體可以看到這些信息。"}]}]},{"type":"listitem","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"源認證(Authenticity):確保是可信的源發送了這些信息,而不是僞裝源發送的消息。"}]}]},{"type":"listitem","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"不可否認性(Nonrepudiation):不能事後否認發送過這條信息。"}]}]}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"這一期就從數據傳輸的完整性、私密性、源認證、不可否認性四個方面說明信息安全。具體的代碼在前幾期的【安全系列】中已經講過來,這裏主從實際的場景談談如何使用"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"heading","attrs":{"align":null,"level":2},"content":[{"type":"text","text":"一、優雅的發送文件"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"在之前的文章中關於散列函數,有過專門的介紹,可以參考。散列函數的主要任務就是驗證數據的完整性。通過散列函數計算得到的結果叫做散列值,這個散列值也常常稱爲數據的指紋(Fingerprint)。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"指紋在實際生活中用處很多,比如在刑偵案件的處理時,將犯罪現場的指紋到指紋庫中比對,指紋庫中的指紋可能是我們辦理身份證時公安局採集的,如果指紋一樣,則說明指紋庫中的這個人就是犯罪現場的這個人。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/50/50fd64c0e9b3e863ced2cd690e1a2309.png","alt":null,"title":"","style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":"","fromPaste":false,"pastePass":false}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"在網上下載文件時,也可以使用這種技術。比如之前文章介紹的在mysql官網下載mysql的軟件包。mysql官方將軟件包上傳到官網時,同時會使用相應的hash散列函數(比如MD5)生成相應散列值,並將散列值也放在官網上。當一個用戶到官網下載mysql軟件包後,也會使用相同的hash算法對下載的文件生成散列值,通過比較官網的散列值和生成的散列值,就可以確認是不是相同的文件了。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/ff/ff48d3d4e5cd13e93b330e938592a669.png","alt":null,"title":"","style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":"","fromPaste":false,"pastePass":false}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"同時,在網上發文件給其他人時,也可以使用這種技術。用戶A要給用戶B發一個文件,可以將文件和文件的散列值一起發給對方,對方收到後,使用相同的散列函數生成新的散列值,並和收到的散列值進行比較,確定文件是否發生變化。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/66/66e19041a06d866fc1e460ab0dee433a.png","alt":null,"title":null,"style":null,"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"在上面的介紹中,雖然可以保證文件或信息在網絡傳輸中的完整性,但是信息被人劫持後,會泄露敏感信息,也就是沒有加密解密。關於加密解密,之前的文章中已經說過如何做對稱加密和非對稱加密,可以自行查看。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"比如在網上發送機密文件時,可以使用對稱加密將文件加密後,發送給對方;對方收到文件後可以使用相同的祕鑰解密文件。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/c0/c0977c18a70d3fd4c04126efaf001da8.png","alt":null,"title":null,"style":null,"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"對稱加密解密常用的是AES算法和DES算法,AES更安全。對稱加密的優點是,加解密速度快,發送大文件時體驗更好。但是由於加密解密使用的是同一把祕鑰,如何將祕鑰安全的發送給對方是一個問題。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"這時可以考慮使用非對稱加密,用戶A可以通過網絡獲取用戶B的公鑰,公鑰的網絡傳輸不會有問題,這樣就可以解決對稱加密的祕鑰共享問題。至於爲什麼使用公鑰加密參考之前的文章。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/cc/ccc96bbf9f283a6b937628e843c8f1b5.png","alt":null,"title":null,"style":null,"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"非對稱加密雖然解決了祕鑰共享問題,但是非對稱加密解密的速度要低於對稱加密解密的速度,那麼如何解決大文件發送的體驗問題呢?"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"一個優雅的解決方案就是,加密文件時使用對稱加密,祕鑰使用生成的隨機數;然後使用B的公鑰對隨機數做非對稱加密。然後將對稱加密的文件和非對稱加密的隨機數祕鑰發給用戶B。用戶B收到後,先使用自己的私鑰非對稱解密獲得隨機數,然後在使用隨機數和對稱解密算法,解密文件。這樣既可以保證祕鑰的傳輸,也可以保證解密的速度。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/8e/8e41fd581c6bcaf6472f4923071e7878.png","alt":null,"title":null,"style":null,"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":" ## 二、優雅的發送報文"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"在網絡通訊中,更多時候,通訊雙方會通過文字進行交流。和發送文件一樣,也需要保證通訊的安全。爲了更好的理解這裏的內容,牆裂建議先看一下之前的文章《安全系列之——RSA的公鑰私鑰有多少人能分的清楚?RSA的簽名驗籤與加密解密如何使用公私鑰?》。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"比如用戶A需要通過網絡,將自己的用戶名、銀行賬號、密碼發送給用戶B,"},{"type":"text","marks":[{"type":"strong"}],"text":"用戶A爲了自己安全"},{"type":"text","text":",保證賬號密碼不泄露,發送的數據只能B看到,即使信息被劫持別人也看不到,用戶A就需要使用用戶B的公鑰對發送的部分數據或整個報文加密,用戶B收到信息後,使用自己的私鑰解密,這樣就安全了。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/d3/d341746b4724c7c77b5d8711408d8b74.png","alt":null,"title":null,"style":null,"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"上面是站在用戶A的角度考慮安全性。如果"},{"type":"text","marks":[{"type":"strong"}],"text":"用戶B爲了自己的安全"},{"type":"text","text":",防止有人惡意的調用自己的接口,只能讓合法的用戶調用,那麼用戶B就要求調用方使用自己的私鑰做簽名,然後用戶B使用對方的公鑰驗籤,驗籤通過,就相當於源認證成功,而且用戶A還不能否認自己沒有發送過信息。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/ed/ed94586fb13706e91f0510c1cf85aef1.png","alt":null,"title":null,"style":null,"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"這裏可以看到,簽名使用的是A的私鑰,加密使用的是B的公鑰。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"如果同時保證AB雙方的安全,A要求B解密,B要求A簽名,可以將上面的兩種方式結合起來。下面這個圖也是一個優雅的解決方案。用戶A給用戶B發信息,A使用B的公鑰加密可以保證數據只能被B解密;加密後的數據使用消息摘要技術計算散列值,然後使用A的私鑰簽名,這樣B既可以做驗籤,也可以保證數據的完整性。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/8d/8d6de9bed1b9eefbbeca283d955ec852.png","alt":null,"title":null,"style":null,"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"這種方式在實際的網絡通訊中應用非常廣泛。比如對接支付寶、微信等各大開發平臺時,都會有相關的簽名驗籤、加密解密。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"雖然這是一個完美的解決方案,就沒有缺點了嗎?"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"當然有,隨着通訊的人數增多,祕鑰也會急劇增加,祕鑰如何管理也是一個問題。同時,使用非對稱加密算法,雖然被調用方驗籤通過,說這個請求是一個合法的用戶發送的請求,但是這個用戶是誰依然不知道,只能知道這個用戶是私鑰的持有者。關於這問題的進一步說明還需要引入數字證書,CA等相關機制,以後有時間再詳細說明這個問題。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"關注公衆號,輸入“"},{"type":"text","marks":[{"type":"strong"}],"text":"java-summary"},{"type":"text","text":"”即可獲得源碼。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"完成,收工!"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/77/77e2a53cabfaaac7d98ee0a860144e29.gif","alt":null,"title":"","style":[{"key":"width","value":"50%"},{"key":"bordertype","value":"none"}],"href":"","fromPaste":false,"pastePass":false}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"【"},{"type":"text","marks":[{"type":"strong"}],"text":"傳播知識,共享價值"},{"type":"text","text":"】,感謝小夥伴們的關注和支持,我是【"},{"type":"text","marks":[{"type":"strong"}],"text":"諸葛小猿"},{"type":"text","text":"】,一個彷徨中奮鬥的互聯網民工。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/6a/6acafea3f4c9b96373b3f566ec7078e2.png","alt":null,"title":null,"style":null,"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}}]}
發表評論
所有評論
還沒有人評論,想成為第一個評論的人麼? 請在上方評論欄輸入並且點擊發布.
相關文章