Using the encryption method of a single-key cryptosystem, the same key can be used for encryption and decryption of information at the same time. This encryption method is called symmetric encryption, also known as single-key encryption.
Table of contents
1 Definition
2 Working process
3 Commonly used algorithms
4 Advantages and disadvantages
Definition
An encryption algorithm that requires the use of the same key for encryption and decryption. Due to its speed, symmetric encryption is often used when the sender of a message needs to encrypt large amounts of data. Symmetric encryption is also called key encryption.
The so-called symmetry means that both parties using this encryption method use the same key to encrypt and decrypt. Keys are instructions that control the encryption and decryption process. An algorithm is a set of rules that dictate how encryption and decryption are performed.
Therefore[1] The security of encryption not only depends on the encryption algorithm itself, but the security of key management is even more important. Because the same key is used for encryption and decryption, how to safely transfer the key to the decryptor becomes a problem that must be solved.
Working process
The following is an example to briefly explain the working process of symmetric encryption. A and B are business partners who live in different cities. Due to business needs, they often mailed important goods to each other. In order to ensure the safety of the goods, they agreed to make a safe box and put the items in it. They created two identical keys and kept them separately so that they could use the key to open the safe when receiving the package and use the key to lock the safe before mailing the goods.
The above is a traditional way to safely deliver important resources to the destination. As long as A and B keep the key carefully, even if someone gets the safe, they will not be able to open it. This idea is used in information encryption for modern computer communications. In symmetric encryption, the data sender processes the plaintext (original data) and the encryption key together with a special encryption algorithm, turning it into a complex encrypted ciphertext and sending it out. After the receiver receives the ciphertext, if it wants to decipher the original text, it needs to use the encryption key and the inverse algorithm of the same algorithm to decrypt the ciphertext in order to restore it to readable plaintext. In a symmetric encryption algorithm, only one key is used, and both the sender and the receiver use this key to encrypt and decrypt data.
openssl enc -ciphername [-in filename] [-out filename] [-pass arg] [-e] [-d] [-a/-base64] [-k password] [- S salt] [-salt] [-md] [-p/-P]
Option description:
-ciphername: Specify the symmetric encryption algorithm (such as des3), which can be directly independent of enc Use, like openssl des3 or openssl enc -des3. It is recommended to use it after enc, so that it does not depend on the hardware.
-in filename: input file, the default is stdin if not specified
-out filename: output file, the default is stdout# if not specified
##-e: Encrypt the input file. If not specified, this option will be used by default. -d: Decrypt the input file. Decryption will only be performed if this option is explicitly specified. -pass: Pass the plaintext password for encryption and decryption. If the public key or private key file used when verifying the signature is encrypted, the password needs to be passed for decryption. For the password format, see "openssl password format"
-k : has been replaced by "-pass" and is still retained for compatibility with older versions of openssl-base64: Base64 encoding or decryption after encryption and before decryption. If not specified, the default is binary. Note that encoding is not part of encryption and decryption, but the "organizing" of the data format before and after encryption and decryption -a: Equivalent to -base64-salt: Use salt for one-way encryption Complicates the results of one-way encryption. This is the default option and uses a random salt value. -S salt: Do not use a random salt value, but a custom salt value, but it can only be in the hexadecimal range. A combination of characters, that is, any one or more combinations of "0-9a-fA-F"-p: Print the salt value, key value and IV initialization vector value during encryption and decryption (also complex encryption) A way), the decryption result is also output when decrypting, see the example below-P: has the same effect as the -p option, but exits the tool directly when printing, without performing encryption or decryption operations-md: Specify one-way encryption algorithm, default md5. This algorithm is used to encrypt the key part, see the analysis below. The supported one-way encryption algorithms are:-md4 to use the md4 message digest algorithm-md5 to use the md5 message digest algorithm-ripemd160 to use the ripemd160 message digest algorithm-sha to use the sha message digest algorithm-sha1 to use the sha1 message digest algorithm-sha224 to use the sha224 message digest algorithm-sha256 to use the sha256 message digest algorithm-sha384 to use the sha384 message digest algorithm-sha512 to use the sha512 message digest algorithm-whirlpool to use the whirlpool message digest algorithmThe supported symmetric encryption algorithms are:
-aes-128-cbc -aes-128-cbc-hmac-sha1 -aes-128-cfb -aes-128-cfb1 -aes-128-cfb8 -aes-128-ctr -aes-128-ecb -aes-128-gcm -aes-128-ofb -aes-128-xts -aes-192-cbc -aes-192-cfb -aes-192-cfb1 -aes-192-cfb8 -aes-192-ctr -aes-192-ecb -aes-192-gcm -aes-192-ofb -aes-256-cbc -aes-256-cbc-hmac-sha1 -aes-256-cfb -aes-256-cfb1 -aes-256-cfb8 -aes-256-ctr -aes-256-ecb -aes-256-gcm -aes-256-ofb -aes-256-xts -aes128 -aes192 -aes256 -bf -bf-cbc -bf-cfb -bf-ecb -bf-ofb -blowfish -camellia-128-cbc -camellia-128-cfb -camellia-128-cfb1 -camellia-128-cfb8 -camellia-128-ecb -camellia-128-ofb -camellia-192-cbc -camellia-192-cfb -camellia-192-cfb1 -camellia-192-cfb8 -camellia-192-ecb -camellia-192-ofb -camellia-256-cbc -camellia-256-cfb -camellia-256-cfb1 -camellia-256-cfb8 -camellia-256-ecb -camellia-256-ofb -camellia128 -camellia192 -camellia256 -cast -cast-cbc -cast5-cbc -cast5-cfb -cast5-ecb -cast5-ofb -des -des-cbc -des-cfb -des-cfb1 -des-cfb8 -des-ecb -des-ede -des-ede-cbc -des-ede-cfb -des-ede-ofb -des-ede3 -des-ede3-cbc -des-ede3-cfb -des-ede3-cfb1 -des-ede3-cfb8 -des-ede3-ofb -des-ofb -des3 -desx -desx-cbc -id-aes128-GCM -id-aes128-wrap -id-aes128-wrap-pad -id-aes192-GCM -id-aes192-wrap -id-aes192-wrap-pad -id-aes256-GCM -id-aes256-wrap -id-aes256-wrap-pad -id-smime-alg-CMS3DESwrap -idea -idea-cbc -idea-cfb -idea-ecb -idea-ofb -rc2 -rc2-40-cbc -rc2-64-cbc -rc2-cbc -rc2-cfb -rc2-ecb -rc2-ofb -rc4 -rc4-40 -rc4-hmac-md5 -seed -seed-cbc -seed-cfb -seed-ecb -seed-ofb
在给出openssl enc命令用法示例之前,先解释下对称加密和解密的原理和过程。
对称加解密时,它们使用的密码是完全相同的,例如"123456",但这是密码,且是明文密码,非常不安全,所以应该对此简单密码进行复杂化。最直接的方法是使用单向加密计算出明文密码的hash值,单向加密后新生成的密码已经比较安全(称之为密钥比较好),可以作为对称加密时的对称密钥。另外,由于同一单向加密算法对相同明文密码的计算结果是完全一致的,这样解密时使用相同的单向加密算法就能计算出完全相同的密钥,也就是解密时的对称密钥。如果想要更安全,还可以在对称加密后对加密文件进行重新编码,如使用"base64"、二进制或hex编码方式进行编码,但对应的在解密前就需要先解码,解码后才能解密。
所以,将对称加、解密的机制简单概括如下:
对称加密机制:根据指定的单向加密算法,对输入的明文密码进行单向加密(默认是md5),得到固定长度的加密密钥,即对称密钥,再根据指定的对称加密算法,使用对称密钥加密文件,最后重新编码加密后的文件。即单向加密明文密码结果作为对称密钥、使用对称密钥加密文件、对文件重新编码。
对称解密机制:先解码文件,再根据单向加密算法对解密时输入的明文密码计算得到对称密钥,依此对称密钥对称解密解码后的文件。
因此,解密过程中使用的解码方式、单向加密和对称加密算法都必须一致,且输入的密码必须是正确密码。但需要注意的一点是,解密时可以不指定salt,因为加密时使用的salt会记录下来,解密时可以读取该salt。
如下图所示,分别是加密和解密过程示意图。
示例:
以加密/etc/fstab的备份文件/tmp/test.txt为例。
(1).首先测试openssl enc的编码功能。由于未指定密码选项"-k"或"-pass",所以仅仅只进行编码而不进行加密,因此也不会提示输入密码。
[root@xuexi tmp]# openssl enc -a -in test.txt -out test_base64.txt [root@xuexi tmp]# cat test_base64.txt CiMKIyAvZXRjL2ZzdGFiCiMgQ3JlYXRlZCBieSBhbmFjb25kYSBvbiBUaHUgTWF5 IDExIDA0OjE3OjQ0IDIwMTcKIwojIEFjY2Vzc2libGUgZmlsZXN5c3RlbXMsIGJ5 IHJlZmVyZW5jZSwgYXJlIG1haW50YWluZWQgdW5kZXIgJy9kZXYvZGlzaycKIyBT ZWUgbWFuIHBhZ2VzIGZzdGFiKDUpLCBmaW5kZnMoOCksIG1vdW50KDgpIGFuZC9v ciBibGtpZCg4KSBmb3IgbW9yZSBpbmZvCiMKVVVJRD1iMmE3MGZhZi1hZWE0LTRk OGUtOGJlOC1jNzEwOWFjOWM4YjggLyAgICAgICAgICAgICAgICAgICAgICAgeGZz ICAgICBkZWZhdWx0cyAgICAgICAgMCAwClVVSUQ9MzY3ZDZhNzctMDMzYi00MDM3 LWJiY2ItNDE2NzA1ZWFkMDk1IC9ib290ICAgICAgICAgICAgICAgICAgIHhmcyAg ICAgZGVmYXVsdHMgICAgICAgIDAgMApVVUlEPWQ1MDUxMTNjLWRhYTYtNGMxNy04 YjAzLWIzNTUxY2VkMjMwNSBzd2FwICAgICAgICAgICAgICAgICAgICBzd2FwICAg IGRlZmF1bHRzICAgICAgICAwIDAK
再以base64格式进行解码。
[root@xuexi tmp]# openssl enc -a -d -in test_base64.txt # # /etc/fstab # Created by anaconda on Thu May 11 04:17:44 2017# # Accessible filesystems, by reference, are maintained under '/dev/disk'# See man pages fstab(5), findfs(8), mount(8) and/or blkid(8) for more info# UUID=b2a70faf-aea4-4d8e-8be8-c7109ac9c8b8 / xfs defaults 0 0UUID=367d6a77-033b-4037-bbcb-416705ead095 /boot xfs defaults 0 0UUID=d505113c-daa6-4c17-8b03-b3551ced2305 swap swap defaults 0 0
实际上,上述编码和解码的过程严格地说也是对称加密和解密,因为openssl enc默认会带上加密选项"-e",只不过因为没有指定输入密码选项,使用的加密密码为空而已,且单向加密算法使用的也是默认值。解密时也一样。
(2).测试使用des3对称加密算法加密test.txt文件。
[root@xuexi tmp]# openssl enc -a -des3 -in test.txt -out test.1 -pass pass:123456 -md md5
加密后,查看加密后文件test.1的结果。
[root@xuexi tmp]# cat test.1U2FsdGVkX1+c/d4NsXnY6Pd7rcZjGSsMRJWQOP0s5sxH6aLE5iCYjKEAbGac//iRwkUUh6a57OpUA3+OOCKB4z+IxBcKo67BUDGR9vYeCfkobH9F+mSfVzZbXBrJmxwf 921tJ+8K+yKB6DjJfufpW+DWXmH8MFyvK60wnYHsfUQOp81EvaUtEfqEKIS8hgg7 4NTOyww+/VMDdc2wmkf08XNQUPlVtLaSx3vuBisxRdu8raiKWGGOB7qCwELCxDqu NaRCIh0VjjffGohAOMMsAQ2kFCDUKx0Z4Df5fvifhPXoHfsj2lI216BPG5Cy88K2 KV78DoBm4pnMAymo/HRRF95LjvWYZIN88hIVN67u2j9zqSGeuyJakMyDVhYYmrHl sMr2YTbTwus2DiO6qAzt/0a9nocTVKfGR81Xsh0a0ZudjtrMl5H36YJawpldvUCa DzXPsbpQrp0VGi2HvJ4EVKKEx2uh8XYWmJ4ytj1s1wtCR6wQhmERtInGwULWTyI+agXStSB5XzsvAJRJvexsaNycj5lAoQ8O6YXEj7B0inB7nBQTFbwkXyvJqXpr1179 i67leYc59OvlhRMA+GLW4g/Mg5dN5SBmgt1ChOJs4887zAUyLYrLvR4zDK6IQN/M P6F15c9V+m9pw2t32sUQQmYrYqOV/AQf0t0EwvA0Myjmfqtvmp555Q==
解密文件test.1。
[root@xuexi tmp]# openssl enc -a -des3 -d -in test.1 -out test.2 -pass pass:123456 -md md5 [root@xuexi tmp]# cat test.2 # # /etc/fstab # Created by anaconda on Thu May 11 04:17:44 2017# # Accessible filesystems, by reference, are maintained under '/dev/disk'# See man pages fstab(5), findfs(8), mount(8) and/or blkid(8) for more info# UUID=b2a70faf-aea4-4d8e-8be8-c7109ac9c8b8 / xfs defaults 0 0UUID=367d6a77-033b-4037-bbcb-416705ead095 /boot xfs defaults 0 0UUID=d505113c-daa6-4c17-8b03-b3551ced2305 swap swap defaults 0 0
(3).加密时带上点盐salt。其实不写时默认就已经加入了,只不过是加入随机盐值。使用-S可以指定明确要使用的盐的值。但是盐的值只能是16进制范围内字符的组合,即"0-9a-fA-F"的任意一个或多个组合。
[root@xuexi tmp]# openssl enc -a -des3 -S 'Fabc' -in test.txt -out test.1 -pass pass:123456 -md md5
解密。解密时不用指定salt值,即使指定了也不会影响解密结果。
[root@xuexi tmp]# openssl enc -a -des3 -d -in test.1 -pass pass:123456 -md md5 # # /etc/fstab # Created by anaconda on Thu May 11 04:17:44 2017# # Accessible filesystems, by reference, are maintained under '/dev/disk'# See man pages fstab(5), findfs(8), mount(8) and/or blkid(8) for more info# UUID=b2a70faf-aea4-4d8e-8be8-c7109ac9c8b8 / xfs defaults 0 0UUID=367d6a77-033b-4037-bbcb-416705ead095 /boot xfs defaults 0 0UUID=d505113c-daa6-4c17-8b03-b3551ced2305 swap swap defaults 0 0
[root@xuexi tmp]# openssl enc -a -des3 -d -S 'Fabcxdasd' -in test.1 -pass pass:123456 -md md5 # # /etc/fstab # Created by anaconda on Thu May 11 04:17:44 2017# # Accessible filesystems, by reference, are maintained under '/dev/disk'# See man pages fstab(5), findfs(8), mount(8) and/or blkid(8) for more info# UUID=b2a70faf-aea4-4d8e-8be8-c7109ac9c8b8 / xfs defaults 0 0UUID=367d6a77-033b-4037-bbcb-416705ead095 /boot xfs defaults 0 0UUID=d505113c-daa6-4c17-8b03-b3551ced2305 swap swap defaults 0 0
(4).在测试下"-p"和"-P"选项的输出功能。小写字母p不仅输出密钥算法结果,还输出加解密的内容,而大写字母P则只输出密钥算法结果。
加密时的情况。
[root@xuexi tmp]# openssl enc -a -des3 -S 'Fabc' -in test.txt -out test.1 -pass pass:123456 -md md5 -psalt=FABC000000000000 key=885FC58E6C822AEFC8032B4B98FA0355F8482BD654739F3D iv =5128FDED01EE1499
其中key就是单向加密明文密码后得到的对称密钥,iv是密码运算时使用的向量值。
再看解密时的情况,此处加上了salt。
[root@xuexi tmp]# openssl enc -a -des3 -d -S 'Fabc' -in test.1 -pass pass:123456 -md md5 -Psalt=FABC000000000000 key=885FC58E6C822AEFC8032B4B98FA0355F8482BD654739F3D iv =5128FDED01EE1499
若解密时不指定salt,或者随意指定salt,结果如下。
[root@xuexi tmp]# openssl enc -a -des3 -d -in test.1 -pass pass:123456 -md md5 -P salt=FABC000000000000 key=885FC58E6C822AEFC8032B4B98FA0355F8482BD654739F3D iv =5128FDED01EE1499
[root@xuexi tmp]# openssl enc -a -des3 -S 'FabM' -d -in test.1 -pass pass:123456 -md md5 -Psalt=FABC000000000000 key=885FC58E6C822AEFC8032B4B98FA0355F8482BD654739F3D iv =5128FDED01EE1499
可见,解密时,只要指定和加密时相同编码格式和单向加密算法,密钥的结果就是一样的,且解密时明确指定salt是无意义的,因为它可以读取到加密时使用的salt。
甚至,解密时指定不同的对称加密算法,密钥结果也是一样的。
[root@xuexi tmp]# openssl enc -a -desx -d -in test.1 -pass pass:123456 -md md5 -p salt=FABC000000000000 key=885FC58E6C822AEFC8032B4B98FA0355F8482BD654739F3D iv =5128FDED01EE1499
由此,能推理出对称加密时使用的对称密钥和对称算法是毫无关系的。
The above is the detailed content of What is symmetric encryption?. For more information, please follow other related articles on the PHP Chinese website!
Nginx如何使用OpenSSL库实现更安全的通信Jun 10, 2023 pm 01:51 PMNginx是一款广泛应用于Web服务器、负载均衡器、反向代理和缓存的软件。在网络传输过程中,数据的加密和安全性越来越受到关注。为了提高通信的安全性,可以使用OpenSSL库来实现SSL/TLS协议,从而保护敏感数据的传输。本文将讲解如何使用Nginx与OpenSSL库实现更安全的通信。安装与配置OpenSSL库首先,需要在服务器上安装OpenSSL库。可以使
Redis作为缓存数据库的数据压缩与加密方案Jun 21, 2023 am 08:48 AMRedis作为一款开源的内存缓存数据库,在应用开发中极度广泛。其强大、高效的性能优势,使得其成为了最常用的缓存数据库之一。然而,在某些特殊场景下,由于数据量过大或安全性需要,我们需要对Redis数据进行压缩和加密处理。本文将从Redis的数据压缩和加密两方面入手,探讨Redis作为缓存数据库在实际应用中的数据压缩与加密方案。一、Redis数据压缩方案Re
如何在 Windows 11 上加密文件和文件夹May 03, 2023 pm 06:46 PM在Windows11上加密文件和文件夹与WindowsBitLocker一样,EFS加密可用于加密您PC上最重要的文件。使用内置加密非常简单,而且触手可及。此外,由于EFS与您的用户帐户相关联,我们将向您展示如何将加密密钥备份到安全位置,这样您就永远不会失去对文件和文件夹的访问权限。注意:要使用EFS,您的PC必须运行Windows11专业版、企业版或教育版。EFS加密在Windows11家庭版上不可用。要加密充满文件的文件夹或单个文件,请使用以下步骤:
如何使用PHP ZipArchive实现对压缩包的文件内容加密和解密?Jul 21, 2023 pm 06:44 PM如何使用PHPZipArchive实现对压缩包的文件内容加密和解密?在进行文件传输或存储时,保护数据安全是非常重要的。使用密码对压缩包的文件内容进行加密和解密可以有效地避免数据泄漏的风险。PHP提供了一个名为ZipArchive的类,它可以用来创建和操作ZIP格式的压缩包。本文将介绍如何使用PHPZipArchive类实现对压缩包的文件内容加密和解密。创
如何使用 OpenSSL 生成 MySQL SSL 证书Sep 09, 2023 pm 02:12 PM如何使用OpenSSL生成MySQLSSL证书简介:MySQL是一种广泛应用的关系型数据库系统,在实际生产环境中使用SSL(SecureSocketsLayer)协议进行加密通信是非常重要的。本文将介绍如何使用OpenSSL工具生成MySQLSSL证书,并提供相应的代码示例。步骤:安装OpenSSL:首先,确保计算机上已安装O
CentOS 7下OpenBLAS安装及CentOS 7 OpenSSL安装Feb 10, 2024 am 11:45 AMLINUX作为一个开源操作系统,有着广泛的应用和用户群体,CentOS7是LINUX的一个分支版本,它是基于RedHatEnterpriseLinux(RHEL)源代码构建的,具有高度的稳定性和安全性,在CentOS7上安装和配置OpenBLAS和OpenSSL是许多开发者和系统管理员的常见需求,本文将详细介绍如何在CentOS7上安装和配置OpenBLAS和OpenSSL。OpenBLAS是一个开源的基于BLAS(BasicLinearAlgebraSubprograms)接口的高性能数学库,
PHP实现SHA加密技术Jun 18, 2023 pm 02:51 PMSHA(SecureHashAlgorithm)加密技术是一种常用的安全加密算法。在PHP开发中,SHA加密技术通常用于加密账户密码以及保护敏感数据。本文将介绍如何在PHP中实现SHA加密技术。SHA算法简介SHA算法是一种信息摘要算法,通常用于数据的完整性保护和身份验证。SHA算法的主要作用是将任意长度的消息转换为一个固定长度的消息摘要(即哈希值),通
windows10家庭版如何加密文件夹Jul 12, 2023 pm 08:33 PMwindows10家庭版如何加密文件夹呢,加密文件夹这个功能一般客户没有使用,但是如果想要设定的话也是可行的,首先在想要加密的文件夹中右键属性进到高级,然后选择缩小加密属性,加密内容维护数据,下面就是具体的windows10家庭版如何加密文件夹方式介绍,大家如果想要学会的话就接着往下看。windows10家庭版如何加密文件夹1.最先,先找到想要加密的文件夹,然后用鼠标右键文件夹,在弹出的菜单中选择底部的“属性”选项,点击查看;2.随后,将打开文件的属性窗口,点击窗口里的“高级”按键进到;3.接着
Hot AI Tools
Undresser.AI Undress
AI-powered app for creating realistic nude photos
AI Clothes Remover
Online AI tool for removing clothes from photos.
Undress AI Tool
Undress images for free
Clothoff.io
AI clothes remover
AI Hentai Generator
Generate AI Hentai for free.
Hot Article
Hot Tools
Safe Exam Browser
Safe Exam Browser is a secure browser environment for taking online exams securely. This software turns any computer into a secure workstation. It controls access to any utility and prevents students from using unauthorized resources.
SublimeText3 Linux new version
SublimeText3 Linux latest version
VSCode Windows 64-bit Download
A free and powerful IDE editor launched by Microsoft
Atom editor mac version download
The most popular open source editor
SublimeText3 Mac version
God-level code editing software (SublimeText3)
