Differences between Hash functions, Symmetric & Asymmetric Algorithms

https://www.cryptomathic.com/news-events/blog/differences-between-hash-functions-symmetric-asymmetric-algorithms

Cryptographic algorithms can be categorized into three classes: Hash functions, Symmetric and Asymmetric algorithms. This article sheds light on their differences, purpose and main fields of application.


1. Security Services

A lot of security services such as confidentiality, integrity, authentication, and non-repudiation can be provided by using cryptographic algorithms.

1.1 Confidentiality

Confidentiality serves the purpose that information is not revealed to unauthorized entities. Confidentiality is accomplished by transforming the understandable information to a state that is unintelligible except by authorized entities. This transformation mechanism is called encryption. Decryption of unintelligible data is performed to restore it to its original state. Both symmetric and asymmetric algorithms can provide encryption. Confidentiality is not only important for data at rest but also for the network communication data.


1.2 Data Integrity

Integrity is a mechanism that assures that the data has not been altered in an unapproved way. The integrity of data is maintained at the creation, transmission and storage phases. Alteration of data includes insertion, deletion and substitution breaches. Digital signatures and message authentication codes (MAC) are the cryptographic mechanisms which can be used to detect both intentional & accidental alterations.

1.3 Authentication

There are two types of authentication services which can be achieved using cryptography, i.e. source and integrity authentication. Source authentication assures the identity of the entity that originally generated/crafted the information. Integrity authentication validates that data has not been modified and that the integrity of the data is protected.


1.4 Non-Repudiation

Non-repudiation is the guarantee that no one can deny a transaction. The term non-repudiation is frequently used for digital signatures and email messages. When a data hashing algorithm is combined with public/private keys, data origin authentication can be achieved. The well-known technique for data origin authentication is the use of digital certificates.


2. Importance of Guidance on Cryptographic Algorithms

The proper approach to incorporate security services for applications and protocols dealing with data security is the use of cryptographic methods.


A lot of public/open source and proprietary algorithms are available.

Users and developers are presented with many new choices in their use of cryptographic mechanisms.


Adoption of obsolete or lesser-known/home-grown algorithms may result in a security breach of data and information.


Public and NIST approved algorithms have undergone rigorous security testing and cryptanalysis prior to their approval, to assure that the algorithms provide satisfactory security.


The document “NIST Special Publication 800-57 Part 1 Revision 4” provides background information and establishes frameworks to support appropriate decisions when selecting and using cryptographic mechanisms.


3. Importance of Keys in an Algorithm

Keys in the field of cryptography are analogous to the pattern/PIN/password or physical key applied to a security locker.


Appropriate management of cryptographic keys is essential for the operative use of cryptography.

If an attacker is able to find out the combination of the security locker, the locker will fail, however state-of-the-art and strong its technology.

A security locker is analogous to an encryption algorithm. If the keys are not managed properly, encryption algorithms will be compromised.


The first and last phases in the life of a key are generation and destruction respectively.


The other phases in the life of a key are securing storage, distribution, modification, renewal, backup/archival, revocation/suspension etc.


Keys require protection in all phases of life. Protection is needed against compromise, modification and unauthorized disclosure.


NIST publishes Federal Information Processing Standards (FIPS) and NIST Recommendations that stipulate cryptographic procedures for protecting unclassified and sensitive information.


4. Classes of Cryptographic Algorithms

Cryptographic algorithms can be categorized into three classes. This categorization is defined on the basis of the number of cryptographic keys that are required by the algorithm.


  • Hash Functions
  • Symmetric-Key Algorithms
  • Asymmetric-Key Algorithms

4.1 Hash Functions

Hash functions are the building blocks for modern cryptography.


A hash function is a cryptographic algorithm which is used to transform data of arbitrary size into a small, fixed-size output.

The data output of the hash algorithm is called the hash value or digest.

The basic operation of hash functions does not need any key and operates in a one-way manner.


The one-way operation means that it is computationally infeasible to compute the input from a particular output. The basic uses of hash functions are:


  • Generation and verification of digital signatures
  • Checksum/Message integrity checks
  • Source integrity services via MAC
  • Derivation of sub-keys in key-establishment protocols & algorithms
  • Generation of pseudorandom numbers
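To make the digest/MAC distinction above concrete, here is an added Go example (not from the article or from Cryptomathic) using only the standard library: a SHA-256 digest gives a fixed-size integrity check that anyone can compute, while an HMAC-SHA256 tag additionally needs the shared key and so provides source authentication. The key and messages are constructed samples.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Digest returns the SHA-256 hash of data as hex. The output is always 32
// bytes, whatever the input size, and no key is involved.
func Digest(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

// Mac returns an HMAC-SHA256 tag over msg. Unlike a plain digest it needs the
// shared secret key, so a valid tag also authenticates the source.
func Mac(key, msg []byte) []byte {
	h := hmac.New(sha256.New, key)
	h.Write(msg)
	return h.Sum(nil)
}

// VerifyMac recomputes the tag and compares it in constant time, so the
// comparison itself does not leak how many bytes matched.
func VerifyMac(key, msg, tag []byte) bool {
	return hmac.Equal(Mac(key, msg), tag)
}

func main() {
	// Constructed sample key and messages (not from the article).
	key := []byte("shared-secret-between-sender-and-receiver")
	msg := []byte("transfer 100 EUR to account 42")
	tampered := []byte("transfer 900 EUR to account 42")

	// Integrity check: any change to the input changes the digest, and the
	// digest of a 1 MiB input is exactly as long as that of a short one.
	fmt.Println("digest:         ", Digest(msg))
	fmt.Println("tampered digest:", Digest(tampered))
	fmt.Println("same length:", len(Digest(msg)) == len(Digest(make([]byte, 1<<20))))

	// Source authentication: only holders of the key can produce a valid tag.
	tag := Mac(key, msg)
	fmt.Println("tag verifies:         ", VerifyMac(key, msg, tag))
	fmt.Println("tampered msg verifies:", VerifyMac(key, tampered, tag))
	fmt.Println("wrong key verifies:   ", VerifyMac([]byte("guess"), msg, tag))
}
```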

4.2 Symmetric-key algorithms

Symmetric-key algorithms, also referred to as secret-key algorithms, use a single cryptographic key for both encryption and decryption.


They transform data in such a way that an opponent cannot practically decrypt it without the key. Symmetric keys are securely generated and distributed to the sender and receiver and are unknown to any other entity.


But if a symmetric-key algorithm is being used by more than one receiver then the key has to be shared with all entities.


If the key is compromised at one entity, the communication of all entities is compromised.

Symmetric algorithms are further divided into block & stream algorithms.


A block algorithm breaks the input into fixed-size blocks and then performs the crypto operations block by block. Stream algorithms perform “bit-by-bit” crypto operations. The primary purposes of symmetric-key algorithms are:


  • Confidentiality is achieved as encryption and decryption are performed using a single key.
  • Integrity and source authentication are achieved by using Message Authentication Codes, because the MAC is generated and validated with the same key.
  • Generation of pseudorandom numbers

4.3 Asymmetric-key algorithms

Asymmetric-key algorithms are commonly referred to as “public-key algorithms”. They use two mathematically associated keys known as the public and private keys.


One key is used for data encryption, and the other is used for decryption of data.


The combination of a public and private key is called a key pair.

The private key is always kept secret by the owner.

The public key is distributed to the public and everyone can access it.

The private key cannot be deduced from the public key.

The public key is usually bound to an identity by a Certificate Authority.

Asymmetric-key algorithms are mostly based on mathematical problems such as integer factorization and the discrete logarithm problem. The main uses of asymmetric algorithms are:


  • Creation of digital signatures
  • Establishment/distribution of session keys, as in the TLS protocol
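An added Go example (not the article's own code) of the first use, hash-then-sign with a key pair: the private key signs a SHA-256 digest of the document, anyone holding the public key can verify, and a modified document or a different signer's key makes verification fail. Ed25519 is used here as the signature scheme; the KeyPair type and the document text are this example's own constructions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// KeyPair holds the public key, which may be published to anyone, and the
// private key, which the owner never shares.
type KeyPair struct {
	Public  ed25519.PublicKey
	Private ed25519.PrivateKey
}

// NewKeyPair generates a fresh Ed25519 key pair from the system CSPRNG.
func NewKeyPair() (KeyPair, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	return KeyPair{Public: pub, Private: priv}, err
}

// Sign hashes the document with SHA-256 and signs the digest with the private
// key (hash-then-sign, as the article describes); the signature is 64 bytes
// regardless of how large the document is.
func Sign(kp KeyPair, doc []byte) []byte {
	digest := sha256.Sum256(doc)
	return ed25519.Sign(kp.Private, digest[:])
}

// Verify checks a signature with only the signer's public key: anyone can
// verify, but only the holder of the private key could have produced it.
func Verify(pub ed25519.PublicKey, doc, sig []byte) bool {
	digest := sha256.Sum256(doc)
	return ed25519.Verify(pub, digest[:], sig)
}

func main() {
	alice, _ := NewKeyPair()
	other, _ := NewKeyPair()
	// Constructed sample document (not from the article).
	doc := []byte("I, Alice, agree to pay 100 EUR.")
	sig := Sign(alice, doc)

	fmt.Println("verifies with Alice's public key: ", Verify(alice.Public, doc, sig))
	fmt.Println("verifies after modification:      ", Verify(alice.Public, []byte("I, Alice, agree to pay 900 EUR."), sig))
	fmt.Println("verifies with another public key: ", Verify(other.Public, doc, sig))
}
```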

5. Differences between Hash functions, Symmetric, and Asymmetric algorithms

The table below compares the three classes of algorithms on a few characteristics.


Feature / Algorithm           Hash                                  Symmetric                                   Asymmetric
Number of keys                0                                     1                                           2
NIST recommended key length   256 bits                              128 bits                                    2048 bits
Commonly used algorithm       SHA                                   AES                                         RSA
Key management / sharing      N/A                                   Big issue                                   Easy & secure
Effect of key compromise      N/A                                   Loss for both sender & receiver             Loss only for the owner of the asymmetric key
Speed                         Fast                                  Fast                                        Relatively slow
Complexity                    Medium                                Medium                                      High
Examples                      SHA-224, SHA-256, SHA-384 or SHA-512  AES, Blowfish, Serpent, Twofish, 3DES, RC4  RSA, DSA, ECC, Diffie-Hellman

6. Combination of Symmetric and Asymmetric algorithms

Due to the above characteristics, symmetric and asymmetric algorithms are sometimes used in a hybrid approach.


Asymmetric ciphers are characteristically used for identity authentication performed via digital signatures & certificates, for the distribution of the symmetric bulk encryption key, for non-repudiation services and for key agreement.

Symmetric ciphers are used for bulk encryption of data due to their fast speed.


References and Further Reading

  • Selected articles on Key Management (2012-16), by Ashiq JA, Chuck Easttom, Dawn M. Turner, Guillaume Forget, James H. Reinholm, Matt Landrock, Peter Landrock, Steve Marshall, Torben Pedersen, Maria Stokes, John Trankenschuh and more
  • NIST Special Publication 800-57 Part 1 Revision 4 Recommendation for Key Management Part 1: General (2016), by Elaine Barker, Computer Security Division Information Technology Laboratory, National Institute of Standards and Technology
  • 2017 Global Encryption Trends Study (April 2017)
  • Predictions 2017: Customer-Obsessed Enterprises Launch Cloud’s Second Decade (November 2016)
  • “Cybersecurity Incidents What Happened.” (2016), the United States Office of Personnel Management.
