Password Security: A Comprehensive Overview of Common Encryption Algorithms

1. Overview of Encryption Algorithms

Encryption is a technology frequently used in front-end and back-end development, with applications including but not limited to user login, data transactions, and information communication. Different application scenarios may require different signing and encryption algorithms, or a combination of several, to achieve business objectives. Generally, encryption algorithms can be categorized into three types: hash algorithms, symmetric encryption algorithms, and asymmetric encryption algorithms. The common encryption algorithms and their classifications are shown in the table below:

| Type of Encryption | Domestic Commercial Encryption | International Commercial Encryption |
| --- | --- | --- |
| Hash Algorithms | SM3 | MD5, SHA-1, SHA-2, MAC |
| Symmetric Encryption Algorithms | SM1, SM4, SM7, ZUC, SSF446 | DES, 3DES, AES, RC5, RC6, RC4 |
| Asymmetric Encryption Algorithms | SM2, SM9 | RSA, Rabin, DH, DSA, ECC |

Encryption-related concepts:

Plaintext: Plaintext refers to the original data that has not been encrypted.

Ciphertext: Plaintext becomes ciphertext after being encrypted by a certain encryption algorithm, ensuring the security of the original data. Ciphertext can also be decrypted to obtain the original plaintext.

Key: A key is a parameter that is input into the algorithm when converting plaintext to ciphertext or vice versa. Keys can be symmetric or asymmetric, used in symmetric and asymmetric encryption respectively.

Common scenarios in daily development that require encryption algorithms:

  • Passwords stored in databases need to be salted and then hashed with a password hash algorithm (e.g., BCrypt).

  • Sensitive data such as bank card numbers and identity numbers stored in databases need to be saved using symmetric encryption algorithms (e.g., AES).

  • Sensitive data transmitted over the network, such as bank card numbers and identity numbers, need to use HTTPS + asymmetric encryption algorithms (e.g., RSA) to ensure the security of transmitted data.

2. Hash Algorithms

Hash algorithms, also known as hash functions or digest algorithms, serve to generate a fixed-length unique identifier from data of any length, referred to as a hash value, hash code, or message digest (collectively referred to as hash value hereafter).

Characteristics include:

  1. No key is required for encryption
  2. Irreversible
  3. Transforms any length into a fixed length

Common hash algorithms include:

Domestic: SM3

International: MD5, SHA-1, MAC, SHA-2 (SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, SHA-512/256)

Application scenarios include: password storage, file integrity verification, signature generation.

Algorithm implementation process:


Hash algorithms can be simply divided into two categories:

  1. Cryptographic hash algorithms: These are hash algorithms with higher security that can provide a certain level of data integrity protection and tamper resistance, capable of resisting certain attack methods, but with poorer performance, suitable for scenarios with high security requirements. Examples include SHA2, SHA3, SM3, RIPEMD-160, BLAKE2, SipHash, etc.
  2. Non-cryptographic hash algorithms: These are hash algorithms with relatively lower security, susceptible to brute force and collision attacks, but with higher performance, suitable for business scenarios with no security requirements. Examples include CRC32, MurMurHash3, SipHash, etc.

Below is an introduction to the main hash algorithms:

  1. MD (Message Digest) algorithms: MD2, MD4, MD5, etc., are no longer recommended for use.
  2. SHA (Secure Hash Algorithm): The SHA-1 series has low security, while the SHA2 and SHA3 series have higher security.
  3. National secret algorithms: These include SM2, SM3, SM4, where SM2 is an asymmetric encryption algorithm, SM4 is a symmetric encryption algorithm, and SM3 is a hash algorithm (with security and efficiency comparable to SHA-256, but more suitable for domestic application environments).
  4. Bcrypt (password hash algorithm): A password hash algorithm based on the Blowfish encryption algorithm, specifically designed for password encryption, with high security and classified as a slow hash algorithm.
  5. MAC (Message Authentication Code): HMAC is a hash-based MAC that can be combined with any secure hash algorithm, such as SHA-256.
  6. CRC (Cyclic Redundancy Check): CRC32 is a CRC algorithm characterized by generating a 32-bit checksum, commonly used for data integrity checks and file verification.

2.1 MD Algorithms

MD algorithms have multiple versions, including MD2, MD4, MD5, among which MD5 is the most commonly used version, capable of generating a 128-bit (16-byte) hash value. In terms of security: MD5 > MD4 > MD2. Besides these versions, there are also some algorithms based on improvements to MD4 or MD5, such as RIPEMD, HAVAL, etc.

Even MD5, the most secure of the MD algorithms, can be cracked through brute force or rainbow table attacks, which recover an input that produces the same hash value as the original data.

To increase the difficulty of cracking, salting is often chosen. In cryptography, salting means inserting a specific string at a fixed position in the password so that the hashed result differs from the hash of the original password alone. Salting does not make the hash uncrackable: the MD5 algorithm itself has a weak collision problem, where multiple different inputs produce the same MD5 value. The MD algorithms are no longer recommended for use; it is advised to use more secure hash algorithms like SHA-2 or Bcrypt.
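The difference between unsalted MD5 and a salted slow hash, as an added example that is not part of the original article. It uses PBKDF2-HMAC-SHA256 from the Python standard library as a stand-in for Bcrypt; the record format, the iteration count, the function names and the three-word list are assumptions made for this example.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 600_000  # assumed work factor; tune for your own hardware


def md5_unsalted(password):
    """Weak scheme: the same password always gives the same digest."""
    return hashlib.md5(password.encode()).hexdigest()


def build_table(wordlist):
    """Digest-to-password table: computed once, it matches every unsalted record."""
    return {md5_unsalted(word): word for word in wordlist}


def hash_password(password, iterations=ITERATIONS):
    """Salted slow hash, stored as 'pbkdf2_sha256$iterations$salt$digest'."""
    salt = secrets.token_bytes(16)  # fresh random salt for every password
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    try:
        scheme, iterations, salt_hex, dk_hex = stored.split("$")
        if scheme != "pbkdf2_sha256":
            return False
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(dk_hex)
        dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, int(iterations))
    except (ValueError, OverflowError):
        return False  # malformed or corrupted record
    return hmac.compare_digest(dk, expected)


if __name__ == "__main__":
    table = build_table(["password", "123456", "qwerty"])  # constructed sample list
    print(table.get(md5_unsalted("123456")))   # unsalted MD5 reduces to a lookup
    first, second = hash_password("123456"), hash_password("123456")
    print(first != second)                     # same password, different records
    print(verify_password("123456", first), verify_password("12345", first))
```

Because each record carries its own salt, a table built for one record is useless against any other, and the iteration count makes every guess expensive.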


2.2 SHA Algorithms

SHA (Secure Hash Algorithm) series algorithms are a set of cryptographic hash algorithms used to map data of any length to a fixed-length hash value. The SHA series algorithms were designed by the National Security Agency (NSA) in 1993, and currently include SHA-1, SHA-2, and SHA-3.

The SHA-1 algorithm maps data of any length to a 160-bit hash value. However, the SHA-1 algorithm has some serious flaws, such as low security and susceptibility to collision attacks and length extension attacks. Therefore, the SHA-1 algorithm is no longer recommended for use. The SHA-2 family (such as SHA-256, SHA-384, SHA-512, etc.) and the SHA-3 series are alternatives to the SHA-1 algorithm, providing higher security and longer hash value lengths.

The SHA-2 family is an improvement over the SHA-1 algorithm, employing more complex operations and more rounds, making it more difficult for attackers to find collisions through precomputation or coincidence. Since the SHA-2 algorithm has not yet encountered significant security vulnerabilities and is more efficient in software, most people still prefer to use the SHA-2 algorithm.

Compared to the MD5 algorithm, the SHA-2 algorithm is stronger for two main reasons:

  1. Longer hash value length: for example, the hash value length of the SHA-256 algorithm is 256 bits, while the hash value length of the MD5 algorithm is 128 bits, which increases the difficulty for attackers to perform brute force or rainbow table attacks.
  2. Stronger collision resistance: the SHA algorithm employs more complex operations and more rounds, making it more difficult for attackers to find collisions through precomputation or coincidence. Currently, no two different pieces of data have been found to have the same SHA-256 hash value.

The SHA-2 algorithm is also at risk of brute force or rainbow table attacks.

3. Symmetric Encryption

Symmetric encryption algorithms refer to algorithms that use the same key for both encryption and decryption, also known as shared key encryption algorithms. In symmetric encryption, both the encrypting and decrypting parties use the same key. Specifically, the sender encrypts the information to be sent using the corresponding encryption algorithm and key; for the receiver, the decryption algorithm and the same key are used to unlock the information, allowing them to read the information.

Characteristics:

1. The same key is used for encryption and decryption

2. Reversible

3. Encryption speed is faster than asymmetric encryption algorithms

Common algorithms:

Domestic: SM1, SM4, SM7, ZUC, SSF446

International: DES, 3DES, AES, RC5, RC6, RC4

Application scenarios: encrypted transmission, passwords, configuration file encryption


Common symmetric encryption algorithms include DES, 3DES, AES, etc.

3.1 DES and 3DES Algorithms

DES (Data Encryption Standard) uses a 64-bit key (with an effective key length of 56 bits and 8 bits for parity) and 64-bit plaintext for encryption. Although DES can only encrypt 64 bits at a time, we can encrypt plaintext of any length by dividing it into blocks of 64 bits. If the plaintext length is not a multiple of 64 bits, padding must be performed, with common modes including PKCS5Padding, PKCS7Padding, NOPADDING.

The basic idea of the DES encryption algorithm is to divide the 64-bit plaintext into two halves, then perform multiple rounds of transformations on each half, and finally merge them into a 64-bit ciphertext. These transformations include permutation, XOR, selection, and shifting operations, with each round using a subkey generated from the same 56-bit master key. The DES encryption algorithm performs a total of 16 rounds of transformations, followed by one final inverse permutation to obtain the final ciphertext.


DES also has a significant flaw, namely that the 56-bit key is insufficiently secure and has been proven to be crackable in a short time.

To enhance the security of the DES algorithm, some variants or alternatives have been proposed, such as 3DES (Triple DES). 3DES is a transitional encryption algorithm between DES and AES, using 2 or 3 56-bit keys to perform triple encryption on the data. In effect, 3DES applies the DES symmetric encryption algorithm three times to each data block.

To maintain compatibility with standard DES, 3DES does not directly use the encrypt->encrypt->encrypt method, but instead employs the encrypt->decrypt->encrypt method. When all three keys are the same, the first two steps cancel each other out, effectively achieving only one encryption, thus ensuring compatibility with the standard DES encryption algorithm. 3DES is more secure than DES, but its processing speed is not high.
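The two-halves round structure and the encrypt->decrypt->encrypt ordering described above, as an added example that is not part of the original article: a 16-round Feistel network on 64-bit blocks. The round function and key schedule are SHA-256 stand-ins, not the real DES S-boxes and key schedule, and all function names are chosen for this example.

```python
import hashlib

ROUNDS = 16
MASK32 = 0xFFFFFFFF


def subkeys(key):
    """Derive 16 round subkeys from one master key (stand-in key schedule)."""
    return [hashlib.sha256(key + bytes([i])).digest() for i in range(ROUNDS)]


def round_fn(half, subkey):
    """Stand-in for the DES round function: any keyed 32-bit function works."""
    digest = hashlib.sha256(subkey + half.to_bytes(4, "big")).digest()
    return int.from_bytes(digest[:4], "big")


def feistel(block, keys):
    """Run one 64-bit block through the network using the given subkey order."""
    left, right = block >> 32, block & MASK32
    for k in keys:
        left, right = right, left ^ round_fn(right, k)
    return (right << 32) | left  # final swap lets decryption reuse this function


def encrypt(block, key):
    return feistel(block, subkeys(key))


def decrypt(block, key):
    return feistel(block, subkeys(key)[::-1])  # same network, subkeys reversed


def ede_encrypt(block, k1, k2, k3):
    """Triple encryption in encrypt -> decrypt -> encrypt order."""
    return encrypt(decrypt(encrypt(block, k1), k2), k3)


def ede_decrypt(block, k1, k2, k3):
    return decrypt(encrypt(decrypt(block, k3), k2), k1)


if __name__ == "__main__":
    block, key = 0x0123456789ABCDEF, b"same-key"  # constructed sample values
    # With three equal keys the first two steps cancel: EDE == single encryption.
    print(ede_encrypt(block, key, key, key) == encrypt(block, key))
```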

3.2 AES Algorithm

AES (Advanced Encryption Standard) is a more advanced symmetric key encryption algorithm that uses 128-bit, 192-bit, or 256-bit keys to encrypt or decrypt data. The longer the key, the higher the security. AES is also a block cipher, with a block length of 128 bits, meaning each block is 16 bytes.

AES encryption algorithms have various modes of operation, such as ECB, CBC, OFB, CFB, CTR, XTS, OCB, GCM (currently the most widely used mode). Different modes have different parameters and encryption processes, but the core remains the AES algorithm.

Similar to DES, plaintext that is not a multiple of 128 bits requires padding, with common padding modes including PKCS5Padding, PKCS7Padding, NOPADDING. However, AES-GCM works like a stream cipher (it is built on counter mode) and can encrypt plaintext of any length, so the corresponding padding mode is NoPadding, meaning no padding is required. AES is faster than 3DES and more secure.


A comparison of DES and AES algorithms is as follows:


4. Asymmetric Encryption

Asymmetric encryption algorithms refer to algorithms that use different keys for encryption and decryption, also known as public key encryption algorithms. These two keys are distinct, one is called the public key, and the other is called the private key. The public key can be shared with anyone, while the private key must be kept secret. If data is encrypted with the public key, it can only be decrypted with the corresponding private key (for encryption); if data is encrypted with the private key, it can only be decrypted with the corresponding public key (for signature). This allows for secure data transmission and identity authentication.

Characteristics:

1. A pair of keys

2. Public key encrypts, private key decrypts; private key signs, public key verifies

Common algorithms:

Domestic: SM2, SM9

International: RSA, Rabin, DH, DSA, ECC

Application scenarios: digital signatures, digital certificates


Common asymmetric encryption algorithms include RSA, DSA, ECC, etc.

4.1 RSA

RSA (Rivest–Shamir–Adleman algorithm) is an asymmetric encryption algorithm based on the difficulty of large number factorization. It requires selecting two large prime numbers as part of the private key, then calculating their product as part of the public key (finding two large prime numbers is relatively simple, but factoring their product is extremely difficult). For a detailed introduction to the principles of the RSA algorithm, refer to this article: Do You Really Understand RSA Encryption Algorithm? – Xiao Fu Ge.

The security of the RSA algorithm relies on the difficulty of large number factorization; currently, RSA public keys of 512 bits and 768 bits have been successfully factored, so it is recommended to use a key length of 2048 bits or more.

The advantages of the RSA algorithm are its simplicity and ease of use, applicable for data encryption and digital signatures; its disadvantages include slow computation speed, making it unsuitable for encrypting large amounts of data. RSA is currently the most widely used asymmetric encryption algorithm, utilized in protocols such as SSL/TLS, SSH, etc.


4.2 DSA

DSA (Digital Signature Algorithm) is an asymmetric encryption algorithm based on the difficulty of discrete logarithms. It requires selecting a prime number q and a multiple of q, p, as part of the private key, then calculating a primitive root g modulo p and an integer y modulo q as part of the public key.

The security of the DSA algorithm relies on the difficulty of discrete logarithms; currently, DSA public keys of 1024 bits have been successfully cracked, so it is recommended to use a key length of 2048 bits or more.

The advantages of the DSA algorithm include fast digital signature generation, making it suitable for generating digital certificates; its disadvantages include its unsuitability for data encryption and the need for random numbers during the signing process.

The DSA algorithm signing process is as follows:

  1. The sender uses a hash algorithm to encrypt the data to be sent, generating a message digest, which is a short, unique, irreversible representation of the data.
  2. The sender encrypts the message digest with their DSA private key, forming a digital signature, which is data that can prove the source and integrity of the data.
  3. The original data and the digital signature are transmitted together over the internet to the receiver.
  4. The receiver uses the sender’s public key to decrypt the digital signature, obtaining the message digest. Simultaneously, the receiver also uses the hash algorithm to encrypt the received original data, obtaining another message digest.
  5. The receiver compares the two message digests; if they match, it indicates that the data has not been tampered with or damaged during transmission; otherwise, it indicates that the data has lost its security and confidentiality.
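The digest-then-sign flow described above, as an added example that is not part of the original article. It uses textbook RSA from section 4.1 rather than DSA, because that flow (apply the private key to the digest, recover it with the public key, compare) maps directly onto RSA operations. The primes are constructed toy values and no signature padding is applied, so the parameters and function names are for illustration only.

```python
import hashlib

# Constructed toy parameters: two known Mersenne primes. Far smaller than the
# 2048 bits the article recommends, but enough to follow each step.
P = 2**61 - 1
Q = 2**89 - 1
N = P * Q                          # public modulus
E = 65537                          # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent (Python 3.8+)


def digest_as_int(data):
    """Hash the data and reduce the digest into the range of the toy modulus."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N


def sign(data):
    """Sender: compute the message digest, then apply the private key to it."""
    return pow(digest_as_int(data), D, N)


def verify(data, signature):
    """Receiver: recover the digest with the public key and compare it with a
    digest computed independently from the received data."""
    if not isinstance(signature, int) or not 0 <= signature < N:
        return False
    return pow(signature, E, N) == digest_as_int(data)


if __name__ == "__main__":
    message = b"transfer 100 to account 42"  # constructed sample message
    signature = sign(message)
    print(verify(message, signature))                        # untouched data
    print(verify(b"transfer 900 to account 42", signature))  # altered in transit
```

Production signatures add a padding scheme such as RSA-PSS and use a vetted library; the bare modular exponentiation here only shows where the digest, the private key and the public key enter the process.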


5. Conclusion

This article introduced three types of encryption algorithms: hash algorithms, symmetric encryption algorithms, and asymmetric encryption algorithms. Hash algorithms are a technique that generates a fixed-length unique identifier for data using mathematical methods, which can be used to verify data integrity and consistency. Common hash algorithms include MD, SHA, MAC, etc. Symmetric encryption algorithms are algorithms that use the same key for both encryption and decryption, which can be used to protect data security and confidentiality. Common symmetric encryption algorithms include DES, 3DES, AES, etc. Asymmetric encryption algorithms are algorithms that use different keys for encryption and decryption, which can be used to achieve secure data transmission and identity authentication. Common asymmetric encryption algorithms include RSA, DSA, ECC, etc.
