DES encryption goes through the following steps
1. Provide the plaintext and key, and divide the plaintext into 64-bit blocks (corresponding to 8 bytes). If it is less than 8 bytes, it can be done. Padding (multiple padding methods), the key must be 8 bytes ***64bit
Padding method:
When the plaintext length is not an integer multiple of the packet length, it is required Pad some data into the last packet to make it full of one packet length.
* NoPadding
The API or algorithm itself does not process the data. The encrypted data is padded by the encryption algorithm agreed upon by both parties. For example, if you are encrypting or decrypting string data, you can add \0 or spaces, and then trim
* PKCS5Padding
Before encryption: The data byte length is modulated by 8, and the remainder is m , if m>0, then 8-m bytes are supplemented, and the byte value is 8-m, that is, if the difference is a few bytes, just a few bytes are supplemented. The byte value is the number of supplemented bytes. If it is 0 Then add 8 bytes of 8
After decryption: take the last byte, the value is m, then delete m bytes from the end of the data, and the remaining data is the original text before encryption.
For example: if the encrypted string is AAA, the padding is AAA55555; if the encrypted string is BBBBBB, the padding is BBBBBB22; if the encrypted string is CCCCCCCC, the padding is CCCCCCCC88888888.
* PKCS7Padding
The padding method of PKCS7Padding is the same as that of PKCS5Padding. Only the number of bytes of the encrypted block is different. PKCS5Padding clearly defines the encryption block to be 8 bytes, and the PKCS7Padding encryption block can be between 1-255.
2. Select encryption mode
**ECB mode** Full name Electronic Codebook mode, translated as Electronic Codebook mode
**CBC mode** Full name Cipher Block Chaining mode, translated as ciphertext group linking mode
**CFB mode** full name Cipher FeedBack mode, translated as ciphertext feedback mode
**OFB mode** full name Output Feedback mode, translated as output feedback mode.
**CTR mode** The full name is Counter mode, translated as counter mode.
3. Start encrypting the plaintext (internal principle - encryption steps, encryption algorithm implementation will not be explained)
image
1. Divide the 64bit into blocks Group encryption, one group is listed: perform initial replacement (IP replacement) on this group, the purpose is to recombine the input 64-bit data block bit by bit, and divide the output into two parts, L0 and R0, each part has a length 32 bits.
2. Start the 16 conversions of the Feistel structure. The first conversion is: the right data R0 and the subkey are generated through the round function f to generate the bit sequence used to encrypt the left data, and the left data L0 XOR operation,
The operation result is output as the encrypted left L0, and the right data is directly output as the right R0. Since a Feistel round does not encrypt the right side, it is necessary to swap the left and right sides after the previous round of output before officially completing a Feistel encryption.
3. The DES algorithm is performed a total of 16 times Feistel round, the left and right sides do not need to be swapped after the last round of output. The subkeys encrypted each time are different, and the subkeys are calculated from the secret key.
4. The final permutation is the reverse process of the initial permutation. After the last round of DES, the left and right halves are not exchanged, but the two halves are merged to form a group as the input of the final permutation< /p>
DES decryption goes through the following steps
1. Get the ciphertext and encryption key
2. Decryption: The processes of DES encryption and decryption are the same. Implemented using Feistel network, the only difference is that when decrypting, the ciphertext is used as input and the subkeys are used in reverse order.
3. Explain the padding of the decrypted plaintext to obtain the plaintext
Golang implements DES encryption and decryption
package main
< p>import ("fmt"
"crypto/des"
"bytes"
"crypto/cipher"
)
func main() {
var miwen,_= DESEncode([]byte("hello world"),[]byte("12345678") )
fmt.Println(miwen) // [11 42 146 232 31 180 156 225 164 50 102 170 202 234 123 129], ciphertext: the last 5 bits are two's complement
var txt,_ = DESDecode(miwen,[]byte("12345678"))
fmt.Println(txt) // [104 101 108 108 111 32 119 111 114 108 100]Clear code
fmt.Printf("%s",txt) // hello world
}
// encryption function
func DESEncode(orignData , key []byte)([]byte,error){
// Create a cipher block
block ,err:=des.NewCipher(key)
if err!=nil{ return nil,err}
// Plain text grouping, add padding to the missing parts
txt := PKCS5Padding(orignData,block.BlockSize())< /p>
// Set the encryption mode. For convenience, the initial vector is directly used as the key (in actual projects, it is best not to do this)
blockMode := cipher.NewCBCEncrypter(block, key)
// Create a slice of ciphertext length to store ciphertext bytes
crypted :=make([]byte,len(txt))
< p> // Start encryption, use txt as the source and crypted as the destination slice inputblockMode.CryptBlocks(crypted,txt)
// Return the encrypted slice
return crypted,nil
}
//padding required for encryption
func PKCS5Padding(ciphertext []byte,size int)[]byte {
padding := size - len(ciphertext)%size
padTex := bytes.Repeat([]byte{byte(padding)},padding)
< p> return append(ciphertext,padTex...)}
//Decryption function
func DESDecode(cripter, key []byte) ([ ]byte,error) {
// Create a cipher block
block ,err:=des.NewCipher(key)
if err!=nil{ return nil,err}
//Set the decryption mode. The encryption mode and decryption mode must be the same
blockMode := cipher.NewCBCDecrypter(block,key)
/ / Set the slice length to store plaintext bytes
originData := make([]byte,len(cripter))
// Use decryption mode to decrypt and convert the decrypted Put the plaintext bytes into the originData slice
blockMode.CryptBlocks(originData,scripter)
// Remove the encrypted padding part
strByt := UnPKCS5Padding(origenData )
return strByt,nil
}
//Unpadding required for decryption
func UnPKCS5Padding(origin []byte) [ ]byte{
// Get the last digit and convert it to an integer, and then intercept the length of the integer number based on this integer
// If this number is 5, then subtract Remove the last 5 digits after converting the plaintext, which is the plaintext we input
var last = int(origin[len(origin)-1])
return origin[:len( origin)-last]
}
Note: When setting the encryption mode to CBC, we need to set an initialization vector. The meaning of this amount is in the symmetric encryption algorithm. If only If a key is used to encrypt data, the same text in the plaintext will be encrypted into the same ciphertext, so that the ciphertext and plaintext have exactly the same structure and are easy to crack. If an initialization vector is given, the first plaintext The initialization vector is used to mix and encrypt. The second plaintext is mixed and encrypted with the encrypted ciphertext of the first plaintext and the second plaintext. In this way, the structure of the encrypted ciphertext is completely different from that of the plaintext, making it more secure and reliable. The CBC mode diagram is as follows
CBC
3DES
A common variant of DES is triple DES, which uses a 168-bit key to encrypt data three times. mechanism; it usually (but not always) provides extremely strong security. Triple DES is backwards compatible with DES if all three 56-bit subelements are the same.
Comparing DES, I found that NewTripleDESCipher was just replaced. However, it should be noted that the key length must be 24 bytes, otherwise an error will be returned directly. Regarding this point, this is not the case in PHP, as long as it is more than 8byte; in Java, the requirement must be more than 24byte, and the first 24byte (equivalent to 24byte) will be taken internally. In addition, the length of the initialization vector is 8byte (this is currently the case in all languages, and there will be problems if it is not 8byte)