Combining RSA, AES128 and MD5: encrypting the communication layer between mobile client and server

It is good to be able to use RSA, AES128 and MD5 in a project to secure communication between the client and the server. This article describes that usage as fully as it can; for the details of the algorithms themselves, look them up on a wiki. I originally had only a very simple understanding of encryption: I knew only that there was symmetric encryption, asymmetric encryption, MD5 one-way encryption and so on. Through this study I was amazed at how well several kinds of encryption can be combined, and at how elegant they make the whole communication process. The workload of the server and the client does increase, but as long as data leaves through one consistent exit and arrives through one consistent entrance, the logic only needs to be added at that exit and entrance, which avoids disturbing the existing logic.

Simple concepts the article touches on

  1. RSA – asymmetric encryption that generates a public key and a private key. The public key is held by the client and the private key by the server. The public key is used for encryption, and the private key is used for decryption.
  2. AES – symmetric encryption: encryption and decryption both use the same given secret key.
  3. MD5 – a one-way scheme (strictly, a hash function): data can be processed in one direction only and the result cannot be decrypted.
  4. Base64 encoding – encodes a byte array as a string.

Client-server communication logic

Before: plaintext communication

  1. The client puts the data to upload into a dictionary (Map) and submits it to the server with a POST.
  2. The server receives the submitted packet and reads the client's values in key-value form for processing.
  3. When processing is finished, the result is packaged as a dictionary (Map) and returned to the client.

Encrypted communication

The whole process is:

Client encrypts the upload data ==> server decrypts the data it receives ==> server encrypts the data it returns ==> client decrypts the data it receives

  • A. Client encrypts the upload data: (1) the client generates a random 16-character string to use as the AES secret key, AESKey; (2) AESKey is encrypted with the RSA public key to give RSAKey (some important interfaces also need signing at this point; this is explained later, and the signing step must not be omitted); (3) the plaintext packet to upload (dictionary/Map converted to a JSON string) is encrypted with AESKey to give JsonAESEncryptedData; (4) the result is packaged as the dictionary {key: RSAKey, value: JsonAESEncryptedData} and uploaded to the server. The server only needs to read key and value and then parse them to get the data.
  • B. Server decrypts the data it receives: (1) get RSAKey and decrypt it with the server's private key to obtain AESKey; (2) get JsonAESEncryptedData; (3) decrypt it with AESKey to obtain the plaintext data uploaded by the client. (If the client signed the data, the signature must be verified here to ensure that the data has not been tampered with during network transmission.)
  • C. Server encrypts the data it returns: the data to return to the client (dictionary/Map) is converted to a JSON string and encrypted with AESKey (the packet can also be signed here), then returned to the client as {data: value}.
  • D. Client decrypts the data it receives: the client reads the encrypted AESEncryptedResponseData returned by the server under the key data, and decrypts it with AESKey to get the plaintext data returned by the server.

Signing and verification

The previous section essentially covers the communication logic between client and server. Signing and verification is an approach to preventing data from being tampered with during transmission.

An example of tampered data:

For a fitness app, uploading the step count is a common interface operation. For example, the interface has several fields: step (number of steps), time (when the steps were generated) and memberId (user ID).

Suppose a user captures the packet you upload and then successfully cracks the encryption described above. Having obtained the plaintext, the user can freely modify your data, such as step, encrypt it in the same way and POST it to your server. The server will treat this as a normal request and accept the modified step count, although the data is in fact wrong, and nobody would be any the wiser…

To prevent this, we can sign the data.

  • Signing (done by the party that sends the data, here the client): we usually take the key fields (the fields someone might modify); here step, time and memberId are the sensitive ones. After step 2 of A above, take step, time and memberId, splice them into a string (in an order agreed with the server), process it with MD5 and Base64-encode the result (the encoding format is also agreed with the server) to get signData. Then save signData as a key-value pair in the original plaintext packet and proceed to step 3 of A.
  • Verification (done by the party that receives the data, here the server): at step 3 of B above, the plaintext data uploaded by the client has been obtained. Splice step, time and memberId in the field order agreed with the client, apply the same md5_base64 processing, and compare the resulting signature with the signature sent by the client. If they match, accept the data. If they do not, discard the data and terminate the operation.

Now suppose the signed packet is intercepted and successfully decrypted, so that the plaintext packet is obtained. The MD5 signature, however, cannot be decrypted (it is one-way). If step is then modified and the packet is POSTed to the server, the MD5 value the server computes over the modified step, time and memberId string will certainly not match the client's signature, and the data is discarded.
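
The upload path (A and B) with signData, which also covers the response path (C and D) through the same AES helpers, as an added Node.js example that is not the author's iOS code. The AES mode (CBC with a random IV prepended), RSA-OAEP padding, the 2048-bit key, the "|" separator, the helper names and the sample packet are assumptions; the page does not specify them.

```javascript
// Added illustration, not the CAAdvancedTech demo code.
// Assumed (not on the page): AES-128-CBC with a random IV prefixed to the
// ciphertext, RSA-OAEP padding, a 2048-bit key pair, "|" as field separator,
// and 16 random bytes for AESKey instead of a printable string.
const crypto = require('crypto');

const SIGN_FIELDS = ['step', 'time', 'memberId']; // order agreed by both sides

// md5_base64 over the agreed fields (the page's signData)
function signData(packet) {
  const joined = SIGN_FIELDS.map((f) => String(packet[f])).join('|');
  return crypto.createHash('md5').update(joined, 'utf8').digest('base64');
}

function aesEncrypt(aesKey, plaintext) {
  const iv = crypto.randomBytes(16);
  const c = crypto.createCipheriv('aes-128-cbc', aesKey, iv);
  return Buffer.concat([iv, c.update(plaintext, 'utf8'), c.final()]).toString('base64');
}

function aesDecrypt(aesKey, b64) {
  const raw = Buffer.from(b64, 'base64');
  const d = crypto.createDecipheriv('aes-128-cbc', aesKey, raw.subarray(0, 16));
  return Buffer.concat([d.update(raw.subarray(16)), d.final()]).toString('utf8');
}

// A: client signs, AES-encrypts the JSON, RSA-encrypts AESKey
function clientSeal(publicKey, packet) {
  const aesKey = crypto.randomBytes(16); // 128-bit AESKey, fresh per request
  const json = JSON.stringify({ ...packet, signData: signData(packet) });
  const envelope = {
    key: crypto.publicEncrypt(publicKey, aesKey).toString('base64'), // RSAKey
    value: aesEncrypt(aesKey, json), // JsonAESEncryptedData
  };
  return { aesKey, envelope }; // client keeps aesKey to decrypt the response (D)
}

// B: server recovers AESKey, decrypts, then checks signData
function serverOpen(privateKey, envelope) {
  const aesKey = crypto.privateDecrypt(privateKey, Buffer.from(envelope.key, 'base64'));
  const packet = JSON.parse(aesDecrypt(aesKey, envelope.value));
  const valid = typeof packet.signData === 'string' && packet.signData === signData(packet);
  return { aesKey, packet, valid }; // caller discards the packet when valid is false
}

// Constructed demo key pair and upload packet
const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const sample = { step: 8042, time: '2017-06-01 08:00:00', memberId: 'u-1001' };
console.log(serverOpen(privateKey, clientSeal(publicKey, sample).envelope).valid);
```

signData here is an unkeyed digest, so the check depends on the field order and separator staying private to client and server; HMAC with a shared secret is the keyed form of the same check.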

Flow chart of the process described above

[Figure: client-server communication encryption logic]

Sample code

For AES and RSA encryption and decryption, only the iOS-side code is provided. For how to generate the RSA public and private key certificates on Linux, refer to the many detailed explanations of RSA public and private key generation available online.

GitHub demo address: CAAdvancedTech

It runs as follows:

[Screenshot: home page, selecting the encryption module]
[Screenshot: AES and RSA encryption and decryption page]

RSA public key: generating a self-signed certificate

    # generate a 1024-bit private key (2048 bits or more is the current recommended minimum for RSA)
    openssl genrsa -out private_key.pem 1024
    # generate the CSR file from the private key
    openssl req -new -key private_key.pem -out rsaCertReq.csr
    # generate the CRT file from the private key and the CSR file
    openssl x509 -req -days 3650 -in rsaCertReq.csr -signkey private_key.pem -out rsaCert.crt
    # generate the public key .der file for iOS
    openssl x509 -outform der -in rsaCert.crt -out public_key.der
    # export the key as a .p12 file
    openssl pkcs12 -export -out private_key.p12 -inkey private_key.pem -in rsaCert.crt

Discussion on asymmetric encryption and decryption of RSA

Recommended tools

  1. Flow charts: drawing flow charts used to be rather painful. I looked for something easy to use on the Mac that can draw flow charts and UML, and even considered Keynote. Finally, I found this online tool, which is very good. The figure above is the first one I drew with it. The result is good, although the resolution of the exported PNG image is not very good. Link: "What is the best flow chart software to use on the Mac?" (ProcessOn)
  2. AES encryption and decryption online tools: online AES encryption and decryption