Sensitive message exchange has relatively strong requirements for correctness and security.
Using a message digest algorithm to calculate and verify the digest of the message body lets the receiver detect a message that was tampered with in transit and reject it as invalid; using an encryption algorithm to encrypt the message body prevents the message from being read if it is intercepted in transit. Combining the two gives a strongly protected message exchange.
Ensure correct message exchange
The message may be tampered with by a man-in-the-middle during transmission. For example, if A sends a message to transfer money to B, a man-in-the-middle intercepts the message during transmission, decrypts the message body and tampers with it to transfer money to C, and tampers with the amount of the transfer, resulting in potentially irreversible damage.
A message digest ensures the correctness of the transmitted message. The main idea is relatively simple: the sender uses a message digest algorithm (such as MD5, SHA-256, SHA-1, HMAC, etc.) to calculate a digest value for the message body to be sent; the receiver, on receiving the message, uses the same digest algorithm to calculate the digest value of the message body and compares it with the received digest value to verify that they match.
The key point to note in this process is to guarantee the confidentiality of the digest algorithm.
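A sketch of the digest check described above, as an added example (not code from the original article). It assumes the confidential part is a shared HMAC key, since the hash algorithms themselves are public, and contrasts it with an unkeyed SHA-256 digest; all names and the sample message are constructed.

```javascript
const crypto = require('node:crypto');

// Assumption: sender and receiver already share this secret key out of band.
const sharedKey = crypto.randomBytes(32);

// Sender side: compute a keyed digest (HMAC-SHA256) and attach it to the message.
function signMessage(body, key) {
  const digest = crypto.createHmac('sha256', key).update(body, 'utf8').digest('hex');
  return { body, digest };
}

// Receiver side: recompute the digest and compare in constant time.
function verifyMessage(message, key) {
  const expected = crypto.createHmac('sha256', key).update(message.body, 'utf8').digest();
  const received = Buffer.from(String(message.digest), 'hex');
  // timingSafeEqual throws on a length mismatch, so compare lengths first.
  return received.length === expected.length && crypto.timingSafeEqual(received, expected);
}

// Unkeyed variant for comparison: anyone who can change the body can recompute it.
function plainDigest(body) {
  return crypto.createHash('sha256').update(body, 'utf8').digest('hex');
}
function verifyPlain(message) {
  return plainDigest(message.body) === message.digest;
}

// Constructed sample: A transfers money to B; the altered copy redirects it to C.
const original = signMessage(JSON.stringify({ from: 'A', to: 'B', amount: 100 }), sharedKey);
const alteredBody = JSON.stringify({ from: 'A', to: 'C', amount: 9000 });
const tampered = { body: alteredBody, digest: original.digest };
const recomputed = { body: alteredBody, digest: plainDigest(alteredBody) };

console.log('original, HMAC check:      ', verifyMessage(original, sharedKey));
console.log('altered body, HMAC check:  ', verifyMessage(tampered, sharedKey));
console.log('altered body, plain SHA-256:', verifyPlain(recomputed));
console.log('same message, HMAC check:  ', verifyMessage(recomputed, sharedKey));
```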
Encrypted transmission for message exchange
A symmetric encryption algorithm uses a shared secret key to encrypt the message body. It is fast and efficient, but the disadvantage is that the secret key needs to be shared between the sender and the receiver, and the encryption becomes useless if either party leaks the key and the encryption algorithm. An asymmetric encryption algorithm uses a public-private key pair: the sender uses the public key to encrypt the message body, the receiver uses the private key to decrypt the message body (or vice versa), and the receiver only needs to keep his own unique secret key to protect the encrypted message from being leaked. However, its encryption is slow and inefficient, so it is generally not used for encrypting large message bodies.
The combination of symmetric encryption algorithm and asymmetric encryption algorithm can achieve relatively feasible and effective message exchange and encryption transmission. In the following, RSA is used as an example of asymmetric encryption algorithm and AES is used as an example of symmetric encryption algorithm.
The main idea is: encrypt the key used by the AES algorithm with the RSA algorithm, encrypt the message body with the AES algorithm, and then send the encrypted key and message body to the other party. After the other party receives the message, it decrypts the AES key with the RSA algorithm and decrypts the message body with the decrypted key to get the original message. The receiver repeats a similar process when replying, thus realizing message exchange with encrypted transmission.
Let's take client-server message communication as an example. The detailed process is outlined as follows.
Preparation:
- The client generates the local RSA public-private key pair localPublicKey and localPrivateKey.
- The server generates the remote RSA public-private key pair remotePublicKey and remotePrivateKey.
Message exchange process:
1. Public key exchange: the client initiates the request, sends the local RSA public key localPublicKey, and obtains the server's RSA public key remotePublicKey, which is used to encrypt the key of the symmetric algorithm (AES).
2. The client generates a random 16-character aesKey, which is used as the key of the symmetric algorithm (AES).
3. The client uses the public key remotePublicKey obtained from the server to RSA-encrypt the aesKey and obtains the encrypted value aesKeyEncrypted.
4. The client encrypts the body of the message to be sent with the aesKey and gets bodyAesEncrypted.
5. The client sends the message body {aesKeyEncrypted, bodyAesEncrypted} using the HTTP POST method. The localPublicKey is used to encrypt the message returned by the server.
6. The server receives the message body and decrypts aesKeyEncrypted with its RSA private key remotePrivateKey to get the AES key aesKey.
7. The server decrypts bodyAesEncrypted with the AES key aesKey to get the body, which completes the encrypted transmission of the message from the client to the server.
8. The server uses localPublicKey to repeat steps 1-5 above to encrypt and send the reply message, and the client repeats steps 6-7 above to decrypt the received message.
Through the above process, the messages are encrypted and unreadable throughout the transmission, provided that the RSA secrets of both parties are not compromised. In addition, if the message digest algorithm is added to sign the message body, the intermediary cannot forge a valid message without knowing the digest algorithm. Therefore, combining the message digest algorithm and the message encryption algorithm can further enhance the message delivery process. Of course, in peer-to-peer messaging, the other party is not necessarily trusted, and there is still a risk of digest algorithm leakage.
The above process can guarantee the security of the message, but not its authenticity: without decrypting anything, the man-in-the-middle can use the intercepted public key to encrypt and send a forged message (a forged message body together with a forged sender's public key). The solution is to introduce an authoritative third-party organization, so that when a message arrives the receiver can first authenticate the sender's public key through that organization.
The above process assumes a peer-to-peer relationship between the client and the server. In fact, the process can be simplified: the client does not maintain a local RSA public-private key pair, but caches the randomly generated AES secret key; the server, after receiving the message, decrypts the client's AES secret key and replies using the same AES algorithm, encrypting the reply body with that key, and the client decrypts the received reply using the cached AES secret key. In fact, the simplified process plus authentication by a third-party authority that issues certificates is the basic principle of typical HTTPS encrypted message transmission.
Example of encrypted transmission for nodejs-based message exchange
Generate asymmetric encryption RSA algorithm public and private keys
Using the crypto module.
Using the node-rsa library.
Generate and save RSA public and private keys.
RSA Algorithm Encryption and Decryption
Example of using the crypto module that comes with Node.js.
Using the node-rsa library.
AES algorithm encryption and decryption
AES encryption and decryption is relatively simple: just pass in the data and the corresponding key.
Example of using the crypto module that comes with Node.js.
Combine AES and RSA encryption algorithms to encrypt and decrypt message bodies
Data encryption and decryption implementation.
Encryption of message sender’s data and decryption of receiver’s data.
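The message exchange process described earlier, covering the RSA key generation, RSA and AES encryption, and combined AES and RSA sections, as one added example using only Node.js's built-in crypto module (not the original article's code). It assumes RSA-OAEP with SHA-256 for wrapping the key, AES-128-GCM with a 16-byte random key for the body, and an IV | tag | ciphertext layout for bodyAesEncrypted; the function names and sample messages are constructed.

```javascript
const crypto = require('node:crypto');

// Preparation: each side generates an RSA key pair (2048 bits is an assumed size).
function generateRsaKeyPair() {
  return crypto.generateKeyPairSync('rsa', {
    modulusLength: 2048,
    publicKeyEncoding: { type: 'spki', format: 'pem' },
    privateKeyEncoding: { type: 'pkcs8', format: 'pem' },
  });
}

// Assumed padding choice: RSA-OAEP with SHA-256 for wrapping the AES key.
const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// Steps 2-5: random 16-byte AES key, RSA-encrypt it, AES-encrypt the body.
function encryptMessage(body, recipientPublicKey) {
  const aesKey = crypto.randomBytes(16);
  const iv = crypto.randomBytes(12); // fresh nonce for every message
  const cipher = crypto.createCipheriv('aes-128-gcm', aesKey, iv);
  const ciphertext = Buffer.concat([cipher.update(body, 'utf8'), cipher.final()]);
  // Assumed layout of bodyAesEncrypted: 12-byte IV | 16-byte GCM tag | ciphertext.
  const packed = Buffer.concat([iv, cipher.getAuthTag(), ciphertext]);
  const wrapped = crypto.publicEncrypt({ key: recipientPublicKey, ...OAEP }, aesKey);
  return {
    aesKeyEncrypted: wrapped.toString('base64'),
    bodyAesEncrypted: packed.toString('base64'),
  };
}

// Steps 6-7: RSA-decrypt the AES key, then AES-decrypt and authenticate the body.
function decryptMessage(envelope, recipientPrivateKey) {
  const wrapped = Buffer.from(envelope.aesKeyEncrypted, 'base64');
  const aesKey = crypto.privateDecrypt({ key: recipientPrivateKey, ...OAEP }, wrapped);
  const packed = Buffer.from(envelope.bodyAesEncrypted, 'base64');
  const decipher = crypto.createDecipheriv('aes-128-gcm', aesKey, packed.subarray(0, 12));
  decipher.setAuthTag(packed.subarray(12, 28));
  // final() throws if the IV, tag or ciphertext was modified in transit.
  const plain = Buffer.concat([decipher.update(packed.subarray(28)), decipher.final()]);
  return plain.toString('utf8');
}

// Constructed round trip: request under remotePublicKey, reply under localPublicKey.
const local = generateRsaKeyPair();
const remote = generateRsaKeyPair();
const request = encryptMessage('{"to":"B","amount":100}', remote.publicKey);
console.log('server reads:', decryptMessage(request, remote.privateKey));
const reply = encryptMessage('{"status":"ok"}', local.publicKey);
console.log('client reads:', decryptMessage(reply, local.privateKey));
```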
Summary
This article introduces a typical scheme that combines a symmetric encryption algorithm (AES) and an asymmetric encryption algorithm (RSA) to encrypt messages in transit between the two sides of a message exchange, and demonstrates the implementation of the main processes using Node.js code. In a browser/server (B/S) based service, the Node.js interfaces are not available on the browser side, and the encryption and decryption algorithms can be implemented with the help of APIs provided by third-party libraries such as crypto-js and jsencrypt.