Recently the company share will talk a piece of content, so they learn a bit.
Mischief in the client and server is nothing more than a middleman to do three things:
eavesdropping, counterfeiting, tampering with
https is to prevent the emergence of middlemen mischief.
Here to introduce two concepts:
- Symmetric encryption: symmetric encryption private key encryption also known, i.e., the sender and recipient information using the same key to encrypt and decrypt data. Symmetric encryption algorithm is disclosed features, fast speed encryption and decryption, suitable for encrypting large amounts of data, a common symmetric encryption algorithms are DES, 3DES, TDEA, Blowfish, RC5 and IDEA.
Encrypting process is as follows: + plaintext private key encryption algorithm + => ciphertext decryption process is as follows: The ciphertext decryption algorithm + + private key => plaintext
symmetric encryption key is called the private key used in private key secret private individuals represents key, namely the key can not be compromised.
Its private key encryption and decryption process used in the process is the same private key, which is citing encryption is called a "symmetry". Since symmetric encryption algorithm is public, so once the private key is compromised, then the ciphertext is easy to be cracked, the symmetric encryption key security management drawback is difficult. - Asymmetric encryption: asymmetric encryption is also called public key encryption. Asymmetric encryption compared with symmetric encryption, security better. Symmetric encryption communicating parties use the same key, if the key party was leaked, the entire communication will be cracked. Instead of using a pair of symmetric encryption key, i.e., public and private, and the two in pairs. The private key is saved himself, not leaked outside. Key is a public key, anyone can get the key. Private key encrypted with a public key or any, to be decrypted by the other.
Encrypted through public key ciphertext can only be decrypted private key, as follows: + a public key encryption algorithm plaintext + => ciphertext, the ciphertext decryption algorithm + + private key => plaintext
is encrypted private key ciphertext only public key can be decrypted as follows: + plaintext private key encryption algorithm + => ciphertext, the ciphertext decryption algorithm + + public key => clear text
because the encryption and decryption using two different keys, which asymmetric encryption the reason "asymmetric" is.
Asymmetric encryption to encrypt and decrypt the disadvantage that it takes a long time, slow, suitable only for small amounts of data to be encrypted.
The main algorithm used in asymmetric encryption has: RSA, Elgamal, Rabin, DH , ECC ( elliptic curve cryptography) and the like.
Start
Think about it, if the two sides communicate directly transmitted in the clear, the equivalent of driving a speaker phone, barabara, the neighbors can hear, there is the chance of dangerous self-evident.
So we have to encrypt, what means it, due to the asymmetric encryption time-consuming and resource-consuming too large , natural symmetric encryption is enough. Have each two symmetric algorithm only they know, access to the private key, use this to post plaintext encryption for transmission, is the best solution.
So how can you determine just part of their proprietary symmetric algorithm yet.
A random number . Generating a random number by a symmetric algorithm.
That the two sides to communicate how good random number which is it?
If the random algorithm is captured middleman not to fall short it?
This number would naturally have to be encrypted. With the kind of encryption it?
Here we think, if also used symmetric encryption, then the symmetric encryption public key, what is it? Then create a random number? That is not to cycle of death thing?
That here we have to use the asymmetric encryption.
Is generated by the private key of the server, and the public key to each of the service request to its client, the client generates a random number, encrypted with the public, another anti sent to the server, the server with the private key to decrypt , the two parties will have the private key generated by a random number.
This ensures that the client sends to the information server is secure , after no intermediate server private key to decrypt the symmetric encryption algorithm such that the subsequent transmission is secure.
Think about it, this process is still a problem.
If the server's public key is a middleman begin to create their own, and that the next dialogue is not that the client and the intermediary two parties yet?
Here we can not, and have to have third-party authority (CA) involved in it, or else the two parties will never want to prove the opposite is true own transmission.
This third party is to have credibility, by his proof, to prove that "I am I," as the role of identity in general. Third party may have a number, but the top must be the only one, namely root CA , if other companies also want to be a third party, must apply to the top.
So on the introduction of digital certificates + digital signature
can prove that the information on the server's authenticity at the time of issuance of public key server to the client.
To verify that the client how it?
The answer is that the certificate itself has to tell the client how to verify the authenticity of the certificate.
That is, how to generate a certificate written on the certificate number based on the contents of the certificate. Clients get the certificate generation method according to the certificate yourself a certificate number, certificate number on the same certificate number and certificate if generated, then that the certificate is real.
Visible, in fact, this third-party certificate is encrypted before, but this decryption method is published. And is not asymmetric encryption like.
In fact, the case, when the server application for a certificate when the third party will use its own private key to encrypt it, its public key is published, each browser will have when the client receives the certificate sent by the server , will traverse the decryption algorithm in their own third party to decrypt the place, you can go on.
Then I re-haircut process
- The client makes a request to the server
- The server has an asymmetric encryption public and private keys generated, will leave his private, public and third parties will use asymmetric encryption private keys generated by encrypting the digital certificate to prove their identity and signature to send to the client
- View client to third parties digital signature certificate belongs to, with the public key to decrypt the third-party organizations, information services that end, that is what you want the requesting party. Then generates a random number, the random number generating a public key of a symmetric encryption algorithm with a random number, then use the public key sent by the server public key encryption, is sent to the server.
- Server-side with their own private key to decrypt, to come up with a symmetric encryption public key, so that the two sides have been unique to both sides, the public consultation is completed, after which the content encrypted with this public / decryption can be transmitted
Reference: https://www.wandouip.com/t5i334824/
