HTTP problems
That might be what we usually online risks exist?
-
Leaks, personal privacy, passwords and other account may be stolen.
-
Tampering, data received from third parties may be modified, or implanted advertising.
-
Fake, non-target sites visited server site. Such as domain spoofing, domain name hijacking, phishing sites and so on.
You may live next door to wear sandals, the words are slightly shy Wang, one to the dead of night began peeping your every move!
Accompany you to watch a movie together in a community of 91 Fortunately, various shopping sites in case of theft or login information on other sites ...... is not afraid to think about some of it!
Why do people get the data you can access it? There have been some network based on how many friends are on the TCP / IP and some understanding of the various handshake waving long to recite, the HTTP protocol as early as clear in mind.
HTTP is an application layer protocol, the uppermost located TCP / IP Reference Model. After the user data encapsulation layer application layer, transport layer, network layer, link layer via the physical layer to the target machine.
In these layers, the data is not encrypted, so once people get to your packet, you can easily get to the information data.
In order to protect data privacy, so that data is no longer "naked." The data to be transmitted is encrypted it is very necessary.
For now, the encryption algorithm can be divided into two categories, one is a symmetric encryption algorithm, there is a class of asymmetric encryption algorithms.
Symmetric encryption
Encryption and decryption are symmetric encryption algorithms use the same key. Under certain conditions, symmetric encryption can solve the problem of the security of the data transmission.
For example, when I log on to a Web site, you need to fill in the account name and password, the client information log on to form the symmetric encryption before transmission, this time even if Wang can capture packets, he can not get the content data, because data has been encrypted.
But after receiving the data server is also a look ignorant to force you to send encrypted data packet server does not know the decryption key!
It is not the client and server before the key communication should first consult it? The client can inform the server required data is turned on, and then the server tells the client, we use it after encryption and decryption keys xxxx this!
Such content can be encrypted transmission, but the process is the first step in the figure above key negotiation and there are also security issues!
Wang intercepted data in case of a negotiated key, that encrypted transmission of data subsequent to Wang is tantamount to an unencrypted! So, there is a problem symmetric encryption key negotiation!
Asymmetric encryption
Based on symmetric encryption problems, there has been asymmetric encryption. Asymmetric encryption algorithm requires a set of key pairs, respectively public and private keys, two keys are paired.
Need to use public key encryption private key to decrypt the content, the private key to decrypt the encrypted content needs with the public! By the server private key save themselves, the public key is sent to the client.
After the client to get the public key can encrypt after a request is sent to the server, and this time even was intercepted Wang, Wang did not send the private key can not decrypt the content, so make sure that the client sends to the server data "security"!
However, since the public key need be sent to the client via the network, the same can be intercepted by Wang, the contents so that the server private key encryption can still be intercepted and decrypted Wang, and asymmetric encryption efficiency is low.
Symmetric encryption and asymmetric encryption problem exists key transport, but at least asymmetric encryption ensures that the client is transmitted to the content server can not be "cracked" and the symmetric encryption algorithm performance and better, that we can not be like this it.
When the first communication server sends the public key to the client, the client generates a symmetric key by the terminal to the service by the end of the public key encryption server, the subsequent interactions are transmitted encrypted symmetric key.
That first symmetric key by asymmetric key encryption, symmetric key encryption content actually requested.
The above program looks perfect, Wang get the data seemingly can not start, but really perfect yet?
We take a look at the following figure:
That Wang can masquerade as the server communicates with the client. More like a middleman between you and the server! That key negotiation process is still loopholes!
Brain hurt a little wide! I can not allow safe access to the Internet! There would be no more secure mechanism yet? In the process of key negotiation, the client can determine how the other side is the real target server? How to prove the identity of the server do? We first look at the digital certificate!
Digital Certificates
We live in a variety of cards, have to prove that he is the identity of the person's identity card, he has to prove himself read the book a few years diploma.
These certificates are certified by certain organs of authority, it can not be forged, to prove their identity credentials.
That server is not it also can have a similar identity something to prove when communicating with the server itself is indeed the target server instead of Wang forged it?
In real life, these documents are able tangible, and the certificate in the computer is virtual, visible but intangible, is recorded in the form of data, so called digital certificates!
The first time a client communicates with the server, the server needs to produce their own digital certificate, to prove his identity and its own public key, similar to the following (in fact, a bunch of data, here for intuitive):
The digital certificate that how to generate it? You can not build a server yourself, right? Mentioned above, the certificate of our lives are issued by the authorities, it can not be forged.
Such as identity card is certified by the police, diploma certified by the Ministry of Education, if you need to verify the true and false, just enter the number on the systems of the inquiry can be found! Digital certificates that we should have these two characteristics, issued by the authority, security!
CA agency
CA authority is the digital certificate issued by the agency responsible for issuing the legality certificate and verification certificate.
If the server needs to be the identity of the server, you need to submit the application to the CA, of course, the money to do the job, you pay in order to obtain a permit ......
Server applications submitted to the CA, need to submit information sites such as domain name, company name, public key, etc., after approval correct CA can issue a certificate to the server!
Clients get the certificate server, you need to verify that the certificate number CA can be found in the corresponding institutions, and basic information such as the domain name verification certificate on the certificate is consistent with the current visit of the domain name, etc., can also get certificate public key information server for negotiating a symmetric key!
Certificate, but, how to prevent forgery, how to ensure not been tampered with during transmission it? Wang case to intercept digital certificates, public key into their own that still can not guarantee the security is not it? This requires a digital signature!
digital signature
The company signed a labor contract with the friends should all know, fill in the information in the contract, there can not be altered, or need to re-fill! And the signature and stamp Finally Party and Party.
Once the contract is signed and sealed after it has the force of law, the contract can no longer be modified. Signature and stamp operation is to prevent forgery contract provisions can not be modified to prevent the contract from being tampered!
In real life, the signature and seal operation is real action, acting on a specific object!
But our digital certificate itself is virtual, how to give a virtual certificate signed and sealed it? Digital signature is what mechanism?
We are doing the privilege system when storing the user password is going to be through MD5 After calculating summary storage, digest MD5 digest and database storage computing users to fill in at the time of login password comparison, if consistent with the password is correct, otherwise the login fails !
MD5 is not reversible, and different data calculated digest is not the same (of course, there will be a very small probability of collision Hash), based on this feature, there is a digital signature of ideas.
Basic information server submit their application to the CA, the CA when issuing certificates to the server will be sent together with a summary based on digital certificates and certificate to the server computing together, and this summary is to go through their own institutions CA private key Encrypted.
The application process is as follows:
What? Not intuitive? Then we come straight view! We can see by the chart below server certificate issued by CA to have their own exclusive "seal" of.
CA agency for which a client is said to be the authority or approved it? We open the IE browser can see the information of the client built-in CA agencies, including the CA's public key, signature algorithm, validity period and so on ...
Server when communication with the client, they will be digital certificates and digital signatures to present to the client.
After the client to get a digital certificate and digital signature, first built trust by operating system or browser CA agencies to find the corresponding public key of the CA to decrypt the digital signature, and then using the same calculation digest digital certificate digest algorithm.
Abstract and server computing if they sent a summary of the agreement, the certificate is not tampered with!
This prevents tampering! Third-party CA can not get private institutions and are unable to digest is encrypted, if a third-party forged signatures nature will not be able to decrypt the client, which prevents forgery!
Therefore, the digital signature is through this mechanism to ensure that the digital certificate has been tampered with, and be forged. Specific process is as follows:
What? Yet intuitive enough? Then we continue ...
It should be noted that a CA public key institutions, built-in client, used to decrypt the digital signature! Another is the public key of the target server, the content in the digital certificate, used to negotiate a symmetric key!
HTTPS
The title of this article is HTTPS, HTTPS but so far nothing about! In fact, HTTPS = HTTP + SSL, between HTTP and TCP layer plus a SSL / TLS layer.
As shown below:
SSL (Secure Sockets Layer) Chinese called "Secure Sockets Layer", due later after extensive application, SSL standardization will be renamed TLS (Transport Layer Security) a.
HTTPS is solved by means of the above mentioned those data leaks that may exist on the network, tampering, counterfeiting of these problems and ensure secure network transmission of your friends!
Here you see, whether the principle of HTTPS understand it, anyway, my grandmother read've got it! Manual dog's head (* ¯)¯)
-END-
