Knowledge on set point summary:
Recap:
Bat era, below the epidemic. For two Ah access Jingdong shopping, only to pop up safety tips, then find Ermao find out. After the meal Ermao investigation began in plain language to explain in simple terms the role of HTTP and the advantages and disadvantages to two Ah, the functional role of HTTPS ......
Not seen part one can enter the portal:
Two Ah hang up the phone, for Ermao Xiemei smile ...
Before we start, we first understand the technology front.
Front Technology
A symmetric encryption
Definition: An encryption algorithm, there is only one key , the key may be used to encrypt the data, but also can be used to decrypt the data.
Advantages: fast speed encryption and decryption.
Cons: Because there is only one key, the scenario is not widespread.
2 asymmetric encryption
Definition: is an encryption algorithm, there are two keys , one called the public key and the other called the private key . Which can be widely advertised public key, the private key needs its own properly preserved. Public key to encrypt data, and decrypted with the private key; in turn, the private key data may be encrypted with the public key to decrypt.
Pros: Because of public and private keys can encrypt and decrypt each other, wide application scenarios.
Disadvantages: slower encryption and decryption.
3 message digest:
Definition: By a hash function, the message is a message of arbitrary length becomes shorter fixed length and a fixed content regardless of how many times the results obtained through the hash is still fixed, called a message digest.
Scenario: Long messages can be shortened, encrypted faster to process.
4 digital certificate:
Definition: by the CA (the authority of a certification body) one kind of certificates issued, which may contain information to identify your identity, similar to our identity.
Note: The CA certificate must take the initiative to apply by the end of the service. Server (assumed to be the site) to provide their own information such as domain name, then CA will use their private key to encrypt the content, and then returned to the server as a digital certificate.
Scenario:
personal I.D. Because CA is authoritative, they will be strictly private saving, public key will be widely open, so once the server site to produce a digital certificate, we can according to the CA that issued the certificate, find the corresponding public key, and then decrypt digital certificate to obtain domain name information inside, and are consistent with the domain name than the domain name to get access to current, in order to determine the true and false.
5 digital signatures:
Definition: only the sender of the information can be generated, others can not fake a string.
There are two main steps to generate:
First, the content to be transmitted message digest obtained short strings.
The sender then uses its own private key to encrypt the short string, you get a digital signature . (Of course, you can also do the entire information digital signature, but after processing the message digest information will be less, faster encryption.)
Scenario:
Integrity protection : As long as we use the sender's public key to decrypt the digital signature to obtain a summary of the original content, and talking to our own content message digest comparison, it can determine if the same, then the content is not tampered had destroyed.
Non-repudiation : As the sender's private key that only they know the sender, so long as the information is consistent comparison, we can prove that this information is written by the sender.
See here, the reader may be a bit ignorant, that digital signatures with digital certificates What is the difference ?
Usually the user digital signature using his private key encrypted digest generated, the purpose is to protect the data integrity and non-repudiation.
A digital certificate is using the CA's private key to encrypt your information form, the purpose is to prove your identity.
HTTPS technical implementation
In the example of Part , Xiaoming pass notes to red, but the plaintext communication Xiaoming fourth row of students may be eavesdropping, tampering, destruction, camouflage , and the corresponding solution is that the communication rule can have three functions : encrypted data, data integrity protection, authentication .
Then how to make the communication rule has three functions? Xiao Ming After studying the contents of the pre-technology, was inspired to so dry:
(It is assumed that the school has a captain (ie CA) for students to be able to do notary information, that issue digital certificates, Xiao Ming red have already applied for its own digital certificate digital certificate contains your name, your public key and other information )
1 pass before starting the conversation, Xiao Ming on the first pass notes of red request a digital certificate , the request also own digital certificate pass in the past.
2 red after receiving the information, the public key to decrypt the captain to get information, that is Xiao Ming passing notes to her request, so she faces the prospect of his own digital certificate of return in the past.
After 3 Xiaoming obtain a digital certificate to return, but also with the public key to decrypt the captain to get information (information containing red red name and public key), comparing the information to see if the name is red. Red, if not, no communication, and if so, the next step.
4 Bob randomly generates a string of characters, and then out Alice's public key , and a character string of encrypted with the public key, returns to the red.
5 red information is received with its private key to decrypt, and then remove a character, then the red content "consent to pass notes" as a key for a character with a symmetric encryption writing paper, the ciphertext obtained . In addition, red is also the content of "consent passing notes" in the message digest , followed by a summary of its own private key to encrypt been digitally signed , written note bylines.
6 Xiaoming received information, using the decrypted symmetric key as a character, to give the content of "agree passing notes." In order to identify whether the content is destroyed or tampered with, the use of red Bob's public key to decrypt the signature character, to get the message digest the contents of A , then the additional content "agreed to pass notes" were obtained message digest message digest b , and finally and a digest content summary content b for comparison , if the same, then there is no damage or tampered with.
7 continue communication. .
Thus the above steps, to complete the secure connection and communication : a character using both the content as a symmetric encryption key, further generates a digital signature written in the content side for verification.
Authentication implementation:
Earlier Xiao Ming is not afraid of the fourth row of the students disguised as a red paper information back to you?
Now, with digital certificates function, before beginning to prepare conversations can pass through the CA public key to decrypt the digital certificate, obtain information to identify each other's identity.
Evil fourth row students (middleman) could no longer disguise the goddess red!
Note: HTTPS mechanism is very important that the CA's private key is assumed to be safe, if leaked, HTTPS security mechanisms will fall apart. So CA is generally a large company or organization, because they are better able to protect their private keys, so the browser trusted CA list is often some well-known CA.
Data encryption implementation:
Earlier Xiao Ming is not afraid of the fourth row of the students eavesdropping note the information it?
Now because of the front of authentication, we will ensure a true party's public key, and can use the public key to encrypt transmissions for the upcoming symmetric encryption key contents of the conversation (a character in the example). As long as the secure transmission of the symmetric key, for encrypting note content it will later be efficiently achieved.
Evil fourth row students (middleman) no longer can not peek at my notes a little secret!
Note: There may be students ask, since both sides know each other's public keys after, then why not directly take each other's public key to encrypt information sent to their own? This can indeed, but it ignores efficiency, as already mentioned, an asymmetric encryption algorithm lower than the encryption algorithm is symmetric efficiency, taking into account the frequent subsequent communication, it is preferable to use symmetric encryption to encrypt the communications.
Data integrity protection achieved:
Earlier Xiao Ming is not afraid of the fourth row of the students tampering or destruction of paper information it?
Now, with digital signatures , can be compared with the original information, it can determine whether the contents of the note is changed or destroyed.
Evil fourth row students (middleman) can no longer change or destroy the emotional expression of my goddess!
HTTPS-building process:
Xiao Ming understood the above example of passing notes, come to understand the process of establishing the use of the HTTPS protocol to access the site, it is a breeze!
Establish a secure HTTPS communications, to prevent man in the middle attack, which requires the following steps:
1, the server is configured correctly the corresponding security certificate
2, the client sends a request to the server
3, the server returns the public key and certificate to the client
4, after receiving the client verifies the security credentials, if a random number is randomly generated by, encrypts it with the public key, sent to the server
5, the service will be terminated by its true random number decrypted using the private key of the encrypted random number, then use the random number as a symmetric encryption key for the data to be sent is
6, the data to the client after receiving an encrypted using a key (i.e., the generated random value) to decrypt the data and parses the data presenting the results to the client
7, SSL encryption established. Follow-up data transmission will be used in digital signature technology. .
Note: Examples Xiao Ming passing notes and users access the site a little different: red Xiao Ming passing notes to each other both sides need to authenticate each other; and users access the site, but user authentication site, the site does not validate the user. But in both cases, the use of the underlying technology are above several, but different applications.
Events subsequent eat melon
Click the exclamation point to the left of the domain name, you can view the certificate information provided by the site.
You can see the digital certificate issuer information from the e-mail may know QQ. Follow this QQ master network transmission is still a high school student beginning computer ......
However, the "beginner" speculation is clearly not consistent with common sense, "single-handedly ruining Network" required intelligence, and "take their own QQ-mail signing certificate" corresponding IQ, obviously not in the same place surface. This is not consistent with common sense, something unusual must have a demon.
Recently, the number of the primary speaker also clarified. .
After the evening, Ermao sitting at a computer desk, watching the lighted, imagine two Ah they get to know some computer knowledge, ecstatic, cheering the way, can not help but feel gratified.
He then Qiaoxia title in a row on the computer: a computer with zero-based landlord told her daughter after a middleman hijacking incident Jingdong afternoon, she was moved to tears, I decided to exempt rent.
Hey, programmer happiness, is often so plain, boring and tedious.
Past Wonderful:
Hi, I'm twenty cents, a programmer in a big city wandering
[Story] Why Jay QQ music server will send songs to hang out
Welcome to the programmer Ermao world, where you will see the distinctive characteristics of the characters, ups and downs and interesting storyline, user-friendly technology.
No public concern "programmer Ermao" backstage reply 1024 Cheats receive becomes stronger.