Android data transmission encryption

Symmetric encryption

  • Single-key encryption: the same key is used for both encryption and decryption
  • Representative algorithms: DES, 3DES, AES, RC2, RC4
  • Advantages: high encryption and decryption efficiency, simple algorithm, suitable for encrypting large amounts of data.
  • Disadvantages: key management is complex, and once the key leaks no security remains

Asymmetric encryption

  • Asymmetric encryption uses a public and private key pair: one key is used for encryption and the other for decryption
  • Representative algorithms: RSA, ECC
  • Advantages: high security, the private key cannot be derived from the public key, well suited to network transmission scenarios
  • Disadvantages: low encryption efficiency

HTTP/HTTPS

HTTP/HTTPS request and anti-capture

APP network application scenarios

  1. Use HTTP without any encryption. This is equivalent to running naked: even a junior engineer can easily snoop on all your business data.
  2. Use HTTP, but encrypt all traffic with AES using a key embedded in the client. The traffic is basically safe, but once the client code is decompiled and the key is stolen, you are back to running naked.
  3. Use HTTP, but have the client generate the AES key temporarily, GUID-style. To deliver the key safely to the server it has to be encrypted with the server's public key, so the server certificate must be embedded in the client and a mechanism is needed to update the certificate when it expires. The symmetric encryption algorithm also cannot be negotiated dynamically, so the security is still flawed.

Encrypted transmission security recommendations

  • Use HTTPS wherever possible
  • Do not transmit passwords in clear text
  • Sign the request data to prevent tampering
  • Use a temporary key for HTTP requests
  • Use CBC mode with AES
  • POST is no more secure than GET; the data must still be encrypted and signed
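
Scenario 3 combined with the recommendations above (temporary key, AES in CBC mode, signed request), as an added example that is not part of the original post. The class and method names are hypothetical, the "signature" is implemented here as HMAC-SHA256 over the IV and ciphertext, the temporary keys come from SecureRandom rather than a GUID, and the RSA key pair generated in main is a constructed stand-in for the server's key.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import javax.crypto.*;
import javax.crypto.spec.*;

public class TempKeyEnvelope {
    static final String RSA_OAEP = "RSA/ECB/OAEPWithSHA-256AndMGF1Padding";
    static final String AES_CBC = "AES/CBC/PKCS5Padding";
    static final SecureRandom RNG = new SecureRandom();
    /** Client side: returns { wrappedKeys, iv, ciphertext, tag }. */
    static byte[][] seal(PublicKey serverKey, byte[] body) throws GeneralSecurityException {
        byte[] keys = new byte[64];   // bytes 0-31: AES-256 key, bytes 32-63: HMAC key, new per request
        byte[] iv = new byte[16];     // CBC needs a fresh, unpredictable IV for every message
        RNG.nextBytes(keys);
        RNG.nextBytes(iv);
        Cipher rsa = Cipher.getInstance(RSA_OAEP);
        rsa.init(Cipher.ENCRYPT_MODE, serverKey);   // only the server's private key can unwrap
        Cipher aes = Cipher.getInstance(AES_CBC);
        aes.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(keys, 0, 32, "AES"), new IvParameterSpec(iv));
        byte[] ct = aes.doFinal(body);
        return new byte[][] { rsa.doFinal(keys), iv, ct, mac(keys, iv, ct) };
    }
    /** Server side: checks the tag first and decrypts only if it matches. */
    static byte[] open(PrivateKey serverKey, byte[][] msg) throws GeneralSecurityException {
        Cipher rsa = Cipher.getInstance(RSA_OAEP);
        rsa.init(Cipher.DECRYPT_MODE, serverKey);
        byte[] keys = rsa.doFinal(msg[0]);
        if (!MessageDigest.isEqual(mac(keys, msg[1], msg[2]), msg[3]))   // constant-time compare
            throw new SignatureException("request was modified in transit");
        Cipher aes = Cipher.getInstance(AES_CBC);
        aes.init(Cipher.DECRYPT_MODE, new SecretKeySpec(keys, 0, 32, "AES"), new IvParameterSpec(msg[1]));
        return aes.doFinal(msg[2]);
    }
    /** HMAC-SHA256 over IV and ciphertext, keyed with the second half of the temporary key. */
    static byte[] mac(byte[] keys, byte[] iv, byte[] ct) throws GeneralSecurityException {
        Mac hmac = Mac.getInstance("HmacSHA256");
        hmac.init(new SecretKeySpec(keys, 32, 32, "HmacSHA256"));
        hmac.update(iv);
        return hmac.doFinal(ct);
    }
    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair server = kpg.generateKeyPair();   // constructed stand-in for the server key pair
        byte[][] msg = seal(server.getPublic(), "{\"amount\":100}".getBytes(StandardCharsets.UTF_8));
        System.out.println(new String(open(server.getPrivate(), msg), StandardCharsets.UTF_8));
        msg[2][0] ^= 1;                           // simulate tampering: flip one ciphertext bit
        try { open(server.getPrivate(), msg); } catch (SignatureException e) { System.out.println(e.getMessage()); }
    }
}
```

Checking the tag before decrypting matters with CBC: without it, a server that reports padding errors on modified ciphertext can be used as a decryption oracle.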

https certificate verification

  • CA (Certificate Authority): the CA uses its own private key to issue a digital certificate, and the digital certificate contains A's public key. B can then use the public key in the CA's root certificate to verify the signature on the certificate issued by the CA, and so obtain A's legitimate public key.

  • Intermediate CA: most CAs do not sign server certificates directly. Instead they sign an intermediate CA, and the intermediate CA signs the server certificate. This way the root certificate can be stored offline to keep it safe, and when there is a problem with the intermediate certificate, the intermediate certificate can be re-signed with the root certificate.

  • Certificate verification: after the HTTPS handshake starts, the server sends the entire certificate chain to the client for verification. Verification means finding a certificate chain in which, for each pair of adjacent nodes, the public key of the upper-level certificate verifies the lower-level certificate. The root node of the chain is a trust anchor of the device.
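
The chain walk described above, written out as an added example (not code from the original post). It is deliberately reduced to the signature, validity-period and CA checks; the platform's own TrustManager additionally handles hostname matching, name constraints and revocation. ChainWalk and verifyChain are hypothetical names, and the chain is read from a PEM file passed as the first argument, server certificate first.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class ChainWalk {
    /** Walks from chain[0] (server) upward and returns the trust anchor that signed the top node. */
    static X509Certificate verifyChain(List<X509Certificate> chain, X509Certificate[] anchors)
            throws Exception {
        if (chain.isEmpty()) throw new SecurityException("empty chain");
        for (int i = 0; i < chain.size() - 1; i++) {
            X509Certificate lower = chain.get(i), upper = chain.get(i + 1);
            lower.checkValidity();                  // inside its notBefore / notAfter window
            if (upper.getBasicConstraints() < 0)    // -1 means "not a CA": may not sign certificates
                throw new SecurityException("issuer is not a CA: " + upper.getSubjectX500Principal());
            lower.verify(upper.getPublicKey());     // throws if upper's key did not sign lower
        }
        X509Certificate top = chain.get(chain.size() - 1);
        top.checkValidity();
        for (X509Certificate anchor : anchors) {
            if (!anchor.getSubjectX500Principal().equals(top.getIssuerX500Principal())) continue;
            try { top.verify(anchor.getPublicKey()); return anchor; }
            catch (GeneralSecurityException sameNameOtherKey) { /* try the next anchor */ }
        }
        throw new SecurityException("chain does not end at a trusted root");
    }

    public static void main(String[] args) throws Exception {
        // args[0]: PEM file with the chain as sent by the server (assumed input, leaf first)
        List<X509Certificate> chain = new ArrayList<>();
        try (InputStream in = new FileInputStream(args[0])) {
            for (Certificate c : CertificateFactory.getInstance("X.509").generateCertificates(in))
                chain.add((X509Certificate) c);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);                  // null selects the platform's default trust anchors
        X509TrustManager tm = (X509TrustManager) tmf.getTrustManagers()[0];
        X509Certificate anchor = verifyChain(chain, tm.getAcceptedIssuers());
        System.out.println("anchored at: " + anchor.getSubjectX500Principal());
    }
}
```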

https configuration

Server

  • The server generates a public and private key pair
  • Configure https for Tomcat server
  • Export certificate

Client

  • Integrate the certificate into the APK file
  • Send network request, obtain certificate, read data of https website

https API

HttpsURLConnection

// openConnection() returns URLConnection, so the result must be cast
URL url = new URL("https://google.com");
HttpsURLConnection urlConnection = (HttpsURLConnection) url.openConnection();
InputStream in = urlConnection.getInputStream();

SSLSocketFactory

private synchronized SSLSocketFactory getDefaultSSLSocketFactory() {
    try {
        SSLContext sslContext = SSLContext.getInstance("TLS");
        // null arguments select the platform's default key managers, trust managers and random source
        sslContext.init(null, null, null);
        return defaultSslSocketFactory = sslContext.getSocketFactory();
    } catch (GeneralSecurityException e) {
        throw new AssertionError();
    }
}

TrustManager

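public interface X509TrustManager extends TrustManager {
    // Throws CertificateException if the client's certificate chain is not trusted
    public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException;
    // Throws CertificateException if the server's certificate chain is not trusted
    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException;
    // CA certificates that this trust manager accepts as trust anchors
    public X509Certificate[] getAcceptedIssuers();
}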

https verification certificate problem

SSLHandshakeException

  • The CA that issued the server certificate is unknown
  • The server certificate is not signed by the CA, but self-signed
  • Server configuration is missing an intermediate CA

Custom trust strategy

// Get an input stream for the certificate
InputStream stream = getAssets().open("server.crt");
KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
keyStore.load(null, null);
Certificate certificate =
         CertificateFactory.getInstance("X.509").generateCertificate(stream);
// Create a KeyStore containing our certificate
keyStore.setCertificateEntry("ca", certificate);
// Create a TrustManager that trusts only the certificates in keyStore
String tmfAlgorithm = TrustManagerFactory.getDefaultAlgorithm();
TrustManagerFactory tmf = TrustManagerFactory.getInstance(tmfAlgorithm);
tmf.init(keyStore);
// Initialize an SSLContext with the TrustManager
SSLContext context = SSLContext.getInstance("TLS");
context.init(null, tmf.getTrustManagers(), null);
URL url = new URL(path);
HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
// Tell HttpsURLConnection to trust the specified CA
conn.setSSLSocketFactory(context.getSocketFactory());
InputStream in = conn.getInputStream();

The safe use of HTTPS for Android security development

Origin blog.csdn.net/yanwenyuan0304/article/details/106376085