Interesting talk about HTTPS

HTTPS is a combination of the familiar HTTP protocol and an encryption protocol, that is, HTTP+S. The S can be TLS (Transport Layer Security) or SSL (Secure Sockets Layer), but I agree with another, more abstract reading: HTTP+Security. First of all, HTTPS is not the official name of this encryption technology. HTTPS stands for "HTTP protocol implemented over TLS/SSL", so the encryption is actually implemented by the TLS/SSL layer below HTTP. Let's take a look at the main mechanisms implemented by TLS/SSL:
1. Certificate: Verifies and guarantees the identity of the website through a third-party authoritative certificate authority (such as VeriSign), preventing others from forging the identity of the website and establishing encrypted connections with unsuspecting users.
2. Key exchange: A common session key is negotiated between the website server and the user through public key (asymmetric) encryption.
3. Session encryption: Encrypt the content of the session with a symmetric encryption algorithm through the session key negotiated in mechanism (2).
4. Message verification: The message verification algorithm is used to prevent encrypted information from being tampered with during transmission.
Through the above mechanism, the transmission content between the user and the website is protected, so a high level of security can be obtained.
However, no cryptographic method is absolutely safe, and each of the above mechanisms carries possible risks:
1. Certificate: If someone forges a certificate, the browser will issue a warning to remind the user that the website's certificate may be forged. Access should be stopped at that point; if you ignore the browser's warning, your session information is at risk of being stolen by the forger. In addition, if a third-party certificate authority is attacked and the attacker steals the issued certificate key, the corresponding website certificate can be forged and the browser's security mechanism can be completely fooled. Such an example has indeed happened.
2. Key exchange: RSA, the most commonly used public key encryption algorithm, is generally very secure.
3. Session encryption: AES-256 (CBC mode) is a very widely used encryption algorithm. Using a 256-bit key means its security is very high. If a 128-bit key (AES-128) is used, the security is slightly lower.
4. Message verification: SHA1 is a hash algorithm. SHA1 is more secure than MD5, but if SHA256 is used, the security will be better.

The above is very abstract, isn't it? Let's use "passing notes", which everyone did when they were young, to illustrate it vividly.

HTTP

Suppose you are sitting in a classroom and you really want to say something to the charming TA by the aisle. Usually you would communicate by "passing a note". This method is very similar to the basic working mode of the TCP/IP protocol: you attract the attention of the other party through small movements; the other party responds to you in one of several possible ways (gaze, body language, etc.); after you confirm that the other party has noticed you, you pass the note to them; the other party reads the note; the other party gives you a reaction after reading. Does this process look familiar? What if the TA you want to pass the note to is far away from you?
The HTTP protocol means that you write on the note which TA it is for, or where the TA's seat is, and then you only need to hand the note to the classmates along the way, who pass it on in turn according to the instructions on the note. That is all.

At this point a problem arises: the classmates along the path can look at the note and know what you wrote on it. This is one of the problems faced by HTTP transmission: the man-in-the-middle attack, which means that while a message is in transit, an attacker on the transmission path can sniff or eavesdrop on the content of the transmitted data.

HTTPS

HTTPS solves this problem by using "encryption". The oldest and best-known encryption method is the symmetric encryption algorithm: the two parties agree on a secret code, such as which letter to replace with which letter. Nowadays a symmetric algorithm called AES (Advanced Encryption Standard) is generally used. A symmetric encryption algorithm means that the key required for encryption and decryption is the same. AES mathematically guarantees that as long as the key you use is long enough, cracking is almost impossible (unless a photonic computer is built). Let's assume that the ciphertext cannot be cracked without the key, and go back to the classroom.

You wrote the content encrypted with AES on a note, and just as you were about to send it, you suddenly thought: how can the TA decrypt the content without the key? In other words, how should the key be given to the TA? If the key is also written on the note, the middleman can still eavesdrop on the content of the note. In the real world you might have other ways to send the key to the TA through some secure channel. On the Internet, however, this is more difficult to do, since the data must pass through those routes no matter what.

So smart people invented another kind of encryption algorithm: the asymmetric encryption algorithm. This kind of algorithm generates two keys (key1 and key2).
Data encrypted with key1 cannot be decrypted with key1 itself, only with key2; data encrypted with key2 cannot be decrypted with key2 itself, only with key1. There are many such algorithms; the most commonly used is RSA. It is based on the mathematical principle that the product of two large prime numbers is easy to calculate, but it is very hard to work out from the product which two primes were multiplied. Fortunately, with current technology it is indeed difficult to factor large numbers into primes, especially when the number is large enough (usually 2 to the 10th power binary digits); even for supercomputers, decryption takes a very long time.

Now apply this asymmetric encryption method to the scene of passing notes in our classroom. Before writing the contents of the note, you use RSA to generate a pair of keys, k1 and k2. You send k1 in plaintext. Someone may intercept it, but it is useless to them: data encrypted with k1 can only be decrypted with k2, and k2 stays in your own hands. When k1 reaches the destination, the destination prepares a transmission key, key, to be used for symmetric encryption (AES), encrypts key with the received k1, and sends it to you. After you recover key with the k2 in your hand, only you and your target in the whole classroom have this symmetric key, and the two of you can chat freely without fear of eavesdropping.

You may have a question here: why not use asymmetric encryption directly to encrypt the information, instead of encrypting the AES key? Because asymmetric encryption and decryption take relatively long on average, to save time and improve efficiency we usually use it only to exchange keys rather than to transmit data directly. But does using asymmetric encryption really prevent man-in-the-middle attacks?
Although it looks safe, it can't actually stop the hateful man-in-the-middle attack. Suppose you are A, your destination is B, and the note has to pass through a malicious classmate M. The malicious thing about the man in the middle is that he pretends to be your target. When you are about to complete the first key exchange with B, M takes the note, pretends to be B, forges a key, encrypts that key with the k1 you sent, and sends it back to you. You think you have completed the key exchange with B, but you have actually completed it with M. Meanwhile, M completes a key exchange with B, letting B think that the key exchange was completed with A. The overall encryption process now becomes A (encrypted link 1) -> M (plaintext) -> B (encrypted link 2). M can still know all the messages transmitted between A and B.

This is where the difference between HTTPS and passing notes shows. In the classroom, you are communicating with someone whose standing is roughly equal to yours; when visiting a website, the other party is often a relatively large (or well-known) service provider with abundant resources, so perhaps they can prove their legitimacy to you. At this point we need to introduce a highly authoritative third party, an organization dedicated to certifying the legitimacy of websites, which can be called a CA (Certificate Authority). Each website service provider can apply for a certificate from the CA, so that it can present the CA's signature when establishing a secure connection. The security of the CA is vouched for by the operating system or the browser. Your Windows, Mac, Linux, Chrome, Safari, etc. come with a list of CA certificates that they consider safe at installation. Only when the website that establishes a secure connection with you carries the signature of one of these CAs will the operating system and browser consider the link secure; otherwise, it may be subject to a man-in-the-middle attack.
Once a certificate issued by a CA is used in an illegal way, all certificates previously issued by this CA will be regarded as insecure, which makes all CAs very careful when issuing certificates, so CA certificates are usually trustworthy.
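
The key exchange between A and B, the substitution by M, and the CA check described above, as an added example that is not part of the original article. It uses textbook RSA over small constructed primes as a stand-in for real RSA, reduces a certificate to a signed (name, k1) pair, and all function names are hypothetical.

```python
import hashlib
import secrets

E = 65537  # public exponent shared by all toy keys below

def keypair(p, q):
    """Textbook RSA from two primes; returns (k1 public, k2 private)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))

def rsa(key, m):
    """Apply one key of a pair to m: m ** exponent mod n."""
    return pow(m, key[1], key[0])

def fingerprint(name, k1, ca_n):
    """Hash that binds an identity to a public key, reduced below the CA modulus."""
    h = hashlib.sha256(f"{name}|{k1[0]}|{k1[1]}".encode()).digest()
    return int.from_bytes(h, "big") % ca_n

def issue_cert(ca_k2, name, k1):
    """CA side: sign the (name, k1) binding with the CA private key."""
    return {"name": name, "k1": k1, "sig": rsa(ca_k2, fingerprint(name, k1, ca_k2[0]))}

def cert_ok(ca_k1, cert, expected):
    """Client side: the name must match and the CA signature must cover this exact k1."""
    want = fingerprint(cert["name"], cert["k1"], ca_k1[0])
    return cert["name"] == expected and rsa(ca_k1, cert["sig"]) == want

# Constructed toy keys built from small Mersenne primes (far too small for real use).
CA_K1, CA_K2 = keypair(2**107 - 1, 2**127 - 1)
A_K1, A_K2 = keypair(2**61 - 1, 2**89 - 1)
M_K1, M_K2 = keypair(2**19 - 1, 2**31 - 1)

def b_wraps_session_key(cert, ca_k1=None):
    """B picks a session key and encrypts it with the k1 it received."""
    if ca_k1 is not None and not cert_ok(ca_k1, cert, "A"):
        return None, None  # k1 is not vouched for as A's: refuse to continue
    session = 2 + secrets.randbits(32)
    return session, rsa(cert["k1"], session)

def exchange(tampered, verify):
    """Returns (B sent a key, A recovered it, M recovered it)."""
    cert = issue_cert(CA_K2, "A", A_K1)
    if tampered:  # M swaps in its own k1 but can only reuse A's signature
        cert = {"name": "A", "k1": M_K1, "sig": cert["sig"]}
    session, wrapped = b_wraps_session_key(cert, CA_K1 if verify else None)
    if wrapped is None:
        return False, False, False
    return True, rsa(A_K2, wrapped) == session, rsa(M_K2, wrapped) == session
```

Without verification, the swapped key goes unnoticed and only M can recover the session key; with the CA check, B refuses the swapped key before any session key is sent.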

Original link: http://www.jianshu.com/p/be7a20cc8468
