Table of contents
Security Issues of Http Protocol
Characteristics of one-way hash values
Symmetric and Asymmetric Encryption
The key distribution problem of symmetric encryption
Solution to the key distribution problem
In digital signature technology, there are the following two behaviors
The role of digital signatures
Asymmetric Encryption and the Role of Signature Public Key and Private Key
The legitimacy of the public key
Certificate registration and download
1.client Hello (direction: client to server)
2.server Hello (direction: server to client)
3. certificate (direction: server to client)
4.server key exchange (direction: server to client)
5.server Hello Done (direction: server to client)
6.client key exchange (direction: client to server)
7.change cipher spec (direction: client to server)
8.finished (direction: client to server)
9.change cipher spec (direction: server to client)
10.finished (direction: server to client)
Security Issues of Http Protocol
Preface: The HTTP protocol uses clear text transmission by default, so there will be great security risks
A common method to improve security: encrypt the communication content before transmission
Common Encryption Methods
- Irreversible: one-way hash functions (MD5, SHA)
- Reversible: symmetric encryption (DES, 3DES, AES, etc.), asymmetric encryption (RSA)
- Others: hybrid cryptographic systems, digital signatures, certificates
prevent eavesdropping
Understanding: The sender and the receiver agree on the encryption and decryption method in advance. The sender encrypts the plaintext and turns it into ciphertext for transmission on the Internet. After receiving the ciphertext, the receiver decrypts it to obtain the plaintext.
one-way hash function
Preface: One-way hash function, which can calculate the hash value according to the content of the message, which is also called message digest function or hash function, and the output hash value is also called message digest or fingerprint
Note: The length of the hash value has nothing to do with the length of the message. Regardless of whether the message is 1bit, 10M, or 100G, the one-way hash function will calculate a fixed-length hash value, but the previous data cannot be pushed back when the hash value is obtained. content (one-way)
Characteristics of one-way hash values
- Calculate a fixed-length hash value based on a message of any length
- The calculation speed is fast, and the hash value can be calculated quickly
- Different messages have different hash values (even if there is only a 1-bit difference, it will produce completely different hash values)
- One-way
encryption and decryption
process:
- Encryption: use a key to encrypt plaintext into ciphertext through an algorithm
- Decryption: use a key to convert ciphertext into plaintext through an algorithm
Symmetric and Asymmetric Encryption
- Symmetric encryption: the key in encryption and the key in decryption are the same key
- Asymmetric encryption: the key used in encryption and the key used in decryption are different
The key distribution problem of symmetric encryption
Summary: In the process of symmetric encrypted message transmission, the encrypted information and key are easy to be eavesdropped by hackers, which eventually leads to the leakage of the message
Solution to the key distribution problem
- Implement a shared secret (privately shared)
- Key Distribution Center (KDC)
- Diffie-Hellman key exchange
- asymmetric encryption
asymmetric encryption
Foreword:
- In asymmetric encryption, the key is divided into encryption key and decryption key, they are not the same key
- The encryption and decryption speed of asymmetric encryption is very slow compared to symmetric encryption
public key and private key
- Public key: It is generally used publicly for encryption, so the key is also called a public key, so asymmetric encryption is called public key cryptography
- Private key: It is kept by the recipient of the message for decryption and cannot be made public, so it is also called a private key
Asymmetric encryption process
- A pair of public key and private key is generated by the recipient of the message
- Send the public key to the sender of the message
- The sender of the message encrypts the message using the public key
- The recipient of the message decrypts the message using the private key
Notice:
- There is a one-to-one correspondence between the public key and the private key and cannot be generated separately
- A pair of public and private keys is collectively called a key pair
- The ciphertext encrypted by the public key must be decrypted by using the private key corresponding to the public key, and the ciphertext encrypted by the private key must be decrypted by using the public key corresponding to the private key
hybrid cryptosystem
Foreword:
- Symmetric encryption cannot solve the key distribution problem very well
- Asymmetric encryption and decryption are relatively slow
Meaning: A hybrid cryptosystem is a method that combines the advantages of symmetric and asymmetric encryption
Note: SSL/TLS used for encrypted communication on the network uses a hybrid cryptosystem
Hybrid Cipher - Encryption
Session key: The temporary key randomly generated during communication is used as a symmetric encryption key to encrypt information to increase speed
encryption steps
- First, the message sender needs to have the public key of the message receiver
- Generate a session key to encrypt information as a key for symmetric encryption
- Encrypt the session key with the public key of the recipient of the message
- Send the encryption results generated in the first two steps to the message receiver
Hybrid Cipher - Decryption
Decryption steps
- The receiver of the message decrypts the session key with his own private key
- Then use the session key decrypted in the first step to decrypt the message
digital signature
foreword
In the following scenario, alice sends a message to bob (I like you) but the following situation occurs
The content posted by Alice here may have been tampered with, or someone faked it, or it was originally posted by Alice, but it can be denied, so how does Bob determine the authenticity of this message?
Note: Digital signatures are not used for data encryption, but to ensure data reliability
In digital signature technology, there are the following two behaviors
- Generating a signature: done by the sender of the message, generated through a "signature key"
- Verifying the signature: done by the receiver of the message, through the "verification key" to verify
digital signature process
the whole process:
- The sender generates a pair of key pairs, and at the same time makes the public key known to the receiver
- The sender encrypts the message to be sent with his own private key, and then becomes a signature
- The sender sends the message and signature to the message receiver
- After receiving the message and signature, the receiver uses the sender's public key to decrypt the signature to obtain the data
- Compare the decrypted data with the message, if they are consistent, the signature verification is successful
Note: Generally, digital signatures do not encrypt and decrypt the entire message, so the efficiency is too slow
process improvement
the whole process:
- The sender generates a pair of key pairs, and at the same time makes the public key known to the receiver
- The sender calculates the hash value of the message through a one-way hash function
- The sender encrypts the hash value with his own private key to get the signature
- The sender sends the message and signature to the receiver
- The recipient decrypts the signature with the public key to get the hash value 1
- The receiver hashes the message to get the hash value 2
- The receiver compares the two hash values, and if the hash values are consistent, the signature verification is successful
The role of digital signatures
- Confirm message integrity
- Identify whether a message has been tampered with
- Prevent message sender from denying
Asymmetric Encryption and the Role of Signature Public Key and Private Key
- Since it is encrypted, I definitely don’t want others to know my information, so only I can decrypt it (the public key is responsible for encryption. The private key is responsible for decryption)
- Since it is a signature, I definitely don’t want someone to pretend to be me and send a message, so only I can sign (the private key is responsible for signing, and the public key is responsible for signature verification)
The legitimacy of the public key
Preface: If a man-in-the-middle attack is encountered, the public key can be forged. How to verify the legitimacy of the public key (certificate)
Simple understanding: the middleman Mallory hijacks the recipient's public key and the sender's ciphertext, sends his own public key to the sender, receives the ciphertext sent by the sender, and sends the ciphertext tampering to the recipient (here public key has been tampered with)
Certificate
foreword
When it comes to certificates, the first thing you think of is a driver's license, graduation certificate, English level 4 or 6 certificate, etc., all of which are certified by an authoritative organization, and the certificate in cryptography is called a public key certificate. It is similar to a driver's license. It contains name, Personal information such as email address, as well as the person's public key and digitally signed by a certificate authority
Notice:
- A CA is an individual or organization that can determine that "the public key really belongs to this person" and can generate a digital signature
- The public keys of some certificate authorities have been integrated into the browser
Use of certificates
Certificate registration and download
HTTPS
foreword
Meaning: HTTPS (hyperText transfer protocol secure), translated as hypertext transfer security protocol, often called HTTP over TLS, HTTP over SSL, HTTP Secure; it was proposed by Netscape in 1994, and its goal is security The HTTP channel is simply a secure version of HTTP. That is, the SSL layer is added under HTTP, and the security basis of HTTPS is SSL, so the detailed content of encryption requires SSL.
Notice:
- The default port number for HTTPS is 443
- The HTTPS protocol requires ca to apply for an integer number. Generally, there are few free certificates and a fee is required.
- HTTPS uses SSL/TLS to encrypt messages on the basis of HTTP, which provides reasonable protection against eavesdropping and man-in-the-middle attacks
- SSL/TLS can also be used on other protocols (FTP - FTPS, SMTP - SMTPS)
SSL/TLS
- SSL: ( Secure Socket Layer, Secure Socket Layer), a protocol layer between a reliable connection-oriented network layer protocol and an application layer protocol. SSL achieves secure communication between client and server through mutual authentication, digital signatures for integrity, and encryption for privacy. The protocol consists of two layers: SSL record protocol and SSL handshake protocol
- TLS: (Transport Layer Security) transport layer security protocol, formerly SSL
SSL/TLS works at which layer
SSL protocol function
- Guarantee the confidentiality of transmitted data
- Guarantees the integrity of transmitted data
- Realize mutual identity authentication of communication parties
HTTPS communication process
- TCP three-way handshake
- TLS connection
- HTTP request and response
TLS 1.2 connection
Note: Some ACK confirmations generated in the middle are omitted in the picture
1.client Hello (direction: client to server)
- TLS version number used
- List of supported encryption components (encryption components refer to the encryption algorithm used and key length, etc.)
- a client random number
2.server Hello (direction: server to client)
- TLS version number
- Select a good encryption component from the client encryption component
- A server random number
3. certificate (direction: server to client)
- The server's public key certificate (signed by a CA)
4.server key exchange (direction: server to client)
- Used to implement a parameter in the ECDHE algorithm (a key exchange algorithm) (Server Params - in order to prevent forgery, this parameter has been signed by the server private key)
5.server Hello Done (direction: server to client)
- Inform the client that the negotiation part is over
So far, the client and the server have shared client random, server random, and server params in plain text (the client uses the server's public key for verification), and the client has also obtained the server's public key certificate, and then the client begins to pass The browser's built-in CA public key is used to verify the validity of the certificate. If the certificate is ok, you can get the server public key in the certificate.
6.client key exchange (direction: client to server)
- Another parameter (client params) to implement the ECDHE algorithm
So far, both the client and the server have two parameters required by the ECDHE algorithm: server params, client params; at this time, both the client and the server can use the ECDHE algorithm; at this time, a random key string is calculated based on these two parameters : Pre-master secret, then combine client random, server random, and Pre-master secret to generate a master key, and finally use the master key to derive other keys: session key for client sending, session key for server sending key, etc. (symmetrical encryption method - the data sent by the client is encrypted with the client's session key, and the server receives the ciphertext and decrypts it with the client's session key, and vice versa)
7.change cipher spec (direction: client to server)
- Inform the server that subsequent communications will be encrypted using the calculated client session key
8.finished (direction: client to server)
- Tell the server that the TLS connection is almost done
- Contains the overall verification value (summary) of all messages connected so far, encrypted (with the client session key) and sent to the server
Note: Whether this handshake negotiation is successful depends on whether the server can correctly decrypt the message as a criterion
9.change cipher spec (direction: server to client)
- Inform the client that subsequent communications will be encrypted using the calculated server session key
10.finished (direction: server to client)
- Inform the client that the TLS connection is almost done
- The server encrypts the data with the server session key and sends it to the client
So far, the client server has verified that the encryption and decryption are no problem, and the handshake is officially over; the transmission (session key) encrypted HTTP request and response will start later