Interviewer: Why is HTTPS more secure than HTTP? How does HTTPS ensure security?

Language 2023-09-06 08:25:07 views: null

Interviewer: Why is HTTPS more secure than HTTP? How does HTTPS ensure security?

1. Security features

In the previous article, we learned that HTTPin the communication process, there are the following problems:

  • Communication uses clear text (not encrypted), the content may be eavesdropped
  • Does not verify the identity of the communicating party, so there is a possibility of spoofing

And HTTPSthe emergence of the new technology is to solve these problems, HTTPSit is built on SSLtop of it, and its security is guaranteed SSLby

Once adopted SSL, features such HTTPas HTTPSencryption, certificates, and integrity protection

SSL (Secure Sockets Layer Secure Sockets Protocol), and its successor, Transport Layer Security (TLS), is a security protocol that provides security and data integrity for network communications

insert image description here

Two, how to do it

SSL The realization of these functions mainly depends on three means:

  • Symmetric Encryption: Data is encrypted using a negotiated key
  • Asymmetric Encryption: Implementing Identity Authentication and Key Agreement
  • Digest Algorithm: Verifies the integrity of the message
  • Digital Signatures: Authentication

Symmetric encryption

Symmetric encryption means that both encryption and decryption use the same secret key, which is symmetrical. As long as the security of the key is guaranteed, the entire communication process can be said to be confidential

insert image description here

asymmetric encryption

In asymmetric encryption, there are two secret keys, one is called the public key and the other is called the private key. The two secret keys are different, the public key can be disclosed to anyone, and the private key needs to be kept secret

Both the public key and the private key can be used to encrypt and decrypt, but the public key can only be decrypted with the private key after encryption
, and conversely, the private key can only be decrypted with the public key

insert image description here

hybrid encryption

In HTTPSthe communication process, symmetric encryption + asymmetric encryption is used, that is, hybrid encryption

As mentioned in symmetric encryption, if the security of the key can be guaranteed, the entire communication process can be said to be confidential

Asymmetric encryption is HTTPSused to solve the problem of key exchange

The specific method is that the party sending the ciphertext uses the other party's public key to encrypt the "symmetric key", and then the other party uses its own private key to decrypt to obtain the "symmetric key"

insert image description here

This ensures that the exchanged keys are secure and communicate using symmetric encryption

for example:

The website keeps the private key secretly, and distributes the public key arbitrarily on the Internet. If you want to log in to the website, you only need to encrypt it with the public key. The ciphertext can only be decrypted by the holder of the private key. The hacker cannot decrypt the ciphertext because he does not have the private key.

The above method solves data encryption. In the process of network transmission, data may be tampered with, and hackers can forge their identities to issue public keys. If you obtain fake public keys, hybrid encryption is of little use. Your data Throwing was solved by hackers

Therefore, on the basis of the above encryption, it is still necessary to add the characteristics of integrity and identity verification to achieve real security. This function is realized by the digest algorithm

digest algorithm

The means to achieve integrity is mainly the digest algorithm, which is often referred to as the hash function, hash function

It can be understood as a special compression algorithm, which can "compress" data of any length into a fixed-length and unique "summary" string, as if generating a digital "fingerprint" for this piece of data

[External link picture transfer failed, the source site may have an anti-theft link mechanism, it is recommended to save the picture and upload it directly (img-71LlZJYB-1692843595219)(https://github.com/linwu-hi/code-interview/assets/137023716 /467b2ace-0423-4d30-bc8a-0b74908c2add)]

The abstract algorithm guarantees that the "digital abstract" is completely equivalent to the original text. Therefore, as long as we attach its abstract to the original text, we can ensure the integrity of the data

For example, you send a message: "Transfer 1000 yuan", and then add a SHA-2 digest. After receiving it, the website also calculates the summary of the message, and compares the two "fingerprints". If they are consistent, it means that the message is complete and credible and has not been modified.

[External link picture transfer failed, the source site may have an anti-theft link mechanism, it is recommended to save the picture and upload it directly (img-IJDB694M-1692843595219)(https://github.com/linwu-hi/code-interview/assets/137023716 /86aad0a2-f9bf-4e70-b9dc-3de4cdccec1f)]

digital signature

Digital signature can confirm that the message is indeed signed and sent by the sender, because others cannot fake the sender's signature

The principle is actually very simple, that is, use the private key to encrypt and the public key to decrypt

The signature is completely public like the public key, and anyone can get it. But this signature can only be unlocked with the public key corresponding to the private key. After getting the abstract, you can verify the integrity by comparing the original text, and you can prove that the message is indeed sent by you just like signing a document.

[External link picture transfer failed, the source site may have an anti-theft link mechanism, it is recommended to save the picture and upload it directly (img-YiZzVTzL-1692843595220)(https://github.com/linwu-hi/code-interview/assets/137023716 /c2620ba8-80ef-4da6-9568-5150c12b36c4)]

Like the message itself, because anyone can publish the public key, we still lack the means to prevent hackers from forging the public key, that is, how to judge that the public key is your public key

At this time, a third party is needed, which is the certificate verification agency.

CA certification authority

The digital certificate certification authority is in the position of a third-party organization trusted by both the client and the server

CA's signature certification requirements for public keys include serial number, purpose, issuer, valid time, etc., and these are packaged into a package and then signed to completely prove the various information associated with the public key to form a "digital certificate"

The process is as follows:

[External link picture transfer failed, the source site may have an anti-theft link mechanism, it is recommended to save the picture and upload it directly (img-emo3l9A9-1692843595220)(https://github.com/linwu-hi/code-interview/assets/137023716 /d601cf43-0e74-46c3-81af-d81dbd1801ae)]

  • The operator of the server submits an application for the public key to the digital certificate certification authority
  • After the digital certificate certification authority determines the identity of the applicant, it will digitally sign the applied public key
  • Then distribute the signed public key, and put the public key into the public key certificate and bind it together
  • The server will send the digital certificate issued by the digital certificate certification authority to the client for asymmetric encrypted communication

The client receiving the certificate can use the public key of the digital certificate certification authority to verify the digital signature on that certificate. Once the verification is passed, it proves:

  • The public key of the authentication server is a real and effective digital certificate certification authority
  • The server's public key is trustworthy

3. Summary

It can be seen that HTTPSalthough HTTPthere is only one difference between the two SSL, the communication security has been greatly guaranteed, and the four major characteristics of the communication have been solved. The solution is as follows:

  • Confidentiality: Hybrid Algorithms
  • Integrity: Digest Algorithms
  • Authentication: digital signature
  • Non-repudiation: Digital Signatures

At the same time, a third-party certificate authority is introduced to ensure the security of the public key

references

  • https://zhuanlan.zhihu.com/p/100657391
  • https://juejin.cn/post/6844903830987997197#heading-7
  • https://cloud.tencent.com/developer/article/1748862

Guess you like

Origin blog.csdn.net/weixin_52898349/article/details/132468385
Recommended
Ranking
#2019110700005
What materials and procedures are required for patent transfer
What is the blockchain Ethereum triplet state root transaction root receipt root
Front-end study notes 04 --- About the insertion of html pictures and videos
Documents required for the filing of WeChat Mini Programs in special industries, the filing process of WeChat Mini Programs in special industries, how to file WeChat Mini Programs in special industries
2017 Qingdao-site tournament I The Squared Mosquito Coil
[BZOJ3165][HEOI2013]Segment (line segment tree without marking)
Kettle series: KettleEasyExpand, an open source Kettle universal plugin by Ma Jinju
The latest tutorial on making framework for iOS
DAX Section 6: Statistical Functions
Daily
More
2024-05-14(9)
2024-05-13(8)
2024-05-12(28)
2024-05-11(32)
2024-05-10(34)
2024-05-09(32)
2024-05-08(18)
2024-05-07(34)
2024-05-06(6)
2024-05-05(0)

Code World

© 2018 codetd.com