[Notes] [HTTP] "Graphic HTTP" Chapter 7: Securing the Web with HTTPS

Foreword

  • Where there is input, there should be output. These notes summarize the knowledge covered in each chapter of "Graphic HTTP" as I read it.
  • Each chapter of the book will be published on the blog as a separate article; the next post will appear at an unspecified time.
  • Some of the notes have been reorganized according to my own understanding and may contain deviations. Readers are kindly asked to point them out. Thank you.

Disclaimer

  • This blog is my notes from studying "Graphic HTTP", intended to make review and revision easier, not for commercial purposes.
  • For convenience, some pictures on this blog are the same as those in the book, so instead of taking screenshots myself I linked to the picture addresses used on other people's blogs. My thanks to those bloggers for hosting the images.
  • These notes record my summary of this material, to help with future work and study.
  • The content is not as complete as the original book; please read it together with the original.
  • If anything here infringes a right, please let me know and it will be deleted immediately.

Chapter 7 Securing the Web with HTTPS

7.1 Disadvantages of HTTP

1. Communication in plaintext can be eavesdropped on

  • Cause: HTTP itself has no encryption function, so the communication as a whole cannot be encrypted.

    • "Communication as a whole":
      • Here this means the content of the requests and responses exchanged using the HTTP protocol.
  • Where eavesdropping happens: TCP/IP is a network that can be eavesdropped on.

    • Even communication that has been encrypted can still be observed on the wire; in that respect it is no different from unencrypted communication.
    • Eavesdropping on communication on the same network segment only requires:
      • collecting the packets (frames) flowing over the network, and
      • analyzing the collected packets with a packet-capture or sniffer tool.
  • Protection against eavesdropping: encryption

    • Encrypting the communication (i.e., the content of the HTTP communication)

      • Method: use the HTTP protocol in combination with SSL or TLS

        • SSL (Secure Socket Layer)
        • TLS (Transport Layer Security)
        • HTTP used in combination with SSL is called HTTPS

          • HTTPS
            • HTTP Secure (Hypertext Transfer Protocol Secure)
            • After a secure channel has been established with SSL, HTTP communication takes place over that channel.
    • Encrypting the content (i.e., the content carried inside the HTTP message)

      • The client encrypts the HTTP message content before sending the request.
      • Prerequisite for this to be effective:
        • Both the client and the server must have encryption and decryption mechanisms.

2. Without verifying the identity of the communicating party, masquerading is possible

  • Cause: requests and responses in the HTTP protocol do not confirm the identity of the communicating party.

  • Where masquerading happens: anyone can send a request.

    • As long as the server receives a request, it returns a response regardless of who sent it.
  • Hidden dangers:

    • There is no way to determine whether the web server the request was sent to is the one that was actually intended.

      • It may be a masquerading web server.
    • There is no way to determine whether the client the response was returned to is the one that was actually intended.

      • It may be a masquerading client.
    • There is no way to determine whether the other party has access rights.

      • Some web servers hold important information and should only communicate with specific, permitted users.
    • There is no way to determine where or from whom a request came; even meaningless requests are accepted.

      • DoS attacks carried out with massive numbers of requests cannot be prevented.

        • DoS attack: Denial of Service attack.
  • Preventing masquerading: check the other party's certificate.

    • Use SSL

      • It provides encryption.

      • It also uses a mechanism called a certificate to identify the communicating parties.

        • Certificate:
          • Issued by a trusted third-party organization.
          • Used to prove that the server and the client actually exist.
          • Forging a certificate is technically extremely difficult.

3. Message integrity cannot be proved, so messages may have been tampered with

  • Cause: HTTP cannot prove the integrity of the communicated message.

    • Integrity: the accuracy of the information.
  • Hidden danger: the received content may be incorrect.

  • Where tampering happens: the interval between a request or response being sent and the other party receiving it.

    • Even if the content of a request or response has been tampered with, there is no way to know. (That is, there is no way to confirm that the request/response sent and the request/response received are the same.)

      • Man-in-the-Middle attack (MITM):
        • An attack in which a request or response is intercepted and altered by an attacker while in transit.
  • Preventing tampering:

    • MD5 or SHA-1 hash value verification

      • MD5
        • A hash value generated by a one-way function.
    • PGP digital signature

      • PGP (Pretty Good Privacy):
        • A digital signature used to prove who created a file.

    Notice

    • Both methods require the user operating the client to personally check whether the downloaded file is the one on the original server.

      • The browser cannot perform this check automatically for the user.
    • Even then, there is no 100% guarantee that the result of the check is correct.

      【reason】

      • If the PGP signature or MD5 digest is itself rewritten along with the file, the user has no way to notice.

      【therefore】

      • HTTPS is necessary.
        • SSL provides authentication, encryption, and digest (integrity) functions.

7.2 HTTP + encryption + authentication + integrity protection = HTTPS

1. HTTPS

  • HTTP with encryption, authentication, and integrity protection added

    • Encryption: prevents eavesdropping
    • Integrity protection: prevents messages from being tampered with
  • URL scheme

    https://
    
  • Not a new application-layer protocol. (That is, HTTPS is HTTP wrapped in the shell of the SSL protocol.)

    • Only the part of HTTP that communicates with TCP is replaced by the SSL/TLS protocol.

      Usually: HTTP communicates directly with TCP.
      With SSL: 1. HTTP first communicates with SSL; 2. SSL then communicates with TCP.

    • SSL:
      • After HTTP adopts SSL, it gains the encryption, certificate, and integrity-protection functions of HTTPS.
      • A protocol independent of HTTP.
      • The most widely used network security technology in the world today.
        • Not only HTTP: other application-layer protocols such as SMTP and Telnet can also be used in combination with SSL.

2. Public-key encryption technology for exchanging keys

1. Encryption uses keys

  • The encryption algorithm is public.
  • The key is kept secret.
    • Both encryption and decryption use the key.
    • The ciphertext cannot be decrypted without the key (conversely, anyone who holds the key can decrypt it).
  • Drawback: if an attacker obtains the key, the encryption is meaningless.

2. Shared-key encryption (symmetric-key encryption)

  • Encryption and decryption use the same key.
  • The key must therefore be sent to the other party.
  • Drawback: if the communication is being monitored (see 7.1, item 1), the key may fall into the attacker's hands, and the encryption is meaningless.

3. Public-key encryption using two keys

  • Public-key encryption

    • Resolves the difficulty of shared-key encryption (the key no longer has to be sent to the other party in the clear).
  • Uses a pair of asymmetric keys

    • Private key:
      • Must not be disclosed to others.
    • Public key:
      • Can be published freely; anyone can obtain it.
  • Encryption method: public-key encryption

  • Process:

    1. The party sending the ciphertext encrypts it with the other party's public key.
    2. After receiving the encrypted information, the other party decrypts it with its own private key.


4. HTTPS uses a hybrid encryption mechanism

  • HTTPS uses a hybrid encryption mechanism that combines shared-key and public-key encryption.

  • Process:

    • Public-key encryption is used in the key exchange stage.
    • In the subsequent stage of establishing communication and exchanging messages, shared-key encryption is used (public-key encryption is much slower, so it is used only to exchange the shared key).


3. Certificates that prove the correctness of a public key

1. EV SSL certificate: proves the authenticity of an organization

  • Effect:
    1. Proves whether the server acting as the communicating party is legitimate (authenticated).
    2. Confirms whether the company operating the server actually exists.

2. Client certificate: confirms the client

  • Role: to authenticate the client.
    • Proves that the server is communicating with the intended client.
  • Existing problems:
    1. To obtain a certificate, the user has to install the client certificate themselves (that is, obtain and install it at their own expense).
    2. It can only prove that the client actually exists; it cannot prove the identity of the user themselves.
      • Anyone who has the right to use the computer on which the client certificate is installed also has the right to use that certificate.

3. Self-signed certificate: issued by a self-built certification authority

  • Self-built certification authority: a certification authority that one constructs independently.
    • Effect: equivalent to declaring "I am XXX" to the outside world, and nothing more.
    • A trusted third-party certification authority has to be involved, so that the public key it issues can be used to prove the server's authenticity.
  • Characteristics of such a certificate:
    • When the browser accesses the server, warning messages such as "The security of the connection cannot be confirmed" or "There is a problem with this website's security certificate" are displayed.

4. Secure communication mechanism of HTTPS

1. Communication steps

1. Brief steps

  1. Client: sends a Client Hello message to start SSL communication.

    • Client Hello message:
      • Contains:
        • The SSL version supported by the client.
        • A list of cipher suites (encryption algorithm, key length, etc.).

  2. Server: if SSL communication is possible, responds with a Server Hello message.

    • Server Hello message:
      • Contains the same kinds of information as the Client Hello message.
        • The difference is that its cipher suite is the one the server selected from the list received from the client.

  3. Server: sends a Certificate message.

    • Certificate message:
      • Contains: the public-key certificate.

  4. Server: sends a Server Hello Done message to notify the client that the initial phase of the SSL handshake negotiation is over.


  5. Client: after the first phase of the SSL handshake ends, responds with a Client Key Exchange message.

    • Client Key Exchange message:
      • Contains:
        • A random string called the Pre-master secret, used for encrypting the communication.
      • The message is encrypted with the public key from the certificate in step 3.

  6. Client: continues by sending a Change Cipher Spec message.

    • Change Cipher Spec message:
      • Notifies the server that communication after this message will be encrypted using the Pre-master secret key.

  7. Client: sends a Finished message.

    • Finished message:
      • Contains:
        • A check value over all the handshake messages exchanged so far.
      • Whether this handshake negotiation succeeds depends on whether the server can correctly decrypt this message.
  8. Server: likewise sends a Change Cipher Spec message.

  9. Server: likewise sends a Finished message.

  10. Server and client: once the Finished messages have been exchanged, the SSL connection is established.

    • Communication is protected by SSL.
    • From here, application-layer protocol communication begins, i.e., the HTTP request is sent.
  11. Application-layer protocol communication, i.e., the HTTP response is sent.

  12. Client: finally disconnects.

    • Sends a close_notify message: closes the SSL connection.
    • Sends a TCP FIN: closes the TCP connection.
2. MAC message
  • MAC (Message Authentication Code): a check value attached to the data when the application layer sends it.
  • Function: allows checking whether the message has been tampered with, thereby protecting message integrity.
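An added Python example (not code from the book or from this blog) for the Notice in 7.1.3 and the MAC message above. It shows why a bare digest published next to a download cannot detect an intermediary that rewrites both the file and the digest, while a MAC keyed with a secret shared only by the two endpoints does flag the replacement. The file content, the replacement and the key are constructed sample values.

```python
"""Unkeyed digest vs. keyed MAC for integrity checking. Constructed demonstration."""
import hashlib
import hmac

def publish_with_digest(content: bytes) -> dict:
    # Origin server publishes the file together with its digest (MD5/SHA-1 work the same way).
    return {"file": content, "digest": hashlib.sha256(content).hexdigest()}

def user_checks_digest(package: dict) -> bool:
    # The manual check a downloading user performs: recompute and compare.
    return hashlib.sha256(package["file"]).hexdigest() == package["digest"]

def intermediary_rewrites_digest(replacement: bytes) -> dict:
    # Whoever can alter the response can also publish a digest that matches the new file.
    return {"file": replacement, "digest": hashlib.sha256(replacement).hexdigest()}

def send_with_mac(key: bytes, content: bytes) -> dict:
    # SSL-style MAC: the check value depends on a key that only the two endpoints share.
    return {"file": content, "mac": hmac.new(key, content, hashlib.sha256).digest()}

def intermediary_rewrites_mac(replacement: bytes) -> dict:
    # Without the shared key, the best an intermediary can do is compute a MAC under a guess.
    return {"file": replacement, "mac": hmac.new(b"wrong-key-guess", replacement, hashlib.sha256).digest()}

def receiver_checks_mac(key: bytes, package: dict) -> bool:
    expected = hmac.new(key, package["file"], hashlib.sha256).digest()
    return hmac.compare_digest(expected, package["mac"])   # constant-time comparison

def demo() -> dict:
    original = b"installer v1.0 (constructed sample)"
    tampered = b"installer v1.0 modified in transit (constructed sample)"
    key = b"constructed shared session key"
    return {
        "digest_accepts_original": user_checks_digest(publish_with_digest(original)),
        "digest_accepts_tampered": user_checks_digest(intermediary_rewrites_digest(tampered)),  # True: check is fooled
        "mac_accepts_original": receiver_checks_mac(key, send_with_mac(key, original)),
        "mac_accepts_tampered": receiver_checks_mac(key, intermediary_rewrites_mac(tampered)),  # False: detected
    }

if __name__ == "__main__":
    print(demo())
```

The digest check passes on the rewritten file because nothing in it is bound to the origin; the MAC check fails because the key is the binding, which is what the session key established by the SSL handshake provides for every record.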

3. The entire HTTPS communication process


2. SSL and TLS

  • HTTPS uses two protocols, SSL and TLS.

  • TLS was developed with SSL as its prototype, and the two are sometimes collectively referred to as SSL.

  • When HTTPS uses SSL, processing becomes slower.

    • SSL is slow:
      • "Slow" refers to:
        1. Slower communication (more messages are exchanged than with plain HTTP).
        2. Slower processing, caused by heavy consumption of resources such as CPU and memory.
      • Workaround: use SSL accelerator hardware (a dedicated server).

3. Reasons HTTPS is not used all the time

  1. Encrypted communication consumes more CPU and memory resources.
  2. It is therefore used only for communication that contains sensitive data such as personal information.
  3. For heavily visited websites, the load is too large and resources are wasted; not using HTTPS saves resources.
  4. Purchasing a certificate is expensive.

  (These are the reasons given in the book and reflect practice at the time it was written; HTTPS by default has since become standard practice.)


Source: blog.csdn.net/weixin_45944495/article/details/130573174