[Computer Network] Application Layer Protocol Https

Enterprise 2023-09-09 20:55:57 views: null

Article directory

Preface

In the previous article, we mentioned that http is insecure. Although the cookie and session schemes are adopted, user information may still be taken away midway. In view of the insecure feature of http, https was born.

Http

During the transmission process of http, it is completely transmitted in plain text, so the information is likely to be tampered with and stolen. https adds a layer of encryption on the basis of http to ensure that the data is safe and reliable, and will not be tampered with.

Since our data packets will pass through the network equipment of the operator/hacker, the network equipment of the operator can parse out any data we transmit and directly tamper with it.

Encryption method

Transmitting clear text over the Internet is very dangerous, so we'd better encrypt the data. Common encryption methods are as follows

Symmetric encryption

  • Using 单密钥systematic encryption, the same key can both encrypt and decrypt
  • The algorithm is open, the amount of calculation is small, and the efficiency is high

asymmetric encryption

  • Two keys are required for encryption, the public key and the private key.
  • The algorithm strength is high, and the encryption speed is very slow.

After the public key encrypts the data, it forms ciphertext.
After the private key decrypts the ciphertext, it forms plaintext.

After the private key encrypts the plaintext, it forms ciphertext.
After the public key decrypts the ciphertext, it forms plaintext.

Data Digest (Data Fingerprint)

Data fingerprint (data summary): literally, it uses a one-way hash function to operate on information to generate a string of fixed-length digital summaries. This process is irreversible.

Data fingerprint is not an encryption mechanism, but it can determine whether the data has been tampered with, because any modification will significantly change the data fingerprint.

digital signature

After the digital digest is encrypted, a digital signature is formed.

The digital digest must also be encrypted, otherwise the middleman can recalculate the hash value and fool us.

encryption scheme

Use only symmetric encryption

It is unsafe to only use option one, because we still have to transmit it in plain text when exchanging keys, and the middleman is fully capable of getting the key. At the same time, the server needs to maintain the key relationship corresponding to each client, which is also very troublesome.
Insert image description here

Use only asymmetric encryption

The server still has to send its public key in plain text to the client, which gives the middleman an opportunity to secretly replace it with its own public key B.
Insert image description here

Both sides use asymmetric encryption

This method can still be hijacked by middlemen, and it also creates efficiency issues.
Insert image description here

Symmetric + asymmetric

Option 4 improves efficiency based on 3, but still cannot avoid safety issues. A man-in-the-middle can still replace public key A.
Insert image description here

Certificate

Based on the above solutions, we found that even if the intermediary cannot intervene later, we cannot ensure that the public key received by the client must be sent by the client!

Before using HTTPS, the server needs to apply for a digital integer from the CA organization. The server will give the certificate to the browser, and the browser will directly obtain the public key from the certificate. The certificate must be authoritative.

CA certification process:
Insert image description here
signature and verification:
Insert image description here

Isn’t the public key of the CA organization afraid of being intercepted by an intermediary? Because the CA organization is an authoritative organization, in order to ensure legality, the public key of the CA is generally built into the browser and operating system when it is downloaded from the factory.

  • Changing the data will change the hash value, which is different from the correct hash value
  • Changed signature cannot be correctly decrypted by the correct CA public key
  • Can't replace the certificate yourself because only the CA has the private key

In summary, symmetric + asymmetric + CA-certified certificates jointly ensure that https is a secure protocol!

Public key private key generation

other problems:

  • Why is the hash value encrypted? To prevent man-in-the-middle from recalculating the hash

  • Why do you need hashing? Just encrypt the signature directly? To save time.

Guess you like

Origin blog.csdn.net/m0_73209194/article/details/132187873
Recommended
Ranking
Empire cms smart tag calls four first-level recommended articles, starting from the fourth article
Linux environment installation and configuration Elasticsearch7.17
Big Data processing architecture and Lambda Kappa architecture
Explore the top of the AI large model platform - Wenxin Qianfan
Beijing car PK10 lucky airship Guanya size and value of the odd and even tips
W3B x Sui Hacker House|In-depth understanding of Sui and Move language
Know almost Ko Chan: Chinese what any decent open source software products? (Finishing from my original answer)
Comprehensively improve AD domain security authentication | Zhuyun IDaaS
Android Update Engine Analysis (24) What happened when making the downgrade package?
Spark Architecture and Operating Mechanism (1) - System Architecture
Daily
More
2024-05-07(34)
2024-05-06(6)
2024-05-05(0)
2024-05-04(18)
2024-05-03(8)
2024-05-02(0)
2024-05-01(4)
2024-04-30(36)
2024-04-29(5)
2024-04-28(12)

Code World

© 2018 codetd.com