HTTP (HyperText Transfer Protocol, Hypertext Transfer Protocol) is used to transfer information between Web browsers and web servers in the application layer in TCP / IP. Mention here TCP / IP hierarchy is divided into four layers: the application layer, transport layer, network layer, data link layer ; hierarchical object: stratification can be decoupled, dynamic substitution layer protocol
Content of the individual layers comprising:
Application Layer : communications activity (ftp, dns, http) when providing an application service to a user
transport layer : data transmission network connecting two computers (tcp, udp)
Network layer : processing data packets flowing on a network, how by the transmission path of the packet transfer to the other party (ip)
data link layer : card-related hardware, device drivers, etc.
However, HTTP also has the following significant disadvantages:
- Using plaintext communication, the content may be intercepted
- Does not verify the identity of the communicating parties, it is likely to encounter disguise
- Unable to prove the integrity of the message, so there may have been tampered with
In this way, HTTPS will debut. HTTPS S denotes the TLS or SSL, HTTP is on the basis of the original with a layer used for data encryption, decryption, authentication security layer, i.e.,
- The HTTP Authentication + + + encrypted integrity protection = HTTPS
Prior knowledge related to encryption: symmetric encryption and asymmetric encryption.
-
Symmetric encryption: encryption and decryption of data using the same key. This characteristic is very fast encryption, symmetric encryption algorithms are commonly the AES;
- Asymmetric encryption: encryption and decryption use different keys, and both keys are formed only unique pairing, called the public and private keys. It must be decrypted using the private data with the public key encrypted with the private key to decrypt data encrypted with the public. Generally retained their own private good, public key open to others (general public will not be alone, but will be written in the certificate), let others take after his public key to encrypt data sent to their own, so that only their own It can decrypt. Features of this encryption method is slow, large CPU overhead, common asymmetric encryption algorithm RSA.
Knowledge CA certificate: CA certificates are issued by the CA (Certification Authority) digital certificates institutions. Its contents include: information e-visa authorities, public user information, the public key, signature and expiration date. A public key server Here, the signature here means: calculates a message digest of the information disclosed by the plaintext hash hash function, and then using the private key of the CA message digest is encrypted, the ciphertext is encrypted finished signature. Namely: certificate signature + + = public information the applicant and the issuer . Client because the operating system on the preset CA's public key, it decrypts the signature support (because private key encryption using the signature of the CA)
With these preliminaries after, since you can take a look at how to do is how to secure HTTPS authentication.
HTTPS-way authentication
Let's look at the one-way authentication process:
As can be seen from the figure, the server has one pair of asymmetric keys: a public key and B_ B_ private key. Detailed procedure is as follows:
(1) a client initiates an HTTPS request, transmits the SSL protocol version information to the server.
(2) the server to the CA to apply for a CA certificate in the previous mentioned, there are certificate server public key and signature . CA certificate will be sent to the client
(3) The client reads the plaintext CA certificate, using the same hash function hash computed message digest (hash Objective: Verify prevent content from being modified), and then an operating system with CA's public key to decrypt the signature (as Signed with the CA private key encryption), message digest in comparison certificate. If they are consistent, then the proof certificate is trusted, then remove the server public key
(4) The client generates a random number (key F.), Just wait until a server public key to encrypt B_ random number encrypted form, it is sent to the server.
(5) Server B_ with their private key to decrypt the ciphertext to obtain the key F
(6) the server and the client uses the F key in the subsequent communication process of the communication. Different before and asymmetric encryption, an encryption is here symmetrical manner
HTTPS mutual authentication
Two-way and one-way authentication authentication basic principle is similar to one-way authentication client needs to authenticate the server, while increasing the server authentication to the client in a two-way authentication
双向认证详细过程如下:
(1)客户端发起HTTPS请求,将SSL协议版本的信息发送给服务端。
(2)服务端去CA机构申请来一份CA证书,在前面提过,证书里面有服务端公钥和签名。将CA证书发送给客户端
(3)客户端读取CA证书的明文信息,采用相同的hash散列函数计算得到信息摘要(hash目的:验证防止内容被修改),然后用操作系统带的CA的公钥去解密签名(因为签名是用CA的私钥加密的),对比证书中的信息摘要。如果一致,则证明证书是可信的,然后取出了服务端公钥
(4)客户端发送自己的客户端证书给服务端,证书里面有客户端的公钥:C_公钥
(5)客户端发送支持的对称加密方案给服务端,供其选择
(6)服务端选择完加密方案后,用刚才得到的C_公钥去加密选好的加密方案
(7)客户端用自己的C_私钥去解密选好的加密方案,客户端生成一个随机数(密钥F),用刚才等到的服务端B_公钥去加密这个随机数形成密文,发送给服务端。
(8)服务端和客户端在后续通讯过程中就使用这个密钥F进行通信了。和之前的非对称加密不同,这里开始就是一种对称加密的方式
HTTPS基本思路总结
HTTPS在保证数据安全传输上使用对称加密和非对称加密相结合的方式来进行的,简单来说就是通过一次非对称加密算法进行了最终通信密钥的生成、确认和交换,然后在后续的通信过程中使用最终通信密钥进行对称加密通信。之所以不是全程非对称加密,是因为非对称加密的计算量大,影响通信效率。
抓包原理
HTTPS即使安全,也是能够被抓包的,常见的抓包工具有:Charles、fildder等。
HTTPS capture commonly used way is acting as an intermediary, the client disguised as a server on the server disguised as a client. simply put:
- Intercept HTTPS client's request, disguised as an intermediary client destination server sends an HTTPS request
- Accepted back end services, with its own certificate disguised as an intermediary server sends content data to the client.
FIG using the following procedure:
Anti-capture strategy
SSL-pinning in two ways: locking certificate (Certificate Pinning) and public key lock (Public Key Pinning).
- Certificates need to lock in the client code built to accept only the specified domain name of the certificate, without accepting the operating system or browser's built any certificates corresponding CA root certificate, authorized by this way, to protect the APP and server communicate the uniqueness and communication between the security, the client and server (such as API gateway) can guarantee absolute safety. But there are valid CA signed certificate issue, the disadvantage is the need for certificate renewal certificate re-built into the APP .
- Lock extracted public key certificate and the public key built into the client to verify the correctness of the public key by comparing the value of the connection with the server. When you create the certificate key, public key certificate renewal before and after can remain unchanged (ie the same key), so the problem can be avoided certificate is valid, generally recommended.
Breakthrough SSL-Pinning capture
In the reverse circles, mountain higher than a mountain. The idea is this: when the built-in certificate or public key, often have proven contrast function, the direct control of this function returns the result of verification by not enough to make it. So there will be a breakthrough SLL-Pinning classic operation: The Xposed + justTrustme module. This program is used JustTrustMe the Xposed module, what it does is to various known HTTP request repository API certificate for verification are performed Hook, regardless of whether the case is a trusted certificate, check the results are returned to a normal state, in order to achieve the effect of bypassing the inspection certificate