Reference: https://blog.51cto.com/11883699/2160032
The above said is well, I am here to be a simple summary:
We do online data exchange when the http protocol is typically used, but this approach will make clear cultural interactive content, very safe, then people wanted to talk about the encryption process.
1) symmetric encryption and have a symmetric encryption algorithm for the encryption algorithm, if a symmetric encryption algorithm to encrypt the client and server exchange information, mode: the client to the server requesting, the server to the client A reply using a symmetric secret key A , the client receives the symmetric keys a reply know, after the client a to use symmetric encryption keys a and server interaction information; the same server will send the client B B symmetric keys, this analogy. But there is a problem in this process: For this secret key negotiation process, plain text, if intercepted by a third party, the third party after the operation in the face of all the plaintext
2) In order to solve the plaintext negotiation procedure 1) in the acquired secret key vulnerable to interception, the need to find a way encryption process, and thus we can use an asymmetric encryption algorithm secret key ( the private key encrypted ciphertext, as long as are well key, you can decrypt, but after the turn, public key encryption cipher text, only the private key can decrypt the private key there is only one person, while the public key can be distributed to all people. ) to handle this process, specific programs: customer a sends to the server side requests the server to the client a sends a public key of an asymmetric encryption algorithm, yourself a private key, the public key is obtained after the client transmits information to the server using the public key (symmetric encryption comprising algorithm, symmetric keys and other information), the server decrypts the message received message object is obtained, and a symmetric encryption algorithm with the received information transmitted to the client received, then a symmetric encryption algorithm on the client to decrypt the encrypted information exchange between the two. Here seemingly it was perfect, but the middle there is a process of interaction and if the plaintext intercepted by a third party, or for a third party expressly interaction, and this place is: The client asked the server to obtain asymmetric secret process key public key. Assumptions: If the client sends a request to the server to obtain the public key, intercepted by a third party, the third party disguised as a server, the client sends a false public key to the client, and the server sends a request to the real get real public key, for a third party such as the interaction with the plaintext
3) In order to solve 2) client and server interaction expressly issue of access points symmetric encryption algorithm in the public key is intercepted, where we used the ultimate weapon password "SSL certificates need to purchase and CA certificate" to ensure that the client gets the public key is secure, details of which are included in the SSL certificate authority certificate is valid, the public key, the certificate holder, signed by a third party verification to ensure that the legal status, to solve the public acquisition security. DETAILED DESCRIPTION: The client sends a request to the server, the server returns a SSL package (the specific contents of the certificate authority, validity period, a public key, certificate holders, the signature), the client verification process:
To the browser as an example of the entire verification process:
(1) First, the browser reads the certificate of the certificate owner, expiration date information one by one check
(2) Find your browser in the operating system has built-in certificate issuing authority trusted CA, the server certificate sent by the issuer CA alignment, calibration certificate is issued for a legitimate institution
(3) If you do not, the browser will be incorrect report, indicating sent from the server certificate can not be trusted.
(4) If found, then the browser will remove the issuer CA's public key from the operating system, and then there's the signature certificate sent from the server to decrypt
(5) the browser uses the same hash algorithm to calculate the certificate sent from the server hash value, this hash value with the calculated signature certificate do comparison
(6) Comparison results are consistent, then sent from the server certificate to prove legitimate, not posing
(7) At this time, the browser can read the public key certificate, encrypted for subsequent