Related blog: https://www.cnblogs.com/chentianwei/p/9374341.html (explained more clearly, with pictures)
- 7.2 HTTP + Encryption + authentication + integrity protection = HTTPS
- 7.23 Public-key cryptography
- HTTPS hybrid encryption mechanism:
- 7.24 Certificates that prove a public key is genuine
- 7.25 HTTPS secure communication mechanism
- Using plaintext, content will be eavesdropped.
- If the identity of the communicating party is not verified, impersonation is possible.
- Message integrity cannot be proven, so messages may be tampered with.
7.11 Communication can be eavesdropped
There is a risk of eavesdropping at every point on the Internet.
Packet capture and sniffer tools exist for this, such as the widely used Wireshark.
- Communication encryption: HTTP over SSL is HTTPS, which adds the Secure Sockets Layer (SSL).
- Content encryption: the message body is encrypted (the communication line as a whole is not encrypted, so there is still a risk of being cracked).
7.12 No identity verification, so impersonation is possible
Because the HTTP protocol does not authenticate the communicating parties, anyone can send a request, which leaves all sorts of hidden dangers.
- Server impersonation: the client cannot determine whether the request reached the real target server; the request might be intercepted and the response returned by a fake server.
- Similarly, clients may also be impersonated.
- The origin of a request cannot be determined (there is no certificate).
- The server also accepts meaningless requests and cannot prevent massive DoS attacks.
Verifying identity with a certificate issued by a certificate authority is one kind of security guarantee.
7.13 Message integrity cannot be proven: man-in-the-middle attacks
Man-in-the-middle attack (MITM): an attacker can tamper with requests and responses while communication between the server and the client still looks normal, although it is actually under the attacker's control.
How to prevent tampering:
Commonly used methods, such as checking MD5 or SHA-1 hash values and using digital signatures to confirm files, still cannot fully guarantee security.
(See blog: 6.66 Content-MD5 first)
An MD5 value is a hash generated by a one-way function. The hash itself may still be tampered with, so HTTPS must be used.
SSL provides authentication, encryption, and digest functions.
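The point about the MD5 value being tampered with along with the message, as an added example that is not part of the original notes: an unkeyed digest still verifies after the body and digest are both replaced, while a keyed digest does not. The message format, the function names and the use of HMAC-SHA256 as the keyed digest are assumptions made for illustration.

```javascript
const crypto = require("crypto");

// Unkeyed digest, as carried in a Content-MD5 header.
const md5 = (body) => crypto.createHash("md5").update(body).digest("base64");
// Keyed digest: needs a secret shared only by the two endpoints.
const hmac = (key, body) => crypto.createHmac("sha256", key).update(body).digest();

// Sender attaches both checks to the message (constructed message format).
function send(key, body) {
  return { body, contentMd5: md5(body), mac: hmac(key, body) };
}

// Receiver check 1: recompute the unkeyed digest and compare.
function checkDigest(msg) {
  return md5(msg.body) === msg.contentMd5;
}

// Receiver check 2: recompute the keyed MAC and compare in constant time.
function checkMac(key, msg) {
  const expected = hmac(key, msg.body);
  return expected.length === msg.mac.length && crypto.timingSafeEqual(expected, msg.mac);
}

// A party on the path without the key: it can replace the body and
// recompute the MD5 that travels with it, but not the HMAC.
function rewriteInTransit(msg, newBody) {
  return { ...msg, body: newBody, contentMd5: md5(newBody) };
}

// Constructed sample data.
const sessionKey = crypto.randomBytes(32);
const original = send(sessionKey, "amount=100&to=alice");
const altered = rewriteInTransit(original, "amount=900&to=mallory");

console.log("original:", checkDigest(original), checkMac(sessionKey, original));
console.log("altered: ", checkDigest(altered), checkMac(sessionKey, altered));
```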
7.2 HTTP + Encryption + authentication + integrity protection = HTTPS
7.23 Public-key cryptography
The encryption algorithm is public, but the key is kept secret. Only with the key can the ciphertext be decrypted.
Both sides use this algorithm to encrypt and decrypt the contents of the communication, which keeps the information secure. But how can the key be passed safely to the other side?
Answer: use a public-key encryption algorithm, also called an asymmetric-key encryption algorithm.
Public-key encryption uses a key pair consisting of a private key and a public key that can be distributed freely. The party who receives the ciphertext holds the private key, and the party sending the ciphertext holds the public key. Messages encrypted with the public key can be decrypted only with the private key.
Therefore, the server only needs to provide the public key to the client.
HTTPS hybrid encryption mechanism:
- Key exchange: the client obtains the public key and uses the asymmetric encryption algorithm to send the symmetric key to the server.
- Message exchange: both sides then use the symmetric key to encrypt the messages they exchange.
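The two phases above, as an added example that is not part of the original notes: the client wraps a random symmetric key with the server's public key, then both sides encrypt messages with that key. RSA-OAEP, AES-256-GCM and all function names are choices made for this illustration.

```javascript
const crypto = require("crypto");

// Server side: long-lived RSA key pair; only the public key is handed out.
const server = crypto.generateKeyPairSync("rsa", { modulusLength: 2048 });
const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: "sha256" };

// Key exchange, client side: pick a random symmetric key and encrypt it
// with the server's public key.
function clientWrapKey(serverPublicKey) {
  const sessionKey = crypto.randomBytes(32); // AES-256 key
  const wrapped = crypto.publicEncrypt({ key: serverPublicKey, ...OAEP }, sessionKey);
  return { sessionKey, wrapped };
}

// Key exchange, server side: only the private key can recover the session key.
function serverUnwrapKey(serverPrivateKey, wrapped) {
  return crypto.privateDecrypt({ key: serverPrivateKey, ...OAEP }, wrapped);
}

// Message exchange: both sides now use the shared symmetric key.
function seal(key, plaintext) {
  const iv = crypto.randomBytes(12); // fresh nonce for every message
  const cipher = crypto.createCipheriv("aes-256-gcm", key, iv);
  const body = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  return { iv, body, tag: cipher.getAuthTag() };
}

function unseal(key, { iv, body, tag }) {
  const decipher = crypto.createDecipheriv("aes-256-gcm", key, iv);
  decipher.setAuthTag(tag);
  // final() throws if the ciphertext or tag was modified in transit.
  return Buffer.concat([decipher.update(body), decipher.final()]).toString("utf8");
}

// Constructed exchange: the client sends one request, the server reads it.
function demo() {
  const { sessionKey, wrapped } = clientWrapKey(server.publicKey);
  const serverSideKey = serverUnwrapKey(server.privateKey, wrapped);
  const message = seal(sessionKey, "GET /account HTTP/1.1");
  return unseal(serverSideKey, message);
}

console.log(demo());
```

Current TLS versions agree on the session key with ephemeral Diffie-Hellman rather than by encrypting it to the server's RSA key; the block follows the model these notes describe.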
7.24 Certificates that prove a public key is genuine
The public key the client receives may have been swapped by an attacker, so the client ends up with a false public key. What should we do?
Answer: use a public-key certificate issued by a digital certificate authority.
The process by which a server operator applies for a digital certificate:
Apply -> Verify identity -> Sign the applicant's public key -> Issue the signed public key, bound into the certificate.
- The server sends the public key and certificate to the client.
- The client uses the public key of the digital certificate authority to verify the digital signature on the certificate.
- Once verified, the client can safely use the public key of the server.
⚠️: Most browsers come with the public keys of commonly used certificate authorities.
Clients can also use digital certificates. In high-security areas, for example, online banking logins use client certificates.
Further note: the credibility of the certificate authority comes first, and certificate authorities have been hacked before.
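The verification steps in this section, as an added example that is not part of the original notes: a CA signs a server's name and public key, and the client checks that signature with the CA public key from its trust store. The certificate here is a simplified JSON structure, not X.509, and every name in it is constructed for illustration.

```javascript
const crypto = require("crypto");

const newKeyPair = () => crypto.generateKeyPairSync("ec", { namedCurve: "prime256v1" });
const pem = (publicKey) => publicKey.export({ type: "spki", format: "pem" });

// The bytes the CA signs: the subject name bound to the subject's public key.
const tbs = (cert) => Buffer.from(JSON.stringify([cert.subject, cert.issuer, cert.publicKeyPem]));

// CA side: after verifying the applicant's identity, sign name + public key.
function issueCertificate(ca, subject, subjectPublicKey) {
  const cert = { subject, issuer: ca.name, publicKeyPem: pem(subjectPublicKey) };
  cert.signature = crypto.sign("sha256", tbs(cert), ca.keys.privateKey).toString("base64");
  return cert;
}

// Client side: trustStore maps CA name -> CA public key (what the browser has).
function verifyCertificate(trustStore, cert, expectedHost) {
  const caPublicKey = trustStore.get(cert.issuer);
  if (!caPublicKey) return { ok: false, reason: "unknown issuer" };
  if (cert.subject !== expectedHost) return { ok: false, reason: "name mismatch" };
  const signature = Buffer.from(cert.signature, "base64");
  if (!crypto.verify("sha256", tbs(cert), caPublicKey, signature)) {
    return { ok: false, reason: "bad signature" };
  }
  // Only now is the server's public key safe to use.
  return { ok: true, publicKey: crypto.createPublicKey(cert.publicKeyPem) };
}

// Constructed sample data: one CA, one server.
const ca = { name: "Example Root CA", keys: newKeyPair() };
const trustStore = new Map([[ca.name, ca.keys.publicKey]]);
const serverKeys = newKeyPair();
const serverCert = issueCertificate(ca, "shop.example", serverKeys.publicKey);

// The false-public-key case from the notes: the key inside the certificate
// was replaced after signing, so the CA signature no longer matches.
const swapped = { ...serverCert, publicKeyPem: pem(newKeyPair().publicKey) };

console.log(verifyCertificate(trustStore, serverCert, "shop.example").ok);
console.log(verifyCertificate(trustStore, swapped, "shop.example").reason);
```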
7.25 HTTPS secure communication mechanism
The costs of HTTPS are why websites do not use it all the time.
- Encryption consumes more CPU, cache
- Purchasing certificates is also an expense: a certificate costs 600 yuan per year.
SSL leads to slower communication and slower processing: 2-100 times slower than HTTP.
There are specialized servers that mitigate the problem, but they are a cost too.