Source: SLTechnology News&Howtos > Network Security, Shulou (Shulou.com), 05/31 report. Updated 2025-02-24.
This article introduces how HTTPS provides its security guarantees. Many people run into questions about this in practice, so let us walk through how the pieces fit together. I hope you read it carefully and take something away from it.
I. Security features
In the earlier article on what HTTP is, we saw that HTTP has the following problems during communication:
Communication is in plaintext (unencrypted), so the content can be eavesdropped on.
The identity of the communicating party is not verified, so an attacker can impersonate it.
HTTPS was introduced to solve these problems. HTTPS is HTTP layered on SSL, and its security is provided by SSL.
With SSL underneath it, HTTP gains the encryption, certificate-based authentication and integrity protection that characterise HTTPS.
SSL (Secure Sockets Layer) and its successor TLS (Transport Layer Security) are security protocols that provide confidentiality and data integrity for network communication.
II. How it is achieved
SSL implements these functions mainly through four means:
Symmetric encryption: encrypting data with a negotiated key
Asymmetric encryption: identity authentication and key negotiation
Digest algorithm: verifying the integrity of information
Digital signatures: authentication
Symmetric encryption
Symmetric encryption means that encryption and decryption use the same key, hence "symmetric". As long as the key itself is kept secure, the whole communication can be considered confidential.
Asymmetric encryption
In asymmetric encryption there are two keys, a public key and a private key. The two keys are different: the public key can be given to anyone, while the private key must be kept secret.
Both keys can be used for encryption and decryption, but what the public key encrypts can only be decrypted with the private key, and conversely what the private key encrypts can only be decrypted with the public key.
Hybrid encryption
HTTPS communication uses symmetric encryption together with asymmetric encryption, that is, hybrid encryption.
As noted under symmetric encryption, if the key can be kept secure, the whole communication can be considered confidential.
HTTPS uses asymmetric encryption to solve the key exchange problem.
Specifically, the party that will send the ciphertext encrypts the symmetric key with the other party's public key, and the other party decrypts the symmetric key with its own private key.
This ensures that the exchanged key is secure, and on that premise the communication itself uses symmetric encryption.
For example:
The website keeps its private key secret and distributes its public key freely on the Internet. When you want to log in to the website, you encrypt the symmetric key with the website's public key. The resulting ciphertext can only be decrypted by the holder of the private key. Because the attacker does not have the private key, they cannot recover it.
The above solves data encryption, but during network transmission data may still be tampered with, and an attacker can publish a public key under a forged identity. If you obtain a fake public key, hybrid encryption is of little use: the attacker intercepts and decrypts your data.
Therefore, on top of the encryption above, we still need integrity and authentication to achieve real security. These are provided by the digest algorithm and digital signatures.
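The exchange described above, written out as an added example that is not part of the original article: a client generates a one-time symmetric key, wraps it with the server's RSA public key, and the server unwraps it with its private key before both sides encrypt application data symmetrically. The key sizes (RSA-2048, AES-256-GCM via RSA-OAEP) and the messages are assumptions chosen for the demonstration; the second function shows that a party holding a different private key cannot recover the wrapped key.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// wrapSessionKey: the client encrypts a freshly generated symmetric key with the
// server's RSA public key (RSA-OAEP); only the private-key holder can open it.
func wrapSessionKey(pub *rsa.PublicKey, sessionKey []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, sessionKey, nil)
}

// unwrapSessionKey: the server recovers the symmetric key with its private key.
func unwrapSessionKey(priv *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, nil)
}

// newGCM builds an AES-256-GCM cipher from a 32-byte session key.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealMessage encrypts application data under the shared session key. GCM also
// authenticates the ciphertext: integrity is a separate topic in the article, but an
// unauthenticated mode would be unsafe in practice.
func sealMessage(key, plaintext []byte) (nonce, ciphertext []byte, err error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, gcm.NonceSize())
	if _, err = rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	return nonce, gcm.Seal(nil, nonce, plaintext, nil), nil
}

// openMessage decrypts and authenticates data produced by sealMessage.
func openMessage(key, nonce, ciphertext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, nonce, ciphertext, nil)
}

// HybridRoundTrip runs the exchange end to end and returns the plaintext the server recovered.
func HybridRoundTrip(plaintext []byte) ([]byte, error) {
	serverPriv, err := rsa.GenerateKey(rand.Reader, 2048) // the website's key pair
	if err != nil {
		return nil, err
	}
	// Client side: one-time symmetric key, wrapped with the server's public key.
	sessionKey := make([]byte, 32)
	if _, err := rand.Read(sessionKey); err != nil {
		return nil, err
	}
	wrapped, err := wrapSessionKey(&serverPriv.PublicKey, sessionKey)
	if err != nil {
		return nil, err
	}
	nonce, ct, err := sealMessage(sessionKey, plaintext)
	if err != nil {
		return nil, err
	}
	// Server side: unwrap with the private key, then decrypt the bulk data symmetrically.
	recovered, err := unwrapSessionKey(serverPriv, wrapped)
	if err != nil {
		return nil, err
	}
	return openMessage(recovered, nonce, ct)
}

// EavesdropperCannotUnwrap shows that a wrapped key cannot be opened with any
// private key other than the server's (the attacker holds only their own key).
func EavesdropperCannotUnwrap() (bool, error) {
	serverPriv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, err
	}
	otherPriv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, err
	}
	sessionKey := bytes.Repeat([]byte{0x42}, 32) // constructed key, demonstration only
	wrapped, err := wrapSessionKey(&serverPriv.PublicKey, sessionKey)
	if err != nil {
		return false, err
	}
	_, err = unwrapSessionKey(otherPriv, wrapped)
	return err != nil, nil // true: decryption with the wrong key fails
}

func main() {
	out, err := HybridRoundTrip([]byte("hello over HTTPS"))
	fmt.Printf("server recovered: %q (err=%v)\n", out, err)
	blocked, _ := EavesdropperCannotUnwrap()
	fmt.Println("wrong private key rejected:", blocked)
}
```

The asymmetric step is used only for the short session key; the bulk data goes through AES, which is why the scheme is called hybrid.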
Digest algorithm
The main means of achieving integrity is the digest algorithm, that is, a hash function.
It can be understood as a special kind of compression algorithm that "compresses" data of any length into a fixed-length, unique "digest" string, as if generating a digital "fingerprint" for that piece of data.
The algorithm ensures that the digest corresponds to the original text and to nothing else. Therefore, as long as we attach its digest to the original text, the receiver can check the integrity of the data.
For example, you send the message "transfer 1000 yuan" together with its SHA-2 digest. After receiving it, the website also computes the digest of the message and compares the two "fingerprints". If they are consistent, the message is complete and has not been modified.
Digital signature
A digital signature establishes that the message was indeed signed by the sender, because no one else can forge the sender's signature.
The principle is simple: the digest is encrypted with the private key and decrypted with the public key.
The signature is as public as the public key and can be obtained by anyone, but it can only be opened with the public key that corresponds to the signer's private key. After recovering the digest and using it to verify the integrity of the original text, the receiver can be sure the message was sent by you, just as with a signature on a document.
As with the message itself, because anyone can publish a public key, we still lack a way to stop an attacker from forging one. In other words, how do we decide that a given public key is really your public key?
At this point we need a third party: the certificate authority.
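The digest and signature sections above, as one added example that is not part of the original article: the SHA-256 "fingerprint" check from the "transfer 1000 yuan" example, followed by a signature over that digest. It also shows the limitation the article points to: a bare digest can be recomputed by whoever alters the message, whereas a signature cannot be reproduced without the sender's private key. RSA-PSS over SHA-256 and the messages are assumptions for the demonstration.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Digest returns the SHA-256 "fingerprint" of a message (a member of the SHA-2 family).
func Digest(msg []byte) []byte {
	h := sha256.Sum256(msg)
	return h[:]
}

// DigestMatches is the receiver's plain integrity check: recompute and compare.
func DigestMatches(msg, digest []byte) bool {
	return bytes.Equal(Digest(msg), digest)
}

// Sign hashes the message and applies the sender's private key to the digest (RSA-PSS).
func Sign(priv *rsa.PrivateKey, msg []byte) ([]byte, error) {
	return rsa.SignPSS(rand.Reader, priv, crypto.SHA256, Digest(msg), nil)
}

// Verify recomputes the digest and checks the signature with the sender's public key.
func Verify(pub *rsa.PublicKey, msg, sig []byte) bool {
	return rsa.VerifyPSS(pub, crypto.SHA256, Digest(msg), sig, nil) == nil
}

// Outcome records what each check reports in the tampering scenario.
type Outcome struct {
	DigestCheckOnTampered bool // attacker recomputed the digest, so it still "matches"
	SignatureOnOriginal   bool // genuine message, sender's key: verifies
	SignatureOnTampered   bool // altered message, original signature: fails
	SignatureByImpostor   bool // impostor's signature checked with the sender's key: fails
}

// RunScenario plays out the article's example with constructed messages.
func RunScenario() (Outcome, error) {
	sender, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return Outcome{}, err
	}
	impostor, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return Outcome{}, err
	}
	original := []byte("transfer 1000 yuan")
	sig, err := Sign(sender, original)
	if err != nil {
		return Outcome{}, err
	}
	// A bare digest only detects accidental corruption: whoever changes the message
	// can recompute the digest, because the hash function is public.
	tampered := []byte("transfer 9000 yuan")
	forgedDigest := Digest(tampered)
	// The impostor can sign the tampered message, but only with a key that is not the sender's.
	impostorSig, err := Sign(impostor, tampered)
	if err != nil {
		return Outcome{}, err
	}
	return Outcome{
		DigestCheckOnTampered: DigestMatches(tampered, forgedDigest),
		SignatureOnOriginal:   Verify(&sender.PublicKey, original, sig),
		SignatureOnTampered:   Verify(&sender.PublicKey, tampered, sig),
		SignatureByImpostor:   Verify(&sender.PublicKey, tampered, impostorSig),
	}, nil
}

func main() {
	fmt.Println("SHA-256:", hex.EncodeToString(Digest([]byte("transfer 1000 yuan"))))
	o, err := RunScenario()
	fmt.Printf("%+v err=%v\n", o, err)
}
```

The receiver's decision therefore rests on trusting the public key used in Verify, which is exactly the gap the certificate authority closes.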
Certificate authority (CA)
The digital certificate authority is a third party that both the client and the server can trust.
When the CA certifies a public key, it includes a serial number, the intended purpose, the issuer, the validity period and so on, then signs all of this as one package. The result, which proves every piece of information associated with the public key, is the "digital certificate".
The process is shown in the following figure:
The operator of the server submits its public key to the digital certificate authority.
After confirming the applicant's identity, the certificate authority digitally signs the submitted public key.
It then returns the signed public key, placed in a public key certificate and bound to the identity information.
The server sends the digital certificate issued by the certificate authority to the client before asymmetric encryption begins.
The client receiving the certificate uses the certificate authority's public key to verify the digital signature on the certificate. Once verification passes, two things are established:
The public key of the server was certified by a genuine and valid certificate authority.
The server's public key is trustworthy.
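The issuance and verification steps above, as an added example that is not part of the original article: a self-signed CA certificate stands in for the root the client already trusts, the CA signs a certificate binding the server's public key to a serial number, subject, purpose and validity period, and the client verifies the CA signature and the host name. A second certificate for the same host, issued by a CA the client does not trust, fails verification, which is how the client tells a genuine public key from a forged one. The CA and host names are constructed, and RSA-2048 with a 24-hour validity is an assumption for the demonstration.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newCA creates a self-signed CA certificate and key: the trust anchor the client
// is assumed to hold in advance (browsers ship such roots).
func newCA(name string) (*x509.Certificate, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issueServerCert: the CA binds the server's public key to serial number, subject,
// purpose (server authentication), issuer and validity period, and signs the package.
func issueServerCert(ca *x509.Certificate, caKey *rsa.PrivateKey, serverPub *rsa.PublicKey, host string) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, serverPub, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// clientVerify checks the CA signature on the presented certificate, its validity
// period and that it was issued for the host being contacted.
func clientVerify(presented, trustedRoot *x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	roots.AddCert(trustedRoot)
	_, err := presented.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

// Demo reports whether the genuine certificate verifies and whether a certificate for
// the same host from an unknown CA verifies against the client's trusted root.
func Demo() (genuineOK bool, rogueOK bool, err error) {
	const host = "www.example.com" // constructed host name
	ca, caKey, err := newCA("Example Trusted Root CA")
	if err != nil {
		return false, false, err
	}
	serverKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, err
	}
	genuine, err := issueServerCert(ca, caKey, &serverKey.PublicKey, host)
	if err != nil {
		return false, false, err
	}
	// A public key published under a forged identity can only be signed by a CA the
	// client does not trust; the client's root store decides.
	rogueCA, rogueKey, err := newCA("Unknown CA")
	if err != nil {
		return false, false, err
	}
	otherKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, err
	}
	forged, err := issueServerCert(rogueCA, rogueKey, &otherKey.PublicKey, host)
	if err != nil {
		return false, false, err
	}
	return clientVerify(genuine, ca, host) == nil, clientVerify(forged, ca, host) == nil, nil
}

func main() {
	ok, rogue, err := Demo()
	fmt.Printf("genuine verifies: %v, unknown-CA certificate verifies: %v, err: %v\n", ok, rogue, err)
}
```

The DNSName option matters in practice: a certificate that chains to a trusted root but was issued for a different host must also be rejected, which Verify does for you.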
This concludes "how to ensure the security of HTTPS". Thank you for reading.