How to implement Https in Android

2025-03-28 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/02 Report--

Today I would like to talk about how HTTPS works in Android; many people may not know much about it. To help you understand it better, the editor has summarized the following content. I hope you get something out of this article.

1. Client provides supported encryption algorithms to Server

First, Client sends a message to Server containing the encryption algorithms, protocol versions and compression algorithms that Client supports. The purpose is to let Server pick one of the offered algorithms so that the subsequent communication can be encrypted and decrypted.

At the same time, Client generates a random number locally to serve as the secret key for symmetric encryption. Let's briefly explain symmetric encryption and Client's role with the usual example. Suppose you must share your bank card password with your girlfriend (don't ask why). You are Client, your girlfriend is Server, the bank card is the ciphertext transmitted later, and the password you set is the key. You quietly tell your girlfriend the password at home, so only the two of you know it. Now, even if the bank card is lost, no third person knows the password (the key), so the money (the confidential information) cannot be stolen. This is symmetric encryption.

2. Server responds to Client and transmits its certificate and confirmation message

When Server receives Client's message, it responds. The reply mainly contains the three parts shown in the picture, of which the certificate is the most important. Let's look at what the certificate contains and what it is for. There is a lot to cover here, so be prepared.

First, what information does a certificate contain? Some identity information, such as the owner's name, organization and email address, plus the public key generated by the server. The public key is one half of a public-key (asymmetric) encryption key pair; the other half is the private key. Let's continue the example from the previous section to explain what public key encryption is.

One day, while you are telling your girlfriend the bank card password at home, the walls have ears (an attacker steals the key), and your money is now at risk because that person may use your bank card at any time. How do you solve this? You have an idea: you buy a lock (the public key) that comes with only two keys (the private key), and you and your girlfriend each keep one. Then you tell her: every week I will leave a note with the password (the symmetric encryption key) in the cupboard by the bed, and that is the password of our bank card. Now nobody but the two of you can open the cupboard and read the password, which keeps it secure.

So public key encryption means that Server generates a pair of keys (a public key and a private key). It keeps the private key itself, which corresponds to the key, while the public key corresponds to the lock: anyone can get the lock, but there is only one key, so whatever is locked with this lock is safe.

Now that we understand what public key encryption is, another problem arises. When Server sends its public key to Client, an attacker may swap the public key. Client then mistakenly uses the attacker's lock, the attacker takes away the key, and the communication is completely exposed. Therefore Client needs to know whether the lock really came from Server, so Server puts the lock (the public key) into a certificate and submits the certificate to a CA for certification. Client will only use a lock certified by the CA.

So the next question is: how does the CA convince Client that the public key is secure? By using digital signature technology. Let's briefly explain what a digital signature is.

Simply put, a digital signature is public key encryption used in reverse. As just mentioned, in public key encryption there is only one key (only one private key), so a digital signature uses the lock to test the key: if the lock opens, the lock must be yours, because only you have the key, and you cannot deny it.

Specifically, the CA uses its own private key to hash the public key in Server's certificate with some hash algorithm, producing a hash string, and writes that hash string into the certificate so that Client can check it. Client uses the public key published by the CA (the lock, which anyone can get) to compute a hash string through the hash operation and compares it with the one in the certificate. If the two match, the certificate must have been certified by the CA and is secure. This is the process of using the lock to test the key.
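The check the last few paragraphs describe, as an added example that is not part of the original article and not Android code: Go using the standard crypto/x509 package. It builds a trusted CA, has the CA certify a server certificate (the CA's signature over the certificate is the "hash string" the article talks about), and runs the client-side verification. It then plays the attacker-swap case from above: a certificate for the same hostname issued by a CA the client does not trust is rejected as coming from an unknown authority. The hostname app.example.test, the CA names and the helper names are constructed for this demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// makeCert signs tmpl with the parent's key (self-signed when parent is nil) and
// returns the parsed certificate together with the new subject's private key.
func makeCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil { // a root CA signs its own certificate with its own key
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// caTemplate describes a CA: the lock anyone can fetch, whose only key the CA holds.
func caTemplate(name string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
}

// serverTemplate binds a hostname to the server's public key (its lock).
func serverTemplate(hostname string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: hostname},
		DNSNames:  []string{hostname},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
}

// clientVerifies is the client-side check: the certificate must chain to a CA the
// client already trusts, be valid now, and be issued for the host being contacted.
func clientVerifies(trustedCA, serverCert *x509.Certificate, hostname string) error {
	roots := x509.NewCertPool()
	roots.AddCert(trustedCA)
	_, err := serverCert.Verify(x509.VerifyOptions{
		Roots:     roots,
		DNSName:   hostname,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// caAndLeaf creates a CA named caName and a server certificate for host signed by it.
func caAndLeaf(caName, host string) (ca, leaf *x509.Certificate, err error) {
	ca, caKey, err := makeCert(caTemplate(caName), nil, nil)
	if err != nil {
		return nil, nil, err
	}
	leaf, _, err = makeCert(serverTemplate(host), ca, caKey)
	return ca, leaf, err
}

// Demo reports whether the genuine certificate is accepted and whether a certificate
// for the same host issued by an attacker's own CA is rejected as an unknown authority.
func Demo() (genuineOK, swappedRejected bool, err error) {
	const host = "app.example.test" // constructed hostname for the demo
	trustedCA, genuine, err := caAndLeaf("Trusted Demo CA", host)
	if err != nil {
		return false, false, err
	}
	genuineOK = clientVerifies(trustedCA, genuine, host) == nil

	// An attacker who swaps the lock cannot obtain the trusted CA's signature, so the
	// best they can do is certify their own lock for the host with a CA of their own.
	_, swapped, err := caAndLeaf("Rogue CA", host)
	if err != nil {
		return false, false, err
	}
	var unknown x509.UnknownAuthorityError
	swappedRejected = errors.As(clientVerifies(trustedCA, swapped, host), &unknown)
	return genuineOK, swappedRejected, nil
}

func main() {
	ok, rejected, err := Demo()
	fmt.Println("genuine accepted:", ok, "| rogue rejected:", rejected, "| err:", err)
}
```

The error returned by Verify is what an application would turn into the exception and disconnect mentioned in the next section; the point of the example is that the decision rests on the trust store (the Roots pool) rather than on anything the server sends.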

3. Client checks the legality of the certificate

In fact, the previous section already explained how Client verifies the validity of the certificate. If certificate verification fails, the program generally throws an exception, and you can choose to disconnect from Server when handling that exception. This section focuses on what Client does after the certificate has been verified.

After the certificate is successfully verified, Client first hashes the random number generated in step 1, then encrypts the random number with the public key from the certificate. It then builds a message containing the hash string and the ciphertext and sends it to Server.

While the message is in transit, only Server holds the private key that can decrypt it, so the ciphertext is safe on the way. There is still the risk that an attacker tampers with the message, and this is where the hash string comes in. Tamper detection through hash strings is the message digest, so let's talk about it briefly.

Simply put, a message digest generates a hash string through an irreversible algorithm: once the hash string has been produced, the original content cannot be recovered from it. So if the hash value of the original content is fixed, it proves that the content is complete and reliable; once the content is modified, the hash string must be different.

4. Server decrypts the random number and sends a handshake message to Client

After receiving Client's message, Server decrypts the ciphertext with its private key to obtain the random number. It then applies the same message digest algorithm to the random number and compares the computed hash string with the hash string in the message. If they are identical, the process continues; if not, the connection is closed.

If the random number is correct, Server prepares a handshake message and encrypts it with the symmetric encryption algorithm previously agreed with Client, using the random number as the key. Likewise, to prevent the message from being tampered with, the message is processed with a message digest.

The key is delivered through public key encryption, and every subsequent message is encrypted with this key, which ensures the confidentiality of the content.
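Steps 1 to 4 as a runnable simulation, added here as an example; it is not the article's or any project's code, it is written in Go rather than Android Java, and it follows the article's simplified model (random key encrypted under the server's public key, a digest sent alongside it, then symmetric encryption) rather than the exact message layout of real TLS. RSA-OAEP, SHA-256 and AES-256-GCM are the example's own algorithm choices, and the function names are constructed. The tamper case at the end alters the digest in transit and shows Server refusing to continue, which is the behaviour step 4 describes.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// keyExchange is the message Client sends in step 3.
type keyExchange struct {
	Digest       []byte // SHA-256 of the random key (the article's "Hash string")
	EncryptedKey []byte // random key encrypted with Server's public key (RSA-OAEP)
}

// clientPrepareKey covers Client's side of steps 1 and 3: draw a random 256-bit
// key, hash it, and encrypt it with the public key taken from the certificate.
func clientPrepareKey(serverPub *rsa.PublicKey) ([]byte, keyExchange, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, keyExchange{}, err
	}
	digest := sha256.Sum256(key)
	enc, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, serverPub, key, nil)
	if err != nil {
		return nil, keyExchange{}, err
	}
	return key, keyExchange{Digest: digest[:], EncryptedKey: enc}, nil
}

// serverRespond covers step 4: only Server's private key recovers the random key,
// the digest is recomputed and a mismatch aborts; otherwise Server replies with a
// handshake message encrypted under the shared key.
func serverRespond(serverPriv *rsa.PrivateKey, msg keyExchange) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), nil, serverPriv, msg.EncryptedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("decrypt random key: %w", err)
	}
	if digest := sha256.Sum256(key); !bytes.Equal(digest[:], msg.Digest) {
		return nil, errors.New("digest mismatch: message was tampered with, disconnecting")
	}
	return seal(key, []byte("server hello, handshake complete"))
}

// Symmetric encryption for everything after the key exchange: AES-256-GCM under
// the random key; GCM's authentication tag does the tamper detection here.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil // nonce is prefixed to the ciphertext
}

func open(key, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil || len(sealed) < gcm.NonceSize() {
		return nil, errors.New("bad key or ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// RunHandshake plays both sides. It returns the handshake text Client recovered
// and whether Server rejected a key-exchange message whose digest was altered.
func RunHandshake() (string, bool, error) {
	serverPriv, err := rsa.GenerateKey(rand.Reader, 2048) // Server's lock (public) and key (private)
	if err != nil {
		return "", false, err
	}
	clientKey, msg, err := clientPrepareKey(&serverPriv.PublicKey)
	if err != nil {
		return "", false, err
	}
	sealed, err := serverRespond(serverPriv, msg)
	if err != nil {
		return "", false, err
	}
	plain, err := open(clientKey, sealed) // Client reads the reply with its own copy of the key
	if err != nil {
		return "", false, err
	}
	// An attacker on the path alters the digest in transit; Server must notice and disconnect.
	tampered := keyExchange{Digest: append([]byte{}, msg.Digest...), EncryptedKey: msg.EncryptedKey}
	tampered.Digest[0] ^= 0xff
	_, err = serverRespond(serverPriv, tampered)
	return string(plain), err != nil, nil
}

func main() { fmt.Println(RunHandshake()) }
```

Two design points worth noting: the random key never travels in the clear, only under Server's public key, and once both sides hold it every later message uses the much cheaper symmetric cipher, which is exactly the split the summary below argues for.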

5. Summary of the complete process

Borrowing a picture here.

I believe that after reading the previous content you have a general understanding of the HTTPS process; look at the picture above. The process can be roughly summarized as follows:

Transport the random key securely using public key encryption.

After that, the random key is used as the symmetric encryption key to protect the content of the communication.

Some readers will surely have this question:

Since public key encryption is already secure, why not use it for all communication? This touches on a fatal disadvantage of public key encryption: it is very inefficient, so it is used only once. Symmetric encryption is far more efficient than public key encryption, so it is used for all subsequent communication.

After reading the above, do you have a better understanding of how HTTPS works in Android? If you want to learn more, please follow the industry information channel. Thank you for your support.
