2025-01-15 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/02 Report--
This article comes from the official account of Suyan. Original article: "Tell the story through https".
The main characters in the story:
Xiaohua is a freshman this year. This is the first time she has left her parents and gone to school in Beijing alone. Today is her mother's birthday, and she wanted to send her mother her good wishes, so she sent her mother a message.
The mother was very happy to receive the message. Her daughter was so busy and still remembered her birthday, so the two began to chat. Knowing that her daughter had been living frugally, the mother decided to transfer some money to her.
Xiaohei is a *, specializing in "sneaking around", and he has been monitoring the conversation between mother and daughter. He had been watching them chat from home and had almost fallen asleep.
When he saw the mother and daughter mention money, he immediately perked up and decided to make some money for himself. He intercepted Xiaohua's message and sent Xiaohua's mother his own carefully prepared content in its place.
Xiaohua's mother then called Xiaohua, unaware that the chat between mother and daughter was under Xiaohei's control. Xiaohei got the money and ran away.
The HTTP protocol is built on TCP, so whether TCP is secure determines whether HTTP is secure. The content of an HTTP message is not encrypted, so it is easy to monitor and tamper with. Xiaohei monitored the chat between mother and daughter, tampered with the content, and chatted while pretending to be the daughter. So HTTP has the following three problems:
1. The content is unencrypted: it is transmitted in clear text and is easy to monitor.
2. The integrity of the content cannot be verified, so it is easy to tamper with; that is, we do not know whether a message has been modified.
3. The identity of the other party cannot be verified: who am I talking to now, and are they reliable?
After Xiaohua was cheated, she felt very sad and told her computer teacher Wang Daqiang about it. When Mr. Wang heard how she had been cheated, he was very surprised. How could the message have been tampered with? He immediately checked the chat software they used, and it turned out that the software used the TCP protocol directly, with no security measures at all.
After studying the software, Daqiang said to Xiaohua, "There is something wrong with this software. Don't use it in the future. Use software with security measures, such as software that uses the TLS/SSL protocol."
Xiaohua said, "What is TLS/SSL?" Seeing Xiaohua's sincere expression, Daqiang decided to explain the principle of HTTPS to her, but he thought she might not understand it, so he decided to start by analyzing the scene in which she and her mother were deceived.
Since the chat between Xiaohua and her mother is transmitted in clear text, simply encrypting the content solves that problem. Xiaohua and her mother agree on a password, and all content is encrypted and decrypted with it.
This kind of encryption is called symmetric encryption: encryption and decryption both use the same password, so the password must be kept secret. Once it is disclosed, the consequences are very serious.
Xiaohua immediately sensed that something was wrong. How could the password be passed to her mother? The two sides would have to meet in person to agree on a password. And her father is far away in the United States; if she wanted to ask him for money, she would need to fly to the United States to give him the password. This is too much trouble.
Teacher Wang Daqiang said, "Don't worry, there is a better way." Use two keys: one for encryption (called the public key) and the other for decryption (called the private key). Content encrypted with the public key can only be decrypted with the private key. Only you hold the private key, while the public key can be handed out to anyone.
Xiaohua and her mother just give their public keys to each other. When Xiaohua sends a message to her mother, she encrypts it with her mother's public key, and since only her mother has the private key, only her mother can decrypt it.
This kind of encryption is called asymmetric encryption: there are two keys, and content encrypted with one key can only be decrypted with the other. As for why we say "public key encrypts, private key decrypts": either key can be used for encryption and the other for decryption, but isn't it easier to understand when stated this way? The public key is known to everyone, but the private key is known only to its owner.
Xiaohua thought about it and felt that it was still a bit unsafe: what if Xiaohei was eavesdropping when she exchanged public keys with her mother?
Xiaohua sent her public key xiaohua_pub to her mother, and Xiaohei swapped it: he sent his own public key xiaohei_pub to Xiaohua's mother instead. In this way, Xiaohua's mother encrypts her messages with Xiaohei's public key, and Xiaohei gets the messages and can decrypt them with his own private key.
When her mother sent her public key to Xiaohua, it was also swapped by Xiaohei, so Xiaohei had the public keys of both sides.
When he saw Xiaohua's message asking her mother to transfer money, Xiaohei tampered with it.
After hearing Xiaohua's misgivings, teacher Wang Daqiang gave a thumbs up and said, "Don't worry, let me explain slowly."
The problem now is that the public key was swapped by Xiaohei while it was being exchanged, so that is what needs to be solved next: how to deliver a public key to the other party safely.
This seems to be a problem that can never be solved; after all, the public key always has to be transmitted. It looks like a chicken-and-egg problem. Then Xiaohua thought about her usual online shopping: she used to be afraid that after she paid, the merchant would run away without delivering the goods. Then came Taobao, a third-party organization. After all, Alibaba is big and trustworthy, and even if the merchant runs away, she can go to Taobao.
In the same way, certification authorities for public keys appeared. There are very few of them, but they are very authoritative. They establish trust relationships with the makers of computers, browsers and so on, and the public key of the certification authority is installed into the system in advance, so it never has to be transmitted.
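The key swap from the story and the certification-authority fix, as an added example in Node.js (not code from the original article). The toy certificate format, the constructed CA key pair and the names `issueCert`, `verifyCert` and `demo` are assumptions made for illustration; real certificates use X.509.

```javascript
const crypto = require('node:crypto');

// Constructed CA key pair. Its public half stands for the key that the
// article says is installed in the system or browser in advance.
const ca = crypto.generateKeyPairSync('ed25519');
const toPem = (key) => key.export({ type: 'spki', format: 'pem' });

// The CA signs the binding "this name owns this public key".
function issueCert(name, publicKey, signer = ca.privateKey) {
  const body = JSON.stringify({ name, publicKey: toPem(publicKey) });
  const signature = crypto.sign(null, Buffer.from(body), signer);
  return { body, signature };
}

// Returns the certified public key, or null if the CA signature is
// invalid or the certificate was issued to someone else.
function verifyCert(cert, expectedName, caPublicKey = ca.publicKey) {
  const body = Buffer.from(cert.body);
  if (!crypto.verify(null, body, caPublicKey, cert.signature)) return null;
  const { name, publicKey } = JSON.parse(cert.body);
  return name === expectedName ? crypto.createPublicKey(publicKey) : null;
}

// What Xiaohua's mother accepts and what she must reject.
function demo() {
  const xiaohua = crypto.generateKeyPairSync('ed25519');
  const xiaohei = crypto.generateKeyPairSync('ed25519');
  const genuine = issueCert('xiaohua', xiaohua.publicKey);
  // Case 1: key swapped in transit, original CA signature kept.
  const swapped = {
    body: JSON.stringify({ name: 'xiaohua', publicKey: toPem(xiaohei.publicKey) }),
    signature: genuine.signature,
  };
  // Case 2: certificate for "xiaohua" signed by a key the client does not trust.
  const selfSigned = issueCert('xiaohua', xiaohei.publicKey, xiaohei.privateKey);
  // Case 3: a valid certificate, but issued to a different name.
  const otherName = issueCert('xiaohei', xiaohei.publicKey);
  return {
    genuine: verifyCert(genuine, 'xiaohua') !== null,
    swapped: verifyCert(swapped, 'xiaohua') !== null,
    selfSigned: verifyCert(selfSigned, 'xiaohua') !== null,
    otherName: verifyCert(otherName, 'xiaohua') !== null,
  };
}

console.log(demo());
```

Only the genuine certificate verifies; the name check in `verifyCert` matters as much as the signature check, because the third case carries a perfectly valid CA signature.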
While chatting, Xiaohua found that messages were sent and received very slowly, and later found that this was because the asymmetric encryption algorithm takes a long time. Xiaohua recalled that the only disadvantage of symmetric encryption is that exchanging the key is troublesome, while it is very fast. So the symmetric encryption key can be transmitted using asymmetric encryption, and once the key has been delivered, the messages themselves are encrypted with symmetric encryption.
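The combined scheme described above, as an added Node.js example (not code from the original article): a random symmetric key is delivered under the mother's public key, then the chat itself uses symmetric encryption. RSA-OAEP, AES-256-GCM and all function names are choices assumed for this example; the authentication tag of GCM also addresses the tampering problem listed earlier.

```javascript
const crypto = require('node:crypto');

// Constructed key pair for Xiaohua's mother (the receiver).
const mother = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const oaep = (key) => ({
  key,
  padding: crypto.constants.RSA_PKCS1_OAEP_PADDING,
  oaepHash: 'sha256',
});

// Slow asymmetric step, done once: wrap a fresh 256-bit session key.
function wrapSessionKey(recipientPublicKey) {
  const sessionKey = crypto.randomBytes(32);
  const wrapped = crypto.publicEncrypt(oaep(recipientPublicKey), sessionKey);
  return { sessionKey, wrapped };
}

function unwrapSessionKey(wrapped, privateKey) {
  return crypto.privateDecrypt(oaep(privateKey), wrapped);
}

// Fast symmetric step, done per message. A fresh 12-byte IV is required
// for every message encrypted under the same key.
function seal(sessionKey, text) {
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', sessionKey, iv);
  const ct = Buffer.concat([cipher.update(text, 'utf8'), cipher.final()]);
  return { iv, ct, tag: cipher.getAuthTag() };
}

// Returns the plaintext, or null if the message was modified in transit.
function unseal(sessionKey, { iv, ct, tag }) {
  const decipher = crypto.createDecipheriv('aes-256-gcm', sessionKey, iv);
  decipher.setAuthTag(tag);
  try {
    return Buffer.concat([decipher.update(ct), decipher.final()]).toString('utf8');
  } catch {
    return null; // authentication tag mismatch
  }
}

function chatDemo() {
  const { sessionKey, wrapped } = wrapSessionKey(mother.publicKey);
  const motherKey = unwrapSessionKey(wrapped, mother.privateKey);
  const message = seal(sessionKey, 'Happy birthday, Mom!');
  const tampered = { ...message, ct: Buffer.from(message.ct) };
  tampered.ct[0] ^= 0x01; // one bit changed on the wire
  return { received: unseal(motherKey, message), afterTamper: unseal(motherKey, tampered) };
}

console.log(chatDemo());
```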
HTTP is an application-layer protocol. HTTPS is not a new protocol; it simply has one more layer (TLS/SSL) than HTTP. TLS/SSL is itself a protocol, and its main function is to ensure the security of data transmission. Most implementations are based on OpenSSL; for example, TLS in Node is based on OpenSSL.
In the form of a story, this article introduces the insecurity of HTTP and the mechanisms behind the security of HTTPS, including the concepts of digital certificate, digital signature, symmetric encryption and asymmetric encryption. Come on, everybody.