
What are the basics of Kubernetes certificates

2025-03-29 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)05/31 Report--

Most readers are not familiar with the knowledge points in this article, "Basic knowledge of Kubernetes certificates", so the editor has summarized the following content in detail and with clear steps; it has a certain reference value, and I hope you gain something from reading it. Let's take a look at "What are the basics of Kubernetes certificates".

When communicating over HTTPS, the server must present a certificate. For example, when a browser visits a website, it verifies the website's certificate to confirm that the site is genuine and trustworthy. In a web application system, the server can also require the client to present a certificate when the client connects, to confirm that the client is legitimate.

Why is HTTP not secure?

The HTTP protocol sits in the application layer of the four-layer TCP/IP model and provides no data encryption mechanism of its own.

All communication between client and server is in plaintext. If a middleman captures the network packets, information is disclosed; the middleman can even tamper with the data or impersonate the server for phishing purposes, as shown in the figure below:

HTTPS

The HTTPS protocol was introduced to solve the security problems of HTTP. To protect the confidentiality of data, HTTPS encrypts it. Encryption algorithms fall into two categories: symmetric encryption and asymmetric encryption.

Symmetric encryption

In a symmetric encryption algorithm, the same key (password) is used to encrypt and to decrypt the data, so even if a middleman steals the data, it cannot be decrypted without that key.

In film and television works about the Anti-Japanese War, communicating by radio is common, and this is a typical symmetric encryption scenario. Operational orders are translated through a codebook into a series of codes suitable for radio transmission, and the receiver translates them back into the original orders using the same codebook. Even if the enemy intercepts the codes sent over the radio, it cannot recover the contents; but if the enemy obtains the codebook, the information is compromised.

On a network, if the client and server likewise use a symmetric encryption algorithm, the two sides must first negotiate a key, and all subsequent data is encrypted and decrypted with it. This improves data security to a certain extent, but the key negotiation itself still takes place in plaintext, so a middleman can still obtain the key and the information can easily be decrypted.

So how can the key negotiation process itself be made secure? This is where an asymmetric encryption algorithm is needed.

Asymmetric encryption

An asymmetric encryption algorithm requires a pair of keys: a public key and a private key. Data encrypted with the public key must be decrypted with the corresponding private key, and data encrypted with the private key must be decrypted with the corresponding public key.

In network communication, the server sends its public key to the client, the client encrypts data with that public key and sends it to the server, and the server decrypts the received data with its private key. Even if a middleman steals the data, it cannot be decrypted without the server's private key, which ensures that data sent from the client to the server is secure.

Since the server's public key travels over the network, a middleman can also obtain it, so the middleman could still read data that the server encrypted with its private key. The server therefore cannot protect data sent to the client by encrypting it with its private key; it can only use the symmetric key negotiated with the client. In addition, symmetric encryption algorithms are far more efficient than asymmetric ones.

The client and server use the asymmetric encryption algorithm to make the negotiation of a symmetric key secure. Once a symmetric key exists, all subsequent communication can use it to encrypt the data, as shown in the figure below:
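The negotiation just described, written out as an added Go example (not code from the original article): the client picks a random symmetric key, wraps it with the server's public key, and the server unwraps it with its private key; both sides then protect bulk data with that symmetric key. RSA-OAEP for the wrapping and AES-256-GCM for the bulk data are this example's own choices, and all function names are hypothetical.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Server side: a long-lived RSA key pair; only the public half is ever sent over the network.
func newServerRSAKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// Client side: pick a fresh random AES-256 key and wrap it with the server's public key (RSA-OAEP).
// A middleman who captures the wrapped blob cannot unwrap it without the server's private key.
func clientNegotiate(serverPub *rsa.PublicKey) (aesKey, wrapped []byte, err error) {
	aesKey = make([]byte, 32)
	if _, err = rand.Read(aesKey); err != nil { return nil, nil, err }
	wrapped, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, serverPub, aesKey, nil)
	return aesKey, wrapped, err
}

// Server side: recover the symmetric key; fails if the blob was wrapped to a different public key.
func serverUnwrap(priv *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), nil, priv, wrapped, nil)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}

// Both sides: bulk data under AES-256-GCM with the negotiated key; the nonce is prefixed to the ciphertext.
func sealMessage(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil { return nil, err }
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// The GCM authentication tag fails on any modified byte, so tampering in transit is detected rather than silent.
func openMessage(key, msg []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil { return nil, err }
	if len(msg) < gcm.NonceSize() { return nil, fmt.Errorf("message too short") }
	return gcm.Open(nil, msg[:gcm.NonceSize()], msg[gcm.NonceSize():], nil)
}
```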

However, this communication process still has a loophole. A middleman may intercept the server's public key and replace it with the middleman's own public key; the middleman can then use their own private key to recover the negotiated symmetric key, as shown in the figure below:

The core of this vulnerability is that the client cannot tell whether the server public key it received is genuine or has been tampered with. In daily life, when we receive a document we may not be able to tell whether it is real, but if it bears the official seal of a government department it becomes easier, because we can check its authenticity with that department. In HTTPS communication, the role of the certificate is to prove the legitimacy of the public key.

Certificate

In cryptography, a certificate (sometimes called a digital certificate) is an electronic document that proves ownership of a public key. It contains the public key, information about the public key's owner, and the signature of the issuing authority.

Certificates are issued by authoritative CAs (Certificate Authorities). When applying for a certificate, the server must provide its identity information and its public key. For a website certificate, the identity information includes the domain name, company name, city, province and country, and the public key is generated in advance by the website administrator.

The process by which a CA issues a certificate is as follows:

The digital signature in the certificate is similar to the official seal in everyday life; it is the key to telling whether a certificate is genuine.

When the CA generates the digital signature, it hashes the identity information and the public key with a public hash algorithm to obtain the certificate digest, and then encrypts the digest with the CA's private key, as shown in the figure below:

The digital signature is the key to telling whether a certificate is genuine because the client can use the CA's public key to decrypt the signature and obtain the certificate digest, and the client can also extract the identity information and public key from the certificate and hash them to compute a digest of its own. If the two digests match, the certificate content has not been tampered with.

If the identity information or the public key is tampered with, the certificate digest changes; if the digital signature is tampered with, it can no longer be decrypted with the CA's public key.

In summary, the certificate proves that the public key can be trusted, which solves the problem that the client cannot tell whether a public key is genuine.

When the client and server negotiate a symmetric key, the server no longer sends its public key to the client directly, but sends a certificate containing the public key. The client first verifies the authenticity of the certificate, and only if the certificate is genuine does it extract the public key from it. The complete communication process is as follows:

The above is the content of "What are the basics of Kubernetes certificates"; I believe you now have a certain understanding of it. I hope the content shared by the editor is helpful to you. If you want to learn more, please follow the industry information channel.
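The issuance and verification described in the certificate section, as an added Go example using the standard library's X.509 support (not code from the original article): a CA signs a certificate binding a server's identity to its public key, and the client accepts the public key only if the signature chains to a CA it already trusts and the certified name matches. ECDSA P-256 keys, the names, and the helper functions are this example's own assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// ca is a signing key plus its own self-signed certificate; clients trust that certificate directly.
type ca struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}
// newKey generates the key pair a server (or a CA) creates in advance; only the public half is certified.
func newKey() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }
func newCA(name string) (*ca, error) {
	key, err := newKey()
	if err != nil { return nil, err }
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil { return nil, err }
	cert, err := x509.ParseCertificate(der)
	return &ca{cert: cert, key: key}, err
}
// issue binds the server's identity (its DNS name) to its public key: the CA signs a digest of those fields.
func (c *ca) issue(dnsName string, serverPub *ecdsa.PublicKey) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: dnsName}, DNSNames: []string{dnsName},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, c.cert, serverPub, c.key)
	if err != nil { return nil, err }
	return x509.ParseCertificate(der)
}
// clientVerify: the signature must chain to a root the client already trusts and the certified name must match.
func clientVerify(trustedRoot, cert *x509.Certificate, dnsName string) error {
	roots := x509.NewCertPool()
	roots.AddCert(trustedRoot)
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: dnsName})
	return err
}
```

A certificate issued by a CA the client does not trust, or one issued for a different name, fails `clientVerify`, so a substituted public key is never extracted.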
