

What is the principle of network request encryption in Android

2025-02-24 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/02 Report--

This article introduces the principle behind network request encryption in Android. The content is detailed and easy to follow, the steps are simple, and it should serve as a useful reference. I believe you will gain something from reading it. Let's take a look.

Asymmetric encryption

I don't know much about encryption, except that there are two kinds of algorithm: symmetric encryption and asymmetric encryption.

Symmetric encryption: the same key is used to encrypt and to decrypt; for example, what is encrypted with 123 is decrypted with 123. In practice, however, the key is transmitted over the Internet as ordinary data, so a man in the middle can intercept and crack it, and the encryption is broken outright.

Asymmetric encryption: splits the key into a public key and a private key. The public key is public and anyone can obtain it; the private key is secret and known only to its owner. Suppose A wants to send an email to B and does not want anyone else to see its contents in transit: A encrypts the email with B's public key, and only B's private key can decrypt it (B's private key guarantees that the letter is not disclosed).

One day there is an accident: an attacker pretends to be A and sends an email to B, also encrypted with B's public key, so B cannot tell whether the email really came from A. What can be done? A can additionally encrypt with A's own private key; if B can decrypt the message with A's public key after receiving it, that proves the letter must have come from A.

OK, through this example I think you basically understand asymmetric encryption. I summarize the following points:

The role of the public key: encrypt the content itself, ensuring that it cannot be read by others.

The role of the private key: prove the source of the content.

The public key and private key come in pairs: what the public key encrypts, the private key decrypts, and vice versa. Trying to decrypt with the wrong key results in an error.

Digital signature

Let's continue with the email example above. Suppose A encrypts the email with A's own private key; this has the following problem:

Encrypting the file itself may be time-consuming. If the email is large enough, encrypting the entire file with the private key, and decrypting the entire file after receiving it, is undoubtedly a huge overhead.

Digital signatures can solve this problem:

1. A first hashes the email to obtain a hash value, referred to as the "digest" for short; call it H2.

2. A then encrypts the digest with A's own private key; the result is called the "digital signature".

3. A appends the digital signature to the email body and sends it to B (of course, to prevent the email from being eavesdropped, the public-key encryption described earlier can still be applied on top, but that is outside the scope of digital signatures).

4. After receiving the email, B decrypts the digital signature with A's public key. Success means the email really comes from A; failure indicates that someone is impersonating A.

5. B hashes the email body to obtain a hash value, called H3.

6. B compares the hash value H2 recovered from the digital signature in step 4 with the H3 that B computed; if they match, the message has not been tampered with.
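The six steps above, as an added Go example that is not part of the original article: A signs the SHA-256 digest of a constructed email body, and B's check accepts the genuine message but rejects a body edited in transit and a signature made with an impostor's key. The key pairs, the message text, and the choice of SHA-256 with RSA PKCS#1 v1.5 signatures are assumptions made for this demo.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// SignEmail is steps 1 and 2: hash the body to get the digest (H2), then sign
// the digest, not the whole email, with the sender's private key.
func SignEmail(body []byte, priv *rsa.PrivateKey) ([]byte, error) {
	digest := sha256.Sum256(body)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
}

// VerifyEmail is steps 4 to 6: recompute the digest of the received body (H3)
// and check it against the signature with the claimed sender's public key.
// A signature made with another key, or a body changed after signing, fails.
func VerifyEmail(body, sig []byte, pub *rsa.PublicKey) bool {
	digest := sha256.Sum256(body)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}

// SignatureDemo runs the exchange with constructed keys and a constructed body
// and returns (genuine accepted, tampered body rejected, impostor rejected).
func SignatureDemo() (bool, bool, bool) {
	aKey, _ := rsa.GenerateKey(rand.Reader, 2048) // A's key pair (constructed)
	cKey, _ := rsa.GenerateKey(rand.Reader, 2048) // C, an impostor, has his own pair
	body := []byte("Dear B, the meeting moves to 10:00.") // constructed email body
	sig, _ := SignEmail(body, aKey)

	genuine := VerifyEmail(body, sig, &aKey.PublicKey)

	// A man in the middle edits the body but keeps A's signature: H3 != H2.
	tampered := []byte("Dear B, the meeting moves to 11:00.")
	tamperedOK := VerifyEmail(tampered, sig, &aKey.PublicKey)

	// C signs the same body with his own private key and claims to be A;
	// B checks with A's public key, so the signature does not verify.
	forged, _ := SignEmail(body, cKey)
	forgedOK := VerifyEmail(body, forged, &aKey.PublicKey)

	return genuine, !tamperedOK, !forgedOK
}

func main() {
	fmt.Println(SignatureDemo()) // true true true
}
```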

After following this process, do you find that a digital signature is nothing more than this? It is simply a piece of data produced by encrypting the hash of the original text with some algorithm (not necessarily an asymmetric one) and attaching it to the original text. The function of a digital signature is to verify the data's source and the data's integrity. The decryption process is called digital signature verification.

But hold on; I had the following doubts while working through the digital signature process. I wonder if you had the same?

1. If a man in the middle tampers with both the email text and the digital signature, B will not notice.

Answer: generating a digital signature requires the sender's private key, so forging one is difficult. If the private key is leaked, I'm sorry: if you can even lose your private key, then I wrote this article in vain. (The private key is strictly confidential and never takes part in transmission.)

2. The public key is public and can be imported onto a computer by anyone. If someone, say C, secretly replaces A's public key with his own on B's computer, and then sends B an email signed with his own private key, B receives an email that is actually C impersonating A, and cannot detect it.

Answer: this situation does exist! The solution is the digital certificate; each layer builds on the previous one, so please read on.

Digital certificate

What is the root cause of the security vulnerability described in point 2 above? It is that A's public key can be replaced easily. So how is a digital certificate generated, and how does it work together with the digital signature?

1. First, A goes to a "certificate authority" (CA) to have the public key certified. The CA uses its own private key to encrypt A's public key together with some related information, producing a "digital certificate".

2. At the bottom of the message body, in addition to the digital signature, A attaches this digital certificate.

3. After receiving the email, B decrypts the digital certificate with the CA's public key, obtains A's public key, and then verifies the digital signature. The rest of the process is the same as in Figure 1, so I won't repeat it.

As with digital signatures, I had the following doubts while working through this process:

What if the digital certificate itself is forged?

Answer: yes, the digital certificate may be tampered with in transit. Therefore the digital certificate is itself digitally signed. Does that feel like a chicken-and-egg problem? I promise this is the last egg! As stated above, the function of a digital signature is to verify data source and data integrity. After receiving the email, B can first verify the authenticity of the digital certificate, and then verify the digital signature.

If 10,000 people want to email B, does B have to keep 10,000 different CA public keys?

Answer: no. The CA can give B a "root certificate" containing the CA's public key, which is used to verify all digital certificates issued by the CA's sub-centers. CA centers form a tree structure, similar to the Ministry of Public Security -> Provincial Public Security Bureau -> Municipal Police Station. No matter which CA branch A applies to for a certificate, B can verify the subordinate certificate as long as the root certificate is stored in advance.

How is the reliability of the root certificate verified?

Answer: it cannot be verified. The root certificate is self-verifying; the CA is a third-party organization that is absolutely recognized by society and has absolute authority, and that is what guarantees the reliability of the root certificate. If something is wrong with the root certificate, the whole encryption system is meaningless.
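The certificate steps above and the root-certificate answer, as an added Go example that is not from the original article: a constructed root CA issues a certificate to a branch CA, the branch issues A's certificate, and B, who holds only the root, accepts A's certificate while rejecting one that C signed himself in A's name. All names, key sizes and validity periods are assumptions for the demo; the chain building is Go's standard crypto/x509.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue generates a key pair for name and has signer (the parent CA's key) certify
// the public key. A nil parent means the certificate signs itself: a root certificate.
func issue(parent *x509.Certificate, signer *rsa.PrivateKey, name string, usage x509.KeyUsage) (*x509.Certificate, *rsa.PrivateKey) {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), // constructed demo serial
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     usage, IsCA: usage&x509.KeyUsageCertSign != 0, BasicConstraintsValid: true,
	}
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err) // constructed demo: an issuance failure is a programming error
	}
	cert, _ := x509.ParseCertificate(der) // DER produced just above always parses
	return cert, key
}

// CertificateDemo plays B, who holds only the root certificate, and returns
// (A's certificate accepted, C's self-signed forgery rejected).
func CertificateDemo() (bool, bool) {
	root, rootKey := issue(nil, nil, "Demo Root CA", x509.KeyUsageCertSign|x509.KeyUsageDigitalSignature)
	branch, branchKey := issue(root, rootKey, "Demo Branch CA", x509.KeyUsageCertSign|x509.KeyUsageDigitalSignature)
	aCert, _ := issue(branch, branchKey, "A", x509.KeyUsageDigitalSignature)
	cCert, _ := issue(nil, nil, "A", x509.KeyUsageDigitalSignature) // C signs his own key in A's name
	roots, branches := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)      // pre-installed on B's machine, like a browser's root store
	branches.AddCert(branch) // travels with A's certificate, the branch of the CA tree
	opts := x509.VerifyOptions{Roots: roots, Intermediates: branches, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	_, errA := aCert.Verify(opts) // chain A -> branch -> root is found
	_, errC := cCert.Verify(opts) // no path to any trusted root
	return errA == nil, errC != nil
}

func main() { CertificateDemo() }
```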

An example

Everything above has been a hypothetical scenario; here is a practical example of how digital signatures plus digital certificates verify the source and integrity of a file. Take file downloads: in our development work, the server usually adds an MD5 to the file information, and the client verifies the MD5 after the download to determine whether the file is damaged. That is only a simple verification mechanism, whereas many established companies, such as Google, apply digital signatures and certificates to their official software, and Windows comes with many CA root certificates pre-installed.

Now look at the Chrome.exe I downloaded from the Internet: right-click, open Properties, and verify it with one click.

Google Inc is the digital certificate that Google applied for from the CA. From this we can see that the software does come from Google officially and the file is intact. Next I do something naughty: open the exe in Notepad, tamper with the contents (modify the binary data, changing 09 to 33), and save.

Is the digital signature still valid?

The file has been tampered with, so the digital signature is invalid, while the digital certificate itself is fine.

HTTPS introduction

Digital signatures and certificates can be used for files and, of course, for HTML web data. I have no HTTPS-related development experience, so I won't go into depth; this is just a brief introduction.

Security flaws in HTTP:

1. Unable to verify the identity of the server.

2. Unable to guarantee data integrity.

3. Unable to guarantee that data transmission will not be eavesdropped.

HTTPS is designed to solve these three problems. HTTPS uses digital signatures and digital certificates to solve the first two. Many large websites, such as baidu.com, use the HTTPS protocol, and a green lock icon appears to the left of the URL.

Click it to view the certificate; browsers have built-in CA root certificates to verify the server certificates of these sites.

Then the transmission channel is encrypted with the SSL protocol, ensuring that the transmitted data cannot be eavesdropped.

This is the end of the article on "what is the principle of network request encryption in Android". Thank you for reading! I believe everyone now has some understanding of the principle of network request encryption in Android. If you want to learn more, you are welcome to follow the industry information channel.
