Shulou(Shulou.com)06/02 Report--

This article mainly introduces "how to understand the security problems of HTTP". In daily operation, I believe many people have doubts about how to understand the security problems of HTTP. The editor consulted all kinds of materials and sorted out simple and easy-to-use methods of operation. I hope it will be helpful to answer the doubts of "how to understand the security problems of HTTP"! Next, please follow the editor to study!

01 、 HTTPS

HTTPS is a popular form of HTTP security. It was pioneered by Netscape and is supported by all major browsers and servers.

Let's take a look at this picture.

The URL of the HTTPS scheme begins with https://, instead of http://, so you can tell that a Web page is accessed through HTTPS instead of HTTP (some browsers also display some iconic security tips)

When using HTTPS, all HTTP request and response data is encrypted before it is sent to the network. HTTPS provides a transport-level password security layer under HTTP.

We can take a look at the layers about HTTP and HTTPS.

Most of the difficult encoding and decoding work is done in the SSL or TLS library, so Web clients and servers do not need to modify their protocol processing logic too much when using secure HTTP. In most cases, you just need to replace the TCP call with the SSL input / output call, and add a few other calls to configure and manage the security information.

02. Digital encryption

With regard to digital encryption, it is easy to understand. Have you seen some "magic dramas"? During the Anti-Japanese War, the telegram passwords were all in the form of a book, and then the different letters of the code book corresponded to different data information, and then the corresponding numbers were stitched together. This is just our simple understanding of digital passwords, to put it officially:

Aren't the encoders and decoders in the "magic drama" the existence of the codebook? Passwords have been used to generate confidential information for thousands of years. Legend has it that Julius Caesar (Julius Caesar) used a three-character cyclic shift cipher in which each character in the message was replaced by a character after three positions in the alphabet. In modern alphabets, "A" should be replaced by "D", "B" should be replaced by "E", and so on.

Let's take "rotation 3" as an example.

The password can encode the message "meet me at the pier at midnight" into the ciphertext "phhw ph dw wkh slhu dw plgqljkw".

1 by decoding and rotating-3 characters in the alphabet, the ciphertext can be decrypted back to the original plaintext message.

But at the same time, we can also think that the password book is easy to be obtained by the other party, and the coding machine is also easy to be obtained by the enemy. In times of war, the password book is a must.

So most machines have plates that can be set to a large number of different values to change the way passwords work. Even if the machine is stolen, the decoder will not work without the correct dial setting (key value).

These password parameters are called key. Only by entering the correct key in the cipher machine can the decryption process proceed correctly. Password keys make a cryptographic machine look like multiple virtual cryptographic machines, each with a different key value, so its behavior is different.

The above picture is a rotating N-character password using different keys. no, no, no. The longer the key, the more coding combinations, and the more difficult it is to crack the code by randomly guessing the key.

Given a plaintext message P, an encoding function E and a digital encoding key e, an encoded ciphertext C can be generated as shown in the following figure. Through the decoding function D and the decoding key d, the ciphertext C can be decoded into the original plaintext P. Of course, the encoding / decoding functions are inverse functions of each other, and decoding the encoding of P will return to the original message P.

03. Symmetric key encryption

Let's take a more detailed look at how keys and passwords work together. Many digital encryption algorithms are called symmetric key (symmetric-key) encryption because they are encoded with the same key value as when decoding. Let's call it the key k.

In symmetric key encryption technology, the sender and receiver have to share the same key k before they can communicate. The sender encrypts the message with a shared key and sends the resulting ciphertext to the receiver. The receiver receives the ciphertext and applies the decryption function and the same shared key to it to recover the original plaintext. Look at the following picture:

Symmetric key encryption algorithms use the same key for encoding / decoding. Popular symmetric key encryption algorithms include DES, Triple-DES, RC2 and RC4.

3.1, key length and enumeration attacks

In many cases, the encoding / decoding algorithm is well known, so the key is the only secret.

A good encryption algorithm forces an attacker to try every possible key to crack the code. Trying all key values with violence is called an enumeration attack (enumeration attack). If there are only a few possible key values, unscrupulous people can finally crack the code by traversing all values by force. But if there are a large number of possible key values, it may take him days, years, or even infinitely long time to traverse all the keys to find the one that can crack the password.

The number of available key values depends on the number of bits in the key and how many of the possible keys are valid.

An 8-bit key has only 256 possible key values, a 40-bit key can have 240 possible key values (about one trillion keys), and a 128-bit key can produce about 340 000 000 000 possible key values.

However, there are exceptions. Not all key values in all encryption techniques are effective. For example, in the best-known asymmetric encryption algorithm, RSA, valid keys must be related to prime numbers in some way. Only a small number of keys have this feature among the possible key values.

In traditional symmetric key encryption techniques, a 40-bit key is sufficient for small, less important transactions. But it can be cracked by today's high-speed workstations, which can perform billions of calculations per second. In contrast, for symmetric key encryption, a 128-bit key is considered to be very powerful.

In fact, long keys have a very important impact on password security, and the US government has even imposed export controls on encryption software that uses long keys to prevent potential hostile organizations from creating secret codes that the National Security Agency (National Security Agency,NSA) itself cannot crack.

Applied Cryptography has a table that describes the time it takes to crack a DES password by guessing all the keys in 1995.

Maybe this data is not very applicable now, the speed of the computer is increasing in multiples, but in this picture, we can also multiply by the corresponding multiples, which is still of reference value.

One of the disadvantages of symmetric key encryption is that the sender and receiver must have a shared secret key before talking to each other.

For example, if you want to establish a private conversation with Taobao sellers, you need to establish a private secret key with Taobao before placing an order securely. You need a way to generate a secret key and remember it. If the whole network is like this, it is possible to remember too many things, this is a nightmare existence. As a result, the following appears, please see below:

04. Public key encryption

Instead of using a separate encryption / decryption key for each pair of hosts, public key encryption uses two asymmetric keys: one to encode the host message and the other to decode the host message. The encoding key is well known (which is the origin of the name public key encryption), but only the host knows the private decryption key.

Everyone can find the public key of a particular host, and the establishment of the key becomes easier. But the decoding key is confidential, so only the receiver can decode the message sent to it.

Public key encryption is asymmetric and different keys are used for encoding and decoding.

Then we need to make a comparison between symmetric key encryption and public key encryption.

The common challenges faced by all public key asymmetric encryption systems are:

Public key (is public and available to everyone)

A small piece of intercepted ciphertext (which can be obtained by sniffing the network)

A message and the ciphertext associated with it (you can get it by running the cipher on any piece of text).

Even if you know these three conditions, you can't calculate the secret private key, which is the challenge of the public key asymmetric encryption system.

RSA algorithm is a popular public key encryption system that meets all these conditions. This paper will not delve into the RSA algorithm at first, and then I will read it for you after I have finished reading the book on cryptography.

05. Digital signature

We have already talked about symmetric and asymmetric key encryption / decryption, so let's talk about what digital signatures mean.

Baidu encyclopedia: digital signature (also known as public key digital signature) is a digital string that can only be generated by the sender of the message, which can not be forged by others. This digital string is also an effective proof of the authenticity of the information sent by the sender of the message. It is a method similar to the ordinary physical signature written on paper, but implemented using the technology in the field of public key encryption, which is used to authenticate digital information. A set of digital signatures usually defines two complementary operations, one for signature and the other for verification. Digital signature is the application of asymmetric key encryption and digital digest technology.

In fact, to put it bluntly, a digital signature is a special encrypted check code attached to a message.

Let's use an example to explain. Let's first look at a picture of how node A sends a message to node B and signs it.

Hongmeng official Strategic Cooperation to build HarmonyOS Technology Community

Node An extracts the variable-length message into a fixed-length summary.

Node An applies a "signature" function to the digest, which takes the user's private key as an argument. Because only the user knows the private key, the correct signature function indicates that the signer is its owner. In the figure, because the decoding function D contains the user's private key, we use it as a signature function.

Once the signature is calculated, node An appends it to the end of the message and sends both the message and the signature to B.

At the receiving end, if node B needs to make sure that the message is indeed written by node An and has not been tampered with, node B can check the signature. Node B receives the signature encoded by the private key and applies the inverse function using the public key. If the unpacked digest does not match node B's own digest version, either the message has been tampered with during transmission, or the sender does not have the private key of node A (that is, it is not node A).

If you understand the picture, is it easy to understand about digital signatures?

06. Digital certificate

Let's take a look at Baidu Encyclopedia's explanation to him: digital certificate refers to a kind of electronic document issued by CA (Electronic Authentication Service). It is a string of numbers that can show the identity information of network users, and provides a way to verify the identity of network users on the computer network, so the digital certificate is also called digital identification. Digital certificate ensures the integrity and security of information and data of network users in the form of encryption or decryption.

In fact, digital certificates are not as difficult as we think. The basic architecture of digital certificates is public key PKI, which uses a pair of keys to encrypt and decrypt. The key includes private key and public key, the private key is mainly used for signature and decryption, is defined by the user, and only the user knows it; the public key is used for signature verification and encryption, and can be shared by multiple users.

After HTTPS establishes a secure Web transaction, modern browsers automatically obtain the digital certificate of the server to which they are connected. If the server does not have a certificate, the secure connection fails. The server certificate contains a number of fields, including:

Name and hostname of the Web site

Public key of the Web site

Name of the signature authority

Signature from signature authority

The browser checks the signing authority when it receives the certificate. 1 if this organization is a very authoritative public signature authority, the browser may already know its public key (the browser will pre-install a lot of signing authority certificates).

If you know nothing about the signature authority, the browser cannot determine whether the signature authority should be trusted, and it usually displays a dialog box to the user to see if he trusts the signature issuer. The signature publisher may be a local IT department or software vendor.

At this point, the study on "how to understand the security of HTTP" is over. I hope to be able to solve your doubts. The collocation of theory and practice can better help you learn, go and try it! If you want to continue to learn more related knowledge, please continue to follow the website, the editor will continue to work hard to bring you more practical articles!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.