2025-02-24 Update From: SLTechnology News&Howtos
Shulou (Shulou.com) 06/02 Report
This article gives an example analysis of the encryption, decryption and authentication principles of the development platform. It is concise and easy to follow, and I hope the detailed walkthrough is useful to you.
For a website to be secure, encryption, tamper resistance and identification are the minimum requirements.
This raises a few questions:
Why does the public network have to use https?
What is the principle of https?
Why does https use symmetric encryption + asymmetric encryption?
Will https slow down requests?
Why can't we just use asymmetric encryption?
Why do we need digital certificates?
With https, are encryption, tamper resistance and identification all achieved?
How is authentication done? ...
First of all, why use https? With pure http, anyone using tcpdump, Wireshark or similar software to capture packets can, by following the http protocol specification, easily read every data packet and easily tamper with the data, which is very dangerous for dynamic websites. It is therefore necessary to encrypt the transmitted data, and that is why https exists.
What is the principle of https?
The short answer is that symmetric encryption is much faster than asymmetric encryption, which is very slow. If https used pure asymmetric encryption, large packets would take unacceptably long. Can https combine the security of asymmetric encryption with the speed of symmetric encryption? It can. So what exactly is the principle of https? Refer to the figure:
The server holds an asymmetric key pair: public key A and private key A'.
The client initiates the request, and the server returns public key A to the client in plaintext.
The client randomly generates a key X for symmetric encryption, encrypts it with public key A and transmits it to the server.
The server decrypts key X with private key A', saves it, and returns the sessionId to the client.
In this way, both parties have key X, and no one else can know it. After that, all data exchanged by the two parties is encrypted and decrypted with key X.
Once the principle of https is understood, it is clear that not every body is encrypted and decrypted with an asymmetric algorithm. A symmetric algorithm is used for the data itself (some browsers will have a file that can be used to grab packets), and symmetric encryption and decryption is very fast, so https is a little slower than pure http, but not much slower.
Why should there be a digital certificate?
The server does not hand the client a bare public key; it hands over a certificate. Why? Because the public key may be tampered with by a man in the middle. To make the public key credible, the certificate contains the public key together with a digital signature, which is the hash of the public key encrypted with a private key. The server holds the public key to decrypt the digital signature. If the result matches the public key hash, the public key is reliable.
How to authenticate?
Can https handle identification? In practice it only achieves one-way identification. That is not enough for authentication, so other methods are also needed. What are the common authentication methods?
Md5-like authentication
The client and the server use the same signature method, and the server authenticates a request by comparing the signature it computes from the request with the value passed by the client. Here the access key identifies the user, and the secret key is the salt, which can also be understood as a password. Many open cloud platforms use similar algorithms, such as the TC3-HMAC-SHA256 signature method adopted by Tencent Cloud.
The simplest way to produce a signature is to apply md5 as a one-way hash: md5(msg). The disadvantage of this crude approach is that it can be brute-forced. The upgrade is to add a salt; the principle is as follows:

    import hmac

    message = b'messege'  # built from the url, timestamp and other fixed parameters
    key = b'sdfsdfwfahesdfsdfsdfgwgdfgd'  # random string (hmac needs bytes for key and message)
    h = hmac.new(key, message, digestmod='MD5')
    sign = h.hexdigest()

The client and the server agree to use the same random string as the salt. After sign is passed to the server, the server applies the same algorithm to the parameters it extracts from the request and obtains its own sign. Comparing the two shows whether authentication passes. The secret key we commonly use is usually this salt. Once the interface can be authenticated, there is another question: when different customers have different permissions, how does the server tell customers apart? This is where the access key comes in. The server maintains a dictionary in which each access key corresponds to a secret key, which distinguishes customers.
The principle on the server is similar:

    import hmac

    # A dictionary maintained per customer, similar in nature to a session
    secret_keys = {'access_key1': b'secret_key1', 'access_key2': b'secret_key2'}

    def verify(req):
        access_key = req.header.get('access_key')
        key = secret_keys[access_key]
        message = req.body.get('msg').encode()
        # to add complexity, message is also mixed with fixed parameters such as the timestamp and uri
        h = hmac.new(key, message, digestmod='MD5')
        sign = h.hexdigest()
        # compare in constant time rather than with ==
        return hmac.compare_digest(sign, req.header.get('sign'))

RSA authentication
You can also use RSA to sign: encrypt with the other party's public key and send the result to them; the other party encrypts with your public key, and you decrypt the data they send with your own private key. The disadvantage of this method shows when the body is very large, because asymmetric encryption and decryption are very slow; the advantage is that it is relatively safe. It is understood that some large vendors use this method.
In fact, is it possible to learn from https and authenticate with a combination of asymmetric and symmetric encryption? At present, the first, md5-style method is the more widely used.
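The access key / secret key signing flow described under "Md5-like authentication", with both the client and the server side, as an added example that is not code from the original article. It assumes HMAC-SHA256 in place of MD5, a 300-second timestamp window, and constructed key names, header names and URIs.

```python
import hashlib
import hmac
import time

# Constructed sample credentials: access key -> secret key (hypothetical values).
SECRET_KEYS = {"AK_demo_1": b"sk-demo-1-constructed",
               "AK_demo_2": b"sk-demo-2-constructed"}
MAX_SKEW = 300  # assumed replay window in seconds


def canonical_message(method, uri, timestamp, body):
    """Bind method, uri, timestamp and a body hash into one unambiguous byte string."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), uri, str(timestamp), body_hash]).encode()


def sign_request(access_key, secret_key, method, uri, body, timestamp=None):
    """Client side: return the headers to send with the request."""
    ts = int(time.time()) if timestamp is None else int(timestamp)
    sig = hmac.new(secret_key, canonical_message(method, uri, ts, body),
                   hashlib.sha256).hexdigest()
    return {"access_key": access_key, "timestamp": str(ts), "sign": sig}


def verify_request(headers, method, uri, body, now=None):
    """Server side: recompute the signature from what was actually received."""
    secret_key = SECRET_KEYS.get(headers.get("access_key", ""))
    if secret_key is None:
        return False  # unknown customer
    try:
        ts = int(headers.get("timestamp", ""))
    except ValueError:
        return False  # missing or malformed timestamp
    now = int(time.time()) if now is None else now
    if abs(now - ts) > MAX_SKEW:
        return False  # stale or future-dated request: limits replay
    expected = hmac.new(secret_key, canonical_message(method, uri, ts, body),
                        hashlib.sha256).hexdigest()
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(expected.encode(), headers.get("sign", "").encode())


if __name__ == "__main__":
    body = b'{"msg": "hello"}'  # constructed sample body
    hdrs = sign_request("AK_demo_1", SECRET_KEYS["AK_demo_1"], "POST", "/v1/orders", body)
    print("valid:", verify_request(hdrs, "POST", "/v1/orders", body))
    print("tampered body:", verify_request(hdrs, "POST", "/v1/orders", b'{"msg": "bye"}'))
```

Because the uri, timestamp and body hash are all inside the signed message, changing any of them, or presenting the signature under another customer's access key, makes verification fail.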