Network: TCP/IP protocol family (3): digital signatures and HTTPS

Fang Zhipeng 2020-11-13 06:44:29

The previous few posts covered HTTP; today let's talk about HTTPS. HTTP itself transmits in plaintext and cannot verify the identity of the communicating party or the integrity of the message, among other security shortcomings, and HTTPS exists to address these defects. HTTPS is not really a protocol of its own; it is the combination of HTTP + SSL (TLS). An HTTP message is encrypted by the SSL layer and then handed to the TCP layer for transmission. SSL (Secure Sockets Layer) mainly combines RSA (asymmetric encryption) with AES (symmetric encryption): RSA is used first to exchange the AES key, and AES is then used to encrypt and decrypt the messages. This post mainly covers how HTTPS actually works.

RSA and AES overview

In the first part of this post, let's first talk about the two encryption schemes RSA and AES. If you have worked on payment-related features at a company, the security requirements for data transmission are relatively high; you then need to encrypt the transmitted messages and, when necessary, do MD5 verification. This part covers RSA and AES only briefly; for the details of either, please look them up on Google. Because HTTPS uses the RSA and AES encryption algorithms during transmission, let's briefly go over AES and RSA before discussing HTTP + SSL.

Advanced Encryption Standard (AES)

AES stands for Advanced Encryption Standard. The algorithm has a single key, which is used both to encrypt and to decrypt, so AES is symmetric encryption. The figure below shows the AES encryption and decryption process. The client and the server share a common key, which is used for both encryption and decryption. If a message is stolen in transit, it is very difficult to crack the encrypted content without this key; of course, if the thief has the key, decryption is easy. So in AES the key is what matters. It is like the key to your front door: whoever gets the key can open your door. However strong and secure the lock is, it is no use against the key.

So with AES we need to work hard to keep this key secret. If I have time later I may share some specific AES key strategies. For example, the key used for each encryption can be generated dynamically from a codebook that the server and the client both hold. Each transmission carries some parameters; these parameters are mapped by an algorithm to the corresponding key in the codebook, which is then used to decrypt. This adds an extra security door to AES and makes it harder to crack. The advantage is that the key is different for every encryption, and it requires a codebook and a mapping algorithm to support it.


RSA public-key encryption algorithm

The name RSA combines the initials of the algorithm's three inventors. RSA is asymmetric encryption: encryption and decryption need two keys, a public key and a private key. The public key is responsible for encryption and the private key for decryption. As the names suggest, the public key can be made public and anyone can hold it to encrypt, while the private key must be protected because it is used for decryption.

This way, encryption and decryption are handled with different keys. For the encrypting party, even though you can encrypt a message, without the private key you cannot decrypt the encrypted content. It is like a box with a lock on it: you can put things in and lock the box, but without the key you cannot open the lock.

The figure below shows RSA asymmetric encryption with one-way verification of the server. The client has a built-in public key that is paired with the server's private key, so the client can encrypt with this built-in public key and the server can decrypt with its private key. One-way authentication of the server is currently the most commonly used mechanism.


CA certificates

If you generate a private key and a public key with the RSA algorithm yourself, the public key may be swapped for another public key while it is being sent to the client, and without other measures the client cannot know whether the public key it received is the one that corresponds to the server's private key. Self-made RSA key pairs are exposed to this tampering during public key distribution. In the figure below, the public key that the client obtains from the server is tampered with by a man in the middle, who replaces it with his own fake public key and holds the corresponding fake private key. If the client encrypts its transmission with the fake public key, the man in the middle can decrypt it with his own private key.

Let me give an example of this problem.

Suppose you lived in ancient times. You are away from home, and your wife is at home with your son. Your family has a box with a lock on it, which is the tool you and your wife use to communicate. Your wife is responsible for putting things in the box and locking it; you hold the only key and are responsible for unlocking it and taking the things out. But while the box was being delivered by the escort agency, "Xiaohei" from the agency swapped it: the box looks the same and the lock looks the same, but it is no longer your box. Because the journey is long and there was no iPhone in ancient times, your wife cannot tell whether the box is the original. So she puts some things in the box, locks it, and hands it to Xiaohei from the escort agency.

Because Xiaohei swapped the box, he has the key to it, so he can open the box and take what is inside. He also still has the original box and can put some worthless things into it for you. By the time you find that the contents of the box are not what you wanted, it is too late: Xiaohei has resigned from the escort agency and cannot be found. You go to the escort agency to argue the matter, but they say Xiaohei was only a temporary worker, and the person in charge says they cannot afford to compensate you. Since you are powerless, that is the end of it. (The story is pure fiction; any resemblance is coincidental.)

For more stories about swindlers, see seasons 1, 2 and 3 of the web series 《A hairtrick》.


To stop another "Xiaohei", an impartial agency is brought in to prove that the box your wife receives is the one you sent. RSA encryption likewise has a third-party organization in this role, responsible for proving that the certificate the client receives is the certificate you sent, with no tampering in between. This intermediate certification body is the digital certificate authority, and the certificate it issues is what we usually call a CA certificate (CA, Certificate Authority).

Let's describe in detail the whole process of certificate signing, certificate distribution and certificate verification.

  • 1. Server-side staff use the RSA algorithm to generate two keys, one for encryption and one for decryption. The key responsible for encryption is published, so we call it the public key (Public Key); the key used for decryption cannot be made public and is held only by the server, so we call it the private key (Private Key). Before distributing the public key, the server applies to a CA to have the public key digitally signed. (The server public key is responsible for encryption, the server private key for decryption.)
  • 2. Generating the digitally signed public key certificate: the CA also has two keys, which we call the CA private key and the CA public key. The CA takes the server's Public Key as input and converts it into a unique hash value, encrypts this hash value with the CA private key, and binds the result together with the server's Public Key to produce a digitally signed certificate. In essence, the digitally signed certificate is the server's public key + the hash value encrypted with the CA private key. (The CA private key is responsible for signing, the CA public key for verifying.)
  • 3. The server obtains the certificate, which now contains the digital signature and the public key, and sends it to the client. When the client receives the public key certificate, it verifies its validity. Most clients come with the CA's public key preinstalled. The client uses the CA public key to verify the signature on the certificate: it decrypts the content encrypted by the CA private key with the CA public key and compares the decrypted content with the hash value generated from the server's Public Key. If they match, the certificate was sent by the corresponding server; otherwise it is an illegitimate certificate.
  • 4. After the validity of the server public key has been verified, the public key can be used for encrypted communication.
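
The four steps above as an added example, not code from the original post: it follows the page's model (hash of the server public key "encrypted" with the CA private key) using textbook RSA on small constructed primes, where real certificates use X.509 and padded signatures. The function names and key sizes are assumptions made for illustration.

```python
import hashlib
import secrets

# Toy model: textbook RSA, no padding, small fixed primes. Illustration only.
def make_keypair(p, q, e=65537):
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))          # (public, private)

def key_hash(pub, modulus):
    """Hash a public key (n, e) to an integer below the signer's modulus."""
    raw = hashlib.sha256(f"{pub[0]}:{pub[1]}".encode()).digest()
    return int.from_bytes(raw, "big") % modulus

def ca_sign(server_pub, ca_priv):
    """Step 2: 'encrypt' the hash of the server key with the CA private key."""
    n, d = ca_priv
    return {"public_key": server_pub, "signature": pow(key_hash(server_pub, n), d, n)}

def client_verify(cert, ca_pub):
    """Step 3: recover the hash with the CA public key and compare."""
    n, e = ca_pub
    return pow(cert["signature"], e, n) == key_hash(cert["public_key"], n)

def demo():
    # Constructed keys built from known Mersenne primes (far too small for real use).
    ca_pub, ca_priv = make_keypair(2**127 - 1, 2**107 - 1)
    srv_pub, srv_priv = make_keypair(2**89 - 1, 2**61 - 1)
    fake_pub, _ = make_keypair(2**107 - 1, 2**89 - 1)   # the swapped "box"

    cert = ca_sign(srv_pub, ca_priv)
    genuine_ok = client_verify(cert, ca_pub)
    # Public key replaced in transit; the CA signature no longer matches it.
    swapped_ok = client_verify(dict(cert, public_key=fake_pub), ca_pub)

    # Step 4: the client wraps a random 128-bit AES key under the verified key.
    aes_key = secrets.randbits(128)
    n, e = cert["public_key"]
    wrapped = pow(aes_key, e, n)
    unwrapped = pow(wrapped, srv_priv[1], srv_priv[0])  # server side
    return genuine_ok, swapped_ok, unwrapped == aes_key

if __name__ == "__main__":
    print(demo())
```

The certificate with the substituted key fails verification because the client recomputes the hash over the key it actually received, which is what stops the box swap from the story.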


The screenshot below shows some information from Apple's root certificate. As it shows, a CA certificate contains the encryption algorithm, the public key and the digital signature.


The figure below shows the details of the public key and the digital signature. To verify the public key, the built-in CA public key is used to decrypt the digital signature, and the decrypted content is compared with the hash value generated from the public key. If they match, the certificate is a legitimate certificate issued by the CA.


Establishing HTTPS secure communication

We have covered the AES and RSA encryption schemes and then public keys with digital signatures. Those two parts lay the groundwork for HTTPS; now let's look at how HTTP + SSL transmits data.

HTTPS overview

As mentioned at the beginning, HTTPS is not a new communication protocol; it is the combination of HTTP and SSL (or TLS). SSL is the Secure Socket Layer; TLS (Transport Layer Security) is a protocol developed with SSL as its prototype. Taking SSL 3.0 as the baseline, the IETF went on to define TLS 1.0, TLS 1.1 and TLS 1.2. The current mainstream versions are SSL 3.0 and TLS 1.0.

HTTPS adds an SSL layer between the HTTP and TCP layers. Because HTTPS is HTTP plus this encryption layer, HTTPS is much slower than HTTP.


The HTTPS communication process

SSL encryption mixes RSA and AES. In short, the AES key is exchanged under RSA encryption, and messages are then transmitted under AES encryption. The figure below shows how SSL establishes a connection and transfers data; it can be roughly divided into four steps:

  • Step 1: the client initiates the first handshake, whose main purpose is to obtain the digitally signed certificate from the server. Before sending the certificate, the server first confirms the SSL version, encryption algorithm and other information.
  • Step 2: after the first handshake comes the second, which the client initiates after receiving the certificate. Its main purpose is to send the key used for AES encryption and decryption (the pre-master secret) to the server. This AES_KEY is of course encrypted with the public key obtained in the first handshake. The server receives the public-key-encrypted AES_KEY and decrypts it with the server's private key. After these two handshakes, both the client and the server hold the AES key.
  • Step 3: once both the client and the server hold AES_KEY, the HTTP messages can be encrypted.
  • END: finally, the connection is closed. The details are shown in the following figure:



(When reposting, please credit the author and source: Fang Zhipeng's blog.)
