This is the fourth day of my participation in the August Challenge. For details, see:August is more challenging

The HTTP protocol

HTTP is a stateless hypertext transfer protocol.

Host name: localhost.com Port: 8080 Object path: /index.htmCopy the code

Set-cookie field properties:

NAME=VALUE: Specifies the NAME and VALUE of the Cookie. Expires =DATE: Expires of a Cookie; Path =PATH: The directory on the server is used as the applicable object of cookies. If the path is not specified, the default path is the file directory where the document resides. Domin = Domain name: specifies the domain name that Cookies are applicable to. If this parameter is not specified, the default domain name of the server that creates Cookies is used. Secure: Cookies are sent only in HTTPS Secure communications. HttpOnly: makes cookies not accessible by JS scripts;Copy the code
Some features of GET requests:
  • GET requests can be cached
  • GET requests are kept in the browser history
  • GET requests can be bookmarked
  • GET requests should not be used when working with sensitive data
  • The length of the GET request is limited
  • GET requests should only be used to fetch data (not modify)
POST request features:
  • POST requests are not cached
  • POST requests are not retained in the browser history
  • POST cannot be bookmarked
  • POST requests have no requirement on data length
The main format for the body of a POST request made by the browser
  • Application/X-www-form-urlencoded is used to transmit simple data in formats such as “key1=value1&key2=value2”.
  • Multipart /form-data is used to transfer file contents.
  • Application/JSON tells the server that the message body is a serialized JSON string.
  • Text /plain Specifies the plain text format
HTTP reply status code
Status code category describe
1xx Informational status code The request is being processed
2xx Success status code Request processed successfully
3xx Redirection(Redirection status code) Redirection is required
4xx Client Error(Client status) The server could not process the request
5xx Error(Server status code) The server failed to process the request
HTTP shortcomings
  • Communication is in plain text and may be eavesdropped
  • If the identity of the communicating party is not verified, it may be disguised
  • The integrity of the packet cannot be proved and may be tampered with

I believe you are already familiar with HTTP, no longer too much details!

The HTTPS protocol

HTTP transmits information in plaintext, which may cause information eavesdropping, information tampering, and information hijacking. However, TLS/SSL provides the functions of identity authentication, information encryption, and integrity check to avoid such problems.

HTTPS Encryption Principle

Encryption type

Encryption algorithms can be divided into symmetric encryption and asymmetric encryption:

  • Symmetric encryption: Two parties use the same key, both can encrypt and decrypt, this encryption method is called symmetric encryption, also known as single-key encryption.

    • AES encryption algorithm: The length of the secret key can be 128, 192, or 256 bits.
    • DES algorithm: the length of the secret key is 64 bits, 8 bytes; Block encryption (data is divided into fixed length blocks, fast, suitable for large amounts of data encryption)
    • 3DES algorithm: On the basis of DES, three different secret keys are used to encrypt three times to improve the ciphertext strength.
    • RC2 and RC4: Use variable-length keys to encrypt large amounts of data, which is faster than DES.

Advantages: High speed. Symmetric encryption is usually used when the message sender needs to encrypt a large amount of data. The algorithm is open, the computational amount is small, the encryption speed is fast, and the encryption efficiency is high.

Disadvantages: Before data is transmitted, the sender and receiver must agree on the secret key, and then both parties can keep the secret key. Secondly, if one party’s secret key is exposed, then the encrypted information is not safe.

  • Asymmetric encryption: A pair of keys consists of a public key and a private key (many pairs can be used). The private key decrypts the public key to encrypt the data, and the public key decrypts the private key to encrypt the data (private keys and public keys can encrypt and decrypt each other). Examples include RSA, Elgamal, knapsack algorithm, DSA, ECC (Elliptic Curve Encryption Algorithm).

    • RSA algorithm: Generate a pair of public and private keys to encrypt and decrypt each other. Its security depends on the length of the secret key. At present, the main optional secret key length is 1024 bits, 2048 bits, 4096 bits, etc.
    • DSA algorithm: Different from RSA, DSA can only be used for digital signature and cannot encrypt and decrypt data. Its security is similar to RSA, but its performance is faster than RSA.

The most widely used is the RSA algorithm, and Elgamal is another commonly used asymmetric encryption algorithm.

Disadvantages: Slow speed

Advantages: Safety

Can also be divided into unidirectional encryption and bidirectional encryption:

Monomic encryption is unsolvable after encryption, while bidirectional encryption is solvable after encryption; For example, some signature algorithms are monomial encryption algorithms:

MD5: Used to verify data integrity, data (message) digest, and data encryption.

SHA1: THE SHA algorithm series is a data digest algorithm. Because the data digest is longer, it is slower than MD5. SHA1 is mainly used in CA and digital certificates. In addition, it is also used to verify files in BT software popular on the Internet.

The digital certificate

Before establishing an HTTPS connection, the client needs to authenticate the server to ensure that the public key is obtained legally. A third-party CA is required to verify the identity information of the owner and issue a certificate. The basic idea is to encrypt key information with a private key and publish the public key publicly. The client can then verify the signature with the public key.

A CA certificate includes the authority, version, user, public key, validity period, hash value of digital signature, and hash algorithm of signature.

How do I verify a CA certificate on a client?

The client uses the public key to decrypt the hash value encrypted by the private key of the certificate, and obtains a hash -A. Then reuse h6666666666666666666666666ash certificate within the signature algorithm to generate a hash – b, if the two values are equal, then the certificate is correct. The server can be trusted; otherwise, the browser will prompt you accordingly. Of course, the verification process not only verifies the hash value (digital signature), but also verifies the validity time, domain name match, and so on.

The SSL handshake process is explained in detail:
  1. First, when the client accesses the server, it generates a random number of 1, and then sends the random number to the server along with the supported SSL version number and encryption algorithm.
  1. After receiving the information, the server B first checks the encryption algorithms of the two parties. Then the server generates a random number 2 and returns it to the client together with the certificate issued by the CA.
  1. After obtaining the CA certificate, the client checks the validity of the CA certificate. After the verification, the client generates a random number 3 and encrypts it with the public key and transmits it to the server.
  2. The server obtains the encrypted ciphertext of the random number 3, and then decrypts it with the private key to obtain the plaintext random number 3.
  3. Finally, both the client and the server have random numbers 1,2, and 3 at the same time, and both sides use these three random numbers to generate a symmetric dialogue key. Later transmissions are encrypted and decrypted using this secret key, known as symmetric encryption. The general use of the AES algorithm.
  4. The client then notifies the server of the subsequent communication using the symmetric key and tells him that his handshake is over.
  5. The server also notifies the client that this symmetric key will be transferred later and tells him that the handshake is over.
  6. We’re ready to start transferring data.
A digital signature

In the process of data transmission, if the hackers can not get access to the actual data transmitted, they will think of other methods, such as altering the content or forging a copy of the data to send to the recipient, the losses may be incalculable. To prevent this from happening, digital signatures are in place. A digital signature is the sender sends data through the one-way encryption algorithm encryption memory, and then sent to the receiver with data, after obtaining the data receiver, with the corresponding encryption algorithm to encrypt data, judgment, and the value of the digital signature are equal, if not equal to that has been tampered with, and can be found in time, put forward the solution.

Note that a hacker cannot forge a digital signature when he cannot decode the encrypted data, because he does not know the plaintext. How can he forge a digital signature?

What are digital certificates really for?

Some people think that asymmetric encryption, digital certificates can be redundant, with a digital signature can ensure that the data is not tampered with! And with the security of asymmetric encryption, you can rest easy! It’s not!

Assume that no digital certificate is used for verification. When the server transmits the public key to the client again, the hacker hijacks the data and finds that it is the public key transmitted by the server. At this time, he sends the public key generated by himself to the client and keeps his own private key. So, once the server sends the data to come over, will be hijacked, then decrypt the contents, then, he used his private key will generate a and the other content related to but not correct cipher is sent to you, and you have the hacker’s public key, is a natural solved he sends ciphertext, also the success of the rose to the bait!

From the above analysis, the existence of digital certificate is to verify whether the public key is reliable, whether the server is trustworthy.

So is it possible that digital certificates can be forged or tampered with?

The CA certificate contains the CA’s digital signature and encrypts the digest of the certificate with the private key. The certificate is public. Even if the contents of the certificate are tampered with, the signature cannot be forged and the client can detect the tampering in time.