Background

Most websites use HTTPS to transmit data. The client and server automatically negotiate keys and encrypt data through certificates.

However, HTTPS certificates usually cost money, so some websites use plain HTTP during development. In that case, sensitive data such as account names and passwords still needs to be encrypted in transit. What the site ends up doing is essentially the same as the HTTPS transmission process, except that the site implements the encrypted-transmission logic itself.

To keep encryption and decryption overhead low, only the website's sensitive data needs to be encrypted in transit. This article discusses the process and the important logic for implementing encrypted transmission of sensitive data with Vue.js + Java Web.

HTTPS Communication Process

To implement encrypted transmission you need to understand the HTTPS communication process, which is essentially the front end and back end negotiating an asymmetric public/private key pair and a symmetric session key. For details, please refer to this article:

At present there are two kinds of asymmetric algorithms used for key negotiation, RSA and DH. The familiar RSA algorithm is used here as the example to introduce the negotiation process:

Process description:

  1. The client initiates an HTTPS request.
  2. After receiving the request, the server generates an RSA key pair. The private key is kept and the public key is sent to the client.
  3. The client randomly selects a character string as the data encryption key, encrypts the key with the public key, and sends the key to the server.
  4. After receiving the encrypted key, the server decrypts it using the private key to obtain the key information.

The two then communicate: the client uses the key to encrypt the data, and the server uses the same key to decrypt it. Steps 3 and 4 are the process of exchanging the key between the two parties. It can be seen from this process that once the server's private key is leaked, the session key is leaked as well. Why is the server-side private key at risk? The private key is usually stored as a file, and if the file system is breached and the private key is compromised, then of course the data is no longer secure.

HTTP encrypted transmission flow

If the site is built directly using HTTPS certificates, the encryption process is automatically completed and all data transfers between the client and the site are automatically encrypted. If you cannot use HTTPS, you can directly follow the HTTPS handshake process to implement key negotiation.

Asymmetric encryption algorithm RSA and symmetric encryption algorithm AES are used in the negotiation. Their functions are as follows:

  • RSA asymmetric encryption: the public key encrypts and the private key decrypts. It has low encryption efficiency and is used only to transmit the key of the AES algorithm
  • AES symmetric encryption: encrypts and decrypts with the same key. It is efficient and is used to transmit the sensitive data

Java itself provides RSA and AES algorithm support, and the front-end can add the following dependencies to package.json:

  "crypto-js": "^3.1.9-1",    // implementation of the AES symmetric encryption algorithm
  "jsencrypt": "3.0.0-rc.1",  // implementation of the RSA asymmetric encryption algorithm

The backend needs to provide three pieces of logic:

  1. getPublicKeys: the request that returns the RSA public key
  2. handshake: decrypts the AES key sent by the front end and stores it in the global session
  3. decrypt: decrypts encrypted request parameters using the key received in the handshake phase

The entire process matches the HTTPS process described in the previous section:

  1. The browser sends a getPublicKeys request to the backend.
  2. The backend generates an RSA key pair and returns the public key to the browser.
  3. The browser randomly generates an AES key string, encrypts it with the public key received in step 2, and sends it in a handshake request to the backend.
  4. The backend decrypts it with the private key kept in step 2 to obtain the AES key, then uses that AES key to encrypt the key itself as a fingerprint and returns the encryption result to the front end.
  5. The front end decrypts the received fingerprint with its AES key and compares the obtained AES key with the key from step 3. If they are the same, communication can proceed with no tampering; otherwise the key fingerprint is abnormal.

Conclusion

When costs have to be kept down, implementing the HTTPS-style process yourself is not complicated. Once you understand the HTTPS process, you can implement encrypted transmission for a Vue.js + Java Web backend.