preface
Recently in view of the Internet company interview asked knowledge points, summed up the Java programmer interview involves most of the interview questions and answers to share with you, I hope to help you review before the interview and find a good job, but also save you on the Internet to search for information time to learn.
Content covers: Java, MyBatis, ZooKeeper, Dubbo, Elasticsearch, Memcached, Redis, MySQL, Spring, SpringBoot, SpringCloud, RabbitMQ, Kafka, Linux and other technology stacks.
Full version Java interview questions address: Java backend questions integration
1. The HTTP protocol
Before we talk about HTTPS, let’s review the concept of HTTP.
1.1 Introduction to HTTP
HTTP protocol is a text-based transport protocol, which is located in the application layer of OSI network model.
HTTP protocol is used to communicate through the request response of the client and the server. The current protocol is split from the previous RFC 2616 into six separate protocols (RFC 7230, RFC 7231, RFC 7232, RFC 7233, RFC 7234, RFC 7235). The communication packets are as follows:
request
POST http://www.baidu.com HTTP/1.1 Host: www.baidu.com Connection: keep-alive Content-Length: 7 user-agent: Mozilla / 5.0 (Windows NT 10.0; Win64; X64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36 wd=HTTP copy codeCopy the codeThe response
HTTP/1.1 200 OK Connection: keep-alive content-encoding: gzip content-type: text/ HTML; charset=utf-8 Date: Thu, 14 Feb 2019 07:23:49 GMT Transfer-Encoding: chunked <html>... </ HTML > Copy the codeCopy the code1.2 HTTP man-in-the-middle Attack
The HTTP protocol is indeed very convenient to use, but it has a fatal disadvantage: it is not secure.
We know that HTTP packets are transmitted in plaintext mode without any encryption. What problems can be caused by this? Here’s an example:
Xiao Ming posted on JAVA Post bar, the content is “I love JAVA” :
Attacked by a middleman and modified to say I love PHP
It can be seen that during HTTP transmission, middlemen can see and modify all requests and responses in HTTP communication, so using HTTP is very insecure.
Full version Java interview questions address: Java backend questions integration
1.3 Preventing man-in-the-middle Attacks
At this point, some people may think, since the content is in clear text, I use symmetric encryption to encrypt the packet so that the middleman can not see the clear text, so the modification is as follows:
Both parties agree on the encryption mode
Use AES to encrypt packets
If the first communication is intercepted, the secret key will be leaked to the middleman, who can still decrypt the subsequent communication:
So, in that case, we certainly want to think can we encrypt the key so that the middleman can’t see it? The answer is yes, with asymmetric encryption, which we can do with RSA.
The server generates a pair of public and private keys when the encryption mode is specified. The server returns the public key to the client. The client locally generates a string of private keys (AES_KEY) for symmetric encryption and encrypts them (AES_KEY_SECRET) with the public key sent from the server. The server decrypts the AES_KEY_SECRET message sent by the client using the private key to obtain the AEK_KEY. Finally, the client and server use the AEK_KEY to encrypt packets. The modification is as follows:
It can be seen that in this case the middleman can not steal the secret key used for AES encryption, so for the subsequent communication is certainly unable to decrypt, so it is absolutely safe to do so?
So-called while the priest climbs a post, the devil climbs, while the priest climbs a post, the broker in order to correspond the encryption method and came up with a new decoding scheme, since can’t get AES_KEY, then I can simulate them as a client and the server, in the process of user – > middleman intermediary and simulate the behavior of the server, so that we can get the user requests cleartext, In the man-in-the-middle -> server process, the man-in-the-middle emulates the client behavior so that it can get the clear text of the server response for a man-in-the-middle attack:
This time, the communication is intercepted by a middleman, who himself creates a forged pair of public and private keys and sends the public key to the user to steal the AES_KEY generated by the client. After obtaining the AES_KEY, it can be easily decrypted.
Is there no way to punish the middleman for doing what he wants? Of course there is. Let’s see how HTTPS solves the problem of communication security.
2. The HTTPS protocol
2.1 introduction of HTTPS
HTTPS is actually short for SSL+HTTP. Of course, SSL has been replaced by TLS, but SSL is still used for short. SSL is not only applied to HTTP, but also applies to various application layer protocols, such as FTP and WebSocket.
In fact, THE SSL protocol is basically the same as asymmetric encryption in the previous section. The handshake is mainly used to exchange secret keys, and symmetric encryption is used to communicate with each other. The process is as follows:
I’m just sketching here, but a real SSL handshake is much more complex than this, but it’s still pretty much the same, and we need to focus on how HTTPS protects against man-in-the-middle attacks.
As can be seen from the figure above, the server passes the public key through an SSL certificate, which is verified by the client. The certificate authentication system is the key to ensuring SSL security. Next, we will discuss the CA authentication system and see how it prevents man-in-the-middle attacks.
2.2 CA certification System
In the previous section, we saw that the client needs to verify the security of the SSL certificate returned by the server.
Certification authority
In the CA authentication system, all certificates are issued by the authority, and the CA certificates of the authority are built-in in the operating system. We call these certificates CA root certificates:
Certificate issued by
Our application server if you want to use SSL, need the CA certificate issued by authoritative certification body, we will server to generate a public key and site information sent to the CA issued by institutions, issued by the CA again institutions through the relevant information with the CA server sends the signature of the issuing authority, thus we get the application server’s certificate, The certificate generates the signature of the corresponding certificate content, encrypts the signature with the private key of the CA authority to obtain the certificate fingerprint, and generates a relationship chain with the upper-layer certificate.
Here we download baidu’s certificate to have a look:
It can be seen that Baidu is trusted by GlobalSign G2, and GlobalSign G2 is trusted by GlobalSign R1. When the client (browser) does certificate verification, it will check the certificate level by level up until the root certificate. If there is no problem, the server certificate can be trusted.
How do I verify the server certificate
So the client (browser) is how to verify the server certificate, first through the hierarchy to find the superior certificate, through the superior certificate public key to decrypt the server certificate fingerprint signature (SIGN1), and then through the signature algorithm to calculate the server certificate signature (SIGN2), by comparing sign1 and SIGN2, If it is equal, the certificate has not been tampered with or forged.
The interesting thing here is that RSA uses the private key to encrypt the certificate signature and the public key to decrypt to subtly verify the validity of the certificate.
In this way, through the certificate authentication system, we can avoid middlemen stealing AES_KEY to initiate interception and modification of HTTP communication packets.
conclusion
First of all, through the HTTP man-in-the-middle attack to understand why HTTP is not secure, and then from the security attack and defense technology evolution has been to the PRINCIPLE of HTTPS summary, hoping to let everyone have a deeper understanding of HTTPS.
Full version Java interview questions address: Java backend questions integration