Research on SECURITY Mechanism based on HTTPS (I).

2.3 Mixed encryption

Next we explore the use of symmetric encryption + asymmetric encryption mixed encryption.

According to the analysis in 2.1 Symmetric encryption mode, we know that the biggest problem in this mode lies in the security of the key. Once the key is obtained by an attacker, the transmission will be plaintext transmission. 2.2 Asymmetric Encryption We know that asymmetric encryption is only one-way secure data transmission, that is, only client-server transmission is secure.

Combining the characteristics of the two, we propose that all the data transmission of communication parties adopts symmetric encryption mode, and the key transmission adopts asymmetric encryption mode.

A typical scenario is:

  • The server generates public and private keys and sends the public key to the client.
  • The client generates a symmetric encryption key, encrypts the key with the public key, and sends the key to the server. All subsequent data transmission is encrypted with the key.
  • After receiving the data encrypted with the public key from the client, the server decrypts it using the private key to obtain the key of the client. Then, all the data from the client is decrypted using the key.

This hybrid method of encryption can improve the security of data transmission to some extent, but is it necessarily secure? If the proxy server forges the public key from the real server and sends it to the client, then all subsequent transmission will also be plaintext transmission.

Therefore, the core problem with hybrid encryption is that there is no way to confirm that the public key is from a real server, rather than a proxy server.

2.4 the certificate

In hybrid encryption, the client requests the public key directly from the server, and the public key may be forged. Let’s improve this by introducing the concept of certificates.

A certificate contains three parts of information:

  • Plaintext information such as the public key of the server;
  • In this paper.
  • Digital signature;

Digest = hash(plaintext information);

Digital signature = Encryption (digest) of the certificate’s issuing authority private key;

A typical scenario is:

  • The client requests a certificate from the server.
  • Find the certificate authority’s certificate, get the public key, and decrypt the digital signature to get digest A;
  • Hash (plaintext) = digest B;
  • Compare A and B to verify the validity of the certificate.

Does this verify that the certificate was indeed issued by a certificate authority, but that authority is necessarily legitimate? So it needs to be validated again.

The same method is used to verify the validity of the authority, one layer at a time, until the client browser is pre-installed with the certificate of a globally trusted CA, which we call the root certificate.

Therefore, each server certificate is authenticated by the certificate authority at the highest level. If the certificate is authenticated by the root certificate, the certificate is valid.

Future blogs will explore the details of HTTPS implementation, but stay tuned if you’re interested.

reference

[1]. Tencent Bugly all came HTTPS. [EB/OL]. [2016-12-09]. Segmentfault.com/a/119000000…

The appendix

Common hash algorithms are MD5 SHA1 SHA256

Common symmetric encryption algorithm: DES 3DES TDEA Blowfish RC5 IDEA

Common asymmetric encryption algorithm: RSA ECC Elgamal

If you are interested in algorithms or programming, please scan the qr code below and follow the public account “Beauty of Algorithms and programming” to explore the mystery of algorithms and programming with you, and give you different solutions and analysis ideas.