preface

In order to deepen and consolidate, I have summed up some questions specially to verify whether I really understand. If there are any mistakes in the article, please correct them

The problem

1. What are the disadvantages of Http?

  1. Communications are transmitted in plaintext, not encrypted, and may be monitored
  2. The identity of the communication party cannot be verified (Http has no authentication mechanism) and may be forged
  3. Content integrity cannot be guaranteed and may be tampered with

2. How do I solve the plaintext transmission problem?

Encryption, for communication encryption (TLS), for content encryption (SSL)

3. How do I verify the identity of the communication party?

An authentication mechanism is adopted to verify the identity of the communication party by verifying its certificate, which is issued by a trusted third-party digital certificate authority

4. How to ensure the integrity of the content?

When communication and content are encrypted, and the encryption keys used are secure, the integrity of the content is guaranteed because no one else can decrypt it

5. What are the encryption methods for content encryption?

  1. Shared key encryption, also called shared key encryptionSymmetric key encryption, encryption and decryption use the same key, and the key follows the content transmission in plaintext, so it is easy to be obtained by the middleman, so as to crack the content. The security is low, but the processing speed is fast and the efficiency is high
  2. Public key encryption, also known asAsymmetric key encryption, a pair of keys (public key & private key), using the private key to encrypt the content, only the public key can decrypt, and vice versa; The public key can be given to anyone, and the private key is kept by the server. Although high security, but the processing speed is slow, low efficiency, and the public key uses plaintext transmission, easy to be obtained by the middleman and tampered with, which is the so-called “man-in-the-middle attack” *.

6. Which encryption mode is used for Https?

Mixed encryption: The public key encryption mode is used to transmit the public key, and the public key encryption generates the key, and then the shared key encryption is used to transmit the subsequent content. So is this so-called hybrid encryption secure? The answer: insecure and vulnerable to man-in-the-middle attacks.

7. What is a man-in-the-middle attack?

In man-in-the-middle attack, when the client communicates with the server, the intermediate proxy server, carrier, and gateway may monitor, intercept, or tamper with the communication. The specific process is as follows:

  1. The client sends a request to the server to establish secure communication
  2. The server sends the public key toThe clearSend to the client
  3. The middleman saves the public key and generates a fake public key for the client
  4. The client uses a fake public key to generate random numbers and send them to the server
  5. The middleman decrypts the fake public key to obtain a random number, and then generates a fake random number, encrypts the fake random number with the real public key, and sends it to the server. The purpose of encrypting the fake random number with the real public key is to ensure that the server can decrypt the number with the private key, otherwise the server will fail to decrypt the number
  6. Server using a private key to decrypt the random Numbers, is derived using the random number keys, pushing the way is open, that is to say as long as there is a random number also have the key, so at this time in addition to the client and the server with the random number, also have a middleman, so in a subsequent communication, middlemen can take the decrypted data packets, to tamper with the content

Middlemen in summary: on a false public key replaced the server to send to the client’s public key, cause the client to use fake public-key encryption random number and sent to the server, the middleman decryption get a random number, to deduce the subsequent packets used secret key, after the client and server communication is no secret

8. How do I prevent man-in-the-middle attacks?

In fact, as long as the server sends the public key, the public key will not be obtained by the middleman tampering, then the problem is solved, so how to ensure that the public key will not be obtained by the middleman, the method is to encrypt the public key with a digital certificate

9. How does a certificate encrypt a public key? And how to prove that the certificate is not forged?

First, the digital certificate is issued by a trusted third party organization (CA), which is the premise; The certificate obtained by the server contains the server’s own public key and is encrypted with the CA’s private key. The certificate can only be decrypted and verified by the CA’s public key.

At present, browsers on the market will have some CA public keys built in advance to avoid public keys being leaked during transmission. Therefore, they are built directly instead of being transmitted

When the browser receives the certificate from the server, it authenticates the certificate before using it directly. The browser uses the CA’s public key to verify whether the certificate is valid. If the verification succeeds, the public key in the certificate is also true and valid. Then the browser can use the public key. In this process, the middleman cannot decrypt (because the CA’s public key is built into the browser and not carried in the communication), so the public key cannot be obtained, and it is unnecessary to generate a false public key, because even if it is generated, it will not be verified to the client

10. Is there anything else you’d like to add?

  1. The server can also require a certificate to validate the client, but the client needs to pay for the certificate and require every user to install it, which is unrealistic and has learning costs
  2. generateShared key encryption modeThe use ofThe keyWhen both are adoptedDHAlgorithms, orRSAAlgorithms, they all have one purpose, and that isGenerate complex, high-security keys

reference

  1. Chapter 7 of Illustrated Http: Https for Securing the Web
  2. Does HTTPS prevent middlemen from tampering with content? – zhihu

The original address: guoyunfeng.com/2019/08/22/…