5G编程聚合网 (5G Programming Aggregation Network)

A programming-learning aggregation site for the 5G era

Network: my friend's interview: the authentication and encryption process of HTTPS


January 6, 2022

Preface

Last time my friend talked about TCP/IP in his interview. This follow-up covers the HTTPS-related interview points; please see below.

Official account: search "Sneak forward" on WeChat to get in touch.

GitHub address; thanks for the star.

Interviewer: What is the authentication and encryption process of HTTPS, and how does it guarantee that the content is not tampered with?

  • friend: 1. HTTPS is based on the TCP protocol, so the client first establishes a connection with the server.
  • friend: 2. The server then returns its certificate to the client. The certificate contains the public key S.pub, information about the issuing authority, and the validity period.
  • friend: 3. The browser verifies the certificate's validity using its built-in root certificate (which contains C.pub).
  • friend: 4. The client generates a random symmetric key Z, encrypts it with the server's public key S.pub, and sends it to the server.
  • friend: 5. The client and server then use the symmetric key Z to encrypt the data of their HTTP communication.

Interviewer: How is it guaranteed that the issued certificate is secure and valid?

  • friend: 1. The server generates an asymmetric key pair in advance: the private key S.pri is kept, and the public key S.pub is sent to the CA for signing.
  • friend: 2. The CA also generates an asymmetric key pair in advance; it uses its private key C.pri to sign the server's public key S.pub, producing the CA certificate.
  • friend: 3. The CA returns the signed CA certificate to the server. That is the certificate the server just sent to the client.
  • friend: 4. Because the CA (certification authority) is authoritative, many browsers have a built-in certificate containing its public key (C.pub), called the root certificate. The root certificate can then be used to verify the validity of the certificates it issued.

Interviewer: If it is nesting dolls all the way down, what if the root certificate itself has been tampered with?

  • friend: Unsolvable. This relies on the CA root certificate being correct. It is fine as long as the local root certificate is not modified manually, because a certificate not authenticated by the original root certificate cannot be added to the root store automatically.
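The CA-signing and client-verification flow from steps 1 to 4 above, together with the tampered-root case in the last answer, as an added example that is not part of the original post. It uses real RSA/SHA-256 signatures from java.security, but the Cert record is a simplified stand-in for X.509, and the subject, expiry date and key size are constructed values; Java 16 or newer is assumed for records.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.Base64;

public class ToyTrustChain {
    /** Simplified certificate: the fields the CA signs plus the CA's signature (not X.509). */
    record Cert(String subject, String notAfter, PublicKey serverPub, byte[] sig) {
        byte[] toBeSigned() {
            String spki = Base64.getEncoder().encodeToString(serverPub.getEncoded());
            return (subject + "|" + notAfter + "|" + spki).getBytes(StandardCharsets.UTF_8);
        }
    }
    static KeyPair newKeyPair() throws GeneralSecurityException {
        KeyPairGenerator g = KeyPairGenerator.getInstance("RSA");
        g.initialize(2048);
        return g.generateKeyPair();
    }

    /** Step 2: the CA signs the server's public key S.pub (and metadata) with C.pri. */
    static Cert issue(PrivateKey caPri, String subject, PublicKey serverPub) throws GeneralSecurityException {
        Cert unsigned = new Cert(subject, "2023-01-06", serverPub, null);  // constructed expiry
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(caPri);
        s.update(unsigned.toBeSigned());
        return new Cert(subject, unsigned.notAfter(), serverPub, s.sign());
    }

    /** Step 4: the client checks the signature with the root it has built in (C.pub). */
    static boolean validate(PublicKey rootPub, Cert cert) throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initVerify(rootPub);
        s.update(cert.toBeSigned());
        return s.verify(cert.sig());
    }

    public static void main(String[] args) throws GeneralSecurityException {
        KeyPair ca = newKeyPair(), server = newKeyPair(), attacker = newKeyPair();
        Cert cert = issue(ca.getPrivate(), "example.test", server.getPublic());
        System.out.println("genuine cert validates: " + validate(ca.getPublic(), cert));

        // A man-in-the-middle swaps S.pub for its own key: the CA signature no longer matches.
        Cert swapped = new Cert(cert.subject(), cert.notAfter(), attacker.getPublic(), cert.sig());
        System.out.println("swapped key validates: " + validate(ca.getPublic(), swapped));

        // If the client's root (C.pub) itself were replaced, a forged chain would pass:
        // the root store is the trust anchor and nothing above it can validate it.
        Cert forged = issue(attacker.getPrivate(), "example.test", attacker.getPublic());
        System.out.println("forged cert vs tampered root: " + validate(attacker.getPublic(), forged));
    }
}
```

The third check is the "unsolvable" case: a client whose root store has been replaced validates the attacker's chain just as happily, which is why the root store's integrity must be protected by the OS or browser rather than by the TLS handshake.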

Interviewer: You are talking a little fast; take a look at the pictures below.

  • friend: Figure: the HTTPS encryption process
  • friend: Figure: the process of the server certificate being signed by the CA

Interviewer: Earlier you said the CA signs the server's public key with its key. Signing versus encryption, how do you understand the two?

  • friend: When using an asymmetric encryption algorithm, "signing" refers to the encryption process that uses the private key.
  • friend: If you encrypt data with the public key, that is encryption.
  • friend: Conversely, encrypting the data with the private key is called signing.

Interviewer: Then what is a CA certificate?

  • friend: A CA certificate ensures that the server's public key is accurate and has not been modified.
  • friend: A certificate usually contains: (1) the server's public key; (2) the digital signature of the certificate issuer (CA); (3) the signature algorithm used for the certificate; (4) the certification authority, validity period, owner information and other details.

Interviewer: You mentioned that HTTPS uses encryption algorithms. What types of encryption algorithms are there? Tell us your view.

  • friend: Encryption algorithms fall into three categories: one-way encryption, symmetric encryption algorithms, and asymmetric encryption algorithms.

Interviewer: What is the difference between symmetric and asymmetric encryption?

  • friend: With symmetric encryption, encryption and decryption use the same key. Asymmetric encryption uses two keys: what the public key encrypts must be decrypted with the private key, and what the private key encrypts must be decrypted with the public key. You cannot encrypt with the private key and also decrypt with the private key.

Interviewer: What kinds of algorithms are MD5, SHA, Base64 and RSA? Symmetric or asymmetric?

  • friend: MD5 and SHA are called digest algorithms and can be classified as one-way encryption algorithms; the computed digest cannot be reversed to recover the original data.
  • friend: RSA belongs to the asymmetric encryption algorithms.
  • friend: Base64 is not an encryption algorithm; it is more accurately described as a data encoding scheme.

Interviewer: Which HTTP client tool classes have you used?

  • friend: Apache's CloseableHttpClient, JDK 9's HttpClient, and Ribbon and Feign from the Spring Cloud ecosystem.

Interviewer: Have you ever run into a problem with HTTPS certificates? If so, what was the problem?

  • friend: Of course. Once, when using apache-httpClient to load a custom certificate (one that had not gone through CA authentication), the test server could not trust the certificate, although it worked fine locally.
  • friend: The reason is that the certificate was generated locally, where it had already been added to the root certificates by default, whereas the root certificate directory of the test server's JRE (/lib/security/cacerts) did not contain it. Putting it in the project's resource directory does not make it a valid certificate.

Interviewer: Oh, so how did you solve it?

  • friend: There are three solutions: 1. override TrustManager to trust certificates unconditionally; 2. add the certificate to the JRE's root certificate directory; 3. go through CA authentication.

Interviewer: Do you know anything about network packet capture?

  • friend: On Linux, you can use the tcpdump command to capture TCP packets and write the captured data to a file; then on Windows you can load the TCP capture file in Wireshark, which provides a graphical interface for analysis.

Interviewer: Well said. Now let's change the subject and talk about MySQL transactions ...

  • friend: Yes, sure. I have also learned a bit about transactions ...

Corrections to mistakes in the text are welcome (the story is pure fiction; any resemblance is a coincidence).

