Are you sure HTTPS is asymmetric encryption for content encryption? See the answers and reasons

Programmer base 2021-10-14 04:37:26

answer

HTTPS The reason why the agreement is secure is HTTPS The protocol encrypts the transmitted data , The encryption process is implemented by asymmetric encryption . But in fact ,HTTPS Symmetric encryption is used for encryption of content transmission , Asymmetric encryption only works in the certificate verification phase .

 

Why is data transmission encrypted symmetrically ?

First , The efficiency of asymmetric encryption is very low , and http There is a lot of interaction between the normal end and the end in the application scenario of , The efficiency of asymmetric encryption is unacceptable ;

in addition , stay HTTPS Only the server saves the private key in the scenario , A pair of public and private keys can only realize one-way encryption and decryption , therefore HTTPS The content transmission encryption in is symmetric encryption , Not asymmetric encryption .

Principle and process

Man in the middle attack principle

Process principle :

  1. Local request hijacked ( Such as DNS Hijack, etc ), All requests are sent to the broker's server

  2. The broker server returns the broker's own certificate

  3. Client creates random number , The random number is encrypted by the public key of the intermediary certificate and then sent to the intermediary , Then construct symmetric encryption with random number to encrypt the transmission content

  4. Middleman because of the random number of clients , The content can be decrypted by symmetric encryption algorithm

  5. The middleman sends the request to the regular website with the request content of the client

  6. Because the communication process between the middleman and the server is legal , The regular website returns encrypted data through the established security channel

  7. The middleman decrypts the content with the symmetric encryption algorithm established with the regular website

  8. The middleman encrypts the data returned by the normal content through the symmetric encryption algorithm established with the client

  9. The client decrypts the returned data through the symmetric encryption algorithm established with the middleman

Due to the lack of verification of certificates , So although the client initiated HTTPS request , But the client has no idea that his network has been blocked , The transmission content is stolen by the middleman .

 

How do browsers verify the validity of certificates ?

Browser initiation HTTPS When asked , The server will return to the website SSL certificate , The browser needs to verify the certificate as follows :

  1. Verify domain name 、 Whether the validity period and other information are correct . The certificate contains this information , It's easier to verify ;

  2. Determine whether the source of the certificate is legal . Each certificate can be checked according to the verification chain to find the corresponding root certificate , operating system 、 The browser will store the root certificate of the authority locally , Local root certificate can be used to issue certificates to corresponding organizations to complete source verification ; 

  3. Judge whether the certificate has been tampered with . Need and CA The server does the check ;

  4. Determine if the certificate has been revoked . adopt CRL(Certificate Revocation List Certificate cancellation list ) and OCSP(Online Certificate Status Protocol Online Certificate Status Protocol ) Realization , among OCSP It can be used in 3 Step in to reduce with CA Server interaction , Improve verification efficiency

Only when any of the above steps are satisfied can the browser consider the certificate legal .

 

Can only certification authorities generate certificates ?

If you need a browser that doesn't prompt for security risks , Only certificates issued by certification bodies can be used . But browsers usually just hint at security risks , There is no restriction on the access of the website , So technically anyone can generate a certificate , As long as you have a certificate, you can complete the website HTTPS transmission . For example, the early 12306 It adopts the form of manual installation of private certificate HTTPS visit .

What to do if the local random number is stolen ?

Certificate verification is implemented by asymmetric encryption , But the transmission process is symmetric encryption , The important random number in symmetric encryption algorithm is generated locally and stored locally HTTPS


How to ensure that random numbers are not stolen ?

Actually HTTPS It doesn't include security guarantees for random numbers ,HTTPS The only guarantee is the security of the transmission process , And random numbers are stored locally , Local security belongs to another security category , The countermeasures are to install anti-virus software 、 Ewido 、 Browser upgrade to fix bugs, etc .

 

It was used HTTPS Will you be caught ?

HTTPS The data is encrypted , In general, the package content caught by the agent of the packet capturing tool after request is the encrypted state , Unable to view directly .

however , As mentioned above , The browser will only prompt for security risks , If the user is authorized to continue to visit the website , Complete the request . therefore , As long as the client is our own terminal , When we authorize , Then we can set up a network of middlemen , And the bag grabbing tool is acting as a middleman . Usually HTTPS The way to use the package grabbing tool is to generate a certificate , The user needs to manually install the certificate into the client , Then all requests initiated by the terminal complete the interaction with the packet capturing tool through the certificate , Then the packet capturing tool forwards the request to the server , Finally, the results returned by the server are output by the console and then returned to the terminal , To complete the whole request closed loop .

 

since HTTPS Can't prevent catching bags , that HTTPS What's the point ? 
HTTPS It can prevent the communication link from being monitored without the user's knowledge , There is no protection for the operation of capturing the package of active credit , Because users of this scenario are already aware of the risks . To prevent being caught , Application level safety protection is required , For example, using private symmetric encryption , At the same time, do a good job of anti decompilation and reinforcement of mobile terminal , Prevent local algorithms from being **.

 

Please bring the original link to reprint ,thank
Similar articles
Chen Ruifeng took the initiative to take a photo with Zhou Yangqing and sprinkle sugar. They are each other's ideal type and are willing to continue their contacts

2021-10-14

After breaking up with the new guest, Zhou Yangqing made rapid progress in his relationship and was confessed by the man. The ideal requirements were consistent with the man

2021-10-14

Facial expression pack burst fire National Day! Quan hongchan's first TV program was broadcast and announced an important decision

2021-10-14

Crazy fan culture, sad under the bright appearance, Zhang Xiaofei: I'm disbanded, you still come

2021-10-14

At the age of 67, Li Xuejian had damaged vocal cords due to nasopharyngeal carcinoma. He could not speak clearly and clenched his fist with full momentum

2021-10-14

Changjin Lake box office broke 800 million. Veterans recalled the details of the war. The soldiers were frostbitten and amputated without crying

2021-10-14

Lizzie's family of eight rarely have the same frame! 15 years older, her husband's hair is gray, and her mother's diamond ring is too photogenic

2021-10-14

Wu Jing asked Wu Lei to kiss him, and Wang Feng took little apple to support Zhang Ziyi. In order to promote "parents", he fought hard

2021-10-14

Jin Chen was praised for his performance at the National Day party. He was accused of sincerity in clothing matching, and got full marks for expression management

2021-10-14

The famous host Li Hao's wife eats spicy hot, squats directly on the ground without a stool, and one leg occupies three seats

2021-10-14

Guan Xiaotong looks like walking on the T-stage. He wears black short sleeves with cowboy hot pants, with an aura of 2.8 meters

2021-10-14

Insiders revealed that Kate and Megan fell in love and killed each other. Megan used her own method to make Kate more confident

2021-10-14

The 65 year old billionaire woman revealed that she wanted to take off the order! List the mate selection conditions, and the most important thing is to calculate the property of both parties

2021-10-14

What has Zhu Yuchen, 42, experienced from being a popular student to having no drama to shoot?

2021-10-14

One of the most high-frequency algorithm problems in the front end! Reverse linked list

2021-10-14

CSC 321 / 621 analysis

2021-10-14

Intel launched the second generation neural mimicry research chip Loihi 2 and the new lava software framework

2021-10-14

Eleven data of Baidu map 2021: the national high-speed congestion mileage exceeds 7000 km

2021-10-14

Weima automobile sold 5005 vehicles in September, with a year-on-year increase of 115.8%

2021-10-14

Microsoft Windows 11 exposure: Center display "start" menu

2021-10-14

Gao de: on the first day of the long holiday, Guangzhou, Dongguan and Foshan became the top three cities in China

2021-10-14

Following WeChat's payment, Alipay announced that it would pay an open online scenario to the UnionPay cloud.

2021-10-14

Weekend Hotel reported that Ctrip forced businesses to "choose one from two". Ctrip responded: there is a misunderstanding against "choose one from two"

2021-10-14

Apple pushed IOS version 15.0.1 to fix the bug involving iPhone 13

2021-10-14

Tesla entered the African market for the first time: deploying the first two super charging stations in Morocco

2021-10-14

Youbixuan panda robot appears in the China Pavilion of Dubai World Expo and can also play Tai Chi

2021-10-14

On the first day of the long holiday, the top three scenic spots in China were the West Lake, Tiananmen Square and Guangzhou tower

2021-10-14

The "monthly test" report card of the new car built under the lack of core: Xiaopeng and Weilai took the lead in "breaking 10000", and the ideal plummeted by 25%

2021-10-14

China Mobile Gao Tongqing: actively promote 6G to form a global unified standard system to avoid industrial fragmentation

2021-10-14

Youbixuan robot officially appeared in the China Pavilion of Dubai World Expo

2021-10-14

Weilai delivered 10628 intelligent electric vehicles in September, with a year-on-year increase of 125.7%

2021-10-14

Benchmarking Huawei mate X! Exposure glory's first folding screen flagship Q4 release

2021-10-14

Kidde launched a new networked moon smoke fire detection alarm and entered the Chinese consumer business market

2021-10-14

The box office on the first day of the national day broke 200 million, and Changjin Lake accounted for more than half of the box office

2021-10-14

Data abuse? Storage of important automobile data in China according to law: officially implemented from now on

2021-10-14

The survey found that nearly half of musk and Gates' twitter fans are 'robots'

2021-10-14

Half of the developers of hard core observation 411 consider resigning because of bad code, but if the money is enough

2021-10-14

Hard core observation 410 domestic well-known "open source software" Zhimeng CMS claimed a license fee of 5800 yuan from users

2021-10-14

Hard core observation 409 stack overflow "copy and paste keyboard"

2021-10-14

Introduction to making arch linux software package

2021-10-14

Hard core observation 408 young people have lost the concept of computer folders

2021-10-14

Make yaml as simple as it looks

2021-10-14

Hard core observation 407 HTTPS everywhere browser extension is about to retire

2021-10-14

How to use busybox on Linux

2021-10-14

In 2021, the talent incentive plan of Linux foundation open source software School Park was officially launched

2021-10-14

Managing CentOS streams with foreman

2021-10-14

On the format of configuration file

2021-10-14

It's not windows or Linux. Shrink is the "God operating system"

2021-10-14

Use vagrant to test your scripts on different operating systems

2021-10-14

Run the container on your Mac with Lima

2021-10-14

Install anydesk on Ubuntu Linux

2021-10-14

5 open source software that can replace zoom

2021-10-14

An open source alternative to Microsoft Exchange

2021-10-14

So... Can the code really be written at the age of 50?

2021-10-14

Euler: here comes the operating system that wants to unify the digital infrastructure

2021-10-14

2021, can we recommend using Linux to play games?

2021-10-14

Adobe Flash CS6 Chinese compact installation

2021-10-14

Qt5 self made serial port assistant (2) basic control settings

2021-10-14

Smart city local applet smart city local standard source code

2021-10-14

Git basic operation [3] -- screenshot attached

2021-10-14