Source: http://foofish.net/https-symmetric.html Author: _zhijun
Cryptography is widely used in computer science, and HTTPS is a secure communication protocol based on cryptography. HTTPS was first proposed by Netscape in 1994, and today, with the promotion of many Internet companies, HTTPS is widely used on various websites of all sizes. Before fully understanding HTTPS, it is necessary to clarify some concepts related to cryptography, such as: plaintext, ciphertext, cipher, key, symmetric encryption, asymmetric encryption, hash, digital signature, and digital certificate.
Cipher
The cipher in cryptography is different from the password we refer to in daily life. The term ‘cipher’ in computer science refers to an algorithm used for encryption or decryption, while the ‘password’ we use daily is a set of text strings for authentication purposes. Here we will discuss the former: cipher.
Key
A key is a parameter that is input during the process of using the cipher algorithm. The same plaintext will produce different ciphertext when calculated with the same cipher algorithm but different keys. Many well-known cipher algorithms are public, and the key is the critical parameter that determines the security of the ciphertext. Generally, the longer the key, the harder it is to crack. For example, an 8-bit key has a maximum of 256 possible combinations, which can be easily cracked using brute force. The well-known DES algorithm uses a 56-bit key, which is no longer considered a secure encryption algorithm mainly because 56 bits is too short and can be cracked within hours. Keys can be divided into symmetric keys and asymmetric keys.
Plaintext/Ciphertext
Plaintext is the original data before encryption, and ciphertext is the result obtained after the cipher operation, referred to as ciphertext.
cipher
Symmetric Key
Symmetric Key, also known as shared key encryption, uses the same key for both encryption and decryption. Common symmetric encryption algorithms include DES, 3DES, AES, RC5, and RC6. The advantage of symmetric keys is their fast computation speed, but they also have drawbacks. The key must be shared between the two ends of the communication; both parties need to know the key to decrypt correctly. If all clients share the same key, that key acts like a master key, allowing anyone with it to decrypt everyone’s ciphertext. If each client maintains a unique key with the server, the server must manage thousands of keys, which can be a nightmare. Below is a simple symmetric encryption example that encrypts plaintext into ASCII.
# Encryption method: based on ASCII + key value
def encipher(plain_text, key):
# Encrypt
cipher_text = []
for c in plain_text:
cipher_text.append(str(ord(c) + key))
return ' '.join(cipher_text)
def decipher(cipher_text, key):
# Decrypt
plain_text = []
for c in cipher_text.split(" "):
plain_text.append(chr(int(c)+key))
return "".join(plain_text)
if __name__ == '__main__':
print "cipher_text:", encipher("abcdef", 0)
print "plain_text:", decipher("97 98 99 100 101 102", 0)
Asymmetric Key
Asymmetric Key, also known as public key encryption. The server generates a pair of keys: a private key kept on the server known only to itself, and a public key that can be freely distributed for anyone to use. The plaintext from the client is encrypted using the public key, and the resulting ciphertext must be decrypted with the private key. In asymmetric key encryption, different keys are used for encryption and decryption, which is why it is called asymmetric encryption. Unlike symmetric key encryption, asymmetric encryption does not require sharing a key between the client and server. As long as the private key is not shared with any user, even if the public key is intercepted online, it cannot be decrypted. A common example of asymmetric encryption is RSA, with the decryption process as follows:
-
The server generates a pair of public and private keys.
-
The private key is kept on the server, and the public key is sent to the client.
-
The client encrypts the plaintext using the public key and sends it to the server.
-
The server decrypts the ciphertext with its private key to obtain the plaintext.
Digital Signature
When data is transmitted between the browser and server, it is possible for a malicious thief to replace the content during transmission. How can we ensure that the data is genuinely sent by the real server and has not been tampered with? To solve these two issues, we must use a digital signature. A digital signature is similar to a signature in daily life; once you sign a contract, it legally confirms that you signed it, which cannot be forged since it is your unique handwriting. So how does a digital signature work in computing? A digital signature is used to verify that the transmitted content is indeed sent by the real server and that it has not been altered. It serves these two purposes and is an application of asymmetric encryption. However, it is used in reverse: the private key encrypts, and the paired public key decrypts.
Step One: The server processes the message with a hash function to generate digest information. The digest is encrypted with the private key to create the signature, which is sent to the client along with the message.
signature1
Step Two: The client receives the data and extracts the signature to decrypt it using the public key. If Digest2 can be decrypted correctly, it confirms that it was sent by the other party. Step Three: The client extracts the message text, performs the same hash processing to obtain digest information Digest1, and compares it with the previously decrypted Digest2. If they are equal, it indicates that the content has not been tampered with; otherwise, it indicates that the content has been altered. This is because even the slightest change in the text will produce a completely different hash.
signature2
Digital Certificate
A digital certificate, abbreviated as CA, is a recognized credential issued by an authoritative body to a website, which is recognized by the public (browsers). Why is a digital certificate necessary? Isn’t a digital signature secure enough? There is a situation where browsers cannot determine whether all real servers are genuine. For example:
Manufacturer A installs a lock for you and gives you the key. As long as the key can open the lock, you can confirm that the key and lock are paired. If someone changes the key or the lock, you won’t be able to open the door, and you’ll know you’ve been robbed. However, if someone replaces the lock and key with a similar-looking but much lower quality set, even though the key and lock match, you cannot confirm if this is indeed from Manufacturer A. In this case, you can consult the quality inspection department to verify whether this lock is genuinely from Manufacturer A; the quality inspection department is an authoritative body, and its word is publicly recognized.
Similarly, if someone (Zhang San) replaces the public key sent by the real server with their own public key, Zhang San could use their private key to perform the same steps of hashing and digital signing, and everything might appear correct. However, what the browser sees is not what the real server provided, but what Zhang San has substituted from start to finish (from public key to private key).
So how do you ensure that the public key you are currently using is the one genuinely sent by the real server? We use a digital certificate to solve this problem. Digital certificates are generally issued by Certificate Authorities, which contain the real server’s public key and other information about the website. The certificate authority encrypts it with its private key and sends it to the browser, which uses the certificate authority’s public key to decrypt and obtain the real server’s public key. This process is based on the public recognition of the certificate authority, making it a secure method.
References:
-
http://www.ruanyifeng.com/blog/2011/08/what_is_a_digital_signature.html
-
https://zh.wikipedia.org/wiki/%E5%85%AC%E5%BC%80%E5%AF%86%E9%92%A5%E5%8A%A0%E5%AF%86
-
https://zh.wikipedia.org/wiki/%E9%AB%98%E7%BA%A7%E5%8A%A0%E5%AF%86%E6%A0%87%E5%87%86
-
https://zh.wikipedia.org/wiki/%E8%B3%87%E6%96%99%E5%8A%A0%E5%AF%86%E6%A8%99%E6%BA%96
-
https://zh.wikipedia.org/wiki/%E6%95%B8%E4%BD%8D%E7%B0%BD%E7%AB%A0
-
http://www.guokr.com/post/114121/
-
http://op.baidu.com/2015/04/https-s01a01/
Source: http://foofish.net/https-symmetric.html Author: _zhijun
Recommended Articles
Swipe to see more
Enter article ID or long press the QR code to access