Symmetric, asymmetric encryption and decryption, SSL, HTTPS detailed introduction

Symmetric encryption: Encryption and decryption use the same key, so both communicating parties must know this key in advance (the most common symmetric encryption algorithms are DES and AES).

Warm reminder: While reading the following content, refer to the pictures on the original page to aid your understanding. /yxhxj2006/archive/2012/10/15/389547.html?

Asymmetric encryption: Different keys are used for encryption and decryption (the most commonly used asymmetric encryption algorithm is RSA). The keys come as a pair, a public key and a private key. The public key is published to the outside world, and the private key is kept by its owner. There can be many copies of the public key, for example in a topology with multiple clients and a single server: each client holds a public key, the server holds the private key, and the public key is sent by the server to the clients. The client uses the public key to decrypt the ciphertext it receives, which the server encrypted with its private key. Conversely, when the client sends a request to the server, the client encrypts it with the public key the server sent; after the server receives the ciphertext, it decrypts it with its own private key.

1. Digital digest in asymmetric encryption: A one-way (irreversible) hash function turns the plaintext into a string of fixed-length (128-bit) ciphertext. This string is also called a digital fingerprint: different plaintexts produce different digests, and the same plaintext always produces the same digest, so "digital fingerprint" is the more fitting name. Digital digests are the fundamental reason why https can guarantee data integrity and resistance to tampering. (Hash functions such as MD5 and SHA are not encryption algorithms: they are irreversible and serve only as fingerprints, whereas encryption algorithms are reversible. Base64 is also reversible.)

2. Digital signature in asymmetric encryption: After the digital digest has been computed, the digest is encrypted with the sender's own private key, and the result is the "digital signature". Simply put, a digital digest encrypted with the private key is a digital signature. The digital signature can be attached to the plaintext.

The message sent at this point contains the digital digest and the digital signature. The recipient only needs to decrypt the signature with the sender's public key to obtain the digest, then run the received original text through the same hash function to generate a digest and compare it with the decrypted one. If the two are identical, the received information is complete and has not been modified in transit. A digital signature can only verify the integrity of the information; whether the data itself is encrypted is outside the scope of the digital signature.
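The digest-and-signature flow described in points 1 and 2, as an added example in Go that is not part of the original article. It assumes SHA-256 as the hash (the article's 128-bit digest corresponds to MD5, which is no longer suitable for signatures) and RSA PKCS#1 v1.5 signing; the message text is a constructed sample.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Digest is the "digital fingerprint": a fixed-length SHA-256 hash of the plaintext.
// Any change to the input yields a different digest; the same input always yields the same.
func Digest(msg []byte) []byte {
	sum := sha256.Sum256(msg)
	return sum[:]
}

// Sign creates the digital signature: the digest processed with the sender's private key.
func Sign(priv *rsa.PrivateKey, msg []byte) ([]byte, error) {
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, Digest(msg))
}

// Verify recomputes the digest of what arrived and checks it against the signature with
// the sender's public key; a message altered in transit no longer matches.
func Verify(pub *rsa.PublicKey, msg, sig []byte) bool {
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, Digest(msg), sig) == nil
}

func main() {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	msg := []byte("transfer 100 to account A") // constructed sample plaintext
	sig, err := Sign(priv, msg)
	if err != nil {
		panic(err)
	}
	fmt.Printf("digest %x\n", Digest(msg))
	fmt.Println("intact message verifies:", Verify(&priv.PublicKey, msg, sig))
	tampered := []byte("transfer 900 to account A") // one digit changed in transit
	fmt.Println("tampered message verifies:", Verify(&priv.PublicKey, tampered, sig))
}
```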

3. Digital certificate in asymmetric encryption: From the perspective of "identifying the sender" and "ensuring data integrity", digital signatures are sufficient only on the premise that the key the signature relies on is truly reliable. If the public key held by the recipient is faulty or has been replaced, the person holding the corresponding private key can impersonate the sender and send messages to the recipient without the recipient knowing. The question, then, is: how can the recipient be sure that the public key it obtained really was issued by the target host and has not been tampered with? This is where an authoritative, trustworthy third party is needed (generally an organization audited and authorized by the government) to issue the organization's public key in a unified way. As long as the sender holds the public key of such an organization, the problem above is avoided. Such an organization is called a Certificate Authority (CA), and the files it issues, which include the host organization's name and public key, are what people call "digital certificates".

The issuance process for a digital certificate is generally as follows: the user first generates his or her own key pair and transmits the public key together with some personal identity information to the certification center. After verifying the identity, the certification center performs some necessary steps to make sure the request was indeed sent by that user. The certification center then issues the user a digital certificate, which contains the user's personal information and public key, and also includes the certification center's signature. The user can then use the digital certificate for various related activities. Digital certificates are issued by independent certificate authorities. Certificates vary, and each provides a different level of trustworthiness. You can obtain your own digital certificate from a certificate authority.
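The issuance and verification steps above, as an added example in Go (not code from the original article) using the standard crypto/x509 package: a self-signed CA, a certificate the CA issues for a host's public key, and the client-side check that accepts a certificate only if it chains to the trusted CA and names the expected host. The CA and host names are constructed; the caller supplies the key pairs, mirroring the "user generates his or her own key pair" step.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// NewCA creates the trusted third party: a self-signed CA certificate for the given key.
func NewCA(name string, key *rsa.PrivateKey) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Issue plays the CA: it binds the host name to the host's public key and signs the
// result with the CA's private key. That signed record is the host's digital certificate.
func Issue(ca *x509.Certificate, caKey *rsa.PrivateKey, host string, hostPub *rsa.PublicKey) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, hostPub, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Trusted plays the client: the certificate is accepted only if it chains to the CA the
// client already trusts and names the host the client is connecting to.
func Trusted(ca, cert *x509.Certificate, host string) bool {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	_, err := cert.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err == nil
}
```

A certificate signed by any other CA, or issued for a different host name, fails the same check, which is exactly the substitution problem the CA is meant to close.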

SSL is a security protocol. The process by which SSL establishes communication is divided into two stages, the handshake stage and the transmission stage. The picture below shows the handshake stage.

The SSL protocol uses asymmetric encryption in the handshake stage (explained above) and symmetric encryption in the transmission stage (which is simple and will not be described in detail). In other words, the data transmitted over SSL is encrypted with a symmetric key! This is not surprising, since asymmetric encryption is slow and resource-intensive.

In fact, while the client and the host establish the connection using asymmetric encryption, they have already agreed on the symmetric encryption algorithm and the symmetric key to be used during transmission. Since that process is itself safe and reliable, the symmetric key cannot be stolen. Therefore, the symmetric encryption of data during transmission is also safe and reliable, because no third party apart from the client and the host can steal and decrypt the symmetric key!
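The two-stage design in the two paragraphs above, as an added example in Go that is not from the original article and is a simplified model rather than the real SSL/TLS handshake: the client wraps a random symmetric session key with the server's public key (RSA-OAEP, an assumption), the server unwraps it with its private key, and all data afterwards is protected with that symmetric key (AES-GCM, also an assumption, chosen because it detects tampering as well as encrypting).

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// Handshake stage, client side: pick a random session key and wrap it with the
// server's public key, so only the holder of the private key can recover it.
func ClientHandshake(serverPub *rsa.PublicKey) (sessionKey, wrapped []byte, err error) {
	sessionKey = make([]byte, 32) // AES-256 key
	rand.Read(sessionKey)         // crypto/rand.Read is documented never to fail (Go 1.24+)
	wrapped, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, serverPub, sessionKey, nil)
	return sessionKey, wrapped, err
}

// Handshake stage, server side: unwrap the session key with the private key.
func ServerHandshake(serverPriv *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, serverPriv, wrapped, nil)
}

// NewSession builds the symmetric cipher (AES-GCM) both sides use after the handshake.
func NewSession(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts one record; the fresh random nonce is prepended to the ciphertext.
func Seal(g cipher.AEAD, plaintext []byte) []byte {
	nonce := make([]byte, g.NonceSize())
	rand.Read(nonce) // never reuse a nonce with the same key
	return g.Seal(nonce, nonce, plaintext, nil)
}

// Open decrypts and authenticates a record; altered bytes or a wrong key are rejected.
func Open(g cipher.AEAD, sealed []byte) ([]byte, error) {
	ns := g.NonceSize()
	if len(sealed) < ns {
		return nil, errors.New("ciphertext too short")
	}
	return g.Open(nil, sealed[:ns], sealed[ns:], nil)
}
```

Only the party holding the server's private key can unwrap the session key, which is why a third party observing the exchange cannot decrypt the symmetric traffic that follows.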

HTTPS: HTTPS is a network protocol built from SSL + HTTP that performs encrypted transmission and identity authentication (confirming whether the host the client connects to is the real, correct host). The security guarantee that HTTPS provides is precisely the result of SSL.

Disadvantages of HTTPS:

The main disadvantage of https is performance issues. There are two reasons why https performance is lower than http:

1. Encrypting and decrypting the data inevitably makes it slower than http.

2. Another important reason is that https disables caching.

Relevant test data shows that the efficiency of data transmission over HTTPS is only one-tenth that of HTTP. Therefore a website will choose https only for data with extremely high security requirements.