Network: friends interview: the encryption process of HTTPS authentication

Sneak on 2021-01-21 17:48:16
Tags: network, friends interview, encryption process


Preface

Last time my friend covered the TCP/IP part of the interview. This follow-up is mainly about the HTTPS-related interview points; see below.

interviewer: What are the authentication and encryption steps of HTTPS, and how does it guarantee that the content cannot be tampered with?

  • friend: 1. HTTPS is based on the TCP protocol; the client first establishes a connection with the server.
  • friend: 2. The server then returns its certificate to the client. The certificate contains the public key S.pub, information about the issuing authority, and the validity period.
  • friend: 3. The client verifies the validity of the certificate using the browser's built-in root certificate (which contains C.pub).
  • friend: 4. The client generates a random symmetric encryption key Z, encrypts it with the server's public key S.pub, and sends it to the server.
  • friend: 5. The client and server then use the symmetric key Z to encrypt the data of their HTTP communication.

interviewer: How is it guaranteed that the certificate the CA issues is safe and valid?

  • friend: 1. The server generates an asymmetric key pair in advance: it keeps the private key S.pri and sends the public key S.pub to the CA to be signed.
  • friend: 2. The CA also generates an asymmetric key pair in advance and uses its private key C.pri to sign the server's public key S.pub, producing the CA certificate.
  • friend: 3. The CA returns the signed CA certificate to the server; this is the certificate the server just sent to the client.
  • friend: 4. Because the CA (certification authority) is relatively authoritative, many browsers have the certificate containing its public key (C.pub) built in; this is called the root certificate. The root certificate can then be used to verify the validity of the certificates it has issued.

interviewer: If this is nested dolls all the way down, what if the root certificate itself has been tampered with?

  • friend: That is unsolvable. It requires the CA root certificate to be correct. As long as you don't modify the local root certificates manually it's fine, because a certificate that is not authenticated by the original root certificate cannot be added to the root certificates automatically.

interviewer: You're speaking a bit fast; let's look at the pictures below.

  • friend: (Figure: the HTTPS encryption process)
  • friend: (Figure: the process by which the server certificate is signed and authenticated by the CA)

interviewer: Earlier you said the CA signs the server's public key with its key. Signing and encryption: how do you understand the difference?

  • friend: With asymmetric encryption algorithms, "signing" refers to the process of encrypting with the private key.
  • friend: If you encrypt data with the public key, it's called encryption.
  • friend: Conversely, encrypting data with the private key is called signing.

interviewer: Then what is a CA certificate?

  • friend: The CA certificate ensures that the server's public key is correct and has not been modified.
  • friend: A certificate usually contains: (1) the server's public key; (2) the digital signature of the certificate issuer (CA); (3) the signature algorithm used by the certificate; (4) the certification authority, validity period, owner information, and other details.

interviewer: You mentioned the encryption algorithms used by HTTPS. What types of encryption algorithms are there? Tell us your view.

  • friend: Encryption algorithms fall into three categories: one-way encryption, symmetric encryption algorithms, and asymmetric encryption algorithms.

interviewer: What's the difference between symmetric and asymmetric encryption?

  • friend: With symmetric encryption, encryption and decryption use the same key. With asymmetric encryption there are two keys: what is encrypted with the public key must be decrypted with the private key, and what is encrypted with the private key must be decrypted with the public key. You cannot encrypt with the private key and also decrypt with the private key.

interviewer: Which category do MD5, SHA, Base64 and RSA belong to, symmetric or asymmetric?

  • friend: MD5 and SHA are called digest algorithms and can be classified as one-way encryption algorithms; the computed digest cannot be reversed to recover the original data.
  • friend: RSA is an asymmetric encryption algorithm.
  • friend: Base64 is not an encryption algorithm; it is more often described as a way of encoding data.

interviewer: Which HTTP client utility classes have you used?

  • friend: Apache's CloseableHttpClient, JDK 9's HttpClient, and Ribbon and Feign in the Spring Cloud ecosystem.

interviewer: Have you ever run into an HTTPS certificate problem? If so, what was the problem?

  • friend: Of course. Once, when loading a custom certificate with apache-httpClient (one that had not gone through CA authentication), the test server could not trust the certificate, although running locally there was no problem.
  • friend: The reason was that the certificate had been generated locally and had by default already been added to the local root certificates, whereas the JRE root certificate store on the test machine (/lib/security/cacerts) did not contain this certificate. Simply putting it in the project's resources does not give you a valid certificate.

interviewer: Oh, so how did you solve it?

  • friend: Three solutions. 1. Rewrite the TrustManager to trust the certificate unconditionally; 2. Add the certificate to the JRE's root certificate store; 3. Go through CA authentication.
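As an added example that is not part of the original post, the following toy Python model walks through handshake steps 1-5 from the first answer, the CA signing and root-certificate verification from the second, the "signature = encryption with the private key" view, and what solution 1 above (a TrustManager that trusts unconditionally) amounts to. The RSA parameters are constructed small primes for illustration only, and the dictionary "certificate" is a stand-in for a real X.509 certificate.

```python
import hashlib
import secrets
from math import gcd

# Toy RSA on constructed small primes, for illustration only (real keys are 2048+ bits).
def make_keypair(p, q, e=65537):
    n, phi = p * q, (p - 1) * (q - 1)
    assert gcd(e, phi) == 1
    return (n, e), (n, pow(e, -1, phi))          # (public key, private key)

def rsa_apply(key, m):
    # One modular exponentiation serves both directions: public exponent = encrypt/verify,
    # private exponent = decrypt/sign. That is the "sign = encrypt with private key" view above.
    n, exp = key
    return pow(m, exp, n)

def fingerprint(server_pub, n):
    # What the CA vouches for (here only S.pub), hashed and reduced to fit the toy modulus
    data = f"{server_pub[0]}:{server_pub[1]}".encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def ca_issue_cert(ca_priv, server_pub):
    # CA step 2: C.pri signs S.pub; the certificate carries S.pub plus that signature
    return {"S.pub": server_pub, "sig": rsa_apply(ca_priv, fingerprint(server_pub, ca_priv[0]))}

def client_verify_cert(root_pub, cert):
    # Handshake step 3: the built-in root certificate (C.pub) recovers the fingerprint; a mismatch
    # means S.pub was modified after the CA signed it
    return rsa_apply(root_pub, cert["sig"]) == fingerprint(cert["S.pub"], root_pub[0])

def trust_all_verify(root_pub, cert):
    # Solution 1 above (rewrite TrustManager, trust unconditionally): the check is simply skipped
    return True

def handshake(root_pub, cert, server_priv, verify=client_verify_cert):
    # Steps 3-5: verify the certificate, then send a random symmetric key Z encrypted under S.pub
    if not verify(root_pub, cert):
        return None
    z = secrets.randbelow(cert["S.pub"][0])
    encrypted_z = rsa_apply(cert["S.pub"], z)       # public key encrypts ...
    server_z = rsa_apply(server_priv, encrypted_z)  # ... private key decrypts
    return z if z == server_z else None             # both sides now hold Z for symmetric traffic

CA_PUB, CA_PRIV = make_keypair(1000003, 1000033)        # the CA's C.pub / C.pri
SERVER_PUB, SERVER_PRIV = make_keypair(999983, 999979)  # the server's S.pub / S.pri
CERT = ca_issue_cert(CA_PRIV, SERVER_PUB)

def tampered_cert():
    # A certificate whose S.pub was swapped: without C.pri no matching signature can be produced
    other_pub, _ = make_keypair(1000037, 1000039)
    return {"S.pub": other_pub, "sig": CERT["sig"]}
```

The proper check rejects the tampered certificate while trust_all_verify accepts it, which is why solution 1 only belongs in a local test setup.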

interviewer: Do you understand network packet capture?

  • friend: On Linux you can use the tcpdump command to capture TCP request packets and write the captured data to a file; then on Windows you can load that TCP data file in Wireshark, which provides a graphical interface for analysis.

interviewer: Well said. Now let's change the subject and talk about MySQL transactions ....

  • friend: Yes, of course. I've also learned a bit about transactions ...

Corrections to the text are welcome (the story is pure fiction; any resemblance is coincidental).

Reference articles

  • [1] The illustrated HTTPS establishment process: https://www.cnblogs.com/softidea/p/6958394.html
  • [2] What are digests, signatures and digital certificates?: https://www.jianshu.com/p/b2774634041a
  • [3] What is a digital signature?: http://www.ruanyifeng.com/blog/2011/08/what_is_a_digital_signature.html

This article is from the WeChat official account Sneak forward (qianxingcsc).


Original publication time: 2021-01-16


Copyright notice
This article was written by [Sneak on]; please include the original link when reposting, thank you.
https://javamana.com/2021/01/20210121174556329e.html
