Network: friends interview: the encryption process of HTTPS authentication

cscw 2021-06-23 22:35:54
network friends interview encryption process


Last time my friend talked about TCP/IP Follow up to the interview , Mainly https Interview points related to , Please see below

Official account , Communicate together , Search on wechat : Sneak forward

github Address , thank star

interviewer :HTTPS What's the authentication and encryption process , How does it guarantee that the content won't be tampered with

  • friend :1,https Is based on tcp Agreed , The client will initiate the link establishment with the server first
  • friend :2, Then the server will return its certificate to the client , The certificate contains the public key、 Information about the issuing authority and validity period
  • friend :3, Get the certificate through the browser's built-in root certificate ( contains Verify its validity
  • friend :4, The client generates a random symmetric encryption key Z, Through the public key of the server Encrypt and send it to the server
  • friend :5, The client and server use symmetric secret key Z Encrypt data to do http signal communication

interviewer : How does that certificate guarantee that the issued certificate is safe and effective

  • friend :1- The server generates an asymmetric encryption key in advance , Private key S.pri keep ; And the public key Issued to CA It's a signature verification
  • friend :2-CA An asymmetric encryption key is also generated in advance , Its private key C.pri The public key to the server Make signature generation CA certificate
  • friend :3-CA The agency will generate the signature CA The certificate is returned to the server , That's the certificate that the server gave to the client just now
  • friend :4- because CA( Certification authority ) Comparative authority , So many browsers have built-in public keys ( Certificate , Call it the root certificate . Then you can use the root certificate to verify the validity of the certificate it issued

    interviewer : If there's an infinite set of Dolls , What if the root certificate has been tampered with ?

  • friend : unsolvable , This needs to be CA The root certificate is accurate , It's OK not to modify the local root certificate manually , Because a certificate that is not authenticated by the original root certificate cannot be added to the root certificate automatically

interviewer : You speak a little fast , Take a look at the picture below

  • friend :https The encryption process
  • friend : Server certificate passed CA The process of institutional signature authentication is as follows

interviewer : Earlier you said CA The organization will sign the server's public key with the key , Signing and encryption , How do you understand

  • friend : When using asymmetric encryption algorithms , A signature is used to represent the encryption process using a private key
  • friend : If you encrypt data with a public key , It's encryption
  • friend : On the contrary, use the private key to encrypt the data , It's called a signature

interviewer : that CA What is the certificate ?

  • friend :CA Certificate is to ensure that the public key of the server is accurate , Not modified
  • friend : Certificates usually contain these things (1) The public key of the server ;(2) Certificate issuer (CA) Digital signature of certificate ;(3) The signature algorithm used for the certificate ;(4) Certification authority 、 The period of validity 、 Owner information and other information

interviewer : You talked about it HTTPS The encryption algorithm is used , What are the types of encryption algorithms , tell us your opinion

  • friend : Encryption algorithms fall into three categories : One way encryption , Symmetric encryption algorithm and asymmetric encryption algorithm

interviewer : What's the difference between symmetric encryption and asymmetric encryption

  • friend : When using symmetric encryption , Encryption and decryption use the same key ; And asymmetric encryption , Two keys , Public key encryption requires private key decryption , Private key encryption requires public key decryption . Cannot encrypt private key , Private key decryption

interviewer :MD5、SHA、Base64 and RSA What kind of algorithm does it belong to , Symmetrical or asymmetrical ?

  • friend :MD5、SHA, It's called a digest algorithm , It can be classified as one-way encryption algorithm , The calculated summary information , It's irreversible to recover to the original data
  • friend :RSA It belongs to asymmetric encryption algorithm
  • friend : and Base64 It's not an encryption algorithm , It's more often referred to as a way of data encoding

interviewer : Which have been used? HTTP Client tool class ?

  • friend :apache Of CloseableHttpClient、jdk9 Of httpClient and spring clould In the system ribbon、feign

interviewer : Have you ever encountered using https Certificate problem , If there is , What's the problem ?

  • friend : Of course , Once used apache-httpClient When loading a custom certificate ( I didn't go through it CA authentication ), The test server cannot trust the certificate , However, the local operation is no problem
  • friend : The reason is that the certificate is generated locally , At that time, it has been added to the root certificate by default , And the test suit jre The root certificate directory of (/lib/security/cacerts) There is no such certificate , Put it on the project resource You can't have a valid certificate

interviewer : Oh , So how did you solve it

  • friend : Three solutions .1- rewrite TrustManager, Unconditional trust certificate ;2- Add the certificate to jre The root certificate directory of ;3- adopt CA authentication

interviewer : Network packet capture does not understand

  • friend : stay linux The system can use tcpdump Command to tcp Request packet capture , The captured data is output to a file ; Then you can go to window Use wireshark Software loading tcp Data files , It can provide interface analysis

interviewer : Well said , Now let's change the subject , Chat mysql Business ....

  • friend : B: yes, you can , I've also learned a little bit about business ...

Welcome refers to a mistake in the text ( The story is pure fiction , It's a coincidence )

Reference article


  1. redis cluster如何支持pipeline
  2. How does redis cluster support pipeline
  3. 上海 | 人英网络 | 招Java开发25-35K、React前端开发25-40K
  4. Shanghai | Renying network | recruit java development 25-35k, react front end development 25-40k
  5. SpringCloud+Docker+Jenkins+GitLab+Maven实现自动化构建与部署实战
  6. Spring cloud + docker + Jenkins + gitlab + Maven to realize automatic construction and deployment
  7. 性能工具之linux三剑客awk、grep、sed详解
  8. Performance tools of Linux three swordsmen awk, grep, sed
  9. 一次“不负责任”的 K8s 网络故障排查经验分享
  10. An "irresponsible" experience sharing of k8s network troubleshooting
  11. 性能工具之linux三剑客awk、grep、sed详解
  12. Performance tools of Linux three swordsmen awk, grep, sed
  13. 使用Spring Data JPA 访问 Mysql 数据库-配置项
  14. Accessing MySQL database with spring data JPA - configuration item
  15. 一次“不负责任”的 K8s 网络故障排查经验分享
  16. An "irresponsible" experience sharing of k8s network troubleshooting
  17. 注册中心ZooKeeper,Eureka,Consul,Nacos对比
  18. Linux最常用的指令大全!快看看你掌握了吗?
  19. Comparison of zookeeper, Eureka, consult and Nacos
  20. Linux most commonly used instruction encyclopedia! Let's see. Do you have it?
  21. Matrix architecture practice of Boshi fund's Internet open platform based on rocketmq
  22. 字节面试,我这样回答Spring中的循环依赖,拿下20k offer!
  23. Byte interview, I answer the circular dependence in spring like this, and get 20K offer!
  24. oracle 11g查看alert日志方法
  25. How to view alert log in Oracle 11g
  26. 手写Spring Config,最终一战,来瞅瞅撒!
  27. Handwritten spring config, the final battle, come and see!
  28. 用纯 JavaScript 撸一个 MVC 框架
  29. Build an MVC framework with pure JavaScript
  30. 使用springBoot实现服务端XML文件的前端界面读写
  31. Using springboot to read and write the front interface of server XML file
  32. 【Javascript + Vue】实现随机生成迷宫图片
  33. [Javascript + Vue] random generation of maze pictures
  34. 大数据入门:Hadoop伪分布式集群环境搭建教程
  35. Introduction to big data: Hadoop pseudo distributed cluster environment building tutorial
  36. 八股文骚套路之Java基础
  37. commons-collections反序列化利用链分析(3)
  38. Java foundation of eight part wensao routine
  39. Analysis of common collections deserialization utilization chain (3)
  40. dubbogo 社区负责人于雨说
  41. Yu Yu, head of dubbogo community, said
  42. dubbogo 社区负责人于雨说
  43. Yu Yu, head of dubbogo community, said
  44. 设计模式 选自《闻缺陷则喜》此书可免费下载
  45. The design pattern is selected from the book "you are happy when you hear defects", which can be downloaded free of charge
  46. xDAI被选为 Swarm 的侧链解决方案,将百倍降低 Swarm 网络Gas费
  47. L2 - 深入理解Arbitrum
  48. Xdai is selected as the side chain solution of swarm, which will reduce the gas cost of swarm network 100 times
  49. L2 - deep understanding of arbitrum
  50. Java全栈方向学习路线
  51. 设计模式学习04(Java实现)——单例模式
  52. Java full stack learning route
  53. Design pattern learning 04 (Java implementation) - singleton pattern
  54. Mybatis学习01:利用mybatis查询数据库
  55. Mybatis learning 01: using mybatis to query database
  56. Java程序员从零开始学Vue(01)- 前端发展史
  57. Java程序员从零开始学Vue(05)- 基础知识快速补充(html、css、js)
  58. Java programmers learn Vue from scratch
  59. Java programmers learn Vue from scratch (05) - quick supplement of basic knowledge (HTML, CSS, JS)
  60. 【Java并发编程实战14】构建自定义同步工具(Building-Custom-Synchronizers)