This article was first published on my official account, Su Yan: HTTPS, told as a story

The main actors in the story:

Xiao Hua is a first-year college student. It is the first time she has left her parents, studying alone in Beijing. Today is her mother's birthday, and she wants to send her a greeting, so she sends her mother a message:

Her mother was very happy to receive the message: her daughter, busy as she was, still remembered her birthday. So the two began to chat. Knowing that her daughter had been scrimping and saving, the mother decided to send her some money.

Xiao Hei, a hacker who specializes in "stealing" things, had been eavesdropping on the mother and daughter's conversation the whole time. He almost fell asleep listening to them talk so much.

That changed when mother and daughter mentioned money: he perked up at once and decided to make a profit. He intercepted Xiaohua's message and sent his own carefully prepared message to Xiaohua's mother in its place.

Xiaohua's mother then sent the money, unaware that the conversation between mother and daughter had been under Xiaohei's control. Xiaohei took the money and ran.

Note from the official account Su Yan: HTTP runs directly over TCP with no security layer, and that is what makes HTTP insecure. The contents of HTTP packets are not encrypted, so they are easy to eavesdrop on and tamper with. Xiaohei listened to the mother and daughter's chat, altered its content, and impersonated the daughter. In short, plain HTTP has three problems:

1. The content is not encrypted but transmitted in plaintext, so it is easily read by an eavesdropper.
2. The integrity of the content cannot be verified, so it is easily tampered with; the receiver cannot tell whether the message was modified.
3. The identity of the other party cannot be verified: who am I actually talking to?

Xiao Hua felt very sad after being cheated and told her computer teacher, Wang Daqiang, about it. Hearing how she had been cheated, Teacher Wang was surprised: why would a message be tampered with? He immediately checked the chat software they used. It turned out that the software sent everything directly over TCP, with no security measures at all.

After studying the software, Daqiang told Xiaohua, "There is something wrong with this software. Don't use it any more. Use software with security measures, such as the TLS/SSL protocol."

"What is TLS/SSL?" Xiao Hua asked. Seeing Xiaohua's earnest expression, Daqiang decided to explain the principles of HTTPS to her, but thinking she might not follow, he decided to start from the scene in which she and her mother were cheated. Since Xiaohua and her mother's chats are transmitted in the clear, the obvious fix is to encrypt them: Xiaohua and her mother agree on a password, and all content is encrypted and decrypted with that password.

Note from the official account Su Yan: this method is called symmetric encryption. Encryption and decryption both use the same password (the shared secret key), so the password must be kept secret; once it leaks, the consequences are serious. Xiaohua immediately saw a problem: how does she get the password to her mother? A password can only be agreed safely once the two sides meet in person. Then she thought of her father in the United States: if she wanted to ask him for money, she would have to fly to the United States to tell him the password. Far too much trouble.

Teacher Wang Daqiang said, "Don't worry, there is a better way." Use two keys: one for encryption, called the public key, and one for decryption, called the private key. Content encrypted with the public key can only be decrypted with the matching private key. The private key is kept only by its owner, while the public key can be handed out to anyone.

Xiaohua and her mother simply give each other their public keys. When Xiaohua sends a message to her mother, she encrypts it with her mother's public key; only her mother holds the matching private key, so only her mother can decrypt it.

Note from the official account Su Yan: this method is called asymmetric encryption. There are two keys, and content encrypted with one of them can only be decrypted with the other. Why say "the public key encrypts and the private key decrypts"? With RSA either key can reverse what the other applied (the private-key direction is what digital signatures use), but "public key encrypts, private key decrypts" is the easier way to remember it: the public key is known to everyone, the private key only to its owner.

Xiaohua thought about it and felt a little uneasy: what if Xiaohei was listening while she and her mother exchanged public keys? Xiaohua sends her public key xiaohua_pub to her mother, but Xiaohei intercepts it halfway and sends his own public key xiaohei_pub to Xiaohua's mother instead. Xiaohua's mother then encrypts her messages with Xiaohei's public key, and Xiaohei can decrypt them with his private key.

When her mother sends her own public key to Xiaohua, Xiaohei swaps that one too. Now Xiaohei holds the genuine public keys of both sides, while each side holds Xiaohei's key believing it to be the other's.

Xiaohei reads the message in which Xiaohua asks her mother to send money, tampers with it, and re-encrypts it with the genuine key before passing it on, so neither side notices anything.

Teacher Wang Daqiang listened to Xiaohua's doubts, gave her a thumbs-up, and said, "Don't worry, let me explain step by step."

The problem now is that the public keys are swapped by Xiaohei during the exchange, so the next thing to solve is how to send a public key to the other party safely.

This seems unsolvable, since the public keys always have to be transmitted; it looks like a chicken-and-egg problem. Then Xiaohua thought about her online shopping. She used to worry about paying first and the merchant running off without delivering, but with Taobao as a third party in between, and Alibaba being a big, trustworthy business, even if a merchant runs away she can turn to Taobao.

So there are a few, but very authoritative, certification authorities (CAs) that play this third-party role. Computers, browsers and so on establish a trust relationship with them by having the CA's public key installed in advance, so that key never has to be transmitted. The CA signs the binding between a name and a public key, producing a digital certificate; the receiver checks the signature with the pre-installed CA public key and then checks that the name inside is the party it meant to talk to. Xiaohei can swap the key inside a certificate, but he cannot produce the CA's signature over it, so the swap is detected.

While chatting, Xiaohua noticed that sending and receiving messages had become very slow, and found that the asymmetric encryption algorithm was taking the time. Xiaohua thought about it: the only drawback of symmetric encryption is that exchanging the key is troublesome, but it is very fast. So use asymmetric encryption to transmit the symmetric key, and once that key has been delivered, use symmetric encryption for the messages themselves.

At this point, do you understand how to ensure communication security?

Note from the official account Su Yan: HTTP is an application-layer protocol. HTTPS is not a new protocol; it is HTTP with an additional layer (TLS/SSL) underneath to secure the data in transit. Most implementations use OpenSSL, for example TLS in Node.

Conclusion

This article uses a story to introduce why HTTP is insecure and what supports HTTPS security behind the scenes: digital certificates, digital signatures, symmetric encryption and asymmetric encryption. Of course, theory alone is not enough; practice is needed to understand it properly. Keep at it, everyone.

If you like technology told as a story, check out my other post: How to Break the Red Line in Salary Discussion by Signature (Comic)

Recommended reading:

  • Day 11: I found the right posture to learn socket
  • I summarized the route of learning the front end