Security basics

Let’s first look at three representative problems that can occur when data is transmitted over the Internet. All of the methods introduced later exist to solve these three problems.

  • eavesdropping
  • forgery
  • denial

Symmetric key encryption

Suppose A is sending data to B over the Internet. If the data is not encrypted, it can be read by a malicious third party X.

Therefore, data that needs to be kept secret must be encrypted before it is sent.

  • A uses a key to encrypt the data into ciphertext
  • A sends the ciphertext to B
  • B uses the same key to decrypt the ciphertext received from A and recovers the original data
  • Because the data is encrypted, it stays secret even if it is intercepted by a malicious third party

A very important feature of symmetric key encryption is that the same key is used for both encryption and decryption.

Going back to the previous scenario, suppose that B does not yet have the key, so A needs to send the key to B over the Internet.

  • But X might see this key too
  • As a result, X can also use this key to decrypt the ciphertext

This scenario leads to a new problem, called the “key delivery problem”. How can it be solved?

Public-key encryption

To solve the “key delivery problem”, we introduce a new method: “public key encryption”. The following figure shows its main features.

  • The key used for encryption is called a “public key” and the key used for decryption is called a “private key”
  • Compared with symmetric key encryption, public key encryption usually requires more time for encryption and decryption

Let’s take a look at the whole process of public-key encryption.

Recipient B creates a public key and a private key, and sends the public key to A

  1. A uses the public key received from B to encrypt the data and sends the ciphertext to B
  2. B uses the private key to decrypt the ciphertext received from A and obtains the original data

In this process:

  • The ciphertext and the public key may also be intercepted by a malicious third party X
  • But the private key is kept by B; without it, X has no way to decrypt the ciphertext
  • This solves the key delivery problem

Problems with public-key encryption

  1. Both encryption and decryption take time; a method called “hybrid encryption” addresses this problem
  2. The reliability of the public key (whether it really belongs to B) cannot be confirmed

Hybrid encryption

Hybrid encryption is divided into two steps:

  1. The symmetric key is delivered using public-key encryption
  2. The data is transmitted using the faster symmetric-key encryption

Man-in-the-middle attack

To better understand the reliability problem of public keys, let’s return to the scenario in which the public key is delivered.

A actually received a fake public key that X sent, but A was unaware of it.

Finally, X encrypts the response data with his own key and sends it to A. In this way, although A and B can complete their communication, the malicious third party X can read the decrypted request and response data without A or B knowing.

This method of stealing data by secretly replacing the public key is known as a “man-in-the-middle attack”, and the root of the problem is that A cannot confirm that the public key it received was created by B. How do you avoid man-in-the-middle attacks? We’ll cover that in the section on digital certificates; first, a few more basics.

Message authentication code

A message authentication code (MAC) can be understood as a hash value computed over the key and the ciphertext together.

Although a message authentication code solves the forgery problem, it still cannot avoid the denial problem: because A and B share the same key, either of them could have produced the MAC, so it cannot prove that A was the sender.

Digital signature

To solve this denial problem, let’s look at the “digital signature” approach.

Digital certificate

Although the methods above can avoid eavesdropping, forgery, denial and similar problems, they still cannot avoid the “man-in-the-middle attack”, because there is still no way to verify the owner of a public key. For that we need a “digital certificate” system, which verifies who owns a public key.

Next, we first look at the process of applying for a digital certificate; the organisation that issues it is called a Certificate Authority (CA).

Now that B has applied for a digital certificate, how is the certificate used to verify that the public key PB belongs to B?

PB can now be verified as belonging to B, but how do you verify that PC belongs to the trusted CA?

In fact, certificate authorities form a tree structure: a higher-level authority creates the certificate for the lower-level authority, so verifying a certificate means checking each level in turn up the chain. The chain ends at the Root CA, which signs its own certificate, and the Root CA’s signature is trusted unconditionally.

HTTPS

Having understood the above, HTTPS is easy to understand: it uses the two technologies just described, “hybrid encryption” and “digital certificates”, to make the whole communication process secure and reliable.

What HTTPS does is add an SSL/TLS layer between the transport layer and the application layer, which encrypts and decrypts the data carried over TCP.

Here’s another look at the detailed workflow

Implement a man-in-the-middle proxy server with Node

Now that we understand HTTPS and digital certificates, we are ready to implement a man-in-the-middle server. Here is a link showing how to implement a man-in-the-middle server with Node