Dongdong wants to visit xx website, the underlying network is set up:

The link layer physically links networks together.

The network layer can navigate from hosts in the East to hosts on the XX server based on IP routing rules.

The transport layer transfers data from the browser process of Dongdong to the XX server process of the server.

The application layer then parses the HTTP content and does different processing and presentation.

Based on the infrastructure of these networks, Dongdong can visit the XX website he likes to see.

But dongdong want to store some of their own data on xx website, that has to add a own identity bar, that is, the user name, but also have to add a password to prove that this is their own.

The process of creating the identity is registration, and the process of proving that the identity is its own is login.

But after a period of time, dongdong found that something was wrong, how did the little wang next door know that he saw xx website?

He must have lost track of something, or seen my username or password, or seen what I was accessing.

What to do?

Encryption!

I’ll put it in a box and lock it and pass it along, and there’s a key that opens it. No one can read the content without a key. This type of key is called a symmetric key.

But how do you pass the key without anyone knowing?

Dongdong was immersed in thought.

At this time, Guangguang introduced him to a magical lock. This lock is unlocked and unlocked using different keys, called asymmetrical keys, said to solve the problem.

Dongdong thought for a while, right, if unlock unlock unlock with different key, that XX server just give me a key, I put the content in, only he can unlock.

This solves the problem of symmetric key transfer, which can then be used for encrypted communication.

It was later learned that this encryption technique, called RSA, could generate two keys.

Leave one key behind and one public.

You leave your own key, called a private key.

A public key that is available to everyone is called a public key.

In public key encryption, only the private key can be decrypted, and in private key encryption, only the public key can be decrypted.

Because the public key is public, someone else encrypts it and only I can decrypt it, which is called encryption.

The private key is something that only I have, and I encrypt it, and everyone else can reveal it, but everyone knows I encrypted it, and prove my identity, and that’s called a signature.

Encryption and signatures are used to solve different problems.

Back to dongdong’s question, there are so many locked boxes and public keys in the world, how do I know this box and public key is given to me by XX server?

If only there were an authority that could authenticate public keys.

This body, called a CA, is used to authenticate public keys. A public key authenticated by this body is called a digital certificate.

Now dongdong has saved which CA he trusts on his computer, and when he visits XX website, he will get its digital certificate. By comparison, it is issued by the CA I trust. Well, we’ll just pass him the symmetric key, and then we’ll use the symmetric key to encrypt our messages.

After that, Dongdong will be able to visit xx website happily without worrying about the snooping of xiao Wang next door.

Take a look at the techniques:

The core RSA algorithm for asymmetric encryption can generate two keys, which are used as public and private keys for encryption and signature. In this way, symmetric keys are transferred and information is encrypted and transmitted. The public key also needs to be authenticated. This one is made by the CA, and that one is stored in the computer by a trusted organization. The public key they authenticate is called a digital certificate.

At what layer of the network is this technology?

Process-to-process encrypted transmission, obviously at the transport layer, is called SSL. After the release of version 1.0, 2.0, 3.0, I found a bug, and later fixed it. I felt that the change was relatively large, so I changed the name to TSL.

The next level is HTTP for accessing web content.

So this secure communication is SSL + HTTP or TLS + HTTP or HTTPS.

CA certificates can also be called HTTPS digital certificates, SSL digital certificates, TLS digital certificates, and so on.

Later dongdong did a programmer, not only through the web page to browse xx website pages, but also to link to the server to execute some scripts, a lot of professional.

And visit xx website, the same login, that can also use HTTPS?

No, not every website to find CA authentication again, otherwise so many internal servers, authentication side to access it?

So to simplify things, xx server gives me the public key directly and lets me choose whether to trust it or not:

So AS long as I trust the public key can prove that it is XX server, and then pass the user name and password, there verification, you can log in the server. This is called the SSH protocol.

It doesn’t look much different from HTTPS, except that public keys don’t require CA authentication.

This is not enough, every time I have to input a user name password more trouble, how can not input a password to prove my identity?

Dongdong think of RSA private key can be used to sign, that I put the public key to XX server, through the private key encryption of a random content, he can unlock is not to prove that I am me?

Therefore, dongdong improved SSH protocol. Instead of trusting the server’s public key and passing the user name and password, the server returned a random number. I used my private key to encrypt this random number (that is, to sign a name), and if I could unlock it, I would prove that I was myself.

Private key signature can achieve the purpose of proof of identity, then use what username password, but also more secure.

In this way, dongdong can avoid secret login XX server to execute various commands.

Just at the beginning of the need to generate public and private keys in the local, the public key to tell xx website on the line.

Recall that HTTS and SSH have been used along the way, although both are based on public and private keys, but there are some differences:

  • HTTPS orientation is an ordinary user, they are using a username and password authentication status, only need a browser that digital certificate, you can get a symmetric key and then encrypt data communication, for ordinary users, just in your browser’s address bar a little more keys icon, the other can’t feel.

  • SSH is aimed at professional users, they can not only through the user name and password authentication, but also through a set of public and private key authentication, and there are many servers, do not need CA authentication, hit the console to have a look. Using a private key to sign instead of a user name password, but also can be encrypted login.

In fact, there are two differences: one is whether the public key is authenticated by CA, and the other is whether the user name and password are used to authenticate the identity.

Of course, they are used for different purposes, one is the safety of web browsing, one is the remote execution of commands.

HTTPS and SSH develop into different protocols based on the public and private key mechanism of RSA because of their different orientations. Dongdong has also grown from an ordinary computer user to a professional programmer.