preface

After the TCP/IP interview, please read the following

Pay attention to the public account, communicate together, wechat search: sneak forward

Interviewer: HTTPS what is the authentication encryption process and how does it guarantee that the content will not be tampered with

  • Friend: 1. HTTPS is based on TCP. The client initiates the establishment of a link with the server
  • Friend: 2, the server will then return its certificate to the client, including the public key S.pub, the issuing authority, and the validity period
  • Friend: 3. You can verify the validity of the certificate through the built-in root certificate of the browser (including C.pub)
  • Friend: 4. The client generates a random symmetric encryption key Z and sends it to the server through the server’s public key S.pub
  • Friend: 5, the client and server use the symmetric secret key Z to encrypt data for HTTP communication

Interviewer: How does the certificate guarantee that the issued certificate is safe and valid

  • Friend: 1- the server will pre-generate asymmetric encryption keys, the private key s.pri keeps itself; The public key S.pub is sent to the CA for signature authentication
  • Friend: 2-CA also generates an asymmetric encryption key, whose private key C.pri is used to sign the server’s public key S.pub to generate a CA certificate
  • Friend: 3- THE CA organization will return the CA certificate generated by the signature to the server, that is, the server gave the client the certificate
  • Friend: 4- Because the CA(certificate authority) is authoritative, many browsers have a built-in certificate that contains its public key (C.pub), called the root certificate. You can then use the root certificate to verify that it issued the certificate

Interviewer: What if there is an infinite nesting situation and the root certificate is tampered with?

  • Friend: No solution. This requires that the CA root certificate is correct. If you do not manually modify the local root certificate, it is ok

Interviewer: You speak a little fast. Draw a picture

  • Friend: HTTPS encryption process

  • Friend: The process for the server certificate to be authenticated by the CA is as follows

Interviewer: You mentioned earlier that CA organizations use keys to sign, sign, and encrypt the public keys of the server. What do you think

  • Friend: When using asymmetric encryption algorithms, a signature is used to indicate the encryption process using a private key
  • Friend: If data is encrypted with a public key, it is encrypted
  • Friend: If a private key is used to encrypt data, it is called a signature

Interviewer: What is a CA certificate?

  • Friend: THE CA certificate is to ensure that the public key of the server is correct and has not been modified
  • Friend: Certificates usually contain (1) the public key of the server; (2) Digital signature of certificate by certificate issuer (CA); (3) the signature algorithm used by the certificate; (4) Certificate issuing authority, validity period, owner information and other information

Interviewer: You mentioned that HTTPS uses encryption algorithms. What are the types of encryption algorithms? Tell me

  • Friend: Encryption algorithms fall into three categories: one-way encryption, symmetric encryption algorithm and asymmetric encryption algorithm

Interviewer: What’s the difference between symmetric and asymmetric encryption

  • Friend: When symmetric encryption is used, both encryption and decryption use the same key; Asymmetric encryption requires two keys. Public key encryption requires private key decryption, and private key encryption requires public key decryption. Cannot encrypt private key, decrypt private key

Interviewer: What types of algorithms are MD5, SHA, Base64 and RSA, symmetric or asymmetric?

  • Friend: MD5 and SHA, known as digest algorithms, can be classified as one-way encryption algorithms. The digest information calculated by them cannot be reversely restored to the original data
  • Friend: RSA is an asymmetric encryption algorithm
  • Friend: Base64 isn’t really an encryption algorithm, it’s more of a data encoding method

Interviewer: What HTTP client tool classes have you used?

  • Friends: Apache’s CloseableHttpClient, JDK9’s httpClient, and Spring clould’s Ribbon and Feign

Interviewer: Have you encountered any problems using HTTPS certificates? If so, what are the problems?

  • Friend: Of course, there was a time when a custom certificate was loaded using apache-HttpClient (without CA authentication), and the test server threw a certificate that could not be trusted, while running it locally
  • By default, the certificate was added to the root certificate. However, the root certificate directory of the test server JRE (/lib/security/cacerts) does not have the certificate, and the certificate stored in the project resource does not take effect

Interviewer: Oh, how did you solve it

  • Friend: Three solutions. 1- Rewrite the TrustManager to unconditionally trust the certificate. 2- Add the certificate to the root certificate directory of the JRE. 3- The CA is authenticated

Interviewer: Network data capture packet understanding not

  • Friend: On Linux, you can use the tcpdump command to capture TCP request data packets and output the captured data to a file. The Wireshark software can then be used to load TCP data files on Windows, which provides interface analysis

Interviewer: Well done, let’s change the subject and talk about mysql transaction….

  • Friend: Yes, I know something about business…

Welcome to correct the errors in the article (the story is pure fiction, if any similarities are pure coincidence)

Refer to the article

  • Illustrate HTTPS setup
  • What are abstracts, signatures, and digital certificates?
  • What is a digital signature?