HTTPS protocol and network security

Source: Internet
Author: User
Tags: asymmetric encryption

HTTPS protocol
HTTPS (full name: Hypertext Transfer Protocol over Secure Socket Layer) is HTTP carried over a channel designed for security. HTTPS transmits data as ciphertext and uses port 443 by default; it inserts the SSL layer beneath HTTP, so the foundation of HTTPS security is SSL.

Experiment steps for configuring SSL for Tomcat

1. Use keytool to create or import the certificate required by the Web server.

1) keytool introduction (a tool that ships with the JDK for generating certificates)

Related commands

Use the keytool commands below in the DOS command window

-exportcert: export a certificate (bring a certificate out of the keystore)

-genkeypair: generate a key pair with its self-signed certificate (the password of the key entry, e.g. alias mykey, may be the same as the keystore password)

-genseckey: generate a secret key (identified by -alias)

-importcert: import an external certificate into the keystore

-importkeystore: transfer many entries at once from one keystore to another

-list: list all certificates in the keystore

-printcert: print a certificate

-storepasswd: change the keystore password (changeit by default)

Note: By default the keystore, and therefore all certificates, is placed under the home directory of the currently logged-in user.

2. Modify the server.xml file to add a Connector that supports SSL to Tomcat: uncomment the SSL Connector and adjust its parameters according to the information of the installed digital certificate.

Note: A Service element represents one service. For example, selling train tickets is one service and selling plane tickets is another. A Connector is equivalent to one sales channel under a service: tickets can be sold at railway station counters or at ticket websites. The Engine handles the internal work of ticketing: whichever channel a ticket request arrives through, the internal processing is always the same, and that is what the Engine does. The advantage of this design is its excellent scalability: to add online ticket sales you only add a new Connector for the online channel, and the Engine stays the same.

3. Write a JSP program that checks whether the access protocol is HTTPS and, if not, redirects the request to HTTPS.
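Step 3 implemented as a servlet Filter rather than a JSP page, as an added example that is not part of the original article. It assumes Tomcat 9 (the javax.servlet API) with the SSL Connector from step 2 listening on the default port 443 with secure="true", so that request.isSecure() reflects the protocol; the class and method names (RequireHttpsFilter, httpsLocation) are hypothetical.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical filter name; applies to every URL of the web application.
@WebFilter("/*")
public class RequireHttpsFilter implements Filter {
    // Port of the SSL Connector in server.xml (443 is the default chosen in step 2).
    private static final int HTTPS_PORT = 443;

    // Build the https:// URL the client is sent to; port 443 is implicit and omitted.
    static String httpsLocation(String host, String requestUri, String queryString) {
        StringBuilder url = new StringBuilder("https://").append(host);
        if (HTTPS_PORT != 443) {
            url.append(':').append(HTTPS_PORT);
        }
        url.append(requestUri);
        if (queryString != null && !queryString.isEmpty()) {
            url.append('?').append(queryString);
        }
        return url.toString();
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        // isSecure() is true only for requests that arrived through the SSL Connector.
        if (!request.isSecure()) {
            String method = request.getMethod();
            // Only GET and HEAD can be replayed safely after a redirect; refuse other methods over plain HTTP.
            if (!"GET".equals(method) && !"HEAD".equals(method)) {
                response.sendError(HttpServletResponse.SC_FORBIDDEN, "HTTPS required");
                return;
            }
            response.setStatus(HttpServletResponse.SC_MOVED_PERMANENTLY);
            response.setHeader("Location",
                    httpsLocation(request.getServerName(), request.getRequestURI(), request.getQueryString()));
            return;
        }
        chain.doFilter(req, res);
    }
}
```

A POST submitted over plain HTTP has already exposed its body, so the filter refuses it instead of redirecting, which a browser would replay as a GET without the body.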

Configure an SSL website in IIS
1). Create a certificate request file
After Certificate Services has been installed, you can create a certificate request file for the website that will use the SSL security mechanism. Click "Control Panel > Administrative Tools", run "Internet Information Services (IIS) Manager", expand the "Web Sites" directory in the manager window, right-click the website that is to use SSL, select "Properties", switch to the "Directory Security" tab (figure 1) of the "Web Site Properties" dialog box, and click "Server Certificate". In the "IIS Certificate Wizard" dialog box, select "New Certificate", click "Next", and select "Prepare certificate request now, but send it later". Name the certificate in the "Name" input box, then select the key length from the "Bit length" drop-down list. Set the organization, the organizational unit, the site's common name and its geographical information, and specify where the certificate request file is to be stored. This completes the creation of the certificate request file.
2). Apply for a server certificate
After completing the preceding settings, submit the request file you created to the certificate server. In the address bar of Internet Explorer on the server, enter "http://localhost/certsrv/default.asp". Open the request file, copy its content into the "Saved Request" input box on the Microsoft Certificate Services page, and click "Submit".
3). Issue the server certificate
Click "Control Panel > Administrative Tools" and run "Certificate Authority". Expand the tree in the main window, click "Pending Requests" (Figure 2), find the certificate you just requested, right-click it and select "All Tasks > Issue". After the certificate has been issued, click "Issued Certificates" in the tree and double-click the issued certificate. On the "Details" tab of the "Certificate" dialog box that appears, click "Copy to File"; the Certificate Export Wizard is displayed. Click "Next", specify the file name in the "File to Export" dialog box, and click "Finish".
4). Install the server certificate
Return to the "Directory Security" tab in IIS Manager and click "Server Certificate". In the "Pending Certificate Request" dialog box, select the "Process the pending request and install the certificate" option, click "Next", specify the location of the exported server certificate file, set the SSL port (keep the default 443), and click "Finish".
On the "Directory Security" tab, click the "Edit" button in the "Secure communications" section, select the "Require secure channel (SSL)" option and click "OK" to enable SSL.
Once the SSL website is configured, you only need to enter "https://<website domain name>" in Internet Explorer to access the website.



Network security knowledge

HTTPS is a secure communication channel. Therefore, we will first introduce the HTTPS protocol in detail, and then introduce some knowledge about network security.

1. Digital digests and the MD5/SHA algorithms

1) A digital digest converts a message of arbitrary length into a short message of fixed length. It behaves like a function that takes the message as its argument, that is, a hash function.

2) MD5 (Message-Digest Algorithm 5): the purpose of this function is to compress a large volume of information into a secure format before it is signed with a private key in digital signature software (that is, to convert a byte string of arbitrary length into a large integer of fixed size). MD2, MD4 and MD5 all take a message of arbitrary length and produce a 128-bit message digest. A typical application of MD5 is to generate a digest of a message in order to guard against tampering.

3) Use the MD5 algorithm to obtain a message digest

    import java.security.MessageDigest;

    public class MD5Test {
        public static void main(String[] args) throws Exception {
            // Obtain an MD5 digest instance from the JDK
            MessageDigest md = MessageDigest.getInstance("MD5");
            // Digest the bytes of the message "slx"; the result is always 16 bytes (128 bits)
            byte[] digest = md.digest("slx".getBytes());
            System.out.println(toHex(digest));
        }

        // Render each byte of the digest as two hexadecimal characters
        private static String toHex(byte[] buf) {
            StringBuilder sBuilder = new StringBuilder();
            for (int i = 0; i < buf.length; i++) {
                byte hi = (byte) ((buf[i] >> 4) & 0x0f);
                byte lo = (byte) (buf[i] & 0x0f);
                sBuilder.append(Character.forDigit(hi, 16)).append(Character.forDigit(lo, 16));
            }
            return sBuilder.toString();
        }
    }

A small application: many websites activate registrations through email, and the activation codes are mostly derived with the MD5 algorithm.

4) SHA (Secure Hash Algorithm) is a family of cryptographic hash functions designed by the National Security Agency (NSA) and published by the National Institute of Standards and Technology (NIST). SHA-0 and SHA-1 produce a 160-bit digest from a message of at most 2^64 bits, and are built on principles similar to the MD4 and MD5 message digest algorithms designed by MIT professor Ronald L. Rivest.

2. Symmetric encryption and asymmetric encryption

Symmetric algorithms are those in which the encryption and decryption processes are symmetric: the same key that encrypts the data also decrypts it. Symmetric encryption algorithms are characterized by a public algorithm, a small amount of computation, fast encryption and high efficiency. The disadvantage is that both parties use the same key, so its secrecy cannot be guaranteed. In addition, every pair of users needs its own key that nobody else knows, so the number of keys held by the parties grows geometrically and key management becomes a burden on users. Symmetric encryption algorithms are therefore difficult to use in distributed network systems, mainly because of the difficulty of key management and the high cost of use. Symmetric algorithms widely used in private computer networks include DES, IDEA and AES.

An asymmetric encryption algorithm uses two keys, a public key and a private key, that are completely different yet exactly matched. When a file is encrypted with an asymmetric algorithm, only the matching pair of public and private keys can encrypt and decrypt it: the public key encrypts the plaintext and the private key decrypts the ciphertext. The sender (the encrypting party) knows the recipient's public key, and only the recipient (the decrypting party) knows his or her own private key. The basic principle is that if the sender wants to send a message that only the recipient can read, the sender must first obtain the recipient's public key and encrypt the original text with it; on receiving the ciphertext, the recipient decrypts it with his or her own private key. Clearly, with an asymmetric algorithm the recipient must send the public key of a freshly generated key pair to the sender before communicating, while keeping the private key. Because asymmetric algorithms have two keys, they are particularly suitable for data encryption in distributed systems. Widely used asymmetric algorithms include RSA, and DSA, which was proposed by the US National Bureau of Standards.

For example, suppose I have a file that nobody else may read; I encrypt it with key 1. Someone else finds the file but does not know that key 2 is the private key that decrypts it, so they cannot decrypt it. Only I can use key 2, my private key, to decrypt it, and in this way I protect my data. My good friend Bob uses my public key 1 to encrypt the character a into b and puts b online. Someone else steals the file but cannot decrypt it, because that person does not know that 2 is my private key. Only I can decrypt it, and after decryption I get a. In this way we can transmit encrypted data.

Knowledge: principles of public and private keys

- A public key corresponds to exactly one private key.

- Of the key pair, the key that is made known to everyone is the public key; the key that is not disclosed and that only you know is the private key.

- If one of the keys is used to encrypt data, only the corresponding other key can decrypt it.

- If one of the keys can decrypt the data, the data must have been encrypted with the corresponding other key.
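The key-1/key-2 example and the four principles above, worked through with the JDK's built-in RSA as an added example that is not part of the original article. Key "1" is the public key and key "2" the private key; the algorithm names (RSA-OAEP for encryption, SHA256withRSA for signing, which digests the message before applying the private key) and the class name KeyPairDemo are this example's own choices.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.Arrays;
import javax.crypto.*;

public class KeyPairDemo {
    private static final String RSA_ENC = "RSA/ECB/OAEPWithSHA-256AndMGF1Padding";

    // Principle 3: encrypt with the recipient's public key ("1"); only the private key ("2") decrypts.
    static byte[] encryptForRecipient(PublicKey pub, byte[] plain) throws GeneralSecurityException {
        Cipher c = Cipher.getInstance(RSA_ENC);
        c.init(Cipher.ENCRYPT_MODE, pub);
        return c.doFinal(plain);
    }

    static byte[] decryptAsRecipient(PrivateKey priv, byte[] cipherText) throws GeneralSecurityException {
        Cipher c = Cipher.getInstance(RSA_ENC);
        c.init(Cipher.DECRYPT_MODE, priv);
        return c.doFinal(cipherText);
    }

    // Principle 4 in the other direction: the SHA-256 digest is transformed with the private key (a signature);
    // anyone holding the public key can verify it, proving who signed and that the message was not altered.
    static byte[] sign(PrivateKey priv, byte[] msg) throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(priv);
        s.update(msg);
        return s.sign();
    }

    static boolean verify(PublicKey pub, byte[] msg, byte[] sig) throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initVerify(pub);
        s.update(msg);
        return s.verify(sig);
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair mine = gen.generateKeyPair(), other = gen.generateKeyPair(); // "other" plays the intruder
        byte[] a = "a".getBytes(StandardCharsets.UTF_8);
        byte[] b = encryptForRecipient(mine.getPublic(), a);                 // Bob's ciphertext "b"
        System.out.println("I recover a: " + Arrays.equals(a, decryptAsRecipient(mine.getPrivate(), b)));
        try { decryptAsRecipient(other.getPrivate(), b); }                   // wrong private key
        catch (GeneralSecurityException e) { System.out.println("wrong private key: cannot decrypt"); }
        byte[] sig = sign(mine.getPrivate(), a);
        System.out.println("signature verifies: " + verify(mine.getPublic(), a, sig));
        System.out.println("tampered message verifies: " + verify(mine.getPublic(), "A".getBytes(StandardCharsets.UTF_8), sig));
    }
}
```

Expected output when run: a is recovered, the intruder's private key fails with a padding error, the genuine signature verifies and the tampered message does not.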
