In iOS development, how to handle the network encryption this piece? [Detailed personal analysis]

The company's interface generally will be two kinds of protocol, an HTTP, an HTTPS, HTTP as long as the request, the server will respond, if we do not encrypt the request and response, all information will be detected hijacked, is very insecure, client-side encryption can be used in this set of tool class for processing.

Introduction

The company's interface generally will be two kinds of protocol, an HTTP, an HTTPS, HTTP as long as the request, the server will respond, if we do not encrypt the request and response, all information will be detected hijacked, is very insecure, client-side encryption can be used in this set of tool class for processing.

However, the service should be placed on HTTPS at all times, because it avoids the problem of man-in-the-middle attacks, and also comes with an encrypted channel based on an asymmetric key.

HTTPS interaction principle

Jiang said that HTTPS is the HTTP protocol with a layer of SSL protocol encryption processing, SSL certificate is to adhere to the SSL protocol, by a trusted digital certification authority CA (such as Globalsign,wosign), issued after verifying the server identity, it is necessary to spend money, The issued certificate is generally placed at the root of the server as a public key, which facilitates client requests to be returned to the client, and the private key is stored in the server's internal center for decrypting the public key.

HTTPS client-to-server interaction process:

1) The client sends the request, the server returns the public key to the client;

2) The client generates a symmetric encryption key, which is encrypted with the public key and returned to the server;

3) After receiving the server, using the private key to unlock the symmetric encryption key, save;

4) Subsequent interactions are interacted using data that is symmetric and encrypted.

Certificate

Simply put, there are two kinds of certificates, one is serious:

Certificate issued by CA

One is not serious:

Generate a signed certificate yourself

What we need to do

If you encounter a serious certificate, we directly with afnetworking directly request, afnetworking internal help us encapsulate the HTTPS request way, but most of the company interface is not serious certificate, then we need to do the following steps:

1) Drag the server's public key certificate into Xcode

2) Modify the validation mode

Manager.securitypolicy = [Afsecuritypolicy Policywithpinningmode:afsslpinningmodepublickey];

Principle

Simply put, you could have modified the AFN setting to allow the client to receive any certificate from the server, but the problem is that you can't verify that the certificate is your server's back-end certificate, giving the man-in-the-middle attack, that is, by redirecting the route to analyze the forgery your server has opened the door.

Afsecuritypolicy *securitypolicy = [Afsecuritypolicy defaultpolicy];

Securitypolicy.allowinvalidcertificates = YES;

Workaround

Afnetworking is to allow the embedded certificate, through the embedded certificate, afnetworking through the server-side certificate, embedded certificate, the site domain name is consistent to verify that the server is correct. Because CA certificate validation is verified by the site domain name, this is most convenient if your server backend has a domain name bound to it. Turn your server-side certificate, if it is in PEM format, to the CER format with the following command

OpenSSL x509-in < Your server certificate >.pem-outform der-out server.cer

Then the generated server.cer file, if there is a self-built CA, plus the CA's CER format certificate, introduced into the app bundle, afnetworking in

Afsecuritypolicy *securitypolicy = [Afsecuritypolicy afsslpinningmodecertificate];

Or

Afsecuritypolicy *securitypolicy = [Afsecuritypolicy Afsslpinningmodepublickey];

, the bundle is automatically scanned. CER file and introduced so that you can verify the uniqueness of the server by self-visa books.

Afsecuritypolicy three types of authentication modes

Afsslpinningmodenone

This mode means no SSL pinning,

Verify the certificate returned by the server in the system's trust authorities list just like the browser. If the certificate is issued by a trust authority, it will pass, if the certificate generated by its own server will not pass.

Afsslpinningmodecertificate This mode means that the certificate is validated by the certificates binding, the client is required to save a copy of the certificate of the server, there are two steps to verify the certificate, the first step to verify the domain name validity and other information, The second step is to compare whether the certificate returned by the server is consistent with the return of the client.

Afsslpinningmodepublickey

This mode is also verified by the certificate binding method, the client must have a copy of the certificate of the server,

Only verify the public key in the certificate, do not verify the validity of the certificate, and other information. As long as the public key is correct, it ensures that the communication is not bugged because the middleman does not have a private key and cannot unlock data that is encrypted with the public key.

In iOS development, how to handle the network encryption this piece? [Detailed personal analysis]