Data security (MD5), HTTPS, detecting network status

Source: Internet
Author: User

First, data security

1. Submitting the user's privacy data
Always use a POST request to submit the user's privacy data
All parameters of a GET request are exposed directly in the URL
The requested URL is typically recorded in the server's access log
Server access logs are one of the key targets of hacker attacks

User's privacy data
Login Password
Account
... ...

2. Data security
Simply submitting the user's privacy data with a POST request still does not fully solve the security problem
Software such as Charles can be set up as a proxy server to intercept and view the request data sent from the phone
Therefore: the user's privacy data must never be submitted in plaintext; encrypt it first, then submit it

Common cryptographic algorithms
MD5 \ SHA \ DES \ 3DES \ RC2 and RC4 \ RSA \ IDEA \ DSA \ AES

Selection of cryptographic algorithms
Companies generally have their own encryption scheme; encrypt according to the requirements of the company's interface documents

3. MD5
What is MD5
The full name is Message Digest Algorithm 5, that is, the fifth version of the message-digest algorithm
Effect: Generates a unique 128-bit hash value (32 hexadecimal characters) for the input information

Features of MD5
Two different plaintext inputs do not produce the same output value
The original plaintext cannot be obtained from the output value, i.e. the process is irreversible

Application of MD5
Because the MD5 algorithm has good security and is free, it is widely used
It is mainly used for digital signatures, file integrity verification, password encryption and similar purposes

But MD5 is not absolutely safe.

A back-end database can look up the real value that corresponds to a digest from its records
MD5 decryption website: http://www.cmd5.com

4. Security procedures for submitting private data – Registration


5. Security process for submitting private data – Login

Conclusion
The user's privacy data is in plaintext only at the moment the user enters it; in every other case it is handled as ciphertext

6. MD5 improvement
MD5 is no longer absolutely safe, so it can be improved slightly to make decryption more difficult
Add salt: insert a random string at a fixed position in the plaintext before applying MD5
Encrypt first, then shuffle: apply MD5 to the plaintext first, then scramble the order of the characters of the resulting MD5 string
... ...
In short, the purpose is that even if the database is compromised, hackers cannot recover the correct plaintext
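
The lookup risk from section 3 and the salting step above, as an added example that is not code from the original page: a constructed five-word list stands in for a lookup site's records. The function names, the insertion position (3) and the 16-byte salt length are assumptions made for the illustration, and it is written in Python so it runs off-device.

```python
import hashlib
import secrets

# Constructed sample data: a tiny wordlist standing in for the large
# digest -> plaintext records that a lookup site keeps.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein", "iloveyou"]
SALT_POSITION = 3  # assumed fixed insertion point for the salt

def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def build_lookup_table(words):
    """Map digest -> plaintext, the way a lookup service indexes its records."""
    return {md5_hex(w): w for w in words}

def new_salt() -> str:
    """Random per-user salt, stored next to the digest in the user record."""
    return secrets.token_hex(16)

def salted_md5(password: str, salt: str, position: int = SALT_POSITION) -> str:
    """Insert the salt at a fixed position of the plaintext, then MD5 it."""
    pos = min(position, len(password))
    return md5_hex(password[:pos] + salt + password[pos:])

def verify(password: str, salt: str, stored_digest: str) -> bool:
    """Login check: recompute with the stored salt, compare in constant time."""
    return secrets.compare_digest(salted_md5(password, salt), stored_digest)

def demo():
    table = build_lookup_table(COMMON_PASSWORDS)
    salt_a, salt_b = new_salt(), new_salt()
    digest_a = salted_md5("123456", salt_a)
    digest_b = salted_md5("123456", salt_b)
    return {
        # Plain MD5 of a common password is found in the table immediately.
        "unsalted_recovered": table.get(md5_hex("123456")),
        # The salted digest is not in any table built without the salt.
        "salted_recovered": table.get(digest_a),
        # Two users with the same password no longer share a digest.
        "same_password_same_digest": digest_a == digest_b,
        "login_ok": verify("123456", salt_a, digest_a),
        "wrong_password_ok": verify("1234567", salt_a, digest_a),
    }

if __name__ == "__main__":
    print(demo())
```
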


Second, HTTPS

1. Introduction
HTTPS (full name: Hyper Text Transfer Protocol over Secure Socket Layer) is an HTTP channel designed for security; put simply, it is the secure version of HTTP. An SSL layer is added beneath HTTP. SSL is the security foundation of HTTPS, so the details of the encryption are handled by SSL. HTTPS is a URI scheme (abstract identifier system) with syntax similar to the http: scheme, used for secure HTTP data transfer. An https: URL indicates that HTTP is used, but HTTPS has a different default port from HTTP and an encryption/authentication layer (between HTTP and TCP). The system was originally developed by Netscape and built into its browser, Netscape Navigator, to provide an authenticated and encrypted method of communication. It is now widely used for security-sensitive communication on the World Wide Web, such as transaction payments.

2. History
Netscape created HTTPS in 1994 and used it in the Netscape Navigator browser. Initially, HTTPS was used with SSL; after SSL evolved into TLS, the latest HTTPS was formally specified by RFC 2818, released in May 2000.
It was developed by Netscape and built into its browser to encrypt and decrypt data and to return the results sent back over the network. HTTPS actually applies Netscape's Secure Sockets Layer (SSL) as a sub-layer of the HTTP application layer. (HTTPS uses port 443, rather than port 80 as HTTP does, to communicate with TCP/IP.) SSL uses a 40-bit key for the RC4 stream encryption algorithm, which is appropriate for the encryption of business information. HTTPS and SSL support the use of digital certificate authentication, and if necessary, the user can confirm who the sender is. [1]
In other words, it has two main functions: one is to establish a secure information channel that protects data in transit, and the other is to confirm the authenticity of the website. For any site that uses HTTPS, you can click the lock icon in the browser address bar to view the site's verified identity information, or check it through the security seal issued by the CA [2].

3. The difference between HTTPS and HTTP
The Hypertext Transfer Protocol (HTTP) is used to pass information between a Web browser and a Web server. HTTP sends content in plaintext and provides no data encryption of any kind. If an attacker intercepts the messages exchanged between a Web browser and a Web server, the attacker can read the information directly, so HTTP is not suitable for transmitting sensitive information such as credit card numbers and passwords.
To address this flaw in HTTP, a different protocol is needed: HTTPS, the Hypertext Transfer Protocol over Secure Sockets Layer. For the security of data transmission, HTTPS adds the SSL protocol on top of HTTP. SSL relies on a certificate to verify the identity of the server and encrypts the communication between the browser and the server.
The main differences between HTTPS and HTTP are the following four points:
First, HTTPS requires applying to a CA for a certificate; free certificates are rare, so a fee is generally required.
Second, HTTP is the Hypertext Transfer Protocol and transmits information in plaintext; HTTPS is a secure transfer protocol encrypted with SSL.
Third, HTTP and HTTPS use completely different connection methods and different ports: the former uses 80, the latter 443.
Fourth, an HTTP connection is very simple and stateless; HTTPS is a network protocol built from SSL + HTTP that provides encrypted transmission and authentication, and it is more secure than HTTP.

4. HTTPS implementation principle

// Called whenever an HTTPS URL is accessed.
// This method handles the certificate returned by the server; in it you tell the
// system whether to install (trust) the certificate returned by the server.
// NSURLAuthenticationChallenge: the authentication challenge
//   + protectionSpace: the protection space
//   + the type of certificate returned by the server
- (void)URLSession:(NSURLSession *)session didReceiveChallenge:(NSURLAuthenticationChallenge *)challenge completionHandler:(void (^)(NSURLSessionAuthChallengeDisposition, NSURLCredential *))completionHandler
{
    // NSLog(@"didReceiveChallenge");
    // NSLog(@"%@", challenge.protectionSpace.authenticationMethod);

    // 1. Get the certificate type from the protection space returned by the server
    // 2. Check whether this is a server-trust challenge
    if ([challenge.protectionSpace.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust]) {
        NSLog(@"is a certificate that the server trusts");

        // 3. Create a credential from the protection space returned by the server
        // The completionHandler block of the delegate method takes two parameters:
        //   first parameter: how the certificate is handled
        //   second parameter: which certificate (credential) to use
        NSURLCredential *credential = [NSURLCredential credentialForTrust:challenge.protectionSpace.serverTrust];

        // 4. Install the certificate
        // Caveat: the server trust is used as-is, without being evaluated, so any
        // certificate the server presents is accepted.
        completionHandler(NSURLSessionAuthChallengeUseCredential, credential);
    } else {
        // Every other challenge type must still call the handler, or the request hangs
        completionHandler(NSURLSessionAuthChallengePerformDefaultHandling, nil);
    }
}

Third, detect network status
1. Detecting network status
In a network application, the network status of the user's device needs to be monitored in real time, in order to:
Let users know their network status and prevent misunderstandings (such as thinking the application itself is at fault)
Handle things intelligently based on the user's network status, saving the user's data traffic and improving the user experience
Wi-Fi/3G network: automatically download HD images
Low-speed network: download thumbnails only
No network: show only cached offline data

Apple officially provides a sample program called Reachability, which allows developers to detect network status
https://developer.apple.com/library/ios/samplecode/Reachability/Reachability.zip

2. Reachability
Steps for using Reachability
Add the framework SystemConfiguration.framework


Add source code

Include header file
#import "Reachability.h"

3. Common usage of Reachability

// Whether Wi-Fi is available
+ (BOOL)isEnableWiFi
{
    return ([[Reachability reachabilityForLocalWiFi] currentReachabilityStatus] != NotReachable);
}

// Whether 3G is available
+ (BOOL)isEnable3G
{
    return ([[Reachability reachabilityForInternetConnection] currentReachabilityStatus] != NotReachable);
}

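4. Network monitoring

// Register for reachability-change notifications, then start the notifier.
// networkStateChange is a placeholder name for your own handler method.
[[NSNotificationCenter defaultCenter] addObserver:self selector:@selector(networkStateChange) name:kReachabilityChangedNotification object:nil];
self.netReachability = [Reachability reachabilityForInternetConnection];
[self.netReachability startNotifier];

- (void)dealloc
{
    // Stop the notifier and unregister the observer
    [self.netReachability stopNotifier];
    [[NSNotificationCenter defaultCenter] removeObserver:self name:kReachabilityChangedNotification object:nil];
}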
