In iOS development, how does one deal with network encryption? [Personal analysis], ios development

Source: Internet
Author: User
Tags: openssl, x509


Introduction

Back-end APIs generally use one of two protocols: plain HTTP or HTTPS. The server answers whatever request reaches it, so if requests and responses are not encrypted, everything in them can be sniffed and hijacked on the way, which is very insecure. This note covers what the client side needs to do about it.

In any case the service should always be deployed over HTTPS: it prevents man-in-the-middle attacks and provides an encrypted channel whose session key is established with asymmetric (public-key) cryptography.

HTTPS interaction Principle

A short answer: HTTPS is HTTP carried over SSL/TLS, which adds encryption to the HTTP exchange. An SSL certificate is an X.509 certificate that follows the SSL/TLS standard and is issued by a trusted Certificate Authority (CA, for example GlobalSign or WoSign) after the CA has verified the identity of the server's operator. The issued certificate contains the server's public key; it is installed on the server and sent to every client that connects. The private key never leaves the server, and only it can decrypt what was encrypted with the public key.

The interaction between an HTTPS client and server, in its simplest (RSA key exchange) form:

1) the client sends a request and the server returns its certificate, which carries the public key;

2) the client checks the certificate, generates a random symmetric session key, encrypts it with the server's public key and sends it back;

3) the server decrypts that message with its private key, obtains the symmetric key and keeps it;

4) all subsequent traffic is encrypted with the symmetric key.

This is the classic RSA key transport; current TLS versions derive the session key from an ephemeral Diffie-Hellman exchange and use the certificate's key only to authenticate the server. Either way, step 2 is where certificate checking happens, and it is the step the rest of this article is about: if the client accepts any certificate, a man in the middle can present his own key pair and read everything.

Certificate

In short, there are two types of certificates:

One issued by a CA (the "serious" kind);

And one that is not serious: a self-signed certificate that you generate yourself.

What do we need to do

If the server has a serious (CA-issued) certificate, we can make the request directly with AFNetworking, which wraps HTTPS handling for us. But most corporate back ends use certificates that are not serious (self-signed), and then we need the following steps:

1) drag the server's public key certificate (a DER-encoded .cer file) into the Xcode project so that it ends up in the app bundle;

2) change the verification mode:

manager.securityPolicy = [AFSecurityPolicy policyWithPinningMode:AFSSLPinningModePublicKey];

Note that AFSecurityPolicy still runs the system trust evaluation before it compares the pin, so for a self-signed certificate you must also set manager.securityPolicy.allowInvalidCertificates = YES; it is then the pinned key, not the system trust store, that identifies the server.

Principle

Put simply, you can change the AFN settings so that the client accepts any server certificate. The problem is that then nothing verifies that the certificate belongs to your own back end, which opens the door to man-in-the-middle attacks: an attacker who can redirect your traffic presents a forged certificate and can read and modify everything. Turning off domain-name checking with validatesDomainName = NO has the same weakness. This is the insecure configuration:

AFSecurityPolicy *securityPolicy = [AFSecurityPolicy defaultPolicy];

securityPolicy.allowInvalidCertificates = YES; // accepts any certificate; never ship this without pinning

Solution

AFNetworking allows certificates to be embedded in the app. It verifies that it is talking to the right server by comparing the server's certificate with the embedded copy and checking the site's domain name against it. Because CA-issued certificates are validated by domain name, this is most convenient when your back end is bound to a fixed domain name. Convert your server certificate from PEM to DER (.cer) format with the following command:

openssl x509 -in <your server certificate>.pem -outform der -out server.cer

Then add the generated server.cer file (and, if you run your own CA, the CA certificate in .cer format as well) to the app bundle and build the security policy in AFNetworking:

AFSecurityPolicy *securityPolicy = [AFSecurityPolicy policyWithPinningMode:AFSSLPinningModeCertificate];

Or

AFSecurityPolicy *securityPolicy = [AFSecurityPolicy policyWithPinningMode:AFSSLPinningModePublicKey];

AFNetworking then scans the bundle for .cer files automatically and uses them to confirm the identity of the server, even when its certificate is self-signed. One caveat: the one-argument form looks in the bundle that contains the AFSecurityPolicy class, which is the app bundle only when AFNetworking is compiled in as a static library. When it is linked as a dynamic framework, pass the certificates explicitly (AFNetworking 3.x): [AFSecurityPolicy policyWithPinningMode:AFSSLPinningModeCertificate withPinnedCertificates:[AFSecurityPolicy certificatesInBundle:[NSBundle mainBundle]]].

AFSecurityPolicy's three verification modes

AFSSLPinningModeNone

This mode means that no SSL pinning is performed.

The certificate returned by the server is checked only against the system's list of trusted CAs, exactly as a browser does. A certificate issued by a trusted CA passes; a certificate generated on your own server does not.

AFSSLPinningModeCertificate

This mode verifies by certificate pinning: the client keeps a copy of the server's certificate. Verification has two steps. First the certificate's domain name, validity period and other fields are checked; then the certificate returned by the server is compared byte for byte with the bundled copy. The drawback is that every renewal of the server certificate requires shipping an app update with the new .cer file.

AFSSLPinningModePublicKey

This mode also verifies by pinning and the client must also carry a copy of the server certificate, but only the public key in it is compared; the validity period is not checked (once allowInvalidCertificates is set, nothing else checks it either). As long as the public key matches, the connection cannot be eavesdropped, because a man in the middle does not hold the matching private key and so can neither complete the handshake as that server nor decrypt data encrypted to that public key. The practical benefit is that the server certificate can be renewed with the same key pair without an app update; the cost is that a leaked server private key must be treated as a full compromise of the pin.
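The following is an added example, not code from the original article or from AFNetworking, showing what the two pinning modes actually compare and why only public-key pinning survives a certificate renewal. It also covers the PEM-to-DER step from the openssl command in the Solution section. Everything in it is constructed: a tiny DER encoder builds three certificate-shaped blobs (the original server certificate, a renewed one with the same key, and a forged one with an attacker's key) with placeholder key bytes and a placeholder signature, so they parse like X.509 but are not real or verifiable. AFNetworking compares SecKey objects rather than hashes; here the comparison is a SHA-256 over the DER SubjectPublicKeyInfo, which is equivalent for this purpose and is the form in which pins are normally published. The extract_spki parser handles the standard tbsCertificate layout, so it also works on a real server.cer produced by the openssl command above.

```python
"""Certificate pinning vs public-key pinning on DER-encoded X.509 data.
Added example for this article, not code from the page or from AFNetworking.
All certificates below are constructed with placeholder keys and signatures."""
import base64
import hashlib
import ssl

SEQ, INT, BITSTR, NULL, OID, UTCTIME, CTX0 = 0x30, 0x02, 0x03, 0x05, 0x06, 0x17, 0xA0
RSA_ENC = bytes.fromhex("2A864886F70D010101")     # OID 1.2.840.113549.1.1.1
SHA256_RSA = bytes.fromhex("2A864886F70D01010B")  # OID 1.2.840.113549.1.1.11

def der(tag, content):
    """Encode one DER TLV, using short or long-form length as needed."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        nb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(nb)]) + nb
    return bytes([tag]) + length + content

def fake_cert(serial, not_before, not_after, pubkey):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }.
    Constructed for pin computation only: the signature is a placeholder."""
    alg = der(SEQ, der(OID, SHA256_RSA) + der(NULL, b""))
    name = der(SEQ, b"")                                   # empty Name, enough for pinning
    spki = der(SEQ, der(SEQ, der(OID, RSA_ENC) + der(NULL, b""))
                    + der(BITSTR, b"\x00" + pubkey))
    tbs = der(SEQ, der(CTX0, der(INT, b"\x02"))             # [0] version v3
                   + der(INT, serial.to_bytes(2, "big"))    # serialNumber
                   + alg + name                             # signature, issuer
                   + der(SEQ, der(UTCTIME, not_before.encode())
                              + der(UTCTIME, not_after.encode()))
                   + name + spki)                           # subject, subjectPublicKeyInfo
    return der(SEQ, tbs + alg + der(BITSTR, b"\x00" * 17))  # placeholder signature

def read_tlv(buf, pos):
    """Decode the TLV at pos; return (tag, raw_tlv, content, next_pos)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        nb = first & 0x7F
        length, hdr = int.from_bytes(buf[pos + 2:pos + 2 + nb], "big"), 2 + nb
    end = pos + hdr + length
    return tag, buf[pos:end], buf[pos + hdr:end], end

def children(content):
    """Split a constructed value into its child TLVs."""
    pos, out = 0, []
    while pos < len(content):
        tag, raw, inner, pos = read_tlv(content, pos)
        out.append((tag, raw, inner))
    return out

def extract_spki(cert_der):
    """Return the DER SubjectPublicKeyInfo of a certificate, tag and length included."""
    _, _, body, _ = read_tlv(cert_der, 0)
    fields = children(children(body)[0][2])                # tbsCertificate fields
    if fields[0][0] == CTX0:                               # optional [0] version
        fields = fields[1:]
    return fields[5][1]   # serial, sigAlg, issuer, validity, subject, SPKI

def certificate_pin(cert_der):
    """AFSSLPinningModeCertificate: the whole certificate must match."""
    return hashlib.sha256(cert_der).hexdigest()

def public_key_pin(cert_der):
    """AFSSLPinningModePublicKey: only the key matters (RFC 7469 pin format)."""
    return base64.b64encode(hashlib.sha256(extract_spki(cert_der)).digest()).decode()

def pin_matches(mode, pinned, presented_der):
    """Does the certificate presented by the server satisfy the app's pin set?"""
    fn = certificate_pin if mode == "certificate" else public_key_pin
    return fn(presented_der) in pinned

# Constructed inputs: the server keeps its key pair across a certificate renewal.
SERVER_KEY = bytes(range(1, 65))        # placeholder public-key bytes, not a real RSA key
ATTACKER_KEY = bytes(range(65, 129))
CERT_2015 = fake_cert(0x1001, "150101000000Z", "160101000000Z", SERVER_KEY)
CERT_2016 = fake_cert(0x1002, "160101000000Z", "170101000000Z", SERVER_KEY)    # renewed
CERT_MITM = fake_cert(0x1003, "160101000000Z", "170101000000Z", ATTACKER_KEY)  # forged

def demo():
    """Pin CERT_2015 (the .cer shipped in the app bundle) and test later connections."""
    pem = ssl.DER_cert_to_PEM_cert(CERT_2015)   # what the server operator hands you
    bundled = ssl.PEM_cert_to_DER_cert(pem)     # same as: openssl x509 -in x.pem -outform der
    cert_pins, key_pins = {certificate_pin(bundled)}, {public_key_pin(bundled)}
    return {
        "cert_mode_renewed": pin_matches("certificate", cert_pins, CERT_2016),
        "key_mode_renewed": pin_matches("publickey", key_pins, CERT_2016),
        "cert_mode_mitm": pin_matches("certificate", cert_pins, CERT_MITM),
        "key_mode_mitm": pin_matches("publickey", key_pins, CERT_MITM),
    }

if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {'accepted' if ok else 'rejected'}")
```

Running it shows the trade-off from the mode descriptions above: the renewed certificate is rejected under certificate pinning and accepted under public-key pinning, while the forged certificate is rejected under both. To pin a real server, replace the constructed blobs with the bytes of server.cer; the SPKI hash that public_key_pin prints is the value you would also compare against `openssl x509 -pubkey -noout` output when checking that the bundled file matches the live server.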
