On the essentials of encrypting front-end information (whether to encrypt, and how to encrypt)

Source: Internet
Author: User
Tags: md5, md5 encryption, ssl connection
I. Preamble

Recently I have been looking at web-side login and the scenarios in which transmitted data is encrypted, and I found some interesting things. A programmer at an Internet finance company, implementing login verification, first ran the password through MD5 and then proudly declared: my login is encrypted, outsiders cannot crack it, the user's information is absolutely protected. Then I found that the entire site ran over plain HTTP, and only the login used MD5. PS: secretly laughing ...

Next I will share some of what I know. My understanding is not deep; have a look, and it is fine if you just get the gist.

There is a table of contents below; read it according to your own situation. Some of the knowledge needs groundwork first.

II. Table of contents

1. HTTP and HTTPS

2. Classification of information to be encrypted (the author's own classification)

3. Problems and value of web-side encryption

4. How to encrypt more securely (a relative increase in security)

III. HTTP and HTTPS

1. First, a simple understanding of these two transport protocols.

HTTP: Hypertext Transfer Protocol, used to pass information between a web browser and a web server. It sends content in plaintext and provides no data encryption of any kind; an intruder who captures the packets directly obtains the transmitted messages, and with them the user's data.
HTTPS: Hypertext Transfer Protocol over Secure Sockets Layer. It adds the SSL protocol on top of HTTP; SSL relies on certificates to verify the identity of the server and encrypts the communication between the browser and the server.
Its role is twofold: one part is to establish a secure channel that protects data in transit; the other is to confirm the authenticity of the website.

2. Then, let's compare the two protocols

a. HTTPS requires a certificate from a CA; free certificates are generally few, so there is a certain cost. HTTP costs nothing.
b. HTTP is the Hypertext Transfer Protocol and transmits information in plaintext; HTTPS is the SSL-encrypted secure transfer protocol.
c. HTTP and HTTPS use completely different connection methods and different ports: the former uses 80, the latter 443.
d. An HTTP connection is very simple and stateless; HTTPS is a network protocol built from SSL+HTTP for encrypted transmission and identity authentication, and is more secure than HTTP.

3. A quick walk-through of how HTTPS works

a. The client accesses the web server with an HTTPS URL and requests an SSL connection with the web server.
b. When the web server receives the client's request, it sends a copy of the website's certificate (which contains the public key) to the client.
c. The client's browser and the web server negotiate the security level of the SSL connection, that is, the level of information encryption.
d. Based on the agreed security level, the client's browser establishes a session key, encrypts the session key with the website's public key, and sends it to the website.
e. The web server decrypts the session key with its own private key.
f. The web server uses the session key to encrypt its communication with the client.

Having read this, you should have a clearer picture of the two protocols. Someone will say: HTTPS is so powerful, it seems the encryption problem is solved. It is far from that simple. HTTPS is secure, but if the server is attacked or hijacked by a hacker, or a fake certificate is used, it is not much use. And the organizations that issue the certificates are, plainly speaking, also just people: other people hold your certificate, and those people can decrypt with it in broad daylight.

PS: Enough gossip; this section is just to let you know the transport protocols we usually use.

IV. Classification of information to be encrypted

Most data on the web is plaintext and does not need to be encrypted. I believe there are two kinds of data that do need to be encrypted:

1. The user's login information (account number, password ...).

2. The user's private information (name, bank card number, home address ...).

For these two kinds of data we have different requirements for encryption; the latter is slightly weaker than the former.

V. The problems and value of web-side encryption

Now we know that HTTP transmits in plaintext: as long as someone else captures a packet, they get the transmitted message. Many people then ask: does that mean front-end encryption over HTTP is pointless? That is a big mistake. We can analyze it from the following points, which show the need to encrypt even when the encryption is not secure:

1. If the front end hashes the user's password before sending it (MD5, for example), someone who captures the packet can still simulate a login. But that is all they can do: they do not know your source code, and what they intercepted is the MD5 ciphertext, which greatly reduces the scope for social-engineering attacks. (To explain social-engineering attacks: everyone habitually sets one or a few passwords across all their platform accounts because they are easy to remember; an attacker takes the one they got from you, tries it on the others, and duang! it blows up.)

2. Front-end encryption also offers a certain amount of security by itself. If our simple encryption gets captured, we can make the encryption more complex, so that the captured data alone cannot be used to log in, or at least not easily.

VI. How to encrypt more securely

Continuing the topic above: how do we encrypt so that data transfer is more secure? Here are a few examples.

1. Use HTTPS. You can even log in over HTTPS and then redirect to HTTP pages, to keep page loading smooth.

2. Use plain HTTP only. Encrypt password + timestamp and transmit it; the server decrypts it and allows the login only if the timestamp is within 3s. This also strengthens security. PS: the 3s is my own guess.

3. Follow the QQ web-version login approach

    // Client-side hash used by the QQ web login, with consistent names.
    // password: the plaintext password, or its MD5 hex digest when isMd5 is true
    // uin: the QQ account number; vcode: the graphic verification code
    // md5() and hexchar2bin() are helpers from the QQ login page, not shown here.
    function getEncryption(password, uin, vcode, isMd5) {
        var str1 = hexchar2bin(isMd5 ? password : md5(password)); // raw bytes of md5(password)
        var str2 = md5(str1 + uin);                                // bind the hash to the account
        var str3 = md5(str2 + vcode.toUpperCase());                // bind it to this one-time captcha
        return str3;
    }

Modeled on the QQ login mode: when the login page opens, a graphic verification code is transmitted along with it; on the back end this verification code is unique, time-limited, and stored for one-time use. The account number, password and verification code are then combined using an irreversible encryption method, generally MD5; the server encrypts in the same way and compares the ciphertexts to decide the login. This way, even if someone knows your encryption code, it is not easily compromised.

4. The simplest option now: login by mobile phone number + verification code, which is safe, effective and simple. Of course the information still needs to be encrypted.

VII. Summary

That is all the content. The introduction is relatively shallow and suited to general understanding. Serious web security involves far too many things, and this still needs to be perfected. If there are errors in the text, I hope you will point them out!
