Network security protocols first: using HTTPS to build a secure site (Part 1)


Anyone who uses online banking regularly will be familiar with the term "certificate", because banks routinely ask customers to verify a digital certificate when logging on. This is an effective security measure that greatly improves account security, and it is built on the network security protocol HTTPS.

HTTP data transmission process
The WWW is one of the most popular services on the Internet. It consists of three parts: the Web server, the Web browser, and the communication protocol between them. The protocol the WWW service uses most is HTTP (Hypertext Transfer Protocol), which is why the URL shown in the browser's address bar, for example "http://www.microsoft.com", begins with "http": the site is accessed over HTTP. When HTTP carries data between a Web server and a Web browser, the browser's access request is first converted into the format supported by TCP/IP and sent to the Web server. The Web server receives the request over TCP/IP, processes it, and returns the response to the Web browser over HTTP. Throughout this exchange the data travels in plain text, so it is easy for an attacker to eavesdrop on and steal it. Transmitting data over the Internet with plain HTTP is therefore insecure.

HTTPS application example
Using HTTPS you can build a secure Web site. Taking Windows 2000 Server as an example, the procedure is as follows:

Install the Certificate Server

The Certificate Server issues the certificate for the Web site. By default, Windows 2000 Server does not install Certificate Services, so it must be installed manually.

Step 1: Double-click "Add/Remove Programs" in the "Control Panel" window to open the "Add/Remove Programs" window. In the left pane, click "Add/Remove Windows Components" to open the "Windows Components Wizard" dialog box.

Step 2: In the "Components" list, find and select the "Certificate Services" option and click "Details". In the "Certificate Services" dialog box that appears, select the "Certificate Services Web Enrollment Support" and "Certificate Services CA" check boxes, then click "OK" and "Next", as shown in Figure 1.


Figure 1: Select Certificate Services

Step 3: On the "Certification Authority Type" wizard page, select "Stand-alone root CA" and click "Next". On the "CA Identifying Information" wizard page, enter the "CA name" and the other identifying information, then click "Next".

Step 4: The "Data Storage Location" wizard page appears. Keep the default path and click "Next" and then "Finish".

TIPS: During file copying you are asked for the Windows 2000 Server installation CD or to specify the installation source. After the installation completes, Certificate Services starts automatically.

Step 5: Click Start > Programs > Administrative Tools > Certification Authority. In the Certification Authority console window that opens, make sure the Certificate Server is running (that is, that a green check mark appears next to the CA name).

Apply for a certificate for the Web Server

The Certificate Server can now issue certificates to the Web site. However, it never issues a certificate on its own; the Web server must request one. To request a certificate for the Web server, follow these steps:

Step 1: Click Start > Programs > Administrative Tools > Internet Services Manager to open the "Internet Information Services" window. In the left pane, right-click the Web site name (for example, "Default Web Site") and choose "Properties" to open the "Default Web Site Properties" dialog box.

Step 2: Click the "Directory Security" tab, then click the "Server Certificate" button on that tab to start the Web Server Certificate Wizard, and click "Next".

Step 3: On the "Server Certificate" wizard page, select "Create a new certificate", since this is the first time the wizard is used. Click "Next", as shown in Figure 2.


Figure 2: Create a new certificate

Step 4: On the "Delayed or Immediate Request" wizard page, select "Prepare the request now, but send it later" and click "Next".

Step 5: On the "Name and Security Settings" wizard page, type a name for the certificate in the "Name" box. Keep the default value for "Bit length" and click "Next".

Step 6: Click "Next" on the "Organization Information" and "Your Site's Common Name" wizard pages to reach the "Geographical Information" wizard page. Select the appropriate geographic information and click "Next".

Step 7: On the "Certificate Request File Name" wizard page, click "Browse" to specify the location and file name of the certificate request file (you can also keep the default, but note it down because it is needed later). Click "Next" and then "Finish" to generate the server certificate request, as shown in Figure 3.


Figure 3: Specify the name and location of the certificate request file

Submit Certificate Application

The certificate request for the Web server has now been generated, but it has not yet been submitted to the Certificate Server for processing. Next, log on to the Certificate Server and submit the Web server's request. The procedure is as follows:

Step 1: In the address bar of Internet Explorer, type the Certificate Server's address (in this example the Certificate Server's IP address is 10.115.236.200): "http://10.115.236.200/CertSrv/default.asp", and press Enter to open the Certificate Server web page.

Step 2: On the "Welcome" page, select "Request a certificate" and click "Next" to open the "Choose Request Type" page. Select "Advanced request" and click "Next".

Step 3: On the "Advanced Certificate Requests" page, select "Submit a certificate request using a base64 encoded PKCS #10 file or a renewal request using a base64 encoded PKCS #7 file" and click "Next", as shown in Figure 4.


Figure 4: Select a certificate request method

Step 4: On the "Submit A Saved Request" page, open the certificate request file saved earlier and paste its contents into the "Base64 Encoded Certificate Request (PKCS #10 or #7)" text box. Finally, click "Submit". The page reports that the certificate is pending, which means the submission is complete.
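As an added example (not part of the original article), the following Python check can be run over the request file written by the Web Server Certificate Wizard before its contents are pasted into the Base64 text box: it verifies that the BEGIN/END labels match, that the body is valid Base64, and that the decoded DER is one complete SEQUENCE, so a truncated or mis-copied request is caught before the CA marks it pending. The sample file is constructed around a minimal hand-built DER value rather than a real request, and the "PKCS7" label is an assumption.

```python
import base64
import re

# Constructed sample, not a real request: the PEM framing the IIS 5 Web Server
# Certificate Wizard writes around its Base64 PKCS #10 request, wrapped here
# around a hand-built minimal DER SEQUENCE { INTEGER 0, SEQUENCE {} } so the
# example runs offline. A real file carries a full CertificationRequest.
SAMPLE_DER = b"\x30\x05\x02\x01\x00\x30\x00"
SAMPLE_FILE = (b"-----BEGIN NEW CERTIFICATE REQUEST-----\r\n"
               + base64.encodebytes(SAMPLE_DER)
               + b"-----END NEW CERTIFICATE REQUEST-----\r\n")

# PEM labels the "Advanced Certificate Requests" page accepts: a PKCS #10
# request (the wizard uses the "NEW ..." label) or a PKCS #7 renewal blob.
LABELS = {
    "CERTIFICATE REQUEST": "PKCS #10",
    "NEW CERTIFICATE REQUEST": "PKCS #10",
    "PKCS7": "PKCS #7",  # assumed label for the PKCS #7 renewal case
}
PEM_RE = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 #]+)-----\r?\n"
    r"(?P<body>[A-Za-z0-9+/=\r\n]+)-----END (?P=label)-----")


def der_sequence_length(der: bytes) -> int:
    """Total encoded length of the outer DER SEQUENCE (tag + length + value)."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("outer element is not a DER SEQUENCE")
    first = der[1]
    if first < 0x80:                      # short form: the byte is the length
        return 2 + first
    n = first & 0x7F                      # long form: n length bytes follow
    if n == 0 or n > 4 or len(der) < 2 + n:
        raise ValueError("unsupported or truncated DER length")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def check_request_file(data: bytes) -> dict:
    """Check PEM labels, Base64 and DER shape; return what can be pasted."""
    m = PEM_RE.search(data.decode("ascii"))
    if not m:
        raise ValueError("no PEM block with matching BEGIN/END labels")
    label = m.group("label")
    if label not in LABELS:
        raise ValueError(f"unexpected PEM label: {label}")
    body = "".join(m.group("body").split())        # drop CR/LF line breaks
    der = base64.b64decode(body, validate=True)    # reject stray characters
    expected = der_sequence_length(der)
    if expected != len(der):                       # truncated or over-long copy
        raise ValueError(f"DER says {expected} bytes, file has {len(der)}")
    return {"kind": LABELS[label], "der_length": len(der), "base64": body}
```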

Issue and export certificates

The submitted request is now pending: the Web server is waiting for the Certificate Server to approve the request and issue its certificate. The Certificate Server issues the certificate as follows:

Step 1: Click Start > Programs > Administrative Tools > Certification Authority to open the Certification Authority window. In the left pane, expand the CA root certificate server node and click the "Pending Requests" folder; the request just submitted appears in the right pane.

Step 2: Select the request and click the "Action > All Tasks > Issue" menu command to issue the certificate. Click the "Issued Certificates" folder to see the newly issued certificate in the right pane.

Step 3: Double-click the issued certificate in the right pane to open the Certificate dialog box. Click the "Details" tab, click "Copy to File" to start the Certificate Export Wizard, and click "Next", as shown in Figure 5.


Figure 5: Certificate details

Step 4: On the "Export File Format" wizard page, select the "DER encoded binary X.509 (.CER)" radio button and click "Next".

Step 5: On the "File to Export" wizard page, specify the path and file name of the exported file (note the file name and path for later use). Click "Next" and then "Finish" to export the certificate.

How HTTPS came about
With the growing commercialization of the Internet, people have paid increasing attention to the security of information online, especially for sensitive services such as online shopping, online banking and business communications. To improve the security of HTTP data transmission, Netscape developed the SSL (Secure Sockets Layer) protocol to protect data in transit over the network. SSL's role is to encrypt data; carrying HTTP over SSL gives encrypted HTTP transmission. This is the main subject of this article: HTTPS ("HTTP over SSL"). Common browsers today (such as IE, Netscape and Maxthon (Aoyou)) support HTTPS.

When HTTPS carries data over the Internet, the sender first hands the data to the SSL layer for encryption, and the resulting ciphertext is transmitted over the TCP/IP network. The receiver passes the received ciphertext to the SSL layer for decryption and then hands the plaintext to HTTP. Throughout this exchange the data crosses the network as ciphertext, so even if an attacker captures the traffic it is not easy to recover the contents, and the data is far better protected.

TIPS: SSL is the soul of HTTPS; the security of HTTPS comes from the cryptographic algorithms SSL uses. SSL relies on the "public key algorithm" technique proposed by Diffie and Hellman. It is based on a key pair made up of two different keys: data encrypted with one key of the pair can be decrypted only with the other key. One key of the pair is made public so that users can encrypt data with it, and the other is kept private and used to decrypt data encrypted with the public key.
