The road to the architect 14th Day Axis2 Web Service security Rampart

Encryption protects our web service transmission

In the course of the previous day, we talked about a simple "security-constraint" to protect a Web service by specifying a username and password, and how to use HTTPS to protect the Web service's communication process. Although it is protected with HTTPS, we put aside HTTPS, the user name, password, and data transmitted between the Web service are plaintext.

I have mentioned in the tutorial, there is a hacker tool called Sniffer, or using mim-attack (middleware interception), but also can be the flow of the client to intercept and send to the hacker host, so that our username and password can be obtained by hackers.

So today we're going to talk about how to make this user name and password and related data encrypted when the Web service is transferred.

Ii. Basic Concepts

Let's take a look at the basic concepts, this basic concept will be related to the field of PKI, please read this chapter carefully , otherwise you will be foggy then I advise you to start from the beginning, I will refer to the MIT Tutorial-rsa Company published "Computer Encryption and decryption principle", Use the most practical examples and the simplest language to explain the most important concepts in the PKI.

This should be our third request to generate a certificate request, certificate, signed, pretty tossing!!!

Do not toss you no, I want to put everyone toss the egg pain, this toss after the thoroughly understand.

was tossing, suffering and finally happy, well I have more nonsense, the following start.

2.1 Basic concepts of encryption and decryption

Our cryptographic decryption is divided into two types:

1) symmetric encryption (symmetric Cipher)

2) Asymmetric encryption (asymmetric Cipher)

2.1.1 Symmetric encryption

That is, a password (key) to decrypt a string of string, the same password (key) can be encrypted ciphertext to decrypt, until the end of only one password (key), so it is called symmetric encryption.

2.1.2 Asymmetric Encryption

This is one of the most important concepts

We know that symmetric encryption has only one key (you can think of this key as a password). Rather than symmetric encryption? It has 2 keys,

L What we call the private key is Privatekey, a private key can correspond to countless public key, the public key can be "spread".

L A call public key is PublicKey, a bunch of public key can only correspond to a private key, the private key is absolutely cannot "spread".

The two keys are produced together in the same year as the same month, that is, when the private key is generated, it is accompanied by the generation of the public key.

Here's the formula:

Public key encryption, private key decryption

Think about it, I have two keys, one is used to lock the door (encryption), one is dedicated to open the door (decryption). So the key I used to lock the door dropped and was picked up by someone else, okay? No one else can lock the door of my house.

But what if the key I used to open the door was lost? What to do? People can open my door into my house when they are picked up by someone else.

Therefore, the public key is always used for encryption, can have more to be held by many people, and the private key is always used to decrypt and can only host own.

public key encryption, private key decryption ! Old old Remember, this is the formula of Forever, is also the truth!