
HTTPS finally figured it out

Author: Floating Dreams 3
  • 1. Cryptography knowledge
    • 1.1 One-way encryption
    • 1.2 Symmetric encryption
    • 1.3 Asymmetric encryption
  • 2. Summary of encryption knowledge
    • Start with a need

Many people are not clear about how HTTPS actually works; they only know that HTTPS is "securely encrypted" and have no idea of the principle behind it.

I used to be unclear about the HTTPS process myself, and the most infuriating thing is that in almost every interview, the interviewer is likely to ask you about it.

Every time, the answer was not quite right, or the interviewer was not satisfied; in other words, I did not really understand it.

In fact, the principle of HTTPS is not that complicated, but some articles explain it unclearly, and the more of those you read, the more confused you get.

Before we look at how HTTPS works, let's take a look at encryption.

1. Cryptography knowledge

Encryption can be divided into the following three types according to how it works.

1.1 One-way encryption

Also called irreversible encryption: encrypting the plaintext produces a ciphertext, and the plaintext cannot be recovered from the ciphertext.

It is generally used to generate message digests, for key protection, and so on. Common one-way algorithms are:

  • MD5: everyone is familiar with this one; a plaintext passed through MD5 corresponds to a unique ciphertext
  • SHA: divided into sha192 and sha256

Characteristics:

  1. Irreversible
  2. If the input is the same, the output must be the same

1.2 Symmetric encryption

Symmetric encryption uses a key to encrypt the plaintext, and in the same way the ciphertext can be decrypted with that same key.

That is, encryption and decryption use the same key.

This encryption method is called symmetric encryption.

Commonly used symmetric encryption methods are:

  • DES
  • 3DES
  • AES

Characteristics:

  1. The encrypting party and the decrypting party use the same key
  2. Encryption and decryption are relatively fast

1.3 Asymmetric encryption

We know that symmetric encryption uses a single key; asymmetric encryption, by contrast, uses a public key and a private key for encryption and decryption.

You can encrypt with the private key and decrypt with the public key, and likewise encrypt with the public key and decrypt with the private key.

Common asymmetric encryption methods are:

  • RSA
  • DSA

The one we use most often is RSA.

Characteristics:

  1. Two keys are used for encryption and decryption: the public key and the private key
  2. What the public key encrypts, the private key decrypts; what the private key encrypts, the public key decrypts
  3. Encryption and decryption are very slow
  4. The private key and the public key come in pairs

2. Summary of encryption knowledge

**One-way encryption:** irreversible; as long as the input is the same, the output ciphertext is the same, and any modification to the input produces a different ciphertext.

**Symmetric encryption:** encryption and decryption use the same key, and both are particularly fast.

**Asymmetric encryption:** encryption and decryption use a public key and a private key; what the public key encrypts the private key decrypts, and what the private key encrypts the public key decrypts. Encryption and decryption are very slow.

The so-called public key is the one that can be disclosed to others.

The so-called private key must not be disclosed to others; its owner keeps it private.

Note: the content above is pure cryptography and has nothing to do with HTTPS as such. Now let's start on the HTTPS process, beginning with a requirement.

Once this requirement is solved, you understand the HTTPS process.

Start with a need

Suppose there is a requirement: Xiaoming and Xiaohua need to communicate. A boy and a girl writing love letters certainly don't want others to read them, so they need secure communication.

Question 1: How does Xiaoming safely pass content to Xiaohua?

From the encryption knowledge above, it is easy to think of encrypting the content of the communication.

The answer is yes: just encrypt the content of the communication.

Question 2: Which encryption method is used?

One-way encryption definitely can't work: Xiaohua receives the letter and cannot decrypt it, so this romance goes nowhere.

Symmetric encryption can be used: as long as Xiaohua has the key, she can decrypt the content.

Asymmetric encryption can also be used: Xiaoming encrypts with his own private key, and Xiaohua, who holds Xiaoming's public key, can also decrypt the content.

Question 3: Both symmetric and asymmetric encryption can be used, so which one should be used?

From the encryption knowledge above, we know that

symmetric encryption is fast and asymmetric encryption is slow.

Xiaoming and Xiaohua often talk for hours, so there is a lot of data.

If asymmetric encryption were used it would be depressing, because both encryption and decryption are slow; these two would definitely not use asymmetric encryption. If it were me, I wouldn't either; I'd die of impatience.

So the answer is symmetric encryption, because it is fast: Xiaoming and Xiaohua both hold the same key, and each can decrypt the other's letters.

Summary: Xiaoming and Xiaohua communicate using symmetric encryption. If the key is S, both parties use the same key S for encryption and decryption.

In this way Xiaoming and Xiaohua can communicate happily, the content is encrypted, and encryption and decryption are fast. Wonderful.

But there is a hidden danger: the key S, while being transmitted, is intercepted by Lao Wang.

The consequence is that Xiaoming, Xiaohua and Lao Wang all have the same key S.

Then there is no secret between Xiaoming and Xiaohua: Lao Wang can decrypt the letters they send and read them, re-encrypt them, and forward them to Xiaohua. That cannot be tolerated.

[figure]

So how do we handle the key S being intercepted by others during transmission?

Some say the key S could itself be encrypted with symmetric encryption before transmission, but then the key S1 used for that is also at risk of being intercepted.

Then encrypt S1 again, transmit it, ... and so on. Definitely not.

The method above does not work, and the question now becomes: how does Xiaoming securely pass the key S to Xiaohua? Isn't this similar to the previous question, how does Xiaoming securely pass the content to Xiaohua?

So, to communicate securely, Xiaoming and Xiaohua need symmetric encryption to encrypt the content of the letters,

and first we have to solve one problem: how does Xiaoming securely transmit the key S to Xiaohua?

Question 4: How does Xiaoming securely transmit the key S to Xiaohua?

If the transmission of the key S is not secure, all subsequent communication is insecure; conversely, if the key S can be safely transmitted to Xiaohua, the subsequent communication is secure.

If this were a job our manager gave us, how would we solve it with the encryption knowledge we have learned?

Using that knowledge, is the following a secure way to transmit it?

  1. Xiaoming uses asymmetric encryption: first he generates his own pair of private and public keys, called privateKey and publicKey for convenience
  2. Xiaoming gives the publicKey to Xiaohua
  • Method 1: Xiaoming encrypts the key S with his own privateKey, the ciphertext S0 is transmitted to Xiaohua, and Xiaohua decrypts S0 with the publicKey to get the key S
  • Method 2: Xiaohua encrypts the key S with the publicKey, the ciphertext S0 is transmitted to Xiaoming, and Xiaoming decrypts S0 with the privateKey to get the key S

Method 1 is not feasible, because Xiaoming's publicKey is public and anyone can download it: Lao Wang also has Xiaoming's publicKey and can decrypt S0 to get the key S.

Method 2 is feasible, because the privateKey is owned only by Xiaoming; Xiaohua encrypts with Xiaoming's public key, and only Xiaoming can decrypt it, no one else.

So the solution is:

use asymmetric encryption to encrypt the key S for transmission.

Some will say: no, asymmetric encryption performs badly, encryption and decryption are particularly slow, and that is exactly why Xiaoming and Xiaohua did not use asymmetric encryption for their communication in the first place; won't this fail too?

True, but we are only using asymmetric encryption to encrypt the key S, which is a small amount of data, so the key S is transmitted securely to the other party.

Subsequent communication uses symmetric encryption directly, which is efficient; asymmetric encryption is only used in the initial stage of negotiating how to securely transmit the key S, and after that stage it is no longer needed.

As can be seen from the above, asymmetric encryption has the following characteristic:

as long as I have someone's public key, communicating with that person is secure.

For example, you have a pair of private and public keys. I only need to get your public key and use it to encrypt what I send; only you can decrypt it, because the private key is yours alone.

As follows:

[figure]

Conversely, Xiaoming encrypts with his own private key and others decrypt with Xiaoming's public key. What is that process for?

The answer: identity verification.

As long as Xiaoming encrypted with his own private key and others can decrypt it with Xiaoming's public key, it proves the letter must have been written by Xiaoming.

For example, you need to send a notice and make sure it is known to come from you, for fear that someone alters it along the way (like forged imperial edicts in ancient times, which were a failure of identity verification).

You can encrypt the notice with your private key; anyone who wants to read it downloads your public key and decrypts it, which shows that the notice must have come from you.

If someone alters it along the way, they cannot re-encrypt it with your private key, so it won't work.

Summary: through the description above, we have solved several problems and gone through the following process.

  1. For secure communication, Xiaoming and Xiaohua encrypt the transmitted content
  2. After comparison, only symmetric encryption can be chosen to encrypt the transmitted content
  3. But the transmission of the symmetric key S is not secure and it is easily stolen by Lao Wang; what to do?
  4. Xiaoming thinks of asymmetric encryption, so he generates a private/public key pair and gives the public key to Xiaohua
  5. Xiaohua encrypts the key S with the public key and sends it to Xiaoming
  6. Because it is encrypted with Xiaoming's public key, and the private key is owned only by Xiaoming, only Xiaoming can decrypt it. Even if Lao Wang intercepts the ciphertext in this process, he cannot decrypt it
  7. So Xiaoming decrypts the key S with his private key
  8. Now Xiaoming and Xiaohua use symmetric encryption with the key S to communicate happily, for example discussing the bride price, where to hold the banquet, and where to spend the honeymoon
  9. In this way, the communication process is secure.

The process above is perfect, but as the saying goes, the Way rises one foot and the demon rises ten. Lao Wang's brain is particularly good, and he comes up with a trick.

Since you two use asymmetric encryption and I cannot decrypt the ciphertext I intercept, let's do it differently.

Suppose something goes wrong while Xiaohua is obtaining Xiaoming's public key: for example, what Xiaohua obtained was not Xiaoming's public key but Lao Wang's (while Xiaohua still believes the public key in her hand is Xiaoming's).

What happens? Let's look at the diagram (this is called a man-in-the-middle attack):

[figure]

In the figure above, Lao Wang is the "man in the middle", and the figure shows a man-in-the-middle attack. The process is as follows:

  1. While Xiaohua is obtaining Xiaoming's public key, Lao Wang sends Xiaohua his own public key instead
  2. Xiaohua mistakenly believes the public key in her hand is Xiaoming's (it is actually Lao Wang's), so she encrypts the key S with Lao Wang's public key and gets the ciphertext S0
  3. While the ciphertext S0 is being sent to Xiaoming, Lao Wang intercepts it, decrypts it with his private key and obtains the key S
  4. Having obtained the key S, Lao Wang keeps a copy for himself, then encrypts the key S with Xiaoming's public key to get the ciphertext S1 and sends it to Xiaoming
  5. Xiaoming receives the ciphertext S1, decrypts it with his private key and obtains the key S
  6. From then on, Xiaoming and Xiaohua use symmetric encryption with the key S to communicate
  7. They still think it is secure, but in fact Lao Wang reads the content of the communication before they do. Still not safe
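The key exchange from Question 4 and the substituted-key scenario just described, as an added Go example (not code from the original post). It assumes RSA-OAEP for wrapping S and AES-256-GCM for the letters, since the post names no specific algorithms, and the sample letter is constructed. Run(false) is the honest exchange; Run(true) is the case where Xiaohua was handed Lao Wang's public key.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// wrapKey is Xiaohua's step: S encrypted with the public key she holds
// (RSA-OAEP is assumed here; the post names no padding mode).
func wrapKey(pub *rsa.PublicKey, s []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, s, nil)
}

// unwrapKey recovers S; it succeeds only with the private key matching that public key.
func unwrapKey(priv *rsa.PrivateKey, s0 []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, s0, nil)
}

// gcmFor is the fast symmetric cipher (AES-256-GCM) used for the letters themselves.
func gcmFor(s []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(s)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealLetter encrypts a letter under S, prefixing the random nonce to the ciphertext.
func sealLetter(s, letter []byte) ([]byte, error) {
	gcm, err := gcmFor(s)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, letter, nil), nil
}

// openLetter decrypts under S; a wrong key or a modified ciphertext fails authentication.
// The input is always produced by sealLetter here, so the nonce prefix is present.
func openLetter(s, sealed []byte) ([]byte, error) {
	gcm, err := gcmFor(s)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	return gcm.Open(nil, sealed[:n], sealed[n:], nil)
}

// Run plays the post's exchange and reports whether Xiaoming can read the letter and
// whether Lao Wang obtained S. With substituted=true Xiaohua was handed Lao Wang's
// public key instead of Xiaoming's, and Lao Wang unwraps S and re-wraps it for Xiaoming.
func Run(substituted bool) (xiaomingReads, laoWangHasS bool, err error) {
	xiaoming, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, err
	}
	laoWang, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, err
	}
	pubSeen := &xiaoming.PublicKey
	if substituted {
		pubSeen = &laoWang.PublicKey
	}
	// Xiaohua: pick S, wrap it with the public key she holds, seal the letter with S.
	s := make([]byte, 32)
	if _, err := rand.Read(s); err != nil {
		return false, false, err
	}
	s0, err := wrapKey(pubSeen, s)
	if err != nil {
		return false, false, err
	}
	letter := []byte("constructed sample letter: meet at the bridge at eight")
	sealed, err := sealLetter(s, letter)
	if err != nil {
		return false, false, err
	}
	// Lao Wang sees S0 in transit; unwrapping works only if S0 was made with his key.
	if k, err := unwrapKey(laoWang, s0); err == nil {
		laoWangHasS = bytes.Equal(k, s)
		// He forwards S re-wrapped with Xiaoming's real key so nothing looks wrong.
		if s0, err = wrapKey(&xiaoming.PublicKey, k); err != nil {
			return false, laoWangHasS, err
		}
	}
	// Xiaoming unwraps whatever arrived and reads the letter with it.
	if k, err := unwrapKey(xiaoming, s0); err == nil {
		p, err := openLetter(k, sealed)
		xiaomingReads = err == nil && bytes.Equal(p, letter)
	}
	return xiaomingReads, laoWangHasS, nil
}
```

Both runs end with Xiaoming reading the letter normally; only the substituted run also ends with Lao Wang holding S, which is why the rest of the post has to find a way to authenticate the public key itself.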

Ahhhhh

To transmit the key securely, we generated a private/public key pair, gave the public key to Xiaohua, and Xiaohua encrypted the key with the public key before transmitting it,

so that only Xiaoming could decrypt it. We never imagined that the transmission of the public key itself was not secure.

It's hard enough to have a romance. Lao Wang, what are you up to...

When something goes wrong it has to be solved; now it is the transmission of the public key that is unsafe.

This is similar to the questions above: how to securely transmit the content of the letter to the other party, and how to securely transmit the key to the other party?

Now the question is: how to securely transmit the public key to the other party?

It feels like an endless loop: securely transmitting the content of the letter, securely transmitting the key, securely transmitting the public key.

The essence is similar, but the things transmitted differ, and so do the methods used.

Question 5: How does Xiaoming securely transmit his public key to Xiaohua?

From the problems solved above, you know:

  • How to securely transmit the content of the communication to the other party? Solution: communicate with symmetric encryption
  • How to securely transmit the key S to the other party? Solution: asymmetric encryption. Xiaoming gives his public key to Xiaohua, Xiaohua encrypts the key S with it and sends it to Xiaoming, and Xiaoming decrypts it with his own private key; since only Xiaoming can decrypt it, this is secure

Now the new question is: how can the public key be securely transmitted to the other party?

Use symmetric or asymmetric encryption again? Neither works; this approach no longer helps.

Think about life: when we have a dispute or a problem, who do we trust most? It must be the government.

Now, downloading the public key from Xiaoming is no longer reliable or secure.

Who should I trust? From whom can I get Xiaoming's real public key?

So we set up an institution that everyone trusts; I simply trust this institution 100 percent, unconditionally. That is the rule.

We give this institution a name: the CA.

Now we throw the problem to the CA: whether you are Xiaohua, Xiaoli or Xiaomei, whenever you need Xiaoming's public key, you get it from the CA.

Where does the CA get Xiaoming's public key? Xiaoming must have given it. As far as Xiaoming is concerned: I have given my public key to you, the CA, and you must make sure it reaches others safely.

The CA is unlucky enough: all the work you can't handle gets thrown at me, and I'm not even the one in love with Xiaohua...

Complaints aside, how does the CA solve it?

The answer is the digital certificate. Yet another term! What on earth is a digital certificate? Dizzy already? Don't worry: when you feel dizzy at this point, go back and read what was written earlier.

Read it a few more times. Don't forget, the author also read it N times, asked himself the questions and tried to solve them himself before understanding the process.

Let's start with the conclusion: digital certificates solve the problem of public key transmission.

Important things are said three times: digital certificates solve the problem of public key transmission, digital certificates solve the problem of public key transmission, digital certificates solve the problem of public key transmission.

Before talking about digital certificates, let's solve another problem.

Question 6: During the transmission of letters, how do we ensure that the content is not tampered with, that is, the integrity of the information?

Combining the encryption knowledge from earlier, we can use a one-way encryption algorithm; we take MD5 as the example.

  1. After writing the letter to Xiaohua, Xiaoming runs the content of the letter through MD5 once to get a unique string, which we call the digest
  2. At the bottom of the letter Xiaoming writes the name of the one-way algorithm, md5, and the digest MD5 computed over the content, and sends it to Xiaohua
  3. Receiving the letter, Xiaohua sees md5 written at the bottom, so she computes MD5 over the content of the letter to get a new digest
  4. Xiaohua compares the new digest with the one attached at the bottom of the letter; if they are equal, the letter has not been changed
  5. If not, the content of the letter has been changed by someone else.

This process is shown in the following figure.

[figure]

But even this process is problematic, if Lao Wang appears again:

  1. First, Lao Wang gets the letter and changes it
  2. Lao Wang runs the new content through MD5 to get a new digest string
  3. Lao Wang puts the new string at the bottom of the letter and sends it to Xiaohua
  4. When Xiaohua receives the letter, she has no way to tell whether it was tampered with.

As shown in the following figure:

[figure]

Therefore, simply using a one-way algorithm to generate a digest cannot guarantee the integrity of the content.

So how can we ensure the integrity of the letter, that it is not tampered with?

The answer: a signature.

Another term, signature; there are too many terms in this article.

From earlier we know that asymmetric encryption has two functions, one of which is identity authentication.

Let's modify the example above:

  1. Xiaoming computes MD5 over the content of the letter to get a string, which we call the digest
  2. Xiaoming encrypts the digest with his private key to get another string, which we call the signature
  3. He sends the algorithm name (md5), the digest and the signature to Xiaohua together with the letter
  4. Xiaohua decrypts the signature with Xiaoming's public key and obtains a digest of the letter; call it d1
  5. Xiaohua computes MD5 over the content of the letter to obtain its digest; call it d2
  6. Compare d1 and d2; if they are equal, the content of the letter has not been tampered with
  7. If d1 and d2 are not equal, the content of the letter has been tampered with.

At this point the process is secure.

If Lao Wang intercepts the letter again, he can modify the content and compute a new digest with MD5,

but he cannot modify the signature. Because the signature was encrypted with Xiaoming's private key, even if Lao Wang can decrypt it,

he has no way to generate a new signature, because Xiaoming's private key is owned only by Xiaoming.

Moreover, when Xiaohua receives the letter she decrypts the signature with Xiaoming's public key; if Lao Wang encrypted the digest with his own private key to produce a new signature,

Xiaohua cannot decrypt it with Xiaoming's public key.

At this point, let's define a few concepts:

Digest: the string produced by running the content through MD5 (or another one-way algorithm) is called the digest

Signature: the string produced when Xiaoming encrypts the digest with his private key is called the signature

Signature verification: Xiaohua decrypts the signature with Xiaoming's public key and compares the decrypted digest with the one she computes herself; this is called signature verification
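The digest-only check and the signed letter from Question 6, as an added Go example (not the post's own code). SHA-256 stands in for MD5 and RSA PKCS#1 v1.5 is the signature scheme; both are assumptions, since the post names only MD5. The letters are constructed.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// Letter is what travels: the content, the digest algorithm named at the bottom,
// the digest itself, and the signature (the digest "encrypted" with the private key).
type Letter struct {
	Content   []byte
	Algorithm string
	Digest    []byte
	Signature []byte
}

// digest is the post's one-way step, with SHA-256 in place of MD5.
func digest(content []byte) []byte {
	d := sha256.Sum256(content)
	return d[:]
}

// Sign is Xiaoming's side: compute the digest, then sign it with his private key
// (RSA PKCS#1 v1.5 signatures are assumed; the post does not name a scheme).
func Sign(priv *rsa.PrivateKey, content []byte) (Letter, error) {
	d := digest(content)
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, d)
	if err != nil {
		return Letter{}, err
	}
	return Letter{Content: content, Algorithm: "SHA-256", Digest: d, Signature: sig}, nil
}

// DigestOnlyCheck is the first attempt from the post: recompute the digest and
// compare it with the one written at the bottom of the letter.
func DigestOnlyCheck(l Letter) bool {
	return bytes.Equal(digest(l.Content), l.Digest)
}

// Verify is signature verification: the signature is opened with Xiaoming's public
// key to get d1, the content is hashed to get d2, and the two must match.
func Verify(pub *rsa.PublicKey, l Letter) bool {
	if l.Algorithm != "SHA-256" {
		return false
	}
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest(l.Content), l.Signature) == nil
}

// Tamper is Lao Wang's rewrite: new content and a fresh digest, signature left as is,
// because he has no way to produce one with Xiaoming's private key.
func Tamper(l Letter, content []byte) Letter {
	l.Content = content
	l.Digest = digest(content)
	return l
}

// Result collects the four checks the post walks through.
type Result struct {
	DigestOnlyAcceptsTampered bool // true: a bare digest cannot detect the rewrite
	SignatureAcceptsOriginal  bool // true
	SignatureAcceptsTampered  bool // false: the digest no longer matches the signature
	SignatureAcceptsForeign   bool // false: signed with Lao Wang's key, checked with Xiaoming's
}

// Run signs a constructed letter, tampers with it, and records what each check says.
func Run() (Result, error) {
	xiaoming, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return Result{}, err
	}
	laoWang, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return Result{}, err
	}
	original, err := Sign(xiaoming, []byte("constructed letter: the banquet is on Sunday"))
	if err != nil {
		return Result{}, err
	}
	tampered := Tamper(original, []byte("constructed letter: the banquet is cancelled"))
	foreign, err := Sign(laoWang, tampered.Content) // Lao Wang re-signs with his own key
	if err != nil {
		return Result{}, err
	}
	pub := &xiaoming.PublicKey
	return Result{
		DigestOnlyAcceptsTampered: DigestOnlyCheck(tampered),
		SignatureAcceptsOriginal:  Verify(pub, original),
		SignatureAcceptsTampered:  Verify(pub, tampered),
		SignatureAcceptsForeign:   Verify(pub, foreign),
	}, nil
}
```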

Question 7: Where do digital certificates come from?

Digital certificates are issued by a CA. If Xiaoming wants a digital certificate, he first has to apply to the CA.

The CA issues Xiaoming a digital certificate, which contains:

  1. Public key: Xiaoming's public key
  2. Issuer: the CA (Certificate Authority)
  3. Validity period: the period during which the certificate is valid
  4. Digest algorithm: specifies the algorithm used to compute the digest of the certificate
  5. Thumbprint: the digest of the certificate, which ensures the certificate's integrity
  6. Signature algorithm: used to generate the signature that proves the certificate was signed by the CA
  7. Serial number: a unique identifier for the certificate

Knowing what the certificate contains, let's see how it is generated:

  1. Write Xiaoming's public key, the issuer, the validity period, the digest algorithm and the signature algorithm into the certificate
  2. Using the digest algorithm specified in the certificate, the CA computes a digest of the entire certificate, the thumbprint
  3. Using the signature algorithm and the digest from the previous step, the CA encrypts the digest with its own private key to generate the CA's signature
  4. Finally, the digest, the signature and the basic certificate information are published together: this is Xiaoming's certificate

Question 8: What do digital certificates do?

From the above we know that digital certificates solve the problem of public key transmission, and that a digital certificate is a file.

Since digital certificates are there to solve the secure transmission of public keys, how do they do it?

Now that Xiaoming has his own certificate, we no longer transmit the public key on its own; we only need to transmit the certificate.

So, Xiaoming and Xiaohua need secure communication; what is the process now? As follows:

  1. Xiaoming sends his digital certificate to Xiaohua
  2. Worried that Lao Wang may have swapped the certificate, Xiaohua needs to verify it. Verify what?
  3. In fact, she verifies whether the certificate was issued by a CA; if it was not, we consider the transmission insecure.
  4. To verify that the digital certificate was issued by a CA, you need the CA's public key (why? because the signature on the certificate was encrypted with the CA's private key, and only the CA's public key can decrypt it). Wait, we just spent ages on how to transmit a public key, and now we need another one! So let's rephrase: to verify whether a digital certificate was issued by the CA, you need the CA's own digital certificate (because it contains the CA's public key)
  5. So where do we find the CA's digital certificate? From the description above, when we need a digital certificate we apply to the CA and the CA issues it.
  6. So where does the CA get its own digital certificate? The answer: it issues it to itself. Then where do we get it from?
  7. If you download it from the Internet or from some other server, it may be swapped along the way, which is not safe.
  8. This is a sad story, but today Brother Rabbit has to finish it.
  9. Downloading digital certificates from the Internet or other servers is not secure, so what is?
  10. The answer: when your computer's operating system is installed, it already comes with many CA digital certificates built in
  11. That is, as long as you have installed an operating system, whether Windows, Linux or Mac, or bought a new computer, the CAs' digital certificates are already in it
  12. These are trustworthy, genuine CA certificates; there will be no fakes (unless you installed a pirated operating system, which is why we try to use a genuine one)

The process above is really complicated, and Brother Rabbit also took a long time to figure it out. I know this interview question trips up many people; in fact, not knowing the HTTPS process doesn't matter.

It doesn't affect your code, but interviewers love to ask about this, as if understanding the process were some great feat; it would be nicer if they asked about design patterns instead.

So: our computers come with the CA's digital certificate from birth, and it is genuine. Born with it. Heaven decides, and heaven is the greatest; therefore we can tell genuine digital certificates from fake ones.

Question 9: Validating digital certificates

From the above you know:

When Xiaohua receives Xiaoming's digital certificate, the first thing to verify is whether it was issued by a CA.

Because our operating system has the digital certificates of the CAs built in, we can validate digital certificates.

Before describing the process, let's briefly review how the digest and the signature are produced:

Digest = md5(certificate content): a one-way algorithm such as MD5 is run over the entire content of the certificate to get the digest, also called the certificate's thumbprint

Signature = privateKey(digest): the private key encrypts the digest above to produce the signature

The verification process for a digital certificate is as follows:

  1. Xiaohua uses the built-in CA digital certificate to obtain the CA's public key
  2. Call the digital certificate Xiaoming sent C. Xiaohua decrypts the signature in certificate C with the CA's public key to get the digest D
  3. Using the digest algorithm named in certificate C, say MD5, Xiaohua computes MD5 over the entire content of the certificate to get the digest D1
  4. Xiaohua compares digest D with digest D1
  5. If D == D1, the certificate was issued by the CA
  6. If D != D1, the certificate was not issued by the CA; it is risky and not secure

If the certificate passes validation, it really was issued by the CA, and Xiaohua can take Xiaoming's public key from it.

Because when Xiaoming applied for the certificate its owner was Xiaoming and the CA verified Xiaoming's identity, the public key in the certificate really is Xiaoming's.

So far we have finally accomplished one thing: Xiaoming has securely transmitted his public key to Xiaohua.

With this established, the rest of the work is much easier. Next, let's look at the complete transfer process.

Question 10: The complete transfer process

Let's look at Xiaoming's communication with Xiaohua again; it differs from before:

  1. Xiaoming finishes the letter, and at the bottom attaches the digest algorithm, say MD5, and the digest computed with MD5
  2. Xiaoming encrypts the digest from the previous step with his private key to get a signature
  3. Xiaoming attaches the digest algorithm, the digest and the signature to the bottom of the letter, and sends it to Xiaohua together with his digital certificate
  4. On receiving the letter, Xiaohua first uses her own built-in CA digital certificate to obtain the CA's public key, then verifies the digital certificate with it (the process described above)
  5. Once the digital certificate passes validation, it was issued by the CA and has not been tampered with
  6. Xiaohua takes Xiaoming's public key from the certificate
  7. With Xiaoming's public key, the next step is to verify the content of the letter

The verification process for the content of the letter is as follows (we actually covered it earlier):

  1. Xiaohua decrypts the signature of the letter with Xiaoming's public key and obtains the digest D1
  2. Xiaohua computes the digest of the letter with the digest algorithm and obtains the digest D2
  3. Xiaohua compares whether D1 equals D2
  4. If they are not equal, the letter has been tampered with and is not safe
  5. If they are equal, the content of the letter has not been tampered with
  6. In the equal case, Xiaohua accepts the contents of the letter

Summary:

Everything above covers digital certificates, encryption and decryption, signing and signature verification, but is not yet the formal HTTPS process.

With the knowledge above it is much easier to talk about HTTPS. Let's look at a picture:

[figure]

Let's take the website www.helloworld.net as an example to explain the HTTPS process.

The process is divided into 3 phases, described below.

The phases of accessing www.helloworld.net are as follows:

  • Phase 1: the website requests a certificate
    • The website applies to a CA for a digital certificate (it must submit some materials, such as its domain name)
    1. The CA writes important information such as the digest algorithm, the domain name and the website's public key into the certificate
    2. The CA computes the digest of the certificate with the digest algorithm written in it
    3. The CA encrypts the digest with its own private key to compute the signature
    4. The CA generates the digital certificate and issues it to www.helloworld.net
    5. The website administrator puts the certificate on his own server
  • Phase 2: the browser validates the certificate
    • The user enters https://www.helloworld.net in the browser's address bar and presses Enter
    1. The server sends its digital certificate to the browser
    2. The browser uses the CA's digital certificate built into the operating system to obtain the CA's public key
    3. The browser verifies the digital certificate of www.helloworld.net with the CA's public key
    4. Specifically, the browser decrypts the signature in helloworld's digital certificate with the CA's public key to obtain the digest D1
    5. The browser computes the digest D2 of the certificate using the digest algorithm named in helloworld's digital certificate
    6. It compares D1 and D2.
    7. If they differ, the certificate has been swapped and is rejected
    8. If they are equal, certificate validation passes.
  • Phase 3: negotiate a symmetric key
    • After the browser has validated the digital certificate
    1. The browser takes the public key from the digital certificate, which is the public key of www.helloworld.net
    2. Having the website's public key, the browser encrypts the key S with it and sends the ciphertext to the server
    3. On receiving the ciphertext, the server decrypts it with its own private key to obtain the key S
    4. From then on, the browser and the server both use the key S for symmetric encrypted communication.

The story is finally finished; it took a whole day.

There are many steps, but it is actually very simple if you grasp a few key questions; in essence it is about two people communicating securely and efficiently.

Let's summarize again briefly in question-and-answer form, which I think works better.

Question 1: How do Xiaoming and Xiaohua communicate securely?

Answer: by encryption

Question 2: Which encryption method is more efficient for communication?

Answer: symmetric encryption

Because one-way encryption cannot be decrypted: no

Asymmetric encryption is too slow: no

Only symmetric encryption is fast

Question 3: How can the key S used for symmetric encryption be transmitted securely?

Answer: Xiaohua encrypts the key S with Xiaoming's public key and sends it to Xiaoming,

and Xiaoming decrypts it with his private key

Question 4: How does Xiaoming securely transmit his public key to Xiaohua?

Answer: with a digital certificate

Specifically, Xiaoming applies to the CA for his own digital certificate, which contains his public key,

and Xiaoming sends the digital certificate to Xiaohua

Question 5: How does Xiaohua verify the authenticity of a digital certificate?

Answer: Xiaohua uses the CA's digital certificate built into the operating system to obtain the CA's public key, and uses the CA's public key to verify the signature on the digital certificate

If the signature verification passes, the digital certificate is genuine.

I hope readers ask themselves these questions more: if it were you, how would you solve the problem?