Android security encryption: detailed explanation of HTTPS programming
Android security encryption feature article index
All the topics covered above (symmetric encryption, asymmetric encryption, message digests and digital signatures) are preparatory knowledge for understanding how digital certificates work. The digital certificate is the ultimate weapon of cryptography and the crystallization of wisdom that humanity has accumulated over thousands of years. Only once the working principle of digital certificates is understood can the secure communication mechanism of the HTTPS protocol be understood, and only then does SSL development become straightforward.
In addition, symmetric encryption and message digests can each be used on their own.
Knowledge points in series:
Digital certificates draw on all of the knowledge covered above.
After studying the contents above, we should have mastered the following knowledge points:
Summary
SSL (Secure Sockets Layer) was developed by Netscape to secure data transmitted over the Internet. Using data encryption, it ensures that data cannot be intercepted or eavesdropped on while in transit across the network. The general specification is the 40-bit security standard; the United States introduced a stronger 128-bit standard, but its export was restricted. Only Internet Explorer or Netscape browsers of version 3.0 or later support SSL.
TLS (Transport Layer Security) provides confidentiality and data integrity between two communicating applications. TLS is the standardized successor of SSL. It has three versions, 1.0, 1.1 and 1.2, with 1.0 used by default. There is almost no difference between TLS 1.0 and SSL 3.0. In practice we all use TLS today, but out of historical habit we still call it SSL.
Simple illustration of SSL communication:
Detailed diagram of SSL communication:
When requesting data from a website that uses a self-signed certificate, for example the 12306 passenger service page https://kyfw.12306.cn/otn/ , the request fails because the certificate does not chain to any certification authority in the client's trusted root store. The error message is: unable to find valid certification path to requested target
Solution 1
Whether a certificate is trusted is decided by the TrustManager, so this solution simply supplies a custom TrustManager that does nothing: every certificate presented by the server is accepted without any verification.
Solution 2
The certificate presented by the 12306 server is issued by the SRCA of China Railway Group, so the SRCA certificate can validate the 12306 certificate. It is therefore enough to import the SRCA certificate into a KeyStore and hand that KeyStore to the TrustManagerFactory for initialization. This adds the SRCA to the set of trusted root certification authorities, and the 12306 certificate then passes verification because it chains to the SRCA.
There are two ways to apply this solution: either use the srca.cer file directly, or convert the file to its RFC (PEM) text form and embed that string in the code.
HTTPS request in Android:
Place the srca.cer file in the assets or raw directory, or use the RFC (PEM) text form of the certificate directly. The rest of the procedure is the same as in the Java project code.
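The following is an added example of Solution 2 in plain Java (it is not code from the original article). It reads the SRCA certificate from the srca.cer file named above, puts it into an otherwise empty KeyStore, initializes a TrustManagerFactory from that KeyStore and uses the resulting SSLContext for an HttpsURLConnection to the 12306 page. The class and method names are my own; on Android the InputStream would come from assets or raw resources instead of a file path.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class CustomCaHttps {

    // Builds an SSLContext whose trust store contains ONLY the CA read from caCert
    // (srca.cer in this article). Hostname verification is left at the default,
    // so the server name is still checked against the presented certificate.
    public static SSLContext sslContextTrustingOnly(InputStream caCert) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        Certificate ca = cf.generateCertificate(caCert);   // accepts DER or PEM input

        // Fresh, empty KeyStore with a single trusted entry: the SRCA root.
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null);
        ks.setCertificateEntry("srca", ca);

        // The TrustManagerFactory initialized from this KeyStore only trusts chains
        // that end at the SRCA certificate; the system roots are not consulted.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(
                TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static int fetchStatus(String url, SSLContext ctx) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) new URL(url).openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        // No setHostnameVerifier(...) override: the default hostname check stays active.
        return conn.getResponseCode();
    }

    public static void main(String[] args) throws Exception {
        // Android equivalent: context.getAssets().open("srca.cer") or
        // getResources().openRawResource(R.raw.srca). A file path is used here.
        try (InputStream in = new FileInputStream(args.length > 0 ? args[0] : "srca.cer")) {
            SSLContext ctx = sslContextTrustingOnly(in);
            System.out.println("HTTP status: " + fetchStatus("https://kyfw.12306.cn/otn/", ctx));
        }
    }
}
```

Run it with the path to srca.cer as the only argument; with the file missing or a different CA in it the handshake fails with the same "unable to find valid certification path" error the article describes.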
Two-way certificate verification
Nogotofail
A network traffic security testing tool, open-sourced by Google: https://github.com/google/nogotofail