Vanilla HTTP
The browser opens a TCP connection for you (the fetch API can do this for you).
HTTP can run over UDP or TCP because it is stateless.
HTTPS uses a different port from HTTP: 80 -> 443.
A handshake happens before the HTTP request is sent = it gives the same symmetric (shared) key to client and server.
TCP blindly transfers the GET request (it doesn't even know whether the request is encrypted) -> the server decrypts it with the key.
HTTP version 1 closed the connection after a request/response, but HTTP version 2 doesn't; it keeps the connection alive.
Client hello == tells the server which security options the client supports (RSA, AES, key exchange ...).
Server hello == sends the server's certificate (which carries the public key).
Change cipher, fin == the client sends an encryption key (it can be a random number; it is called the session key) encrypted with the public key,
but this session key can be stolen if the server is compromised, so this is not secure.
Red (client) + blue (server) == these 2 keys are never sent; only the public key is sent.
Pink = the public key; the client usually generates it.
Combining all three gives the yellow private key.
With this combination both sides can share a private key without sending it.
Client hello == send the client's private key mixed with the public key (red + pink) -> the server makes the yellow key.
Server hello == send the server's private key mixed with the public key (blue + pink) -> the client makes the yellow key.
Even if a bad guy steals the client hello and the server hello, they cannot get the yellow key, because the 2 messages only contain the public (pink)-mixed keys.
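The colour analogy above is Diffie-Hellman key agreement. The following is an added example (not from these notes or from the Java Brains video) that maps the colours onto toy modular arithmetic; the prime, generator and the `handshake` helper are constructed for readability and are far too small for real use.

```python
"""Toy Diffie-Hellman mirroring the colour analogy in the notes.

Constructed mapping:
  pink   = public parameters (p, g) that everyone, eavesdropper included, sees
  red    = client's private exponent, never sent
  blue   = server's private exponent, never sent
  yellow = shared secret both sides compute, never sent
Real TLS uses 2048-bit groups or elliptic curves (e.g. X25519); the values
here are tiny so the arithmetic is readable.
"""
import hashlib
import secrets

# "pink": public parameters (constructed toy values; 2**31 - 1 is prime)
P = 2_147_483_647
G = 7


def make_private(p: int = P) -> int:
    """Pick a random private exponent (red for the client, blue for the server)."""
    return secrets.randbelow(p - 2) + 1


def mix_with_public(private: int, p: int = P, g: int = G) -> int:
    """'Mix the private colour with pink': the value carried in a hello message."""
    return pow(g, private, p)


def derive_shared(received_mix: int, own_private: int, p: int = P) -> int:
    """'Mix the other side's mixture with your own private colour' -> yellow."""
    return pow(received_mix, own_private, p)


def session_key(shared: int) -> bytes:
    """Turn the shared secret into a symmetric key (TLS uses a KDF for this step)."""
    return hashlib.sha256(shared.to_bytes(32, "big")).digest()


def handshake(client_private: int, server_private: int, p: int = P, g: int = G):
    """Run the exchange and return (client yellow, server yellow, eavesdropper view)."""
    client_hello = mix_with_public(client_private, p, g)  # red + pink
    server_hello = mix_with_public(server_private, p, g)  # blue + pink
    client_yellow = derive_shared(server_hello, client_private, p)
    server_yellow = derive_shared(client_hello, server_private, p)
    # Everything an eavesdropper can record: neither private exponent nor yellow is here.
    seen = {"p": p, "g": g, "client_hello": client_hello, "server_hello": server_hello}
    return client_yellow, server_yellow, seen
```

Both sides end up with the same yellow value, while the recorded view holds only pink-mixed values; recovering yellow from them is the discrete logarithm problem, which is what makes the exchange safe for realistically sized groups.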