Menu Sidebar
Menu

[Reading] The First Few Milliseconds of an HTTPS Connection

链接: http://www.moserware.com/2009/06/first-few-milliseconds-of-https.html

这是一篇2009年发布的文章, 文章以在亚马逊购物的任意的一个链接作为引子, 通过解释其中https的各层工作原理, 加密suits和相关文章, 总结了https的大部分工作原理.

文章着重的介绍了https的Transport Layer Security (TLS) 和Application Layer的一些主要的(非全部)加密措施, 其中大量篇幅侧重于RSA的工作原理. 虽然作者解释RSA是在2009年(10年前), 但是作者的思路清晰, 例子得当, 并且言简意赅, 虽然文章中的加密是10年前的版本, 但是RSA的思路确实万变不离其宗, 以下是精髓部分的quote.

其中重点的部分:

You pick two huge prime numbers “p” and “q.” Multiply them to get “n = p*q.” Next, you pick a small public exponent “e” which is the “encryption exponent” and a specially crafted inverse of “e” called “d” as the “decryption exponent.” You then make “n” and “e” public and keep “d” as secret as you possibly can and then throw away “p” and “q” (or keep them as secret as “d”). It’s really important to remember that “e” and “d” are inverses of each other.
Now, if you have some message, you just need to interpret its bytes as a number “M.” If you want to “encrypt” a message to create a “ciphertext”, you’d calculate:
C ≡ Me (mod n)
This means that you multiply “M” by itself “e” times. The “mod n” means that we only take the remainder (e.g. “modulus”) when dividing by “n.” For example, 11 AM + 3 hours ≡ 2 (PM) (mod 12 hours). The recipient knows “d” which allows them to invert the message to recover the original message:
Cd ≡ (Me)d ≡ Me*d ≡ M1 ≡ M (mod n)
Just as interesting is that the person with “d” can “sign” a document by raising a message “M” to the “d” exponent:
Md ≡ S (mod n)
This works because “signer” makes public “S”, “M”, “e”, and “n.” Anyone can verify the signature “S” with a simple calculation:
Se ≡ (Md)e ≡ Md*e ≡ Me*d ≡ M1 ≡ M (mod n)
Public key cryptography algorithms like RSA are often called “asymmetric” algorithms because the encryption key (in our case, “e”) is not equal to (e.g. “symmetric” with) the decryption key “d”. Reducing everything “mod n” makes it impossible to use the easy techniques that we’re used to such as normal logarithms. The magic of RSA works because you can calculate/encrypt C ≡ Me (mod n) very quickly, but it is really hard to calculate/decrypt Cd ≡ M (mod n) without knowing “d.” As we saw earlier, “d” is derived from factoring “n” back to its “p” and “q”, which is a tough problem.

http://www.moserware.com/2009/06/first-few-milliseconds-of-https.html

总结一下就是:

  • p和q一定要要大
  • e和d一定互为模倒数, 即满足 e*d = 1 (mod n)
  • RSA主算法:
    • 加密 C ≡ Me (mod n). M是明文数据,就是要加密的东西
    • 解密 Cd ≡ (Me)d ≡ Me*d ≡ M1 ≡ M (mod n)
  • Me 这个就是大数乘法,已经有很多现存的优化算法, 速度快。
  • 如果强行破解,那么 C -> M (mod n). 很难,https://en.wikipedia.org/wiki/Integer_factorization

文章后边还介绍了Master Secret的生成和Ron’s Code #4 (RC4), 一种基于xor性质的流加密.不过只是介绍了应用部分, 没有相信的展开里面的算法内容.

总体来说只是介绍了https的一些主要的加密措施, 对于入门的新手还是不错的了解.

Common Errors when installing VisualEditor/Parsoid in MediaWiki in CentOS 7

OK ok, here are all the errors I have during my installation.

My environment:

MediaWiki1.32.0
PHP7.3.6 (apache2handler)
MariaDB5.5.60-MariaDB
ICU62.1

Why do I have to use this environment ?

  • 1.32.0 is the ONLY stable version now, the current latest one is NOT stable at all. Try it, you will know that.
  • The tricky part in here is that the current version of VE (Visual Editor) is NOT compatible with 1.32.0. You have to download the previous stable one in https://www.mediawiki.org/wiki/Special:ExtensionDistributor/VisualEditor
  • However, the current version of parsoid is compatible with any version of VE and MW.

Next, The setting of domain inLocalSettings.php and /opt/parsoid/config.yaml must match, but you can use anything you want.

Next, you may have a ShortUrl setting by following https://shorturls.redwerks.org/ . If you have a problem to find the right path of api.php, just visit Special:Version, in the section Entry point URLs, you can find the path of api.php.

Next, the current version of Parsoid (0.10.0) does NOT work with Mediawiki 1.32.0 (the stable version). When you setup Flow, an extension for structural discussion, you will have the following error:

[[email protected]] Exception caught: Request to parsoid for “wikitext” to “html” conversion of content connected to title “Topic:V0udrm1q2u5nayuv” failed: 406

Please note that, it only shows in your Talk page. It is because the latest version of Parsoid removed the following config:

ParsoidConfig.prototype.strictAcceptCheck

So, the solution is uninstall 0.10.0, and install 0.9.0 with

ParsoidConfig.prototype.strictAcceptCheck = false

in parsoid/lib/config/parsoidconfig

Finally, I am using CentOS7 in Amazon Lightsail. It has a default setting called SELinux (https://en.wikipedia.org/wiki/Security-Enhanced_Linux). You probably don’t want to read it at all. So just go to /etc/selinux/config and set SELINUX=disabled. It will save you from tons of errors, including but not limited to:

  • Error loading data from server: (curl error: 7) Couldn’t connect to server
  • oldidnotfound: There is no revision with ID 0.
  • VE works in some pages but not all.
  • VE does not show up after reboot.
  • php session id fail in /var/log/httpd/access_log(Yes, it solved this error and I don’t know why).
Older Posts

书脊

这青苔碧瓦堆, 俺曾睡风流觉, 将五十年兴亡看饱.

June 2019
M T W T F S S
« May    
 12
3456789
10111213141516
17181920212223
24252627282930