Interview_HTTP/HTTPS/Digital Signature/TLS/SSL/DNS/JWT

📌 HTTP

HTTP, HTTPS summary post: https://soheeparklee.github.io/posts/n-6httphttps/

✅ What is HTTP?
- Hypertext Transfer Protocol
- allows data transfer on the WWW
- client-server

- HTTP request: method
- HTTP response: status code
- message: status line + header + body

- connectionless
- stateless: cookie, session

- HTTP/1.0: non-persistent
- HTTP/1.1: persistent, pipelining
- HTTP/2: multiplexing, server push
- HTTP/3: UDP
- pipelining 🆚 multiplexing


✅ What does an HTTP request look like, and what is its message format?
- HTTP request: method

- GET
- POST
- HEAD
- PUT
- PATCH
- DELETE
- CONNECT
- OPTIONS
- TRACE

- message format: status line + header + body
- header: host, user-agent, accept-language, encoding, charset


✅ What is inside the status line?
- HTTP version, HTTP method (request) or status code (response)


✅ What is the difference between GET and POST?
- GET: fetch data from the server; data goes in the HTTP packet header
- POST: send client data to the server; data goes in the HTTP packet body


✅ Why is the data in the header for GET and in the body for POST?
- visibility: data in the header (GET) is part of the URL parameters
- security: data in the URL parameters is visible ➡️ less secure, since it is exposed
- length limitation: the URL has a length limit
- GET data in the header is cacheable
- POST data stays in the body, out of the URL
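As an added example (not from the original post), a small parser for two constructed HTTP/1.1 requests that shows where GET and POST carry their data and how Content-Length frames the body; the hostnames and form values are made up for the demo:

```python
from urllib.parse import parse_qs, urlsplit

# Two constructed HTTP/1.1 requests (sample input, not captured traffic).
GET_REQ = (b"GET /search?q=jwt&lang=en HTTP/1.1\r\n"
           b"Host: example.test\r\n"
           b"User-Agent: demo/1.0\r\n"
           b"Accept-Language: en\r\n\r\n")
POST_REQ = (b"POST /login HTTP/1.1\r\n"
            b"Host: example.test\r\n"
            b"Content-Type: application/x-www-form-urlencoded\r\n"
            b"Content-Length: 20\r\n\r\n"
            b"user=alice&pw=s3cret")

FORM = "application/x-www-form-urlencoded"


def parse_request(raw: bytes) -> dict:
    """Split a request into status (request) line, headers and body.

    The body is delimited by Content-Length, which is what lets a server
    tell pipelined requests apart on one persistent connection.
    """
    head, _, rest = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    length = int(headers.get("content-length", "0"))
    body = rest[:length]
    if len(body) != length:
        raise ValueError("truncated body: Content-Length not satisfied")
    url = urlsplit(target)
    # GET data rides in the URL (logged, cached, visible in history);
    # POST form data rides in the body, out of the URL.
    query = {k: v[0] for k, v in parse_qs(url.query).items()}
    form = {}
    if headers.get("content-type", "").startswith(FORM):
        form = {k: v[0] for k, v in parse_qs(body.decode("latin-1")).items()}
    return {"method": method, "path": url.path, "version": version,
            "headers": headers, "query": query, "form": form, "body": body}


def data_location(req: dict) -> str:
    """Where the client's data lives for this request: 'url', 'body' or 'none'."""
    if req["query"]:
        return "url"
    return "body" if req["body"] else "none"
```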


✅ What is the difference between PUT and PATCH?
- PUT: replace all of the data on the server
- PATCH: change part of the data on the server


✅ What does an HTTP response look like, and what is its message format?
- HTTP response: status code

- 200: GET success
- 201: POST success (created)
- 3xx: redirect
- 4xx: client error
- 400: bad request
- 401: unauthorized
- 404: cannot find resource
- 5xx: server error
- 500: internal server error
- 502: gateway error

- message format: status line + header + body
- header: date, server, last-modified, content-type


✅ What is an HTTP header?
- part of the HTTP request/response message, carrying information about the message
- Request: host, user-agent, keep-alive, accept-language, charset, encoding that the browser can accept
- Response: date, server, last-modified, content-type, cache-control


✅ What is HTTP keep-alive?
- HTTP is connectionless
- HTTP connection: persistent, non-persistent
- HTTP/1.0: non-persistent
- from HTTP/1.1: can keep the connection open

- keep-alive: feature of HTTP/1.1
- header to set the timeout and the maximum number of requests (limits pipelining)


✅ What is pipelining? Benefits and disadvantages?
- from HTTP/1.1
- persistent connection
- does not have to wait for a response; can send several requests back to back
- however, responses are received in order (123 ➡️ 123)
- 👍🏻 lower network latency
- 👎🏻 head-of-line blocking


✅ What is multiplexing?
- from HTTP/2
- like pipelining, but responses do not have to be received in order (123 ➡️ whichever response is ready first is received first)


✅ Evolution of HTTP?
- HTTP/1.0: TCP, non-persistent
- HTTP/1.1: persistent, pipelining
- HTTP/2: multiplexing, server push
- HTTP/3: UDP


✅ What is HTTP/2 server push?
- the server proactively sends a resource even before the client requests it!


✅ What does HTTP stateless mean?
- the HTTP server does not remember the client's previous requests
- need session, cookie


✅ Why do we need cookies, sessions, JWT?
- because HTTP is stateless


✅ What is a cookie, what is a session?
Cookie:
  • purpose: lets the server distinguish clients
  • track user behavior
  • server issues the cookie and gives it to the client
  • client holds the cookie and sends it with each request to the server
  • 👎🏻 a malicious user can alter or forge a cookie

Session:
  • authenticate the user
  • saved on the server (DB, memory)
  • 👍🏻 can kick out a user on malicious behavior
  • 👎🏻 difficult to scale the server
  • 👎🏻 burden on the server (needs to store every user session)


✅ What is a token?
- stateless: the server does not remember the user
- server issues a token to the client
- client uses this token to verify itself

- issued by the server with a digital signature (with the server's private key)
- user presents this JWT every time it makes a request to the server
- server verifies the JWT with the public key


✅ What are the benefits of using a token?
- 👍🏻 server burden ⬇️
- 👍🏻 server scalability ⬆️
- 👍🏻 OAuth


✅ What is JWT?
- token used for authorization
- JSON, string

- server authenticates the client
- when authenticated, issues a token made of [header + payload] + digital signature
- client sends the JWT every time it makes a request
- server verifies the token with the public key


✅ What is the JWT structure?
- Header.Payload.Signature
- Header: algorithm, type, key for the digital signature
- Payload: JWT information (claims): client information, token creation date...
- Signature: encode [Header + Payload] and sign with the private key


Session 🆚 Cookie 🆚 JWT 🔗 session, cookie, token



📌 HTTPS, SSL/TLS

✅ What is HTTPS?
- HTTP over SSL
- data is sent encrypted
- uses symmetric and asymmetric encryption


✅ How does HTTPS work?
- server asks a CA to issue a digital certificate
- CA issues the digital certificate containing the server's public key
- client has the CA's public key
- client asks the server for its certificate and decrypts (verifies) it with the CA's public key
- now the client has the server's public key
- ⭐️ once verified, the client creates a symmetric key and encrypts it with the server's public key
- server decrypts the symmetric key with its private key
- now server and client can communicate with the symmetric key


✅ What is a symmetric key? Algorithms?
- same key for encryption and decryption
- private (secret) key
- DES, IDEA, AES, RC cipher suite


โญ๏ธ What is asymmetric key? Two ways to use asymmetric keys? Algorithm? - public key, private key
- encrypt with public key, decrypt with private key: when sharing symmetric key in HTTPS
- encrypt with private key, decrypt with public key: digital signature

- Diffie Hellman, RSA, ECC


✅ What is a digital signature? Benefits? Algorithms?
- non-repudiation: it is me who signed this file!
- data integrity

- DSA, RSA
🔗 Symmetric, asymmetric, digital signature


✅ What is TLS/SSL?
- provides network transport security
- operates at the session layer (layer 5)
- TLS: improved SSL
- handshake; uses a CA, certificates, symmetric and asymmetric encryption, digital signatures


✅ What is the TLS/SSL handshake?
- client hello
- server hello
- client verifies the certificate, creates a symmetric key
- client encrypts the symmetric key with the server's public key
- server decrypts the symmetric key with its private key
- create master secret and session key
- communication is encrypted with the session key
🔗 TLS/SSL


✅ Why not only use asymmetric/public key encryption?
- public key operations use a lot of computing power


✅ Why not only use symmetric/private key encryption?
- client and server need to share the private key
- to do this securely, the key exchange itself needs encryption, hence the public key


✅ Why use SSL/TLS with HTTP?
- HTTP: application layer
- SSL/TLS: session layer
- HTTP exchanges data in plain text
- SSL/TLS encrypts the data


✅ Where are digital signatures used?
- HTTPS authentication
- DKIM (DomainKeys Identified Mail):
  - adds a digital signature to the email header
  - lets the receiver verify the sender of the email
- code signing



📌 DNS

https://soheeparklee.github.io/posts/n-6httphttps/

✅ What is a domain name?
- an IP address in human-readable form


✅ What is DNS?
- Domain Name System: domain name ➡️ IP address
- distributed database with a hierarchy
- application layer
- UDP
- port 53


✅ What are the benefits of DNS being hierarchical and distributed?
- requests are handled more efficiently
- more scalable


✅ What is the benefit of one domain name corresponding to several IP addresses?
- the load can be distributed


✅ Why does DNS operate over UDP?
- prioritizes speed over reliability
- DNS has lots of users, so lots of requests
- DNS requests are small enough to fit in a UDP datagram


✅ What is the DNS hierarchy?
- Root DNS server
- Top Level Domain server (.com)
- Authoritative domain server (google, apple)


✅ What is a DNS recursor? Local DNS server?
- recursive resolver
- the server that responds to the client's DNS query
- asks other DNS servers for the IP address on the client's behalf
- local DNS server


✅ Types of DNS service?
- Recursive DNS resolver
- Authoritative DNS server


✅ Types of DNS queries? Disadvantage of a recursive query?
- Non-recursive query
- Recursive query: 👎🏻 DNS resolver burden ⬆️
- Iterative query


✅ What is a DNS record?
- information in the database that links a URL to an IP address
- A, AAAA, CNAME, TXT


✅ What is the DNS cache? Benefits?
- IP addresses of frequently visited sites saved on the device
- 👍🏻 speeds up DNS requests
- 👍🏻 reduces bandwidth


✅ How does DNS work?
- request a domain name
- check the local DNS cache
- contact the DNS resolver
- recursive server lookup
- query the root name server
- query the TLD name server
- query the authoritative name server
- get the IP address
- client accesses the website
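An added example, not from the original post: building the UDP query that the resolution steps above send (an A query, as sent to port 53) and parsing a constructed response carrying two A records, including the name compression pointers real resolvers use. The name example.test and the 192.0.2.x addresses are constructed sample values, and no packet is actually sent.

```python
import socket, struct

def encode_name(name: str) -> bytes:
    """example.test -> b'\\x07example\\x04test\\x00' (length-prefixed labels)."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"

def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Header (id, flags RD=1, QDCOUNT=1) + question for an A record, class IN; fits one UDP datagram."""
    return struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0) + encode_name(name) + struct.pack(">HH", 1, 1)

def read_name(msg: bytes, off: int):
    """Decode a name at off, following 0xC0 compression pointers; return (name, next_off)."""
    labels, end, jumped = [], off, False
    while True:
        length = msg[off]
        if (length & 0xC0) == 0xC0:                    # pointer to an earlier copy of the name
            end = end if jumped else off + 2
            off = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if length == 0:
            return ".".join(labels), (end if jumped else off)
        labels.append(msg[off:off + length].decode())
        off += length

def parse_a_records(msg: bytes, txid: int) -> list:
    """Return the IPv4 addresses from the answer section of a reply to build_query."""
    rid, flags, qd, an, _, _ = struct.unpack(">HHHHHH", msg[:12])
    if rid != txid:                      # the reply must echo our id (cheap anti-spoofing check)
        raise ValueError("transaction id mismatch")
    if flags & 0x000F:                   # RCODE != 0, e.g. 3 = NXDOMAIN
        raise ValueError("rcode %d" % (flags & 0xF))
    off, addrs = 12, []
    for _ in range(qd):                  # skip the echoed question(s)
        off = read_name(msg, off)[1] + 4
    for _ in range(an):
        _, off = read_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1:   # A record, class IN
            addrs.append(socket.inet_ntoa(msg[off:off + rdlen]))
        off += rdlen
    return addrs

def sample_response(txid: int = 0x1234) -> bytes:
    """Constructed reply to build_query('example.test'): QR=RD=RA=1, two A answers via 0xC00C pointers."""
    question = encode_name("example.test") + struct.pack(">HH", 1, 1)
    rr = lambda ip: b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 300, 4) + socket.inet_aton(ip)
    return struct.pack(">HHHHHH", txid, 0x8180, 1, 2, 0, 0) + question + rr("192.0.2.10") + rr("192.0.2.11")
```

Two answers for one name is the load-distribution case from the earlier question; a real client would pick one of the returned addresses.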



📌 URI/URN/URL

✅ What is the difference between URI, URL, URN?
- URI ⊃ URL, URN
- URL = protocol + URI


✅ What are the disadvantages of a URL, and how can we overcome them?
- when the location of the resource changes, the URL changes
- a URN remains fixed



📌 What happens when I type a URL in the web browser?

✅ What happens when I type a URL in the web browser?
- type the URL, press enter
- browser parses and encodes the URL
- check the HSTS list to see whether HTTPS is required
- check the local cache for the IP address
- if it is not in the cache, get the IP address of the domain name from DNS
- get the MAC address for the IP address with ARP
- browser initiates a TCP connection
- if HTTPS is needed, perform the SSL/TLS handshake
- send the HTTP request to the server
- server sends the response
- browser renders and shows the response to the user: DOM tree


📌 VPN / SSL/TLS encryption

✅ VPN and SSL/TLS both provide encryption. How are they different?
- VPN: encryption between a computer and a private network (remote access to the company network from home)
  - uses various types of tunneling protocols
- SSL/TLS: encryption between applications
  - uses symmetric and asymmetric encryption in the SSL handshake



📌 Session

✅ What is a session in the OSI 7-layer model, and what is the session that remembers the user?
- although the name "session" is the same, they serve different functions
- session in the OSI 7-layer model: controls the connection between two computers
- web application session: since HTTP is stateless, a session is used to remember the user



📌 TLS

✅ On which OSI layer does TLS function, and why?
- although TLS has "transport layer" in its name,
- TLS is used at the OSI session layer (layer 5)
- because its job is to encrypt the session between client and server
- OSI transport layer (layer 4): reliable transport of data between client and server (TCP, UDP)


✅ 23/Aug Feedback, Sohee 9:44 ~ 9:59
- Follow-up questions
  * symmetric key / asymmetric key -> it would be good to tidy up the answer a little!
  * weaknesses as a developer
- Good points
  * tone and manner: 100 points
  * I would like to learn from how you speak calmly without getting nervous.
  * You seem to answer from internalized knowledge rather than just prepared answers, which comes across as very smart.
  * The structure of your answer on why you want to become a developer was good.
  * (I got the feeling you are someone who can think, so I wanted to hire you)
- Points that could be improved a little
  * It would be good to speak just a little more slowly!
  * Explaining the related concepts in detail was really good, like listening to a lecture, but considering that it is an interview, it would be fine to shorten the answers a bit!


This post is licensed under CC BY 4.0 by the author.