About HTTPS

Outline

Moving from HTTP to HTTPS, security is the primary consideration. This post gives a rough description of how the HTTPS process works; please bear with any inaccuracies in the wording.

Digest Algorithm

A digest algorithm takes text of arbitrary length and, by a fixed procedure, condenses it into an output of fixed length. Common ones are the MD5 message-digest algorithm and the SHA family of secure hash algorithms.
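The two properties the paragraph relies on, one fixed output length regardless of input size and a completely different digest for a tiny change in the input, can be checked directly with Python's standard hashlib. This is an added example, not code from the original post; the sample inputs are constructed. MD5 and SHA-1 both have practical collision attacks, so for signatures SHA-256 or stronger is the current choice even though MD5 still "works" as a digest.

```python
import hashlib

# Constructed sample inputs of very different lengths: empty, short, and ~43 KB.
SAMPLES = [b"", b"abc", b"The quick brown fox jumps over the lazy dog" * 1000]


def digest_hex(data: bytes, algorithm: str) -> str:
    """Hash `data` with a hashlib algorithm name ("md5", "sha1", "sha256", ...) and return hex."""
    h = hashlib.new(algorithm)
    h.update(data)
    return h.hexdigest()


def output_lengths(algorithm: str) -> set:
    """Set of hex-digest lengths seen over SAMPLES.

    A digest algorithm always yields the same length, so the set has one element
    (32 hex chars = 128 bits for MD5, 64 hex chars = 256 bits for SHA-256).
    """
    return {len(digest_hex(s, algorithm)) for s in SAMPLES}


def bit_difference(a: bytes, b: bytes, algorithm: str = "sha256") -> int:
    """Number of differing bits between digest(a) and digest(b).

    For inputs differing in one character this lands near half the digest
    size: the avalanche effect that makes digests useful for signatures.
    """
    da = int(digest_hex(a, algorithm), 16)
    db = int(digest_hex(b, algorithm), 16)
    return bin(da ^ db).count("1")


if __name__ == "__main__":
    for alg in ("md5", "sha1", "sha256"):
        print(alg, output_lengths(alg), digest_hex(b"abc", alg))
    print("bits changed by altering one character:", bit_difference(b"abc", b"abd"))
```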

Encryption Algorithm

There are two kinds: symmetric encryption and asymmetric encryption.
Symmetric encryption uses the same key for encryption and decryption. Common symmetric algorithms are AES, ChaCha20, 3DES, Salsa20, DES, Blowfish, IDEA, RC5 and RC6; symmetric encryption is much faster than public-key encryption.
Asymmetric encryption uses two keys, a public key and a private key. Ciphertext produced with the public key can only be decrypted, back to the original plaintext, with the corresponding private key; conversely, ciphertext produced with the private key can only be decrypted, back to the original, with the corresponding public key.
The public key can be made public and published to anyone. The private key is not public: it must be kept strictly secret by its owner and never handed to anyone by any means.

Digital Signature

We can sign the message directly: the verifier decrypts the signature with the public key, and if the result matches the original message the signature is verified. Usually, though, we sign a hash of the message, because the hash value is typically much shorter than the message itself, which greatly improves efficiency.
A signature guarantees the integrity of the message and confirms the identity of the sender, and the sender cannot later deny the fact of having sent the message.

CA Certificate

Suppose I want to apply for a certificate. First I generate a public/private key pair of my own, then I send the public key together with some information about myself to a certificate authority (CA). The CA staff review my application; if they consider me trustworthy, the CA assembles my basic information and my public key into a certificate, signs it with the CA's private key, and the result is the final certificate.
A certificate generally contains the following fields: version, serial number, subject, issuer, validity period (start time and end time), key usage, the public key, the public key fingerprint, the digital signature, and subject alternative names.
Someone who wants to visit my website uses the CA's public key to verify the digital signature on the certificate. If verification succeeds, it proves that the public key really belongs to me, so the visitor can encrypt plaintext with the public key in my certificate and send the ciphertext to the site, and I can decrypt that ciphertext with my private key to recover the plaintext.
A number of root CA certificates and other certificate-authority certificates are preset on the local machine; these are used to verify the certificates one level below them.
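The three sections above (asymmetric encryption, signing a hash with the private key, and a CA vouching for a site's public key) fit into one small model. The code below is an added example written for this post, not the author's code and not a real PKI library: it implements textbook RSA with no padding, uses known Mersenne primes as toy key material (real keys use randomly generated primes of 1024 bits or more), truncates the hash so it fits the toy moduli, and encodes certificate fields as JSON instead of X.509. The names "Example Root CA" and "Example Intermediate CA" and the validity times are constructed.

```python
import hashlib
import json
import math

E = 65537  # the usual RSA public exponent


def mersenne(k: int) -> int:
    """2**k - 1; the exponents used below are known Mersenne prime exponents (toy keys)."""
    return (1 << k) - 1


def make_keypair(p: int, q: int):
    """Textbook RSA from two primes: public key (n, e), private key (n, d)."""
    n, phi = p * q, (p - 1) * (q - 1)
    assert p != q and math.gcd(E, phi) == 1
    return (n, E), (n, pow(E, -1, phi))


def digest_int(data: bytes) -> int:
    """Hash of the message as an integer: SHA-256 truncated to 64 bits so it is below every toy modulus."""
    return int.from_bytes(hashlib.sha256(data).digest()[:8], "big")


def rsa_encrypt(pub, m: int) -> int:      # anyone holding the public key can do this
    n, e = pub
    assert 0 <= m < n
    return pow(m, e, n)


def rsa_decrypt(priv, c: int) -> int:     # only the private-key holder can do this
    n, d = priv
    return pow(c, d, n)


def sign(priv, data: bytes) -> int:       # "encrypt" the hash with the private key
    n, d = priv
    return pow(digest_int(data), d, n)


def verify(pub, data: bytes, sig: int) -> bool:   # "decrypt" with the public key, compare hashes
    n, e = pub
    return pow(sig, e, n) == digest_int(data)


def to_be_signed(body: dict) -> bytes:
    """Canonical encoding of the certificate fields that the signature covers."""
    return json.dumps(body, sort_keys=True).encode()


def issue_certificate(issuer: str, issuer_priv, subject: str, subject_pub,
                      serial: int, not_before: int, not_after: int) -> dict:
    """The CA binds the subject's name to the subject's public key with its own signature."""
    body = {"serial": serial, "subject": subject, "issuer": issuer,
            "not_before": not_before, "not_after": not_after,
            "public_key": list(subject_pub)}
    return {"tbs": body, "signature": sign(issuer_priv, to_be_signed(body))}


def verify_chain(chain: list, trusted_roots: dict, now: int) -> bool:
    """chain[0] is the site certificate and each later entry signed the one before it;
    the last entry must be signed by a root whose public key is preset in trusted_roots."""
    for i, cert in enumerate(chain):
        body = cert["tbs"]
        if not (body["not_before"] <= now <= body["not_after"]):
            return False                                   # outside the validity period
        if i + 1 < len(chain):
            parent = chain[i + 1]["tbs"]
            if parent["subject"] != body["issuer"]:
                return False                               # names must link up
            signer_pub = tuple(parent["public_key"])
        else:
            signer_pub = trusted_roots.get(body["issuer"])  # the preset root CA key
            if signer_pub is None:
                return False                               # unknown root: not trusted
        if not verify(signer_pub, to_be_signed(body), cert["signature"]):
            return False                                   # signature does not match
    return True


def demo() -> dict:
    """Root -> intermediate -> site, then the checks a visitor's browser would make."""
    root_pub, root_priv = make_keypair(mersenne(127), mersenne(107))
    inter_pub, inter_priv = make_keypair(mersenne(89), mersenne(61))
    site_pub, site_priv = make_keypair(mersenne(31), mersenne(19))   # small: only encrypts, never signs
    inter_cert = issue_certificate("Example Root CA", root_priv, "Example Intermediate CA",
                                   inter_pub, 1, 0, 10**9)
    site_cert = issue_certificate("Example Intermediate CA", inter_priv, "httpbin.org",
                                  site_pub, 2, 0, 10**9)
    trusted = {"Example Root CA": root_pub}                # what the browser ships with
    chain = [site_cert, inter_cert]
    # A forged certificate: the site's fields with a swapped-in key but the old signature.
    forged = {"tbs": dict(site_cert["tbs"], public_key=list(inter_pub)),
              "signature": site_cert["signature"]}
    secret = 0xC0FFEE                                      # constructed value the visitor encrypts
    return {
        "chain_ok": verify_chain(chain, trusted, now=500),
        "forged_ok": verify_chain([forged, inter_cert], trusted, now=500),
        "expired_ok": verify_chain(chain, trusted, now=10**9 + 1),
        "roundtrip": rsa_decrypt(site_priv, rsa_encrypt(site_pub, secret)) == secret,
        "wrong_key": rsa_decrypt(inter_priv, rsa_encrypt(site_pub, secret)) == secret,
    }


if __name__ == "__main__":
    print(demo())
```

`verify_chain` is the part worth studying: it refuses a certificate whose issuer name does not match the next certificate's subject, whose validity window does not contain the current time, whose top-level issuer is not a preset root, or whose signature does not verify under the signer's public key; a real browser additionally checks the hostname against the subject alternative names, key usage, and revocation.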

HTTPS Process

Take a visit to https://httpbin.org/robots.txt as an example; the browser gets the following result:

User-agent: *
Disallow: /deny

By capturing packets we can analyze the general process; for how to decrypt HTTPS in Wireshark, see the Wireshark article in the reference links below.
First comes the TCP three-way handshake. Then the client sends a Client Hello to the server, carrying the encryption algorithms the client supports and a random number;
after the server receives the request, it sends back its own random number;
then the server sends the site's certificate. In fact several certificates are sent, nested in a chain, with the site's certificate at the lowest level. The root certificate verifies the certificate below it, and so on down to the site's certificate: each certificate's digital signature is verified with the public key of the level above. Once this succeeds, it proves that the certificate was issued to the site by that CA and is intact;
the certificate carries the public key. The client takes this public key, generates a third random number, encrypts it with the public key and sends it to the server, which can only decrypt it with its private key. At this point three random numbers have been produced: the first two were sent in plaintext and the last was sent encrypted, and both client and server now know all three. Using the agreed encryption algorithm, they derive from these a symmetric key for the rest of the communication. The reason for switching back to symmetric encryption is that asymmetric encryption consumes too many resources.
That is the overall communication process; in the middle there are many complex algorithms, which can be studied from the packet capture.
[Figure: the overall communication process]
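The last step above, turning the three random numbers into one symmetric key that both ends hold and an eavesdropper does not, is shown here as an added example written for this post, not the author's code and not a TLS implementation. It starts from the point where the third random number has already been carried to the server under its public key, mixes the three values with HMAC-SHA256 (a constructed stand-in for the TLS key derivation), and uses a toy SHA-256 counter-mode keystream as the symmetric cipher so the example runs with the standard library alone. The HTTP request text is a constructed sample.

```python
import hashlib
import hmac
import os


def derive_session_key(client_random: bytes, server_random: bytes, premaster: bytes) -> bytes:
    """Mix the three random numbers into one symmetric key.
    Constructed derivation (HMAC-SHA256 keyed by the secret value); TLS uses its own PRF/HKDF."""
    return hmac.new(premaster, b"session key" + client_random + server_random,
                    hashlib.sha256).digest()


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy counter-mode keystream: SHA-256(key || nonce || counter), block by block."""
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest())
        counter += 1
    return b"".join(blocks)[:length]


def symmetric_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR with the keystream: the same call encrypts and decrypts, which is what
    'same key for both directions' means. A nonce must never repeat under one key."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))


def simulate(rng=os.urandom) -> dict:
    """Run the key agreement from the three randoms and encrypt one request with the result."""
    client_random = rng(32)   # sent in the Client Hello, in plaintext
    server_random = rng(32)   # sent in the Server Hello, in plaintext
    premaster = rng(48)       # generated by the client, sent only under the server's public key
    client_key = derive_session_key(client_random, server_random, premaster)
    server_key = derive_session_key(client_random, server_random, premaster)
    # An eavesdropper captured the two plaintext randoms but not the premaster.
    eavesdropper_key = derive_session_key(client_random, server_random, b"\x00" * 48)
    request = b"GET /robots.txt HTTP/1.1\r\nHost: httpbin.org\r\n\r\n"   # constructed sample
    nonce = rng(12)
    ciphertext = symmetric_crypt(client_key, nonce, request)
    return {
        "keys_match": client_key == server_key,
        "eavesdropper_guess_matches": eavesdropper_key == client_key,
        "ciphertext_differs": ciphertext != request,
        "server_reads": symmetric_crypt(server_key, nonce, ciphertext),
        "eavesdropper_reads": symmetric_crypt(eavesdropper_key, nonce, ciphertext),
        "request": request,
    }


if __name__ == "__main__":
    result = simulate()
    print("both sides derived the same key:", result["keys_match"])
    print("server decrypts to:", result["server_reads"])
    print("eavesdropper decrypts to:", result["eavesdropper_reads"][:16], "...")
```

The security of the whole scheme rests on the third value staying secret, which is exactly why it travels under the server's public key while the first two can be sent in the clear. Real TLS 1.2 derives several keys (one per direction, plus MAC keys) from the same three values with its PRF, and TLS 1.3 replaced RSA key transport with an ephemeral Diffie-Hellman exchange, so there the third value is a DH shared secret rather than an RSA-encrypted random number.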

Summary

The security of HTTPS rests on the backing of trusted certificate authorities, not on any algorithm being absolutely secure; if any link in this chain of mechanisms has a problem, the communication is no longer secure.

Reference Links

Wikipedia
The HTTPS process that will impress your interviewer (very detailed)
How to capture TLS packets with Wireshark
What is a digital signature?

Origin www.cnblogs.com/python-dd/p/12643167.html