One-way HTTPS and two-way HTTPS

Because the HTTP protocol transmits data in the clear, data in transit is easy to steal or tamper with, which can leak important information or allow it to be maliciously modified. In such cases you have to use the HTTPS protocol.

HTTPS (Hypertext Transfer Protocol Secure) is not a new protocol; it is HTTP + SSL.

It amounts to an SSL layer nested between HTTP and the transport layer.

SSL provides:
1. Authentication of the client and server, ensuring data is sent to the right place (certificate authentication)
2. Encryption of data, to prevent it being stolen in transit (key encryption)
3. Integrity of data, to prevent it being tampered with in transit (data signing)

※ Regarding the key encryption mentioned above: the client must first obtain the server's public key and confirm that it really is the server's public key (certificate authentication). It then uses that public key to encrypt a symmetric key to be used from then on and sends it to the server; the server decrypts it with its own private key to obtain the symmetric key, and all subsequent data transmission between the two sides is encrypted with that symmetric key.
I. One-way HTTPS:
So-called one-way HTTPS means that during authentication only the client authenticates the server; the server does not need to authenticate the client.
The process is as follows:
1. The client initiates an HTTPS connection, sending its SSL version number and the hash algorithms it supports.
2. After receiving the HTTPS request, the server (which has already generated a key pair and sent its public key to the CA to obtain a certificate) negotiates the version and hash algorithm based on the client's SSL version number and hash algorithms together with its own, and finally sends the negotiated version, the hash algorithm and the certificate to the client.
3. The client receives the certificate and verifies its legitimacy (it decrypts the certificate with the CA's public key, hashes the server's public key once and compares the result with the digital signature; if they match, the public key has not been tampered with);
If the certificate is trusted, or the client chooses to accept an untrusted certificate:
1> the browser generates a random number (the symmetric key) and encrypts it with the server's public key;
2> it then generates a handshake message, hashes it with the previously negotiated hash algorithm, and encrypts the handshake message with the random number;
3> it sends these to the server (the transmission contains: the random number encrypted with the public key, the handshake message encrypted with the random number, and the hash of the handshake message).

· Because the certificate contains the certificate information (issuing authority, server domain name, validity period, etc.), a digital signature and the server's public key, the CA uses its own private key to encrypt (sign) the certificate when returning it to the server (when the server later sends it to the client, the client's browser has the CA's public key built in, so it can decrypt it directly);
· The digital signature is the message digest obtained by hashing the server's public key (with the previously negotiated algorithm);

4. After the server receives the message:
1> it decrypts the random number with its private key;
2> with the random number (symmetric key) obtained, it decrypts the handshake message;
3> it then hashes the handshake message and compares the result with the hash it received;
the server then generates its own handshake message, hashes it, encrypts it with the random number (symmetric key) and sends it to the client (the transmission contains: the handshake message encrypted with the random number, and the computed hash) -> From this point on public/private key encryption is no longer needed, because only the two parties know the random number (symmetric key).
5. After the client receives the message, it decrypts it with the random number, hashes the handshake message and compares the result with the hash sent over;
if the comparison succeeds, real data transmission begins, and from then on the actual data is encrypted with this random number (symmetric key).
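The exchange of steps 3 and 4 above, carried through in code as an added example (this is not code from the original post): the client seals a fresh 32-byte symmetric key under the server's RSA public key with RSA-OAEP, hashes its handshake message with SHA-256 and encrypts the message plus its hash under that key with AES-GCM; the server recovers the key with its private key, decrypts, recomputes the hash and compares. The type names, the choice of RSA-OAEP / AES-GCM / SHA-256 and the handshake text are assumptions made here, since the post names no concrete algorithms. One caveat for a practitioner: this RSA key transport is how TLS 1.2 and earlier could establish the session key; TLS 1.3 instead derives it from an ephemeral Diffie-Hellman exchange and uses the server's private key only to sign, so a later compromise of that key does not expose recorded sessions.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// Server owns the key pair whose public half a real server would publish in its certificate.
type Server struct{ key *rsa.PrivateKey }

func NewServer() *Server {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return &Server{key: k}
}

// Public is the key the client takes from the certificate once it has verified it.
func (s *Server) Public() *rsa.PublicKey { return &s.key.PublicKey }

// ClientFlight carries what step 3 sends: the random symmetric key encrypted with the
// server's public key, and the handshake message plus its hash encrypted with that key.
type ClientFlight struct {
	SealedKey []byte // RSA-OAEP ciphertext of the 32-byte symmetric key
	Nonce     []byte // AES-GCM nonce for the message below
	SealedMsg []byte // AES-GCM ciphertext of handshake || SHA-256(handshake)
}

func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// ClientHello performs step 3 and also returns the symmetric key the client keeps using.
func ClientHello(pub *rsa.PublicKey, handshake []byte) (ClientFlight, []byte, error) {
	sym := make([]byte, 32) // the "random number" that becomes the session key
	nonce := make([]byte, 12)
	if _, err := rand.Read(sym); err != nil {
		return ClientFlight{}, nil, err
	}
	if _, err := rand.Read(nonce); err != nil {
		return ClientFlight{}, nil, err
	}
	sealedKey, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, sym, nil)
	if err != nil {
		return ClientFlight{}, nil, err
	}
	aead, err := gcm(sym)
	if err != nil {
		return ClientFlight{}, nil, err
	}
	digest := sha256.Sum256(handshake)
	plain := append(append([]byte{}, handshake...), digest[:]...)
	return ClientFlight{sealedKey, nonce, aead.Seal(nil, nonce, plain, nil)}, sym, nil
}

// Accept performs step 4: only the holder of the private key recovers the symmetric key;
// the message is decrypted, its hash recomputed and compared. Any mismatch aborts.
func (s *Server) Accept(f ClientFlight) (sym, handshake []byte, err error) {
	sym, err = rsa.DecryptOAEP(sha256.New(), nil, s.key, f.SealedKey, nil)
	if err != nil {
		return nil, nil, err
	}
	aead, err := gcm(sym)
	if err != nil {
		return nil, nil, err
	}
	plain, err := aead.Open(nil, f.Nonce, f.SealedMsg, nil) // GCM's tag already detects tampering
	if err != nil {
		return nil, nil, err
	}
	if len(plain) < sha256.Size {
		return nil, nil, errors.New("handshake message too short")
	}
	cut := len(plain) - sha256.Size
	handshake, got := plain[:cut], plain[cut:]
	want := sha256.Sum256(handshake)
	if !bytes.Equal(got, want[:]) { // the explicit hash comparison the post describes
		return nil, nil, errors.New("handshake hash mismatch")
	}
	return sym, handshake, nil
}
```

Calling ClientHello with the server's public key and then Accept on the returned flight yields the same 32-byte key on both sides; flipping any byte of SealedMsg, or handing the flight to a server with a different private key, makes Accept return an error, which is exactly the point of the post's "only the two parties know the random number".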

II. Two-way HTTPS
Two-way HTTPS, as the name suggests, means that after the client verifies the server, the server also needs to authenticate the client.
The only difference is that in two-way HTTPS, after the client has verified the server certificate, it sends its own certificate and public key to the server, which verifies them on receipt. Then, when sending the random number, the client encrypts it with the server's public key; and when negotiating the encryption algorithm, the client sends the encryption methods it supports, the server picks a strong one, encrypts it with the client's public key and sends it to the client.
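The certificate check of step 3 and the one-way/two-way distinction of this section, run against Go's standard TLS stack as an added example (not the post's code): a constructed in-memory CA issues a server certificate and a client certificate; Connect then performs a real handshake over the loopback interface with the server either in one-way mode (no client certificate requested) or in two-way mode (ClientAuth set to RequireAndVerifyClientCert, which is the "server also authenticates the client" of this section). The CA, the names server.example and client.example, the serial numbers and the greeting are made-up test data.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// PKI is a constructed in-memory hierarchy standing in for a real CA.
type PKI struct {
	Roots          *x509.CertPool  // trust store holding the CA certificate, like a browser's built-in CA list
	Server, Client tls.Certificate // leaves issued by that CA, each with its private key
}

func template(name string, serial int64, isCA bool) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: name},
		DNSNames:              []string{name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA, // only the CA's key may sign other certificates
		BasicConstraintsValid: true,
	}
}

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// issue signs tmpl with parentKey: the CA's digital signature over the certificate contents.
// A nil parent produces the self-signed root.
func issue(tmpl, parent *x509.Certificate, parentKey ed25519.PrivateKey) (tls.Certificate, ed25519.PrivateKey) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	must(err)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	must(err)
	leaf, err := x509.ParseCertificate(der)
	must(err)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, key
}

// NewPKI builds the CA and issues one server and one client certificate from it (names made up).
func NewPKI() *PKI {
	ca, caKey := issue(template("test-ca.example", 1, true), nil, nil)
	srv, _ := issue(template("server.example", 2, false), ca.Leaf, caKey)
	cli, _ := issue(template("client.example", 3, false), ca.Leaf, caKey)
	roots := x509.NewCertPool()
	roots.AddCert(ca.Leaf)
	return &PKI{Roots: roots, Server: srv, Client: cli}
}

// Connect runs one TLS handshake over loopback and reports the client identity the server saw
// ("" in one-way TLS) and whether the client verified the server and received its first message.
// mutual switches the server to two-way TLS; clientHasCert says whether the client can present one.
func Connect(p *PKI, mutual, clientHasCert bool) (clientCN string, clientOK bool) {
	srvCfg := &tls.Config{Certificates: []tls.Certificate{p.Server}}
	if mutual { // two-way: the server also demands and verifies a certificate from the client
		srvCfg.ClientAuth, srvCfg.ClientCAs = tls.RequireAndVerifyClientCert, p.Roots
	}
	cliCfg := &tls.Config{RootCAs: p.Roots, ServerName: "server.example"} // step 3 trust store
	if clientHasCert {
		cliCfg.Certificates = []tls.Certificate{p.Client}
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", srvCfg)
	must(err)
	defer ln.Close()
	cnCh := make(chan string, 1)
	go func() { // server side
		cn := ""
		defer func() { cnCh <- cn }()
		c, err := ln.Accept()
		must(err)
		defer c.Close()
		tc := c.(*tls.Conn)
		if tc.Handshake() != nil {
			return // e.g. two-way TLS and the client could not prove its identity: nothing is sent
		}
		if peers := tc.ConnectionState().PeerCertificates; len(peers) > 0 {
			cn = peers[0].Subject.CommonName
		}
		tc.Write([]byte("hello"))
	}()
	if conn, err := tls.Dial("tcp", ln.Addr().String(), cliCfg); err == nil { // Dial verifies the server cert
		buf := make([]byte, 5)
		n, err := conn.Read(buf) // in TLS 1.3 a rejected client certificate surfaces on this first read
		clientOK = err == nil && string(buf[:n]) == "hello"
		conn.Close()
	}
	return <-cnCh, clientOK
}
```

With p := NewPKI(), Connect(p, false, false) returns ("", true): one-way TLS, the server learns nothing about the client. Connect(p, true, true) returns ("client.example", true): two-way TLS with a client certificate chained to the same CA. Connect(p, true, false) returns ("", false): the server refuses the handshake and the client never receives data. The step 3 check on its own is p.Server.Leaf.Verify with VerifyOptions{Roots: p.Roots, DNSName: "server.example"}; the same call against an empty pool, or with a different name, fails.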

That is one-way HTTPS and two-way HTTPS.


Origin blog.csdn.net/qq_44487069/article/details/105071711