This article mainly describes the working process of the HTTPS protocol and how to solve the problem of being replaced during the public key exchange process
HTTPS protocol interaction process
1. The client initiates SSL communication, the message contains the SSL version supported by the client, encryption components, etc.
2. When the server supports SSL communication, the message contains the SSL version and encryption component, which is selected from the list given by the client
3. The server sends the public key
4, 5, 6. After the client verifies that the public key is legal, it will randomly generate a key, which will be used as the encryption key for subsequent communication, and use the public key of the server to send it to the server. (The reason for randomly generating a key is because it is too complicated to encrypt the message with the public key and consume too much resources)
Step 3: How to prevent the public key from being transferred
Digital certificate
What if the server sends a public key to the client and is replaced by a middleman? Here is a picture, which can be more
easily understood
The problem of the public key being tuned is because our client cannot tell whether the returned public key is the server or a middleman. The difficulty of the problem is that if we choose to directly pass the public key to the client, we cannot always solve the problem of the public key being transferred by the middleman.
Therefore, we cannot directly pass the server's public key to the client, but a third-party organization uses its private key to encrypt our public key and then pass it to the client. The client then uses the public key of the third-party organization to decrypt. This is the data certificate. After the
client gets the certificate returned by the server, it can use the public key of the third-party organization to decrypt and determine whether the certificate is legal.
digital signature
However, this third-party organization can issue certificates to many people, so how to ensure that this certificate has not been replaced by an intermediary. As long as it is the same third-party organization, the public key of the organization can decrypt all digital certificates issued by the organization.
Digital signature
to solve the problem of tampering of different certificates issued by the same organization. To solve this problem, we must first think about a problem and identify the responsibility of different certificates under the same organization. Where should we put it?
Can only be put on the client. After the client gets the certificate, he has the ability to tell whether the certificate has been tampered with. How can we have this ability?
We find inspiration in reality. For example, if you are HR, you get the candidate's academic certificate, the certificate holder, the issuing authority, the time of issuance, etc., and at the same time, the certificate also contains one of the most important: certificate number! How do we identify the authenticity of this certificate? As long as you carry this certificate number on the relevant institution to check, if the certificate holder is consistent with the actual candidate, and the certificate number can also be matched, it means that the certificate is true.
But where is this "third-party organization"? Is it a remote service? impossible? If it is a remote service, the entire interaction will be slow. Therefore, the verification function of this third-party organization can only be placed locally on the client.
How does the client verify the certificate locally? The answer is that the certificate itself already tells the client how to verify the authenticity of the certificate.
That is, how to generate a certificate number according to the content of the certificate is written on the certificate. After obtaining the certificate, the client generates a certificate number by itself according to the method on the certificate. If the generated certificate number is the same as the certificate number on the certificate, it means that the certificate is authentic. At the same time, in order to avoid the certificate number itself being transferred, so the private key of the third party is used for encryption.
