Before understanding HTTPS, you also need to know:
Principles of encryption, certificates, and signatures: https://zhuanlan.zhihu.com/p/50046393
Insufficiency of Http protocol
- If the identity is not verified, the identity may be disguised.
HTTP does not authenticate both parties to the request. The server does not verify the identity of the client. Anyone can send a request to the server. Anyone will respond to the request; the client will not verify whether the response data is correct. Sent by the target server requested by itself.
2. Clear text communication, data may be stolen
In the HTTP request process, the communication content is not encrypted. Once the requested or response data is stolen in the network, it will cause data leakage and cause data security problems.
3. The integrity of the message cannot be verified, and the content may be tampered with.
HTTP does not verify the consistency of the data. Once the data is tampered by the middleman during data transmission, the double transmission of communication cannot determine whether the data received by itself is consistent with the data sent by the other party.
SSL/TSL protocol solution
SSL usually refers to SLL and TSL. TSL is packaged on SSL. In essence, they are the same. Usually HTTPS is HTTP+SSL or HTTP+TSL; SSL mainly solves the three problems of HTTP one by one. Program.
Communication encryption (to solve the problem of data being stolen)
Because HTTP does not encrypt the communication content, it derives the SSL encryption technology protocol. SLL uses hybrid encryption (using both asymmetric encryption and symmetric encryption) to establish secure HTTP communication. Even if the encrypted content is eavesdropped, The eavesdropper cannot decrypt the corresponding data.
Symmetric encryption, asymmetric encryption, hybrid encryption mechanism
- Symmetric encryption
Symmetric encryption means that the encryption and decryption keys are the same. The key used to encrypt data can also be used.) It is characterized by fast encryption speed and simple use, because encryption and decryption only requires the same key. The difficulty of cracking increases as the size of the key increases. The larger the key, the harder it is to crack, but the larger the key, the longer the decryption time will be;
Problems with symmetric encryption
(1) Both parties must agree on encryption rules in advance.
(2) The number of keys is difficult to manage. Because each partner needs to use a different key, it is difficult to adapt to the large number of partner exchanges in the open Internet.
(3) It can't be applied to the environment of unfamiliar network, both parties must be trustworthy to proceed.
The premise of using symmetric encryption is that both parties must know the encryption rules before sending information. However, in the Internet environment, we may send information to different people every day. Many people have never known each other before. In this case, we simply don’t. Encryption rules may be agreed in advance, then we can only send the encryption rules (keys) to the other party through the information, and then we will encrypt the chat messages according to the encryption rules. Obviously this is definitely not advisable, without encryption. There is no security in data transmission on the network, so asymmetric encryption appears;
- Asymmetric encryption
Unlike symmetric encryption, the keys for asymmetric encryption are paired (public key and private key). The private key is kept safe by itself and not leaked, while the public key can be sent to anyone in the network. Asymmetric encryption uses one of this pair of keys for encryption, while decryption requires another key. The private key cannot be derived from the public key;
Compared with symmetric encryption, asymmetric encryption has the following advantages:
(1) It is safer than symmetric encryption: encryption and decryption are different keys. The private key of asymmetric encryption is kept by yourself and will not be leaked. No one knows the private key except yourself, while symmetric encryption has only one key and Both parties in communication must know the key. Once the more people know the key, the greater the security risk.
(2) More convenient and extensible: the public key can be published in the network, anyone can hold the public key to communicate with you, and the symmetric encryption key is impossible to publish in the network, only through private agreement rule.
The problem of asymmetric encryption
Although asymmetric encryption is very secure, but and symmetric encryption compared to its decryption speed is very slow; it will usually communicate with the hybrid encryption way hybrid encryption is asymmetric encryption way exchange between the two sides of said encryption keys , After exchanging the symmetric encryption key , the two parties communicate using symmetric encryption .
Digital certificate (to solve the problem of identity disguise)
HTTP does not verify the identity of the two parties in communication, so the identity may be disguised and cause security problems. Therefore, in order to solve this problem, a digital certificate is generated. The use process of the digital certificate is roughly as follows:
1. The server first applies for an identity certificate from a third-party organization that everyone trusts.
2. Before the client establishes communication with the server, it first requests the server's certificate from the server.
3. The server sends the digital certificate to the client after receiving the request.
4. After the client obtains the server's certificate, it then verifies with a trusted third-party certificate. After the verification is passed, normal content communication is performed.
Digital signature (to solve the problem of data tampering)
Http does not verify the integrity of the data, which will cause the data to be maliciously tampered with by others during the communication process
, The two parties of the communication have no way to know, so there is a digital signature technology.
Digital signatures have two main functions. One is to verify whether the data is sent by the expected object, and the other is to verify the integrity of the data to verify whether the data has been tampered with:
1. Summarize the data that needs to be sent
The main purpose of digesting data is to confirm the integrity of the data. The sender first hashes the data according to the agreed hash algorithm to obtain a hash value, because any difference between the two data will result in a different hash Value, so the hash value obtained by hashing the data content is sent to the other party as a digest of the data;
Then, after the other party receives the data, he firstly hashes the received data content according to the agreed hash algorithm to obtain a hash value, and then compares his hash value with the sent digest information, according to the Ha It is hoped that the value is consistent to confirm the integrity of the data.
2. Sign the summary information
The purpose of signing the digest is mainly to confirm the identity of the sender of the data. The signature technology uses the principle of asymmetric encryption.
Asymmetric encryption uses a key pair (a public key, a private key). Public key encryption can only be decrypted by the private key, and private key encryption can only be decrypted by the public key; the public key is the published key, the private key It is kept safe by ourselves and will not be leaked, so we can actually confirm the identity of the sender through the private key when the private key is not leaked.
Then we want to authenticate the data sent by A, then we only need to decrypt the data with A's public key (if it can be decrypted, then it means that the data was encrypted by A with his own private key , And A's private key is only owned by A himself)
HTTPS communication process
HTTPS communication mainly includes several nodes, initiating request, verifying identity, negotiating secret key, and encrypting session. The specific process is as follows (in this example, there is only one-way authentication of the client to the server):
1. The client initiates an HTTPS request to the server.
2. The server sends a digital certificate to the client.
3. The client verifies the digital certificate. After the certificate is verified, the client generates a session key (for two-way verification, the client will also send the certificate to the server).
4. The server generates a session key (two-way verification where the server will also verify the client's certificate).
5. The client and the server start an encrypted session.
The overall situation is as follows:
HTTPS communication process
Step 1: The client initiates a request to the server
(1) The client generates a random number R1 and sends it to the server;
(2) Tell the server which encryption algorithms it supports;
Step 2: The server sends a digital certificate to the client
(1) The server generates a random number R2;
(2) Choose an encryption algorithm supported by both parties from the encryption algorithms supported by the client (this algorithm is used for subsequent session key generation);
(3) The server generates the certificate, the random number R2 and the session key generation algorithm, and sends them to the client together;
Step 3: The client verifies the digital certificate.
(1) To verify the reliability of the certificate, first use the CA’s public key to decrypt the encrypted certificate. If it can be decrypted, it means that there is no problem with the certificate. Then use the digest algorithm provided in the certificate to digest the data, and then use the self-generated digest Compare with the summary sent by the server.
(2) Verify the validity of the certificate, including whether the certificate is revoked, expired, and whether the domain name matches. After passing, proceed to the following process
(3) Obtain the public key of the certificate, the session key generation algorithm, and the random number R2
(4) Generate a random number R3.
(5) Use R1, R2, and R3 to generate the session key according to the session key algorithm.
(6) Encrypt the random number R3 with the public key of the server certificate and send it to the server.
Step 4: The server gets the session key
(1) The server uses the private key to decrypt the random number R3 sent by the client
(2) Use R1, R2, and R3 to generate the session key according to the session key algorithm
Step 5: Encrypted session between client and server
(1) The client sends encrypted data to the server
Send encrypted data: The client encrypts the data and sends it to the server.
(2) The server responds to the client
Decrypt the received data: the server uses the session key to decrypt the data sent by the client;
Encrypt response data: Use the session key to encrypt the response data and send it to the client.
(3) The client decrypts the data responded by the server
Decrypt data: The client uses the session key to decrypt the response data;