1. Why is there HTTPS with HTTP?
https is a secure version of http, because the data of the http protocol is transmitted in plain text, so the transmission of some sensitive information is very insecure. https is to solve the insecure of http Born.
2. How does HTTPS ensure security?
First of all, we must understand two concepts:
1. Symmetric encryption:
① Both parties in the communication use the same key for encryption. For example, the secret code of the spy connector belongs to symmetric encryption.
2. Asymmetric encryption :
①Private key + public key = key pair
②The data encrypted with the private key can only be decrypted by the corresponding public key. Data encrypted with the public key can only be decrypted by the corresponding private key
③Because of communication Both parties have their own key pair in their hands. Before communication, both parties will send their own public keys to the other party
④ and then the other party will use this public key to encrypt the data and respond to the other party. When it reaches the other party, the other party Use your own private key to decrypt
3. Differences and advantages and disadvantages
① Although symmetric encryption is simple and has good performance, it cannot solve the problem of sending the key to the other party for the first time, and it is easy to be intercepted by hackers.
② Although asymmetric encryption is more secure, it brings problems It is very slow, which affects performance.
4. Solution
Then combine the two encryption methods, encrypt the symmetric encryption key with the asymmetric encryption public key, and then send it out. The recipient uses the private key to decrypt and obtain the symmetric encryption key. Then both parties can Use symmetric encryption to communicate.
At this time there is another problem, the middleman problem :
if there is a middleman between the client and the server at this time, the middleman only needs to replace the public key that the two parties communicate with each other with his own public key, so that the middleman can easily Decrypt all data sent by both parties in communication.
So at this time, a secure third party is required to issue a certificate (CA) , an ID card that proves the identity, and prevent man-in-the-middle attacks.
The certificate includes: issuer, certificate purpose, user public key, user private key, user HASH algorithm, certificate expiration time, etc.
But the question is, if the middleman tampered with the certificate, is the identity certificate invalid? This certificate was bought for nothing. At this time, a new technology, digital signature, is needed.
The digital signature is to use the AC's own HASH algorithm to hash the content of the certificate to obtain a digest, then encrypt it with the CA's private key, and finally form a digital signature.
When someone else sends his certificate, I use the same HASH algorithm to generate the message digest again, and then use the CA's public key to decrypt the digital signature. At this time, the CA can guarantee the security of the communication to the greatest extent.