The difference between HTTP and HTTPS (frequent interview questions)

Tyler_Zx 2018-07-09 14:23:35 110476 Collection 850
Category Column: Computer Network Article Tags: HTTPS TLS/SSL
Foreword
Whether at school or job hunting, teachers and interviewers have asked classmates about the difference between HTTP and HTTPS. I usually don't pay attention to this question when I surf the Internet; I only know the concept of HTTP from the computer networking course, so I recently looked up some material to make up for it. In fact, this piece of knowledge extends quite widely. If you don't know about encryption algorithms and the SSL protocol yet, you can research them on the basis of learning this question.

TLS/SSL working principle and detailed explanation of the handshake process: https://tyler-zx.blog.csdn.net/article/details/107591115

1. The basic concepts of HTTP and HTTPS
HTTP: the HyperText Transfer Protocol (HTTP) is the most widely used network protocol on the Internet. HTTP was originally designed to provide a way to publish and receive HTML pages, and it lets the browser work more efficiently. HTTP sends information in plain text: if a hacker intercepts the messages exchanged between the Web browser and the server, the information in them can be read directly.

HTTP principle:

① The client's browser first establishes a connection with the server over the network. The connection is made with TCP, generally on port 80. Once the connection is up, the client sends a request to the server. The request consists of a Uniform Resource Identifier (URL) and the protocol version number, followed by MIME-style header information including request modifiers, client information, and permitted content.

② After receiving the request, the server returns the corresponding response. Its format is a status line containing the protocol version and a success or error code, followed by MIME-style information including server information, entity information, and possibly body content.

HTTPS: an HTTP channel with security as its goal, i.e. the secure version of HTTP. The security foundation of HTTPS is SSL. The SSL protocol sits between TCP/IP and the various application layer protocols and provides security support for data communication. SSL can be divided into two layers. The SSL Record Protocol is built on a reliable transport protocol (such as TCP) and provides basic functions such as data encapsulation, compression, and encryption for the higher-level protocols. The SSL Handshake Protocol is built on top of the SSL Record Protocol and is used by the communicating parties to authenticate each other's identity, negotiate encryption algorithms, and exchange encryption keys before the actual data transmission starts.

HTTPS design goals:

(1) Data confidentiality: ensure that the data content cannot be viewed by a third party during transmission. Just like a courier delivering a parcel: it is sealed, and nobody else can know what is inside.

(2) Data integrity: detect in time any content tampered with by a third party during transmission. For example, although the courier does not know what is in the parcel, he might swap it for another one on the way. Data integrity means that if the parcel has been swapped, we can easily find out and reject it.

(3) Identity verification: ensure that the data reaches the destination the user expects. When we mail a parcel, even if it is sealed and has not been swapped, we still have to make sure it is not sent to the wrong place; identity verification is what ensures it is delivered to the right place.

2. The difference between HTTP and HTTPS
1. The HTTPS protocol requires applying to a CA (Certificate Authority) for a certificate. Free certificates are generally few, so a certain fee is usually required. (In the past the NetEase home page was HTTP while NetEase Mail was HTTPS.)

2. HTTP is the hypertext transfer protocol and transmits information in plain text; HTTPS is a secure, SSL-encrypted transfer protocol.

3. HTTP and HTTPS use completely different connection methods and different ports: the former uses 80 and the latter 443.

4. An HTTP connection is very simple and stateless. HTTPS is a network protocol built from SSL plus HTTP that performs encrypted transmission and identity authentication, and is safer than HTTP. (Stateless means that the sending, transmission and reception of data packets are independent of each other. Connectionless means that the two communicating parties do not keep any information about each other for a long time.)

3. The improvements of HTTPS over HTTP
Two-way identity authentication

Before transmitting data, the client and server authenticate each other's identity based on X.509 certificates. The specific process is as follows:

The client initiates an SSL handshake message to the server to request a connection.

The server sends the certificate to the client.

The client checks the server certificate and confirms whether it was issued by a certificate authority it trusts (the client has the certificates of all trusted CAs built in). If not, the user decides whether or not to continue the communication (note that this is a security weakness). If the check passes, or the user chooses to continue, the client accepts the identity of the server.

The server asks the client to send its certificate and checks whether it passes verification; if it fails, the connection is closed. If authentication succeeds, the client's public key, generally 1024 or 2048 bits, is obtained from the client certificate. At this point the identity authentication of server and client is complete, and both parties are assured that the identities are genuine and reliable.

note:

(1) A server using HTTPS must have a set of digital certificates, which can be self-made or applied for from an organization. The difference is that with a self-issued certificate, the client has to approve it before access can continue. This set of certificates is in fact a pair of public and private keys.

(2) There are far too many services on the Internet that need certificates to verify identity for the client (operating system, browser, etc.) to have all of them built in, so the certificate has to be sent to the client by the server.

(3) The root certificate of the CA (Root Certificate) is built into the client. In HTTPS, the server sends the certificate chain (Certificate Chain) to the client.

Confidentiality of data transmission

Before the client and server begin to transmit data, they negotiate the encryption algorithms to be used during the transmission. The client sends a negotiation request to the server containing the asymmetric key exchange algorithms it supports (usually RSA), the data signature digest algorithms (usually SHA or MD5), the symmetric encryption algorithms for encrypting the transmitted data (generally DES), and the length of the encryption key. After the server receives the message, it selects the most secure algorithms and sends its selection to the client, completing the negotiation. The client then generates a random string, encrypts it with the server's public key using the negotiated asymmetric algorithm, and sends it to the server. On receipt, the server decrypts the string with its own private key. In the subsequent data transmission, this string is used as the key for symmetric encryption.

Prevent replay attacks

SSL uses sequence numbers to protect the communicating parties from packet replay attacks. The sequence number is encrypted as part of the packet payload. Across the whole SSL handshake there is a unique random number that marks that handshake. This defeats the attack in which the attacker sniffs the entire login process, obtains the encrypted login data, and simply retransmits the login packets without decrypting them.

It can be seen that, for security requirements such as e-commerce, HTTPS is greatly strengthened compared with HTTP. In summary, the improvement of HTTPS lies in its creative use of asymmetric encryption: the key used for symmetric encryption is transmitted safely over an insecure network, so that the security of asymmetric encryption and the speed of symmetric encryption are both exploited.

4. The advantages of HTTPS
1. The use of HTTPS protocol can authenticate users and servers to ensure that data is sent to the correct client and server.

2. The HTTPS protocol is a network protocol constructed by the SSL+HTTP protocol that can be used for encrypted transmission and identity authentication. It is safer than the HTTP protocol. It can prevent data from being stolen or modified during transmission and ensure the integrity of the data.

3. HTTPS is the most secure solution under the current architecture. Although it is not absolutely secure, it greatly increases the cost of man-in-the-middle attacks.

5. The disadvantages of HTTPS (compared with its advantages)
1. The handshake phase of HTTPS is time-consuming, which lengthens the loading time of the page.

2. HTTPS connection caching is not as efficient as HTTP's, which increases data overhead, and even existing security measures may be affected.

3. The security of HTTPS has a limited scope; it does little against hacker attacks, denial of service attacks, and server hijacking.

4. An SSL certificate usually has to be bound to an IP address, and multiple domain names cannot be bound to the same IP; IPv4 address resources cannot support this consumption.

5. Increased cost. After HTTPS is deployed, the protocol consumes additional computing resources; for example, the SSL encryption algorithms and the number of SSL round trips take up a certain amount of computing resources and server cost.

6. The encryption scope of HTTPS is also relatively limited. Most importantly, the trust chain system of SSL certificates is not secure: in particular, when some countries can control CA root certificates, man-in-the-middle attacks remain feasible.

6. HTTPS connection process
https://blog.csdn.net/kobejayandy/article/details/52433660 (the picture is borrowed from this author; go and have a look)

The process in the picture is divided into 8 steps, but more detailed steps can be found online, so I have matched the detailed process to this picture.

① The client's browser sends a request to the server, carrying the version number of the client's SSL protocol, the types of encryption algorithm it supports, a generated random number, and other information the server and client need in order to communicate.

② The server sends the client its SSL protocol version number, the chosen type of encryption algorithm, a random number and other related information, and the server also sends its own certificate to the client.

③ The client uses the information sent by the server to verify the legitimacy of the server. This includes: whether the certificate has expired, whether the CA that issued the server certificate is trustworthy, whether the public key of the issuer's certificate correctly verifies the issuer's digital signature on the server certificate, and whether the domain name on the server certificate matches the actual domain name of the server. If the verification fails, the communication is disconnected; if it passes, the fourth step continues.

④ The client randomly generates a "symmetric secret" for the communication (the pre-master secret), encrypts it with the server's public key (obtained from the server's certificate in step ②), and sends the encrypted pre-master secret to the server.

⑤ If the server requires client identity authentication (optional in the handshake), the user creates a random number and signs it, then sends the signed random number together with the client's own certificate and the encrypted key to the server.

⑥ If the server requires client identity authentication, it must verify the legitimacy of the client's certificate and of the signed random number. This verification includes: whether the client's certificate is still valid, whether the CA that issued it is trustworthy, whether the issuing CA's public key correctly verifies the issuing CA's digital signature on the client certificate, and whether the client's certificate appears in the certificate revocation list (CRL). If the verification fails, the communication is interrupted immediately; if it passes, the server decrypts the encrypted secret with its own private key and then performs a series of steps to generate the master communication secret (the client generates the same master secret by the same method).

⑦ The server and the client now hold the same symmetric key, and this symmetric key is used to encrypt and decrypt the secure data communication of the SSL protocol. At the same time, the integrity of the data communication is protected during SSL communication, so that any change to the data is detected.

⑧ The client sends a message to the server indicating that the master secret of step ⑦ is the symmetric key to be used in subsequent data communication, and at the same time notifies the server that the client side of the handshake is over.

⑨ The server sends a message to the client indicating that the master secret of step ⑦ is the symmetric key for subsequent data communication, and at the same time notifies the client that the server side of the handshake is over.

⑩ The SSL handshake ends and data communication over the SSL secure channel starts: the client and server begin to communicate using the same symmetric key, and the integrity of the communication is checked as they go.

The core ideas to understand in the above process are the following.

The client parses the certificate

This work is done by the client's TLS implementation. First it verifies whether the public key (certificate) is valid, checking the issuing authority, the expiration time, and so on. If an anomaly is found, a warning box pops up indicating that there is a problem with the certificate. If the certificate is fine, the client generates a symmetric encryption key and then encrypts that key asymmetrically with the public key.
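The client-side certificate checks named in handshake step ③ and in this section (trusted issuer, validity period, host name) can be exercised with Go's crypto/x509 package. This is an added example, not code from the original post; the "Example Root CA", the site name www.example.com and the helper issue are constructed for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue builds a certificate for cn, valid for the dns names, signed by parent
// (self-signed when parent is nil). Hypothetical helper written for this example.
func issue(cn string, dns []string, isCA bool, notAfter time.Time, parent *x509.Certificate,
	parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()), // constructed serial number
		Subject:               pkix.Name{CommonName: cn},
		DNSNames:              dns,
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              notAfter,
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	signer, signerKey := tmpl, key // self-signed root certificate
	if parent != nil {
		signer, signerKey = parent, parentKey // signed by the issuing CA
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// Accepted reports whether a client that trusts roots would accept leaf for host.
// Verify checks the issuer signature chain, the validity period and the host name.
func Accepted(leaf *x509.Certificate, roots *x509.CertPool, host string) bool {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err == nil
}

// Scenarios runs the client-side checks; only the "valid" case should be accepted.
func Scenarios() map[string]bool {
	ca, caKey := issue("Example Root CA", nil, true, time.Now().Add(24*time.Hour), nil, nil)
	trusted := x509.NewCertPool()
	trusted.AddCert(ca) // plays the role of the root certificate built into the client
	good, _ := issue("www.example.com", []string{"www.example.com"}, false, time.Now().Add(24*time.Hour), ca, caKey)
	expired, _ := issue("www.example.com", []string{"www.example.com"}, false, time.Now().Add(-30*time.Minute), ca, caKey)
	return map[string]bool{
		"valid":        Accepted(good, trusted, "www.example.com"),
		"wrong host":   Accepted(good, trusted, "mail.example.com"),
		"expired":      Accepted(expired, trusted, "www.example.com"),
		"untrusted CA": Accepted(good, x509.NewCertPool(), "www.example.com"),
	}
}
```

The "untrusted CA" case is exactly the self-signed-certificate situation from the note above: the chain is internally consistent, but no root the client trusts signed it, so a correct client rejects it rather than leaving the decision to the user.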

Transmit encrypted information

What is transmitted here is the symmetric encryption key encrypted with the public key. The purpose is to let the server obtain this key, so that from then on the communication between client and server can be encrypted and decrypted with it.

Decrypt information on the server

The server decrypts with the private key of the asymmetric algorithm and obtains the symmetric encryption key sent by the client, and then uses this value to symmetrically encrypt everything transmitted afterwards.

Why use asymmetric encryption to negotiate symmetric encryption keys

Characteristics of symmetric encryption: in a symmetric cryptosystem there is only one key, and it is secret. To decrypt, the other party has to know the key, so to keep the system secure you have to keep the key secure.

Characteristics of asymmetric encryption: the algorithm is complex, and security depends on both the algorithm and the key. Because of the algorithm's complexity, encryption and decryption are not as fast as with symmetric encryption. An asymmetric key system has two kinds of key, one of which is public, so there is no need to transmit the secret key to the other party as with a symmetric key, and the security is much greater.

How the public and private keys are used in asymmetric encryption: (1) the public key encrypts and the private key decrypts; (2) the private key produces a digital signature and the public key verifies it.
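The negotiation described in this section and in handshake steps ④ and ⑥, as an added Go example that is not part of the original post: the client wraps a random symmetric key with the server's RSA public key, the server unwraps it with its private key, and both sides then protect records with AES-GCM, whose integrity tag also covers the "data integrity" goal from earlier. RSA-OAEP and AES-GCM are used here in place of the textbook RSA and DES the text mentions; the function names and the sample request line are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// WrapSessionKey is the client's step ④: draw a random 256-bit symmetric key and encrypt it
// with the server's public key (RSA-OAEP), so that only the holder of the private key can read it.
func WrapSessionKey(serverPub *rsa.PublicKey) (key, wrapped []byte) {
	key = make([]byte, 32)
	rand.Read(key) // error ignored for brevity; Go 1.24+ crashes rather than fail here
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, serverPub, key, nil)
	if err != nil {
		panic(err)
	}
	return key, wrapped
}

// UnwrapSessionKey is the server's step ⑥: recover the symmetric key with the private key.
func UnwrapSessionKey(serverPriv *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, serverPriv, wrapped, nil)
}

// Seal and Open protect application data with the negotiated key using AES-GCM, which gives
// confidentiality plus an integrity tag: a record modified in transit makes Open return an error.
func Seal(key, plaintext []byte) []byte {
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce)
	return gcm.Seal(nonce, nonce, plaintext, nil) // nonce is prefixed to the ciphertext
}

func Open(key, sealed []byte) ([]byte, error) {
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	n := gcm.NonceSize()
	return gcm.Open(nil, sealed[:n], sealed[n:], nil)
}

// Exchange runs the negotiation end to end and reports whether the server recovered the key the
// client chose, whether an untouched record decrypts, and whether a bit-flipped record is rejected.
func Exchange() (sameKey, intactOK, tamperDetected bool) {
	serverPriv, _ := rsa.GenerateKey(rand.Reader, 2048) // the key pair behind the server certificate
	clientKey, wrapped := WrapSessionKey(&serverPriv.PublicKey)
	serverKey, _ := UnwrapSessionKey(serverPriv, wrapped) // nil on error, so sameKey becomes false
	req := []byte("GET /account HTTP/1.1") // constructed sample request line
	sealed := Seal(clientKey, req)
	pt, err := Open(serverKey, sealed)
	intactOK = err == nil && bytes.Equal(pt, req)
	sealed[len(sealed)-1] ^= 0x01 // an attacker flips one bit of the record in transit
	_, err = Open(serverKey, sealed)
	return bytes.Equal(clientKey, serverKey), intactOK, err != nil
}
```

Only the wrapped blob and the sealed records ever cross the network; the symmetric key itself is never sent in the clear, which is the whole reason the slow asymmetric step is worth paying for once per session.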

Supplement:
Services provided by SSL
(1) Authenticate users and servers to ensure that data is sent to the correct client and server;

(2) Encrypt data to prevent data from being stolen in the middle;

(3) Maintain the integrity of the data and ensure that the data will not be changed during transmission.

SSL workflow
Server authentication phase:

(1) The client sends a start message "Hello" to the server to start a new session connection;

(2) Based on the client's information, the server determines whether a new master key needs to be generated. If so, the server includes the information required to generate the master key in its response to the client's "Hello" message;

(3) The client generates a master key according to the server's response, encrypts it with the server's public key, and sends it to the server;

(4) The server recovers the master key and returns to the client a message authenticated with the master key, so that the client can authenticate the server.

User authentication phase: before this, the server has already passed the client's authentication; this phase mainly completes the authentication of the client. The authenticated server sends a challenge to the client, and the client returns the digitally signed challenge together with its public key, thereby providing authentication to the server.

The secure channel provided by the SSL protocol has the following three characteristics:

Confidentiality: The SSL protocol uses a key to encrypt communication data.

Reliability: Both the server and the client will be authenticated, and the client's authentication is optional.

Integrity: The SSL protocol will check the integrity of the transmitted data.

A server certificate is a form of SSL digital certificate: a digital certificate presented to prove your identity or to show that you have the right to access an online service. Put simply, server certificates provide identity authentication for different sites and ensure that a site has high-strength encryption. A server certificate is the unique digital identifier that makes up the SSL security function of a Web server; it is obtained through a mutually trusted third party and gives users a means of verifying the identity of your Web site. The server certificate contains detailed authentication information, such as the organization the server content belongs to, the organization that issued the certificate, and a unique authentication file called the public key.
Copyright statement: this article is an original article by the CSDN blogger "Tyler_Zx" and follows the CC 4.0 BY-SA copyright agreement. Please attach the original source link and this statement when reprinting.
Original link: https://blog.csdn.net/qq_38289815/article/details/80969419

Origin blog.csdn.net/Handsome2013/article/details/115025739