Do you really know the connection process of HTTPS

HTTP transmits unencrypted plain text, so its security cannot be guaranteed. For example, if you enter a credit card number on a web page and the connection is tapped, the credit card number is exposed.

To solve these problems in a unified way, encryption and authentication mechanisms must be added to HTTP. HTTP with these mechanisms added is called HTTPS (HTTP Secure).

Macro view

The entire HTTPS connection process is quite complicated and involves networking, cryptography and more, so let's first take a macro look at how an HTTPS connection is established, and then refine the individual points of the process. Please see the figure below.

  1. The negotiation between the client and the server determines the SSL version, the encryption algorithm to use, the key length, and so on.
  2. During the negotiation the server sends its public key certificate to the client. The client uses the certification authority's public key to confirm that the certificate is valid, and then extracts the server's public key from it.
  3. The client generates a random string called the Pre-master secret, which is used for the communication encryption, encrypts it with the public key it obtained, and sends it to the server.
  4. The server decrypts the received data with its private key and retrieves the Pre-master secret.
  5. The server and the client each generate the master_secret from the Pre-master secret. The formula is master_secret = PRF(pre_master_secret, "master secret", ClientHello.random + ServerHello.random), where ClientHello.random and ServerHello.random were exchanged between the two sides during the negotiation. The master_secret is then used to generate the symmetric encryption keys.
  6. The client and server use the symmetric encryption keys to protect all subsequent data.

Details

SSL and TLS

The SSL (Secure Sockets Layer) protocol was originally developed by Netscape to protect online transactions. It protects customers' personal data through encryption, and ensures transaction security through authentication and integrity checks. To achieve this, SSL is implemented at the application layer, directly above TCP.

What is the relationship between SSL and TLS?

When the IETF later standardized SSL, it was renamed Transport Layer Security (TLS). Many people use TLS and SSL interchangeably, but strictly speaking they are not the same, because they refer to different protocol versions.

Usually HTTP communicates directly with TCP. When SSL is used, HTTP first communicates with SSL, and SSL then communicates with TCP. In short, HTTPS is simply HTTP wrapped in the shell of the SSL protocol.

With SSL adopted, HTTP gains the encryption, certificate and integrity-protection functions that make it HTTPS.

SSL is a protocol independent of HTTP, so not only HTTP but also other application-layer protocols such as SMTP and Telnet can be used in conjunction with it. SSL can be said to be the most widely used network security technology in the world today.

TLS runs on top of a reliable transport layer (TCP), which means that TCP's three-way handshake must be completed first.

Symmetric encryption and asymmetric encryption

Symmetric encryption: also called shared-key encryption; the same key is used for encryption and decryption. If the server simply sends the key to the client, the key can easily be intercepted, and the protection is lost.

Asymmetric encryption: also called public-key encryption. It uses two keys, one called the private key and the other the public key. As the names imply, the private key must not be known to anyone else, while the public key can be released freely and obtained by anyone. The sender encrypts with the public key, and the receiver decrypts the ciphertext with its own private key.

HTTPS uses asymmetric encryption when exchanging the pre_master_secret. Its main purpose is to negotiate a symmetric encryption key safely.

Once HTTPS has obtained the symmetric key, it uses a symmetric encryption algorithm to encrypt the data it sends.

Certification authority

Public keys have a problem of their own: how does the client know that the public key it received is really the server's public key and has not been replaced by an attacker in transit?

This is where a digital certificate certification authority (CA, Certificate Authority) and the public key certificates it issues come in.

The server operator submits an application containing its public key to the CA. After the CA has verified the applicant's identity, it digitally signs the submitted public key and distributes the result: the public key and the CA's signature are bound together in a public key certificate.

The server sends the certificate to the client. The client uses the CA's public key to verify the digital signature on the certificate. Once verification passes, the client can be sure of two things: first, that the certificate was issued by a real and valid CA, and second, that the server's public key is trustworthy.

How does the client get the CA's public key? Most browser developers embed the public keys of commonly used CAs in the browser when they release a version.

HTTPS secure communication process

After the macro view and the details, let's look at the complete HTTPS communication process. It starts after the TCP handshake.

Step 1: The client starts SSL communication by sending a Client Hello message. The message contains the SSL version the client supports and a list of cipher suites (the encryption algorithms and key lengths it can use, etc.).

Step 2: If the server can perform SSL communication, it responds with a Server Hello message. Like the client's message, it contains the SSL version and a cipher suite. The server's cipher suite is chosen by filtering the list it received from the client.

Step 3: The server then sends a Certificate message, which contains its public key certificate.

Step 4: Finally, the server sends a Server Hello Done message to notify the client that the initial part of the SSL handshake negotiation is complete.

Step 5: After the first part of the SSL handshake ends, the client responds with a Client Key Exchange message. It contains a random string called the Pre-master secret, used in communication encryption, encrypted with the public key from the certificate in step 3.

Step 6: The client then sends a Change Cipher Spec message, which tells the server that communication after this message will be encrypted with the Pre-master secret key.

Step 7: The client sends a Finished message, which contains an overall check value of all handshake messages exchanged so far. Whether the handshake negotiation succeeds is determined by whether the server can correctly decrypt this message.

Step 8: The server also sends a Change Cipher Spec message.

Step 9: The server also sends a Finished message.

Step 10: Once the server and client have exchanged Finished messages, the SSL connection is established, and from now on the communication is protected by SSL. Application-layer protocol communication starts here, that is, an HTTP request is sent.

Step 11: Application-layer protocol communication continues, that is, the HTTP response is sent.

Step 12: Finally, the client disconnects. When disconnecting, it sends a close_notify message (the figure above omits some of these details). After this step, a TCP FIN message is sent to close the TCP connection.
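Steps 1 and 2 are easier to picture with the bytes in hand. The following is an added example written for this article, not code from the original post: it builds a TLS 1.2 ClientHello record, parses it back with the length checks a server has to make before trusting anything in it, and performs the "filtering" of step 2 by walking the server's own preference list and picking the first suite the client also offered. The randoms and the offered suite lists are constructed sample values; the cipher suite code points are the real IANA values, and extensions are deliberately left out of the message to keep the focus on the negotiation.

```python
import struct

# Record content type, handshake message types and version from RFC 5246.
CONTENT_HANDSHAKE = 0x16
HS_CLIENT_HELLO = 0x01
HS_SERVER_HELLO = 0x02
TLS_1_2 = 0x0303

# IANA cipher suite code points used in the sample below.
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 = 0xC030
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 = 0xC02F
TLS_RSA_WITH_AES_128_CBC_SHA = 0x002F
TLS_RSA_WITH_RC4_128_SHA = 0x0005  # obsolete; included only to show it being rejected

# Constructed randoms (a real endpoint draws 32 bytes from a CSPRNG).
CLIENT_RANDOM = bytes(range(32))
SERVER_RANDOM = bytes(range(32, 64))


def _wrap_handshake(hs_type: int, body: bytes) -> bytes:
    """Handshake header (1-byte type, 3-byte length) inside a record header
    (1-byte content type, 2-byte version, 2-byte length)."""
    handshake = bytes([hs_type]) + len(body).to_bytes(3, "big") + body
    return bytes([CONTENT_HANDSHAKE]) + struct.pack("!HH", TLS_1_2, len(handshake)) + handshake


def build_client_hello(client_random: bytes, cipher_suites: list, session_id: bytes = b"") -> bytes:
    """Step 1: version, random, session id, offered suites, null compression."""
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body = (struct.pack("!H", TLS_1_2) + client_random
            + bytes([len(session_id)]) + session_id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00")  # one compression method: null
    return _wrap_handshake(HS_CLIENT_HELLO, body)


def build_server_hello(server_random: bytes, cipher_suite: int, session_id: bytes = b"") -> bytes:
    """Step 2: the server echoes the version and names exactly one suite."""
    body = (struct.pack("!H", TLS_1_2) + server_random
            + bytes([len(session_id)]) + session_id
            + struct.pack("!H", cipher_suite) + b"\x00")
    return _wrap_handshake(HS_SERVER_HELLO, body)


def parse_client_hello(record: bytes) -> dict:
    """Decode a ClientHello, rejecting any length field that does not match
    the bytes actually present."""
    if len(record) < 5 or record[0] != CONTENT_HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    if len(record) != 5 + rec_len:
        raise ValueError("record length does not match payload")
    hs = record[5:]
    if len(hs) < 4 or hs[0] != HS_CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    body = hs[4:]
    if len(body) != int.from_bytes(hs[1:4], "big") or len(body) < 35:
        raise ValueError("handshake length does not match payload")
    version = struct.unpack("!H", body[0:2])[0]
    client_random = body[2:34]
    pos = 35 + body[34]
    session_id = body[35:pos]
    if len(body) < pos + 2:
        raise ValueError("truncated before cipher_suites")
    suites_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    if suites_len % 2 or len(body) < pos + suites_len + 1:
        raise ValueError("bad cipher_suites length")
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + suites_len, 2)]
    pos += suites_len
    compression = list(body[pos + 1:pos + 1 + body[pos]])
    if len(compression) != body[pos]:
        raise ValueError("bad compression_methods length")
    return {"version": version, "random": client_random, "session_id": session_id,
            "cipher_suites": suites, "compression_methods": compression}


def select_cipher_suite(server_preference: list, client_offer: list):
    """Step 2's filtering: walk the server's preference list (which holds only
    suites the server is willing to use) and take the first one the client
    offered, so the client's ordering cannot push a weak suite through.
    None means no overlap; a server then sends a handshake_failure alert."""
    offered = set(client_offer)
    for suite in server_preference:
        if suite in offered:
            return suite
    return None


if __name__ == "__main__":
    server_preference = [TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
                         TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
                         TLS_RSA_WITH_AES_128_CBC_SHA]
    # The client lists RC4 first; the server never picks it because it is
    # absent from the server's own list.
    client_hello = build_client_hello(CLIENT_RANDOM, [TLS_RSA_WITH_RC4_128_SHA,
                                                      TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
                                                      TLS_RSA_WITH_AES_128_CBC_SHA])
    parsed = parse_client_hello(client_hello)
    chosen = select_cipher_suite(server_preference, parsed["cipher_suites"])
    print("client offered:", [hex(s) for s in parsed["cipher_suites"]])
    print("server chose:", hex(chosen))
    print("ServerHello:", build_server_hello(SERVER_RANDOM, chosen).hex())
```

The parser is also the shape of a passive handshake monitor: because ClientHello and ServerHello are sent in the clear, the offered and chosen suites and versions are visible on the wire, which is how tooling can flag a server that still accepts obsolete suites.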

A more detailed version of the communication flow is shown in the figure below.

Summary

The HTTPS connection process is quite complicated. This article only briefly introduces the overall framework; there are many details worth discussing, and how deep you go depends entirely on your own needs. After all, some tasks can be done without understanding HTTPS.

References

  1. The Definitive Guide to Web Performance
  2. Graphical HTTP
  3. How does HTTPS get from the pre-master-secret to the master-secret?

Finally

If you like my articles, you can follow my official account (Programmer Mala Tang).

My personal blog is: https://shidawuhen.github.io/

Origin blog.csdn.net/shida219/article/details/111187836