Https one-way and two-way authentication process

This article is reproduced from: https://blog.csdn.net/duanbokan/article/details/50847612

One, Http

HyperText Transfer Protocol (HTTP) is the most widely used protocol on the Internet and the standard that all WWW documents must follow. Data transmitted with HTTP is unencrypted, that is, in plain text, so using HTTP to transmit private information is very insecure.

Uses TCP port 80.

Two, Https

Hyper Text Transfer Protocol over Secure Socket Layer, the secure hypertext transfer protocol. Netscape designed the SSL (Secure Sockets Layer) protocol to encrypt the data that HTTP transmits and thereby secure the session.

Uses TCP port 443 by default.

Three, SSL protocol encryption method

The SSL protocol uses both symmetric encryption and asymmetric (public key) encryption. When establishing a transmission link, SSL first uses the public key to asymmetrically encrypt the symmetric encryption key. After the link is established, SSL uses symmetric encryption for the transmitted content.

  1. Symmetric encryption
    Fast and suited to large amounts of content; used to encrypt the messages in the session.

  2. Public key (asymmetric) encryption
    Slower, but provides better authentication; used to encrypt the symmetric encryption key.

Four, one-way authentication

Https needs to perform a handshake before establishing a Socket connection. The specific process is as follows:


  1. The client sends its SSL protocol version number, encryption algorithm type, a random number and other information to the server.
  2. The server returns its SSL protocol version number, encryption algorithm type, a random number and other information to the client, together with the server certificate, that is, its public key certificate.
  3. The client uses the information returned by the server to verify that the server is legitimate, checking:

  • whether the certificate has expired;
  • whether the CA that issued the server certificate is trusted;
  • whether the returned public key correctly verifies the digital signature on the returned certificate;
  • whether the domain name on the server certificate matches the actual domain name of the server.

If verification passes, communication continues; otherwise the communication is terminated.

  • The client sends the symmetric encryption schemes it supports to the server for the server to choose from.
  • The server selects the strongest encryption scheme among those offered by the client.
  • The server returns the selected encryption scheme to the client in clear text.
  • After receiving the chosen scheme, the client generates a random code for it, to be used as the symmetric encryption key for the rest of the communication, encrypts that random code with the public key returned by the server, and sends the encrypted random code to the server.
  • After the server receives the encrypted information from the client, it decrypts it with its own private key to obtain the symmetric encryption key.
    From then on, the server and client use this key for symmetric encryption to keep the information exchanged during the communication secure.
Five, two-way authentication

The principle of two-way authentication is basically the same as that of one-way authentication: the client still needs to authenticate the server, and on top of that the server also authenticates the client. The specific process is as follows:

  1. The client sends its SSL protocol version number, encryption algorithm type, a random number and other information to the server.
  2. The server returns its SSL protocol version number, encryption algorithm type, a random number and other information to the client, together with the server certificate, that is, its public key certificate.
  3. The client uses the information returned by the server to verify that the server is legitimate, checking:

  • whether the certificate has expired;
  • whether the CA that issued the server certificate is trusted;
  • whether the returned public key correctly verifies the digital signature on the returned certificate;
  • whether the domain name on the server certificate matches the actual domain name of the server.

If verification passes, communication continues; otherwise the communication is terminated.

  • The server asks the client for its certificate, and the client sends its own certificate to the server.
  • The server verifies the client's certificate; once verification passes, it obtains the client's public key.
  • The client sends the symmetric encryption schemes it supports to the server for the server to choose from.
  • The server selects the strongest encryption scheme among those offered by the client.
  • The server encrypts the chosen encryption scheme with the client's public key obtained earlier and returns it to the client.
  • After the client receives the encrypted encryption scheme from the server, it decrypts it with its own private key to obtain the chosen scheme, then generates a random code for that scheme, which serves as the key for symmetric encryption. It encrypts this random code with the public key from the server certificate and sends it to the server.
  • After the server receives the message from the client, it decrypts it with its own private key to obtain the symmetric encryption key. From then on, the server and client use this key for symmetric encryption to keep the information exchanged during the communication secure.
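As an added, self-contained example (not from the original post), the one-way and two-way handshakes described above driven by Go's standard crypto/tls over a loopback TCP connection: with ClientAuth set to tls.NoClientCert only the client verifies the server (issuer, signature, validity period, hostname); with tls.RequireAndVerifyClientCert the server additionally demands and verifies a client certificate. The throwaway CA and the names ca.example, server.example and client.example are assumptions constructed for the demo.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
// newCert issues a throwaway demo certificate (assumed names, not real trust anchors); parent == nil makes a self-signed root CA.
func newCert(name string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name},
		DNSNames: []string{name}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	if parent == nil { // root CA: signs itself and is allowed to sign the server and client certificates
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey) // fixed inputs, so no error is expected
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// handshake runs one TLS handshake over loopback TCP and returns the server's verdict: nil means the session was established.
func handshake(clientAuth tls.ClientAuthType, clientHasCert bool, serverName string) error {
	ca, caKey := newCert("ca.example", nil, nil)
	srvCert, srvKey := newCert("server.example", ca, caKey)
	pool := x509.NewCertPool()
	pool.AddCert(ca) // the single trusted CA: "is the issuing CA trusted?" is answered against this pool on both sides
	// One-way: tls.NoClientCert. Two-way: tls.RequireAndVerifyClientCert makes the server demand and verify a client certificate.
	srvCfg := &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{srvCert.Raw}, PrivateKey: srvKey}}, ClientCAs: pool, ClientAuth: clientAuth}
	cliCfg := &tls.Config{RootCAs: pool, ServerName: serverName} // drives the issuer, signature, validity period and hostname checks of step 3
	if clientHasCert { // the client holds a CA-issued certificate of its own to present when the server asks for one
		cliCert, cliKey := newCert("client.example", ca, caKey)
		cliCfg.Certificates = []tls.Certificate{{Certificate: [][]byte{cliCert.Raw}, PrivateKey: cliKey}}
	}
	ln, _ := tls.Listen("tcp", "127.0.0.1:0", srvCfg)
	defer ln.Close()
	done := make(chan error, 1)
	go func() { // server side: Accept wraps the TCP connection in a *tls.Conn; Handshake runs the server half
		raw, _ := ln.Accept()
		defer raw.Close()
		done <- raw.(*tls.Conn).Handshake()
	}()
	cli, err := tls.Dial("tcp", ln.Addr().String(), cliCfg) // client side: Dial runs the client half of the handshake
	if err != nil {
		return err // the client rejected the server certificate (e.g. hostname mismatch) and terminated the session
	}
	defer cli.Close()
	return <-done // in TLS 1.3 the server's decision on the client certificate arrives after the client's Dial has returned
}
```

Calling handshake with tls.RequireAndVerifyClientCert and clientHasCert set to false reproduces the two-way failure case: the client completes its half, but the server refuses the session because no client certificate was presented.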
