[Computer Network] Detailed Explanation of HTTPS Protocol

Preface: The previous article introduced the HTTP protocol in detail. Building on that, this chapter introduces the HTTPS protocol in detail. If you have any questions about the HTTP protocol, you can read the previous article "HTTP Protocol Detailed Explanation". I hope it helps!

1. What is HTTPS

HTTPS (Hyper Text Transfer Protocol over Secure Socket Layer):

  • HTTPS is an application layer protocol, a transport protocol for secure communication over a computer network.
  • HTTPS communicates via HTTP, but adds an encryption layer on top of HTTP, using SSL/TLS to encrypt the packets.
  • The main purpose of HTTPS is to authenticate the website server and to protect the privacy and integrity of the exchanged data.
  • HTTPS works on TCP port 443 by default.

2. What is "encryption"

Encryption related terms:

  • Plaintext: The original message to be transmitted
  • Ciphertext: The content of the plaintext transformed by certain rules
  • Encryption: turn plaintext into ciphertext
  • Decryption: turn ciphertext into plaintext
  • Key: During encryption and decryption, one or more pieces of auxiliary data are usually needed to carry out the process; such data is called a key

Why do we need HTTPS and why do we need encryption?

There was an operator hijacking incident a few years ago. Since all data we send over the network passes through the operator's network equipment (routers, switches, etc.), that equipment can parse the content we transmit and tamper with it.

For example, when you click to download a piece of software, you are actually sending an HTTP request to the server. The HTTP response you get back should contain the download link for that software, but after the operator hijacks it, the response can be tampered with so that it points to the download link of some other software, and the hijacker profits illegally from this.

In the above example, not only operators can hijack traffic; hackers and other illegal persons can use the same method to steal user privacy or tamper with content.

This is why HTTPS appeared: by transmitting ciphertext it further protects the user's information security.

3. The working process of HTTPS

Since data security must be ensured, "encryption" is required: during network transmission the plaintext is no longer sent directly; instead the encrypted "ciphertext" is sent. There are many ways to encrypt, but overall they fall into two categories: symmetric encryption and asymmetric encryption.

3.1 Introducing Symmetric Encryption

Basic introduction:

Symmetric encryption uses only one key, both to encrypt plaintext into ciphertext and to decrypt ciphertext back into plaintext.

A simple symmetric encryption can be achieved with the XOR operation. Let the plaintext be 1234 and the key be 8888. Encryption is the XOR of the plaintext and the key, 1234 ^ 8888, which gives the ciphertext 9834. Decryption is the XOR of the ciphertext and the key, 9834 ^ 8888, which gives back the plaintext 1234.
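As an added illustration (not code from the original post), the XOR scheme above generalized from a single integer to a byte string; `xor_cipher`, `xor_int` and the sample message are assumptions of this example:

```python
def xor_cipher(data: bytes, key: bytes) -> bytes:
    """XOR each byte of data with the corresponding key byte, repeating the key
    if it is shorter than the data. XOR is its own inverse, so the same function
    both encrypts and decrypts: this is the single-key property of symmetric
    encryption. A repeating key like this is weak; real TLS uses ciphers such as AES."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def xor_int(value: int, key: int) -> int:
    """The integer form used above: plaintext ^ key -> ciphertext, ciphertext ^ key -> plaintext."""
    return value ^ key

# Constructed sample message and key (illustrative values only).
PLAINTEXT = b"GET /download HTTP/1.1"
KEY = b"8888"

CIPHERTEXT = xor_cipher(PLAINTEXT, KEY)   # what an eavesdropper on the router sees
RECOVERED = xor_cipher(CIPHERTEXT, KEY)   # the receiver applies the same key again
```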

The problem with using only symmetric encryption:

With symmetric encryption it seems that the data can be protected: even if a hacker breaks into the router, they can only obtain the ciphertext of the request.


However, there is a problem with the above scheme: how is the key agreed upon? After all, one server corresponds to many clients, and each client needs to agree on a unique key with the server.

It is not easy for the server to manage all of those keys, so it is better for the client to bring a key it generated itself when it connects: before connecting, each client generates its own key and tells the server over the network, and the server saves that key.


It is precisely because of this that a hacker who obtains the ciphertext request also obtains the key, so symmetric encryption alone cannot protect the data. Therefore the key itself needs to be encrypted; symmetric encryption will not work for that, so asymmetric encryption is introduced.

3.2 Introducing asymmetric encryption

Basic introduction:

Asymmetric encryption uses two keys, one called the public key and the other called the private key. The public key and private key come as a pair, and the pair is generated by the server.

Shortcoming:

The operations are very slow, much slower than symmetric encryption.

Introduction process:

The server sends the public key directly to the client and keeps the private key. After the client obtains the public key, it encrypts its symmetric key with the public key and sends it to the server, and the server decrypts with the private key to obtain the symmetric key. The server then encrypts a "key received" message with that symmetric key and sends it to the client. After the client receives it, the two sides transmit data using symmetric encryption with that key.


Why still use symmetric encryption once asymmetric encryption is introduced?

Because the cost of symmetric encryption (the consumption of machine resources) is far lower than that of asymmetric encryption. In practice the amount of data transmitted between client and server is very large; if all of it were asymmetrically encrypted, the overall transmission would be very slow. Therefore asymmetric encryption is used only to get the key to the server, and afterwards symmetric encryption is used for transmission, which improves transmission efficiency.

Problems that remain after introducing asymmetric encryption:

The server first generates a pair, public key A and private key A, and needs to send public key A to the client. At this point a hacker can act as a middleman and generate his own pair, public key B and private key B. He intercepts the server's message and sends his own public key B to the client instead. When the client receives public key B, it uses it to encrypt the symmetric key it generated (key A) and sends that to the server. The hacker intercepts again, decrypts with private key B to obtain key A, then encrypts key A with public key A and forwards it to the server. At this point both the server and the client have settled on key A, but the hacker also knows key A without anyone noticing. In all subsequent transmission the hacker can directly read the complete plaintext of both the client and the server. So even with asymmetric encryption, two problems remain:

  • How does the client get the public key?
  • How does the client determine that this public key was not forged by a hacker?

To solve these two problems, certificates are introduced.

3.3 Introducing the certificate mechanism

Basic introduction:

When the client and server first establish a connection, the server returns a certificate. This certificate is like a person's ID card and serves as the identity of the website. Whenever you build an HTTPS website, you need to apply to a CA for a certificate.

Important information contained in the certificate:

  • Certificate issuing authority
  • Certificate validity period
  • Public key
  • Certificate owner
  • Signature

The certificate process:

The server first generates a key pair and applies to a third-party notary agency (the CA) for a certificate; the certificate contains the public key. The server then sends the certificate, and with it the public key, to the client. Because certificate verification is very strict, even if a hacker intercepts it, it is hard to forge a fake one, and even a forged one can be checked by the client with the notary agency. So the client obtains the server's genuine public key, encrypts the key it generated with it, and sends it to the server. Since the hacker does not have the private key, even if the request is intercepted the key cannot be obtained; the server receives the encrypted key and decrypts it with its private key. This effectively prevents hackers from obtaining or tampering with the data.


Certificate verification method:

  • Check whether the certificate's validity period has expired
  • Check whether the certificate's issuing authority is trusted
  • Check whether the certificate has been tampered with: obtain the issuing authority's public key from the system, decrypt the signature with it to get a hash value (called the data digest), and call it hash1. Then compute the hash value of the certificate contents and call it hash2. Compare hash1 and hash2; if they are equal, the certificate has not been tampered with.
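The three checks above as an added, runnable illustration (example code written for this page, not the post's own; the toy RSA key, the "Example Root CA" name, the JSON certificate layout and all placeholder values are constructed assumptions):

```python
import hashlib
import json
from datetime import date

# Toy RSA key pair standing in for the CA. Mersenne primes are used so n can hold a
# full SHA-256 digest; this is illustrative only (real CAs use proper RSA/ECDSA keys).
P, Q, E = 2**127 - 1, 2**521 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))          # CA private exponent (Python 3.8+)
TRUSTED_CAS = {"Example Root CA": (N, E)}  # issuers the client trusts (from the OS store)

def digest(fields: dict) -> int:
    """Hash of the signed fields (everything but the signature). The page's example is MD5;
    real certificates use SHA-256."""
    data = json.dumps(fields, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def ca_sign(fields: dict) -> dict:
    """The CA signs with its private key: signature = hash^d mod n."""
    return {**fields, "signature": pow(digest(fields), D, N)}

def verify_certificate(cert: dict, today_iso: str) -> bool:
    """The three checks listed above: validity period, trusted issuer, untampered contents."""
    today = date.fromisoformat(today_iso)
    valid_from, valid_to = (date.fromisoformat(cert[k]) for k in ("not_before", "not_after"))
    if not valid_from <= today <= valid_to:
        return False                                  # expired or not yet valid
    ca_key = TRUSTED_CAS.get(cert["issuer"])
    if ca_key is None:
        return False                                  # issuer is not trusted
    n, e = ca_key
    hash1 = pow(cert["signature"], e, n)              # "decrypt" the signature with the CA public key
    hash2 = digest({k: v for k, v in cert.items() if k != "signature"})  # recompute the digest
    return hash1 == hash2

# Constructed sample certificate (placeholder values, not a real certificate).
GENUINE = ca_sign({
    "issuer": "Example Root CA",
    "owner": "www.example.com",
    "public_key": "server-public-key-placeholder",
    "not_before": "2022-01-01",
    "not_after": "2023-01-01",
})

def with_swapped_public_key(cert: dict) -> dict:
    """A middleman that substitutes its own public key cannot re-sign, so this must fail."""
    return {**cert, "public_key": "other-public-key-placeholder"}
```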

Understanding data digests and signatures:

For a piece of data, a signature (digest) can be generated by a specific algorithm. Since different data produce very different signatures, the signature can be used to distinguish data to a certain extent. Common algorithms for generating signatures are MD5 and SHA. MD5 is taken as an example below to introduce its characteristics:

  • Fixed length: No matter how long the string is, the calculated MD5 value has a fixed length (16-byte version or 32-byte version)
  • Scattering: If the source string is changed even slightly, the resulting MD5 value is very different
  • Irreversible: It is easy to generate the MD5 of a source string, but it is theoretically impossible to recover the original string from its MD5

Because of these characteristics of MD5, if the MD5 values of two pieces of data are the same, the two pieces of data can be considered the same.

3.4 Complete Process

  • Symmetric encryption: a symmetric key generated by the client is needed to encrypt the transmitted data, but the symmetric key must be made known to the server
  • Asymmetric encryption: the server provides a public key (keeping the private key to itself) and sends the public key to the client; the client encrypts the symmetric key with the public key and sends the ciphertext to the server
  • Certificate mechanism: a third-party notary agency issues a certificate to the website, and the certificate contains the public key. What the client requests from the server is the certificate; after receiving it, the client verifies it with the notary agency, and if the certificate is valid, it uses the public key inside to encrypt the symmetric key.


Origin blog.csdn.net/weixin_51367845/article/details/123385750