Let you understand HTTPS in minutes

1. Problems with HTTP

1.1 Potential for eavesdropping

1. HTTP itself does not have the function of encryption, and HTTP packets are sent in clear text
2. Since the Internet is made up of network facilities that connect all parts of the world, all data sent and received through certain devices may be intercepted or spied on. (For example, the well-known packet capture tool: Wireshark)

1.2 Authentication Issues

1. Unable to confirm that the server you are sending to is the real target server (maybe the server is fake)
2. Unable to determine whether the returned client is the one that received it as intended (possibly a disguised client)
3. It is impossible to determine whether the communicating party has access rights. Some important information on the Web server is only sent to a specific user, and even the meaningless request will be received according to the order. Unable to prevent DoS attacks (Denial of Service, denial of service attacks) under massive requests.

1.3 May be tampered with

1. An attack in which a request or response is intercepted and tampered with content during transmission is called a Man-in-the-Middle attack (MITM).

2. Introduction to HTTPS

2.1 What is HTTPS

Hypertext Transfer Protocol Secure (English: Hypertext Transfer Protocol Secure, abbreviation: HTTPS, often referred to as HTTP over TLS, HTTP over SSL or HTTP Secure) is a transmission protocol for secure communication over computer networks. HTTPS communicates via HTTP, but utilizes SSL/TLS to encrypt packets. The main purpose of HTTPS development is to provide authentication for website servers and to protect the privacy and integrity of exchanged data.

2.2 How HTTPS solves the above problems

HTTPS uses TLS (Transport Layer Security) in the communication interface part. The TLS protocol adopts a master-slave architecture model to create a secure connection between two applications through the network to prevent the exchange of data. Eavesdropping and tampering.

 

 

2.3 Relationship between SSL and TLS

1. Transport Layer Security (English: Transport Layer Security, abbreviated TLS), and its predecessor Secure Sockets Layer (Secure Sockets Layer, abbreviated SSL) is a security protocol, the purpose is to provide security and data integrity for Internet communications Assure.
2. When Netscape launched its first web browser, Netscape Navigator, in 1994, it launched the HTTPS protocol and encrypted it with SSL, which is the origin of SSL.
3. The IETF standardized SSL and published the first version of the TLS standard document in 1999. RFC 5246 (August 2008) and RFC 6176 (March 2011) were subsequently published. This protocol is widely supported in applications such as browsers, email, instant messaging, VoIP, and Internet faxing.

2.4 TLS/SSL protocol

The main functions of the HTTPS protocol basically depend on the TLS/SSL protocol, and the function implementation of TLS/SSL mainly depends on three basic algorithms: 散列函数, 对称加密and 非对称加密, which use asymmetric encryption to realize identity authentication and key negotiation, and the symmetric encryption algorithm adopts the negotiated algorithm. The key is used to encrypt data and verify the integrity of the information based on a hash function.

 

For the operating mechanism of the SSL/TLS protocol, see Mr. Ruan 's overview of the operating mechanism of the SSL/TLS protocol.

The principle of RSA encryption algorithm can be seen in these two articles by Mr. Ruan: Principle of RSA Algorithm (1) , Principle of RSA Algorithm (2)

2.5 Explaining in terms of carrier pigeons

Cryptography is an incomprehensible and abstract subject, and any activity on the Internet can be thought of as sending and receiving information from a server. We can assume that these messages are delivered using carrier pigeons.

Before we talk about it, let's talk about Alice, Bob and Mallory. They are generic roles that are widely used in cryptography and physics. These names are for the convenience of explaining the issue, and if the sentence is something like "A wants to send a message to B", the more complex the issue becomes, the harder it will be to understand and get confused. In a typical protocol operation, these characters are not necessarily a "human", but may be a trusted automatic agent (such as a computer program). Using these names helps illustrate structure and is sometimes used as humor.

2.5.1 Initial communication

If Alice wanted to send a message to Bob, she would tie the message to the pigeon's leg and send it to Bob. Bob got the message, and read it, perfect.

But what if Mallory intercepted Alice's pigeon and tampered with the message? There is no way for Bob to know that Alice's message has been modified in the process.

This is how HTTP works. Looks scary right? I don't send my bank references over HTTP, and neither should you.

2.5.2 Covert password

Well if Alice and Bob are very witty. They agreed to use a covert cipher to write their messages. They move each letter in the message three places forward in the alphabetical order. For example, D→A, E→B, F→C. As a result, the original message "secret message" becomes "pbzobq jbppxdb".

Now if Mallory intercepts the carrier pigeon again, she can neither make meaningful changes nor know the content of the message, because she doesn't know what the secret code is. Bob, however, can easily reverse the cipher, relying on rules like A → D, B → E, C → F to decipher the content of the message. The encrypted information "pbzobq jbppxdb" will be restored to "secret message" by cracking.

This is 对称密匙加密because if you know how to encrypt a piece of information then you can also decrypt it. The aforementioned ciphers are often referred to as Caesar codes. In real life, we use more exotic and complex passwords, but the principle is the same.

2.5.3 How do we decide the key?

Symmetric key encryption is very secure if no one but the sender and recipient knows what key was used. In Caesar encryption, the key is the offset by how many bits each letter needs to move to the encrypted letter. In my previous distances, the offset used was 3, but 4 or 12 could also be used.

The problem is that if Alice and Bob hadn't met before they started using the pigeons, they wouldn't have a secure way to establish the keys. If they themselves passed the key in the letter, Mallory would have intercepted the message and discovered the key. This allows Mallory to read the content of Alice's and Bob's messages and alter them as she wishes, before or after they start encrypting them.

This is a 中间人攻击classic example, and the only way to avoid this problem is for both parties to modify their encoding systems together.

2.5.4 Passing boxes through carrier pigeons

So Alice and Bob came up with a better system. When Bob wants to send a message to Alice, he will follow these steps:

鲍勃向爱丽丝送一只没有携带任何信息的鸽子。

爱丽丝给鲍勃送回鸽子，并且这只鸽子带有一个有开着的锁的盒子，爱丽丝保管着锁的钥匙。

鲍勃把信放进盒子中，把锁锁上然后把盒子送给爱丽丝。

爱丽丝收到盒子，用钥匙打开然后阅读信息。

This way Mallory can't tamper with the information by intercepting the pigeon, since she doesn't have the key to the box. When Alice wants to send a message to Bob, follow the same process as above.

The process used by Alice and Bob is often called 非对称密钥加密. It is called asymmetric because even if you encode the information (lock the box) you cannot decipher the information (open the locked box).

In terminology, the box is called 公匙and the key used to open the box is called 私匙.

2.5.5 How to trust the box

But you will find that there are still problems. How can Bob be sure when Bob receives the box that it came from Alice and not Mallory who intercepted the pigeon and replaced it with a box that she has a key to open?

Alice decides to sign the box so that when Bob receives the box, he can check the signature to make sure that Alice sent the box.

So how does Bob recognize Alice's signature in the first place? This is a good question. Alice and Bob did have this problem too, so they decided to have Ted mark the box instead of Alice.

So who is Ted? Ted is famous and a trustworthy guy. He'll sign anyone and everyone trusts that he'll only sign the box for legitimate people.

If Ted can confirm that the person asking for the autograph is Alice, he will sign Alice's box. So Mallory couldn't get a box with Ted's signature on behalf of Alice, because Bob knew that Ted would only sign for people he'd confirmed, thus seeing through Mallory's trick.

Ted's character is called in terminology 认证机构. And the browser you're reading this in is packaged with the signatures of many certificate authorities.

So when you first visit a website you can trust the box from that site because you trust Ted and Ted will tell you that the box is legitimate.

2.5.6 Heavy Box

Alice and Bob now have a reliable system for communicating, but they also realize that having the pigeon carry the box is slower than it would otherwise be to carry only the letters.

So they decided to use the pass-the-box method (asymmetric encryption) only when choosing a key to encode the message with symmetric encryption (remember Caesar encryption?).

In this way, the advantages of both can be combined, the reliability of asymmetric encryption and the efficiency of symmetric encryption.

In the real world, we don't use a slow delivery method like carrier pigeons, but using asymmetric encryption to encode information is still slower than using symmetric encryption, so we only use asymmetric encryption when exchanging encoding keys.

So I believe that now you have understood how HTTPS works~

refer to:

1. HTTPS explained with carrier pigeons
2. Hypertext Transfer Security Protocol
3. Transport Layer Security Protocol