foreword
The https protocol is an encrypted protocol based on http. During the transmission of the http protocol, the transmitted data is transmitted in plaintext, so our information may be captured and tampered by others (for example, if you give The goddess confessed but was discovered by the programmer's rival and modified your message, and then you are gone), so in order to prevent this, it is necessary to understand the https protocol
Tip: The following is the main text of this article, the following cases are for reference
1. What is https?
The https protocol is encrypted on the basis of http to solve the problem of the insecurity of the http protocol. Now many websites use the https protocol for transmission for security. How is the https protocol encrypted on the basis of http? This is what we will discuss next;
2. Symmetric encryption and asymmetric encryption
1. Symmetric encryption
Symmetric encryption means that the client and the server share the same key, which can be used to encrypt a piece of content and decrypt it at the same time.
For example:
I use a key locally and use this key for encryption (AES, DES algorithm), the middleman can only get our encrypted key, he does not know our message, even if the encrypted information is tampered with, the other side uses the key Decryption will fail, and a piece of garbled code may be decrypted;
2. Asymmetric encryption
But there is a problem with symmetric encryption. How do the client and server determine what key to use for encryption? If you want to achieve symmetric encryption, you must also exchange the key during the first transmission. The key is transmitted in plaintext. If the key is captured by the middleman at this time, then the symmetric encryption is useless. At this time, it should be asymmetric encryption. appeared;
Asymmetric encryption divides keys into two types: public key and private key. The public key is available to anyone. Data encrypted with the public key can only be decrypted with the private key, and data encrypted with the private key can only be decrypted with the public key, and the private key is only known to the server. The advantage of asymmetric encryption is higher security, because the encrypted information sent by the client to the server can only be decrypted with the private key of the server, so there is no need to worry about being cracked by others, but the disadvantage is that the efficiency of encryption and decryption is worse than that of symmetric encryption. a lot of. The representative algorithms of asymmetric encryption are: RSA, ElGamal, etc.
Still draw a picture:
The efficiency of asymmetric encryption is not symmetric encryption, so we can determine a key through asymmetric encryption for the first time, and then use this key for symmetric encryption to improve efficiency;
2.1 The problem of asymmetric encryption
It looks like asymmetric encryption is perfect, what else could go wrong? The problem is that when the client requests the server's public key, if it is tampered with during the transmission of the public key network to the client, the client encrypts with a fake public key, and the attacker can also decrypt it with the fake private key.
Three, ssl certificate
In order to solve this problem, the server can configure the certificate through the CA agency. The server registers its public key to the CA agency for certification. After the certification is successful, the CA agency will encrypt the server's public key with its own public key, and then return it to the server. An encrypted certificate, in addition to protecting the public key of the server, there are other information in the certificate, such as the domain name of the website, etc., which are used for some other verifications.
For example, you can see the certificate details in the upper left corner of the browser
After the user makes a request again, the certificate is directly sent to the client. Because the certificate is encrypted with the private key of the CA agency, the client can decrypt it through the public key of the CA agency, because there are only a few CA agencies. The operating system will build the public keys of all major CA agencies into the operating system, so there is no need to request for it, so that the public key of the browser can be obtained safely.
But there is still another question. Since the certificate is encrypted with the CA's private key, can an attacker use the CA's public key to crack it?
Obviously, this possibility is possible. However, in addition to the public key of the website, the certificate produced by the CA also contains many other data to assist in verification. For example, the domain name of the website is one of the important If the domain name of the website is added to the certificate, the attacker can only return without success. Because even if the encrypted data can be successfully decrypted, but the domain name contained in the decrypted certificate does not match the domain name being requested by the browser, the browser will still display an abnormal interface at this time.
证书不止包括公钥
Tamper-proof
Summarize
Speaking of which, I believe you have a basic understanding of how the https protocol encrypts http, through symmetric encryption, asymmetric encryption, and ssl certificates. If you can conduct in-depth research on https, then Next, you can study symmetric encryption algorithms, such as AES, DES, asymmetric encryption algorithms RSA, ElGamal, etc.