Article directory
- Foreword
- 1. Symmetric encryption
- 2. Asymmetric encryption
- 3. Introduction of the certificate
- Summary of the HTTPS transmission process
- Is HTTPS transmission guaranteed to be secure?
Foreword
HTTPS is also an application layer protocol. It adds an encryption layer on top of the HTTP protocol.
Because HTTP transmits its content as plain text, that content can be tampered with in transit; "operator hijacking" (tampering by the network operator) is one example. Operators are not the only ones who can do this: other attackers can use similar means to steal users' private information or tamper with content. Transmitting plaintext over the Internet is therefore dangerous!!! HTTPS adds encryption on top of HTTP to further protect the security of user information.
In the browser's address bar, a site shown with a lock icon in front of it is using HTTPS; if the words "not secure" are shown instead, it is using HTTP.
1. Symmetric encryption
Symmetric encryption uses the same "key" both to encrypt plaintext into ciphertext and to decrypt that ciphertext back into plaintext.
The most critical part of symmetric encryption is the key. The client and the server must agree on what the key is. If the client generates the key, it has to tell the server what the key is over the network, and this introduces a problem: the key itself travels in clear text, so it is easy for an attacker to obtain it, and once an attacker has it, all subsequent encryption is meaningless.
There was a solution to this problem in the past: the client and the server could generate the same key at both ends without sending it. For example, when you opened an online banking account at a bank years ago, you were given a USB shield (a hardware token).
Today this method is clearly outdated, so the correct approach is to encrypt the symmetric key as well. Asymmetric encryption, introduced next, is what is used to encrypt the symmetric key.
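As an added example (not part of the original post), the following Go program shows the symmetric property described above with AES-256-GCM from the standard library: the same key both encrypts and decrypts, a ciphertext that is altered in transit is rejected on decryption, and a party holding a different key recovers nothing. The sample request text is constructed and the function names are this example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// newSymmetricKey returns a random 256-bit AES key: the secret the client
// generates locally in the HTTPS flow and later hands to the server.
func newSymmetricKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := rand.Read(key)
	return key, err
}

// encryptAESGCM seals plaintext under key. The random nonce is prepended so the
// receiver can use it, and GCM appends an authentication tag, so a ciphertext
// altered in transit is rejected rather than silently decrypted to garbage.
func encryptAESGCM(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// decryptAESGCM reverses encryptAESGCM with the same key; it fails if the key
// is wrong or if the ciphertext or its tag was modified.
func decryptAESGCM(key, ciphertext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(ciphertext) < aead.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, sealed := ciphertext[:aead.NonceSize()], ciphertext[aead.NonceSize():]
	return aead.Open(nil, nonce, sealed, nil)
}

// roundTrip encrypts plaintext with a fresh key, decrypts it with the same key,
// then checks what happens when the ciphertext is tampered with in transit and
// when a party without the key (here: a different random key) tries to read it.
func roundTrip(plaintext []byte) (recovered []byte, tamperDetected, wrongKeyRejected bool, err error) {
	key, err := newSymmetricKey()
	if err != nil {
		return nil, false, false, err
	}
	ct, err := encryptAESGCM(key, plaintext)
	if err != nil {
		return nil, false, false, err
	}
	if recovered, err = decryptAESGCM(key, ct); err != nil {
		return nil, false, false, err
	}
	tampered := append([]byte(nil), ct...)
	tampered[len(tampered)-1] ^= 0x01 // flip one bit of the authentication tag
	_, tamperErr := decryptAESGCM(key, tampered)
	otherKey, err := newSymmetricKey()
	if err != nil {
		return nil, false, false, err
	}
	_, keyErr := decryptAESGCM(otherKey, ct)
	return recovered, tamperErr != nil, keyErr != nil, nil
}

func main() {
	msg := []byte("GET /account HTTP/1.1") // constructed sample request
	rec, tamper, wrongKey, err := roundTrip(msg)
	if err != nil {
		panic(err)
	}
	fmt.Printf("recovered %q, tamper detected: %v, wrong key rejected: %v\n", rec, tamper, wrongKey)
}
```

Run it with `go run`; the point to notice is that the key never appears in the output or on the wire, which is exactly why distributing it safely is the problem the next section solves.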
2. Asymmetric encryption
Asymmetric encryption uses two keys: one is called the "public key" and the other the "private key". A website generates a pair of public and private keys, publishes the public key, and keeps only the private key to itself.
The client generates a symmetric key locally, encrypts it with the public key, and sends it to the server. Since the network devices in between do not have the private key, even if they intercept the data they cannot recover the original content, and so they cannot obtain the symmetric key. The server decrypts with its private key, recovers the symmetric key sent by the client, and uses that symmetric key to encrypt the response data it returns to the client. All subsequent communication between the client and the server is then encrypted with symmetric encryption only.
This raises two questions:
One: Since asymmetric encryption exists, why still use symmetric encryption? Why not encrypt everything with the asymmetric key?
The cost of symmetric encryption is relatively low: it consumes few machine resources and is very fast. Asymmetric encryption costs much more, consumes more machine resources, and is much slower. So the plaintext is encrypted with symmetric encryption and only the symmetric key is encrypted with asymmetric encryption, which is far more efficient.
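The key exchange described above, as an added Go example that is not part of the original post: the client wraps a freshly generated 32-byte symmetric key with the server's RSA-2048 public key (RSA-OAEP), only the server's private key unwraps it, and a second function shows one reason the payload itself is not RSA-encrypted: a 1 KiB message does not even fit into a single RSA-OAEP operation. The key size, the OAEP label and the function names are this example's assumptions.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// oaepLabel ties each wrapped key to its purpose; client and server must use the same label.
var oaepLabel = []byte("https-demo-key-wrap") // constructed for this example

// wrapSymmetricKey is the client side: the locally generated symmetric key is encrypted
// with the server's public key, so only the holder of the matching private key can read it.
func wrapSymmetricKey(serverPub *rsa.PublicKey, symKey []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, serverPub, symKey, oaepLabel)
}

// unwrapSymmetricKey is the server side: the private key recovers the symmetric key.
func unwrapSymmetricKey(priv *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, oaepLabel)
}

// keyExchange runs the exchange with a 2048-bit server key. It reports whether the
// server recovered the client's symmetric key and whether a device on the path,
// holding some other private key but not the server's, could recover it too.
func keyExchange() (serverRecovered, eavesdropperRecovered bool, err error) {
	serverKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, err
	}
	otherKey, err := rsa.GenerateKey(rand.Reader, 2048) // any key pair that is not the server's
	if err != nil {
		return false, false, err
	}
	symKey := make([]byte, 32) // the client's fresh AES-256 key
	if _, err = rand.Read(symKey); err != nil {
		return false, false, err
	}
	wrapped, err := wrapSymmetricKey(&serverKey.PublicKey, symKey) // the only thing that crosses the network
	if err != nil {
		return false, false, err
	}
	got, unwrapErr := unwrapSymmetricKey(serverKey, wrapped)
	serverRecovered = unwrapErr == nil && bytes.Equal(got, symKey)
	_, otherErr := unwrapSymmetricKey(otherKey, wrapped) // fails: wrong private key
	eavesdropperRecovered = otherErr == nil
	return serverRecovered, eavesdropperRecovered, nil
}

// rsaBulkEncryptError shows one reason the payload itself is not RSA-encrypted:
// RSA-OAEP with a 2048-bit key and SHA-256 carries at most 190 bytes per operation,
// so a 1 KiB response body is rejected outright (Go reports rsa.ErrMessageTooLong),
// and each RSA operation also costs far more CPU than AES-GCM over the same bytes.
func rsaBulkEncryptError() error {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return err
	}
	body := bytes.Repeat([]byte("A"), 1024) // constructed 1 KiB "response body"
	_, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, &key.PublicKey, body, nil)
	return err
}

func main() {
	srv, eav, err := keyExchange()
	if err != nil {
		panic(err)
	}
	fmt.Println("server recovered key:", srv, "eavesdropper recovered key:", eav)
	fmt.Println("RSA-OAEP on a 1 KiB body:", rsaBulkEncryptError())
}
```

Note that the exchange protects the symmetric key only against a passive reader; it does nothing to tell the client whose public key it is actually using, which is the second question below.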
Two: How can the client be sure that the public key it obtains is genuine and reliable, rather than forged by an attacker?
Anyone can generate a pair of public and private keys. The website's server can, and of course an attacker can too. An attacker can exploit this to swap in their own key pair ("a civet cat for the prince", that is, a substitution), which is what is called a "man-in-the-middle attack"!
There must be a countermeasure to this problem: introducing a certificate defeats the forgery of public keys.
When the client connects to the server, it does not simply ask for the public key but asks for a "certificate", and the public key is contained in the certificate. This certificate is not generated by the server itself but is issued by a third-party organization (a certificate authority). After the client receives the certificate, it can use the information in the certificate to verify with that third party whether the certificate is legitimate! If the certificate is valid, the public key inside it can be trusted. (When server developers set up a server, they must apply to a third-party organization to be certified and obtain a certificate.)
3. Introduction of the certificate
When the client and the server first establish a connection, the server returns a certificate to the client.
This certificate contains the public key mentioned above, as well as the identity information of the website.
When the client obtains this certificate, it verifies the certificate (to prevent the certificate from being forged).
Complete process:
Summary of the HTTPS transmission process
Three sets of keys are involved in the working process of HTTPS:
The first set (asymmetric encryption): used to verify whether the certificate has been tampered with.
The second set (asymmetric encryption): used to negotiate the key used for symmetric encryption.
The third set (symmetric encryption): the data subsequently transmitted between the client and the server is encrypted and decrypted with this symmetric key.
In fact, everything revolves around this symmetric encryption key; the other mechanisms exist to help this key do its work.
The second set of asymmetric keys exists so that the client can pass the symmetric key to the server.
The first set of asymmetric keys exists so that the client can safely obtain the second set of asymmetric keys.
Summary of the HTTPS transmission process:
1. The client first obtains a certificate from the server, and the certificate contains the public key.
2. The client verifies the certificate.
3. The client generates a symmetric key, encrypts the symmetric key with the public key and sends it to the server.
4. After the server receives the request, it decrypts with the private key to obtain the symmetric key.
5. The client sends subsequent requests, and subsequent requests are encrypted with a symmetric key.
6. The data received by the server is also decrypted with a symmetric key.
Is HTTPS transmission guaranteed to be secure?
When an attacker carries out a man-in-the-middle attack, he can forge a certificate, but the browser verifies the certificate it receives. If verification fails, the browser shows an error message along the lines of "This website's certificate is not valid; continuing to visit it is a security risk!" At the same time, the browser offers a button such as "Continue to visit". If the user clicks "Continue to visit" and proceeds to the site, their safety can no longer be guaranteed!
No matter how awesome the technology is, it can't resist stupid users!!!