Basic knowledge of computer network (7) - what is the HTTPS protocol? listen to me "bullshit"

HTTPS is a secure transmission protocol based on the TLS/SSL protocol, which is used to ensure confidentiality, integrity, identity authentication and non-repudiation during network communication.
In HTTP communication, data is transmitted in clear text, which offers little security. HTTPS uses the TLS/SSL protocol to encrypt and authenticate the communication process, thereby improving communication security.
HTTPS is a secure network transmission protocol that can ensure data security and credibility during communication. It is widely used in scenarios that require confidentiality, such as e-commerce and online banking, and has become an important means of protection on the Internet.

01 | How it works


The working principle of HTTPS involves several aspects, such as the handshake protocol, digital certificate verification, and encryption and decryption. Let's first look at how HTTPS works.

When the client and server establish an HTTPS connection, the following processes are performed:


When an HTTPS connection is established between a client (such as a browser) and a server, a secure channel is created on top of the Transport Layer, which includes the following four basic steps:


  1. The client initiates an SSL/TLS connection request: the client sends a connection request to the server, telling the server that it wants to establish an SSL/TLS encrypted channel;

  2. The server responds to the SSL/TLS connection request: after receiving the request from the client, the server replies with its own identity information, public key and other certificate information. The client verifies the identity of the server and, if verification passes, accepts the public key provided by the server;

  3. The client sends encrypted data to the server: the client uses the public key provided by the server to encrypt the data to be transmitted, and sends the encrypted data to the server;

  4. The server decrypts and responds to the client's request: the server uses its own private key to decrypt the encrypted data sent by the client, and responds to the client's request accordingly.

02 | SSL/TLS protocol


The TLS/SSL protocol (Transport Layer Security/Secure Sockets Layer) is the core technology behind HTTPS encrypted communication. It is worth studying the parts of the TLS/SSL protocol, including the handshake protocol and certificate verification, and mastering its basic principles and implementation methods.

The SSL/TLS protocol mainly includes the following parts:

  1. Handshake protocol: the client and the server negotiate the encryption algorithm and determine the symmetric key;

  2. Change Cipher Spec protocol: the client and the server confirm the switch to encrypted transmission mode;

  3. Alert protocol: used to notify the other party when a protocol operation error occurs;

  4. Application data protocol: carries application data over the channel once the encryption settings have been negotiated.

Among them, the handshake protocol is one of the most important parts of the SSL/TLS protocol. In the handshake protocol, the client and server first negotiate encryption algorithms, including asymmetric and symmetric encryption algorithms, and determine which algorithms to use for encrypted transmission. Next, the client and the server use an asymmetric encryption algorithm to exchange keys, and both parties generate a session key for the encryption and decryption operations of the symmetric encryption algorithm.

2.1 | Handshake protocol


The SSL handshake protocol is divided into four parts: client hello, server hello, certificate and key agreement. The process is as follows:

  • Client hello: The client makes a request to the server and sends a "hello" message including supported encryption algorithms, random number generators, and other information.

  • Server hello: The server replies to the client with a "hello" message including supported encryption algorithms, random number generators, and other information.

  • Certificate verification: The server returns its digital certificate, which is usually issued by a trusted third-party digital certificate authority (CA). The client uses the pre-installed root certificate or intermediate certificate to verify the legitimacy of the certificate to ensure that it is connected to the real server. After the certificate is verified, the client can obtain the server's public key.

  • Key agreement: The client uses the server's public key to encrypt a random value, called a session key, for encrypted communication. The server decrypts the random value with its own private key to obtain the client session key.

2.2 | Change Cipher Spec Protocol


It is used to ensure that no malicious user can crack the cipher and steal subsequent data that the other party encrypts with the key during communication. The Change Cipher Spec protocol mainly includes the following steps:

  1. The client sends the server the Change Cipher Spec record.

  2. The server acknowledges receipt of the Change Cipher Spec record and sends its own Change Cipher Spec record to the client.

  3. The client acknowledges receipt of the Change Cipher Spec record.

After the above operations are completed, the client and server use the new encryption specification to encrypt and transmit data, thus ensuring the security and integrity of data during communication.

The Change Cipher Spec protocol is not an independent protocol, but is carried out within the handshake as a sub-protocol of the SSL/TLS protocol. The Change Cipher Spec protocol ensures that any third party who has intercepted the communication cannot crack the cipher and use the old secret key for things like decryption.

It should be noted that the Change Cipher Spec protocol does not affect the selection of the symmetric encryption algorithm or the generation of the session key; it only updates the key used by the symmetric encryption algorithm during communication. Its importance lies in ensuring that the SSL/TLS protocol adjusts the encryption mode and key in time during communication, thereby improving the security and reliability of the communication process.

2.3 | Alert Protocol


It is used to transmit alert messages during communication, to draw both parties' attention to possible security issues or protocol operation errors. The alert protocol mainly carries the following two kinds of information:

  1. Alert level: there are two alert levels, fatal and warning. Fatal alerts signal serious security issues (such as certificate verification failures), which may lead to communication termination. Warnings, on the other hand, indicate non-critical problems (such as unknown function codes in the case of extensions).

  2. Alert Description: For each alert level, the SSL/TLS protocol specifies a set of alert description information, including the following:

    • Message Authentication Code (MAC) failure

    • decryption failure

    • Authentication failed

    • etc.

When using the SSL/TLS protocol for communication, either participant may send an alert message to the other to better ensure data security and integrity. For example, while the client and the server are establishing an SSL/TLS connection, if the client request received by the server contains problems such as a wrong certificate or an unverifiable digital signature, the server can send the corresponding alert to the client through the alert protocol, so that the client can respond and deal with it in a timely manner.
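The four sub-protocols listed in section 02 and the alert levels and descriptions above can be seen directly in the record layer. The following parser is an added example, not code from the original article; the content-type and alert numbers are those of RFC 5246, and the sample bytes are constructed.

```python
import struct

# Record-layer content types (RFC 5246, section 6.2.1); they map onto the
# four sub-protocols listed in section 02.
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
# A subset of the alert descriptions (RFC 5246, section 7.2).
ALERT_DESCRIPTIONS = {0: "close_notify", 10: "unexpected_message",
                      20: "bad_record_mac", 40: "handshake_failure",
                      42: "bad_certificate", 45: "certificate_expired",
                      48: "unknown_ca", 51: "decrypt_error"}


def parse_records(stream: bytes):
    """Split a byte stream into TLS records and decode plaintext alerts."""
    records, offset = [], 0
    while offset < len(stream):
        if len(stream) - offset < 5:
            raise ValueError("truncated record header")
        ctype, version, length = struct.unpack_from("!BHH", stream, offset)
        if ctype not in CONTENT_TYPES:
            raise ValueError(f"unknown content type {ctype}")
        body = stream[offset + 5:offset + 5 + length]
        if len(body) != length:
            raise ValueError("truncated record body")
        rec = {"type": CONTENT_TYPES[ctype], "version": hex(version),
               "length": length}
        # Only unencrypted alerts are exactly 2 bytes: level, description.
        # Alerts sent after encryption is switched on are opaque on the wire.
        if ctype == 21 and length == 2:
            level, desc = body
            rec["alert"] = (ALERT_LEVELS.get(level, f"unknown({level})"),
                            ALERT_DESCRIPTIONS.get(desc, f"unknown({desc})"))
        records.append(rec)
        offset += 5 + length
    return records


def fatal_alerts(records):
    """Descriptions of the fatal alerts, i.e. the ones that end the connection."""
    return [r["alert"][1] for r in records
            if r.get("alert", ("",))[0] == "fatal"]


# Constructed sample: a ChangeCipherSpec record, a warning close_notify and
# a fatal unknown_ca alert, all with record version 0x0303 (TLS 1.2).
SAMPLE = bytes.fromhex("1403030001" "01"
                       "1503030002" "0100"
                       "1503030002" "0230")

if __name__ == "__main__":
    for record in parse_records(SAMPLE):
        print(record)
    print("fatal:", fatal_alerts(parse_records(SAMPLE)))
```
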

2.4 | Application Data Protocol


It is the last protocol, coming after the handshake protocol and the alert protocol. The application data protocol is mainly used for the actual transmission of data, including encrypted data and unencrypted data for SSL/TLS connections.

In the SSL/TLS protocol, the application data protocol uses a symmetric encryption algorithm to encrypt data, and the input key is generated through the key exchange protocol in the handshake protocol. Symmetric encryption algorithm can provide efficient encryption and decryption speed, and its security is strong enough for most application scenarios. Moreover, the application data protocol can support multiple encryption algorithms, such as AES, DES, 3DES, etc., to meet different security requirements.

Because the application data protocol builds on the handshake protocol and the alert protocol, the handshake must have executed correctly and key negotiation must be complete before the application data protocol transmits data. If there is a problem during key negotiation, such as a certificate verification failure, the SSL/TLS connection cannot be established, so data cannot be transmitted using the application data protocol.

In addition, the application data protocol can also support compressed data for more efficient transmission. At the same time, when transmitting data, the SSL/TLS protocol also supports advanced functions such as segmented transmission and concurrent processing of data (that is, transmitting multiple pieces of data at the same time). These functions can further enhance the security and efficiency of the SSL/TLS protocol, and are applicable to various application scenarios in the communication process.

03 | Encryption algorithm

HTTPS uses a variety of encryption algorithms to ensure the security of data transmission, such as symmetric encryption algorithms, asymmetric encryption algorithms, hash algorithms, etc. You need to be familiar with the basic principles and usage methods of these encryption algorithms.


A digital certificate is an electronic file that contains certificate information related to a website, such as the website's name, public key, etc. Digital certificates can be issued by an authority to identify and verify a website's identity. When a client connects to an HTTPS website, the server will return its digital certificate to the client to prove its authenticity. The client will use the pre-installed root certificate or intermediate certificate to verify the legitimacy of the certificate to ensure that it is connecting to a real server.

3.1 | Symmetric encryption algorithm


It is an encryption algorithm that uses the same key for encryption and decryption, also known as shared secret encryption. In the symmetric encryption algorithm, the sender uses a key to encrypt the plaintext to obtain the ciphertext, and the receiver uses the same key to decrypt the ciphertext to obtain the plaintext after receiving the ciphertext.

Symmetric encryption algorithm has the characteristics of fast speed, high efficiency and balanced security (because if the bad guys get the common key, the security will almost disappear), so it is widely used in network communication, data transmission, file encryption and other fields. Common symmetric encryption algorithms include AES, DES, 3DES, etc.

In symmetric encryption algorithms, the key is crucial. The longer the key, the more difficult it is to crack, but the higher the cost of encryption and decryption. At the same time, the management and distribution of keys is also an important issue. It is necessary to ensure the security of keys and prevent them from being obtained by malicious attackers.

For symmetric encryption algorithms, another important issue is key exchange. Before the communicating parties establish a connection, they need to negotiate a shared key and ensure the security of that key. In symmetric key exchange, there are two common methods:

  1. Pre-shared key: the key is handed over to the other party through another channel before the two parties establish a connection. This method is relatively secure, but key distribution is more cumbersome.

  2. Key exchange protocol: a method for negotiating keys while the two communicating parties are establishing a connection. Common key exchange protocols include Diffie-Hellman, RSA, etc.

In a word, the symmetric encryption algorithm is an efficient, fast and safe encryption algorithm, which has been widely used in various application fields. By selecting an appropriate key length and key exchange method, the confidentiality and security of communication data can be guaranteed.

3.2 | Asymmetric encryption algorithm


Also known as public key encryption, it is an encryption algorithm that uses different keys for encryption and decryption. In an asymmetric encryption algorithm, each participant has a pair of keys: a public key and a private key. The public key can be made public, while the private key must be kept secret. The sender uses the recipient's public key to encrypt the plaintext to obtain the ciphertext, and the recipient uses its own private key to decrypt the ciphertext to obtain the plaintext.

Asymmetric encryption algorithms have advantages in key management, key distribution and identity verification, and are widely used in digital signatures, key exchange protocols, digital certificates, and other fields. Common asymmetric encryption algorithms include RSA, DSA, ECC, etc.

In an asymmetric encryption algorithm, the public key can be made public, but the private key must be kept secret; therefore, designing a mathematically secure asymmetric encryption algorithm is very difficult. Although public key encryption achieves "slow encryption speed and high encryption strength", its encryption complexity is tens of thousands of times that of symmetric encryption algorithms, and it is not suitable for large-scale data encryption.

In asymmetric encryption, another important issue is key exchange. Before the communicating parties establish a connection, the public key has to be transmitted to the other party by some method. A common method is to use a key exchange protocol (such as Diffie-Hellman): the private key is not disclosed, yet both communicating parties can negotiate a symmetric key, thereby avoiding man-in-the-middle attacks.

In short, the asymmetric encryption algorithm is a safe, reliable and practical encryption algorithm. It has advantages in key management, key distribution and identity verification, but it also has defects such as slow encryption speed, low encryption and decryption efficiency, and key exchange. It is necessary to select the encryption algorithm and key length according to actual needs, and to combine it with technologies such as symmetric encryption to better protect communication security.

04 | Summary


To sum up, the specific steps of HTTPS are as follows:

  1. The client requests an SSL connection to the server, and at this time the client sends a "Client Hello" message, which includes:

    • Supported SSL or TLS protocol version number

    • generated random number

    • List of supported encryption algorithms

  2. After the server receives the "Client Hello" message, it sends a "Server Hello" message to the client, which includes:

    • Confirm the protocol version number

    • generated random number

    • The chosen encryption algorithm

    At the same time, the server also sends its public key and certificate to the client.

  3. The client verifies the certificate returned by the server, including the following steps:

    • Check if the certificate is expired

    • Check that the certificate is in the list of trusted certificate authorities (CAs)

    • Verify that the digital signature in the certificate is correct

    If the certificate is verified, the client encrypts a random value with the public key sent by the server and sends it to the server.

  4. The server uses its own private key to decrypt the random value sent by the client and uses that random value to generate a symmetric key. The server sends this key to the client and uses this key to encrypt all data from then on.

  5. After receiving the key sent by the server, the client generates a "Finished" message according to the previously negotiated encryption algorithm, encrypts the message with a symmetric key, and sends it to the server.

  6. After receiving the "Finished" message from the client, the server will also generate a "Finished" message according to the previously negotiated encryption algorithm, encrypt the message with a symmetric key, and then send it to the client.

  7. After the secure channel is established, the two parties can start encrypted communication. The client and server use symmetric keys to encrypt all data to ensure the security of transmission.
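Steps 1 and 2 above, shown at the byte level as an added example that is not part of the original article: it builds a minimal ClientHello, parses out the version, random number and cipher-suite list, and then picks a suite the way a server would. The function names are hypothetical, the sample message is constructed, and the server is assumed to apply its own preference order.

```python
import struct

# IANA names for the cipher-suite code points used in this example.
SUITE_NAMES = {0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
               0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
               0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA"}


def build_client_hello(version, random, suites):
    """Assemble a minimal ClientHello: no session ID, no extensions."""
    body = struct.pack("!H", version) + random + b"\x00"
    body += struct.pack("!H", 2 * len(suites))
    body += b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                      # one compression method: null
    return b"\x01" + len(body).to_bytes(3, "big") + body


def parse_client_hello(msg):
    """Return (version, random, offered suite code points) from a ClientHello."""
    if len(msg) < 4 or msg[0] != 1:          # handshake type 1 = client_hello
        raise ValueError("not a ClientHello")
    body = msg[4:4 + int.from_bytes(msg[1:4], "big")]
    if len(body) < 35:
        raise ValueError("truncated ClientHello")
    version = struct.unpack_from("!H", body, 0)[0]
    random = body[2:34]
    pos = 35 + body[34]                      # skip the variable-length session ID
    if pos + 2 > len(body):
        raise ValueError("truncated ClientHello")
    n = struct.unpack_from("!H", body, pos)[0]
    raw = body[pos + 2:pos + 2 + n]
    if n % 2 or len(raw) != n:
        raise ValueError("malformed cipher-suite list")
    return version, random, [c for (c,) in struct.iter_unpack("!H", raw)]


def choose_suite(offered, server_preference):
    """Server side: first suite in the server's order that the client offered.

    None means no overlap; a real server then aborts the handshake with a
    fatal handshake_failure alert instead of sending a ServerHello.
    """
    return next((s for s in server_preference if s in offered), None)


# Constructed sample: TLS 1.2 (0x0303), a fixed 32-byte "random", three suites.
SAMPLE = build_client_hello(0x0303, bytes(range(32)), [0xC02F, 0x002F, 0x000A])

if __name__ == "__main__":
    version, random, offered = parse_client_hello(SAMPLE)
    print(hex(version), random.hex(), [SUITE_NAMES[c] for c in offered])
    print("server picks:", SUITE_NAMES[choose_suite(offered, [0xC02F, 0x002F])])
```
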


Origin blog.csdn.net/qq_44299067/article/details/130917141