Easy-to-understand TCP, SSL and HTTPS connection establishment process

You can refer to a video at station B , which degrades the TLS/SSL connection establishment process very thoroughly. It is better to eat with this blog. If you don't understand it once, please read it several times, it is very useful!

1 Description

1.1 Symmetric and asymmetric encryption

In digital encryption algorithms, encryption can be divided into symmetric encryption and asymmetric encryption.

What is symmetric encryption?

1. In the symmetric encryption algorithm, encryption and decryption use the same key, that is: use the same key to encrypt and decrypt the same password;

2. The encryption process is as follows:

Encryption: original text + key = cipher text

Decryption: ciphertext - key = original text

3. HTTPS is built on the SSL/TCL protocol, and SSL/TLS is built on the TCP protocol.
   Therefore, the establishment process of HTTPS can be decomposed into the process of establishing connections in sequence by TCP + SSL/TLS + HTTP protocol
4. Advantages: simple algorithm, easy encryption and decryption, high efficiency and fast execution.
5. Disadvantages: Relatively speaking, it is not particularly safe. There is only one key. If the ciphertext is intercepted and the key is also hijacked, the information can be easily deciphered.

asymmetric encryption

1. Symmetric encryption uses the same key for encryption and decryption. Well, asymmetric encryption naturally uses different keys for encryption and decryption . Asymmetric encryption has two keys, a public key (Public Key) and a private key (Private Key). The public key and the private key exist in pairs. If the original text is encrypted with the public key, only the corresponding private key can be used to decrypt it; because the encryption and decryption do not use the same key, this algorithm is called non- Symmetric encryption algorithm. The key of an asymmetric encryption algorithm is a long string of random numbers obtained through a series of algorithms. Generally, the longer the length of the random number, the more secure the encrypted information. The public key can be derived from the private key through a series of algorithms, that is, the public key exists based on the private key. However, the private key cannot be reversed through the public key. This process is one-way.

2. Advantages: Security. Even if the ciphertext is intercepted and the public key is obtained, but the private key cannot be obtained, the ciphertext cannot be deciphered. As the recipient, be sure to keep your own key safe.

3. Disadvantages: The encryption algorithm is very complicated, the security depends on the algorithm and the key, and the encryption and decryption efficiency is very low, generally used for the verification of the SSL certificate of the website

2 SSL and TLS

2.1 What is a digital certificate?

Digital certificates are somewhat similar to our resident ID cards, except that digital certificates are based on Internet communications and are used to mark the identities of both parties .

The digital certificate binds the public key and the real identity . It is similar to the resident ID card in real life. The difference is that the digital certificate is no longer a paper certificate, but a section containing the certificate holder Identity information and electronic data audited and issued by the certification center are widely used in e-commerce and mobile Internet.

The server can apply for a certificate from the certificate authority CA to avoid man-in-the-middle attacks (to prevent certificates from being tampered with). The certificate contains three parts: tbsCertificate (to be signed certificate) content of the certificate to be signed, the certificate signature algorithm and the digital signature given by the CA (use the certificate signature algorithm to hash the tbsCertificate to obtain the hash value, and the CA will use its private key Sign this hash and place it in the signature section). Signatures are used to verify identity.

2.2 Relationship between SSL and TLS

SSL is the predecessor of TLS. Since the introduction of HTTPS was welcomed by many people, when SSL was updated to 3.0, IETF (The Internet Engineering Task Force - Internet Engineering Task Force) standardized SSL3.0 and added a few mechanisms (but almost the same as SSL3. 0 no difference), the standardized IETF changed its name to TLS1.0 (Transport Layer Security Security Transport Layer Protocol), it can be said that TLS is the new version 3.1 of SSL, and at the same time released "RFC2246-TLS Encryption Protocol Detailed Explanation", if you want to go deeper To understand the working principle of TLS, you can go to the official website of RFC: http://www.rfc-editor.org, search for RFC2246 to find the RFC document! ——The above is the historical background

Because SSL is more famous, we often use them together;
most browsers do not support SSL at present, but support TLS

3 HTTPS connection establishment process

3.1 First of all, the normal TCP three-way handshake is unchanged

1. The first handshake: the client initiates a connection establishment request to the server, the client will randomly generate a starting sequence number x, and the field sent by the client to the server contains the flag bit SYN=1 and the sequence number seq=x. The state of the client is CLOSE before the first handshake, and the state of the client is SYN-SENT after the first handshake. At this time, the status of the server is LISTEN
2. The second handshake: After receiving the message from the client, the server will randomly generate a starting sequence number y of the server, and then reply a message to the client, including the flag bit SYN=1, ACK= 1. Serial number seq=y, confirmation number ack=x+1. The state of the server before the second handshake is LISTEN, the state of the server after the second handshake is SYN-RCVD, and the state of the client is SYN-SENT. (SYN=1 means to establish a connection with the client, ACK=1 means the confirmation sequence number is valid)
3. The third handshake: After receiving the message from the server, the client will send a message to the server, which contains the flag bit ACK=1, the sequence number seq=x+1, and the confirmation number ack=y+1 . Before the third handshake, the state of the client is SYN-SENT, and after the third handshake, the states of both the client and the server are ESTABLISHED.

3.2 Establish TLS/SSL connection

Negotiation encryption algorithm stage:

1. The client will send a client hello message to the server in the third TCP handshake or in the newly sent TCP segment, which contains all SSL encryption algorithms (also called cipher suites) and TLS supported by the client. /SSL version and the domain name to be accessed (the server needs to return the TSL certificate corresponding to the domain name through the domain name), and will also contain a generated first random number

[External link image transfer...(img-eGCUj5eV-1639744405270)]

2. After the server receives the SSL hello message, it will send a server hello message in response. The message segment contains the selected encryption algorithm and TSL version, and also includes the randomly generated second random number

Certificate verification phase (using asymmetric encryption):
3. Then the server will send two messages to the client in turn. The first message contains information about the server certificate, and the second message contains the public key. information; if the server also needs the client's certificate, it will declare it in the second message. For example, in the scenario of logging in to online banking, this requirement is required, so that the client browser can confirm whether the server is available according to its own certificate
list. letter

first message

[External link image transfer...(img-8PZxv59M-1639744405277)]

second message

4. The client verifies the certificate using the RSA public key publicly released by the certificate authority CA. The following figure shows that the certificate authentication is successful.
   
   First of all, if you want to understand the decryption process clearly, you must first understand the process of making a digital signature, the process of making a digital signature:

• Use the CA certificate signature algorithm to hash the content of the certificate (the content of the certificate to be signed).
• The hashed value is encrypted with the CA's own private key to obtain a digital signature.

Browser verification process:

• Get the certificate, get the certificate content, certificate signature algorithm and digital signature.
• Use the public key of the CA organization to decrypt the digital signature (since it is an organization trusted by the browser, the browser will save its public key).
• Use the signature algorithm in the certificate to hash the content of the certificate.
• Comparing the decrypted digital signature with the hash value after hashing the certificate content, if they are equal, it indicates that the certificate is credible, otherwise it is not credible, and access to the server is denied. Since then, the security certification of the website has been completed

5. The server sends a server hello done message to the client, indicating that the server has sent the public key and certificate information
   

Establish session key phase (to pave the way for using symmetric encryption to transmit data):

6. The client sends a client key exchange message to the server, which contains a randomly generated third random number, also known as the pre-master key, which will be encrypted with the public key before loading the message; at the same time, the client also A session key will be generated using the first, second and third random numbers.
   

• After the server receives the client's message, it will use the private key to decrypt, thus obtaining the pre-master key, and only the client and the server know the pre-master key, and no one else knows (because the pre-master key Once encrypted by the public key, it can only be encrypted by the private key, and vice versa, so unless the private key is leaked, no one will know the pre-master key ).
• After obtaining the pre-master key, the server will use the first random number, the second random number and the pre-master key to generate a session key, which is the same as the session key generated by the client

8. At this point, the TSL connection is established, and the data can be transmitted, and the same private key is used for encryption and decryption (also known as symmetric encryption).

3.3 Establish HTTPS connection

The browser and the server only need to realize the encrypted transmission of data according to the HTTP connection rules of the response (including long connection or short connection, pipeline and non-pipeline connection)

Why doesn't the entire SSL connection establishment process use asymmetric encryption?

Combined with the analysis of 1.1, it can be seen that the asymmetric encryption algorithm is very complicated, the encryption and decryption time is long, and the efficiency is low. Therefore, we only use it when the TSL connection is established. Greatly enhanced security.