[Bagu] Computer Networks: the difference between HTTP and HTTPS, and the principle of HTTPS encrypted transmission

1. Basic concepts of HTTP and HTTPS

HTTP: It is the most widely used network protocol on the Internet. It is a standard for client-server requests and responses (carried over TCP), and a transfer protocol used to deliver hypertext from the WWW server to the local browser. It makes browsers more efficient and reduces network transmission.

HTTPS: It is an HTTP channel aimed at security. Simply put, it is a secure version of HTTP, that is, HTTP with an SSL layer added. The security foundation of HTTPS is SSL, so the details of encryption are handled by SSL.

The main functions of the HTTPS protocol can be divided into two kinds: one is to establish an information-security channel to ensure the security of data transmission; the other is to confirm the authenticity of the website.

2. The difference between HTTP and HTTPS

1. The HTTPS protocol requires applying for a certificate from a CA. Free certificates are relatively few, so a certain fee is generally required.

2. HTTP is the hypertext transfer protocol, and its information is transmitted in plain text, while HTTPS is a secure, SSL-encrypted transmission protocol.

3. HTTP and HTTPS use completely different connection methods and different ports: the former uses port 80 and the latter port 443.

4. An HTTP connection is very simple and stateless; HTTPS is a network protocol built from SSL + HTTP that can perform encrypted transmission and identity authentication, and is more secure than HTTP.

3. HTTPS encrypted transmission principle

1. What is HTTPS

1.1 Reasons for the birth of https

HTTP, the Hypertext Transfer Protocol, is a specification for realizing network communication. In practice, HTTP is often used to transfer information between web browsers and website servers.

However, HTTP sends content in clear text and does not provide any form of data encryption. In this case, data may be stolen or tampered with at every step of the transmission process, which also means that there may be a middleman between you and the server, and everything you do during the communication is under the middleman's control, as shown below.

(Figure omitted: the middleman sitting between the browser and the server.) In view of the fact that HTTP's clear-text transmission makes the transmission process insecure, HTTPS emerged to provide encryption.

1.2 https encryption method

HTTPS actually runs HTTP over the secure SSL/TLS protocol, that is, HTTPS = HTTP + SSL/TLS; it uses the SSL/TLS protocol to verify the identity of the server and to encrypt the communication between the browser and the server.

The SSL protocol sits in a security layer between HTTP and TCP. Data passing through this security layer is encrypted and decrypted. The general structure is as follows:

(Figure omitted: the protocol stack with the SSL/TLS layer between HTTP and TCP.)
As can be seen from the figure, HTTPS is not a new protocol.

1.3 The difference between http and https

  • http is clear-text transmission, which has security risks; https uses the SSL/TLS protocol for encryption and decryption, making data transmission more secure.
  • The port of http is 80; the port of https is 443;
  • Data transmission using http only requires a TCP three-way handshake; data transmission using https, in addition to the TCP three-way handshake, also requires an SSL/TLS handshake before entering encrypted transmission;
  • Because https requires encryption, it needs to apply for a digital certificate from a CA (Certificate Authority) to ensure that the server's identity is trustworthy, and the more powerful the certificate, the higher the cost.

2. https workflow

  • The client initiates an https request and connects to port 443 on the server;
  • The server has a digital certificate (its contents include the public key, the certificate authority, the expiration date, etc.), and after receiving the request it sends the certificate information to the client (the public key is in the certificate information; the private key is held by the server);
  • The client verifies the validity of the digital certificate;
  • After the verification passes, the client takes the public key out of the certificate information, uses it to encrypt a randomly generated key of its own, and transmits the result to the server;
  • The server receives the encrypted data, performs asymmetric decryption with its own private key, and takes out the client's key. It then symmetrically encrypts the data the user requested using the client's key and transmits it to the client, so all the data is encrypted;
  • After the client receives the data, it symmetrically decrypts it with its own key and obtains the final plaintext data.

3. Digital certificate

3.1 What is a digital certificate

In the above process, there is something called a digital certificate. What is it, and what is it for?

Through a mixture of symmetric and asymmetric methods, we can achieve encrypted transmission of data. However, this method still has a problem. If a hacker uses DNS hijacking to replace the IP address of the official website we want to visit with the hacker's own IP address, then when we visit this website we actually reach the hacker's server. The hacker can then deploy his own public key and private key on that server, and as for the browser, it has no idea that it is visiting a hacker's site.

So for this situation, we also need the server to prove to the browser that "I am who I say I am". How can it prove it? This requires an authoritative organization to vouch for the server through a certificate it issues.

This authoritative organization is called a CA (Certificate Authority), and the certificate it issues is called a digital certificate.

For the browser, the digital certificate has two functions: one is to prove the identity of the server to the browser, and the other is to carry the server's public key.

3.2 How to apply for a digital certificate

So how does one apply for a certificate from a CA? For example, website A needs to apply for a digital certificate from a CA. The usual application process is divided into the following steps:

  • First, A needs to prepare a private key and public key pair, and keeps the private key for its own use;
  • Then A submits the public key, company, site and other information to the CA and waits for certification. This certification process may be charged for;
  • The CA verifies the authenticity of the information provided by A through online, offline and other channels, such as whether the company exists, whether the enterprise is legal, whether the domain name belongs to the enterprise, etc.;
  • If the information passes review, the CA issues a certified digital certificate to A, which contains A's public key, organization information, CA information, validity period, certificate serial number, etc. This information is all in clear text, and the certificate also contains a signature generated by the CA.

3.3 How to verify certificate validity

First, understand the process by which the CA issues the certificate:

  • The CA first puts the public key, purpose, issuer, validity period and other information submitted by website A into a package, then runs a Hash algorithm over this information to obtain a Hash value;
  • Then the CA uses its own private key to asymmetrically encrypt the Hash value, generating the Certificate Signature; that is, the CA has signed the certificate;
  • Finally, the Certificate Signature is added to the certificate to form the digital certificate.

The client's verification of the server's digital certificate then reverses this process:

  • First, the browser reads the relevant plaintext information in the certificate and uses the same Hash function the CA used when signing to calculate a Hash value H1;
  • The browser and operating system usually have the CA's public key built in, so the browser uses the CA's public key to decrypt the received certificate signature and obtains another Hash value H2;
  • Compare the values of H1 and H2. If they are the same, this proves that the certificate is legitimate; at the same time, the browser also checks the domain name, validity period and other information related to the certificate.
  • At this point it is equivalent to having verified who the CA is, but this CA may be relatively niche, and the browser does not know whether to trust it. The browser then continues to look for the CA that issued this CA's certificate and verifies the reliability of that superior CA in the same way. Normally, the certificate information (including the public key) of trusted top-level CAs is built into the operating system. If no top-level CA built into the browser is found in the CA chain, the certificate is also judged to be illegal.
    (The certificate corresponding to a built-in CA is called a root certificate. The root CA is the most authoritative organization; it signs its own certificate, which we call a self-signed certificate.)
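
The CA issuance steps (3.3) and the browser-side verification steps above, as an added Go example that is not code from the article: NewRootCA and IssueCert (my own names) use crypto/x509's CreateCertificate, which hashes the certificate body and signs it with the CA's private key, and VerifyServerCert runs the browser's check with cert.Verify, which recomputes the hash, checks the signature against the trusted root's public key, checks the name and validity period, and rejects a chain that does not end in a trusted root. The root-CA name is constructed, and the CertPool passed in stands in for the operating-system or browser root store.

```go
package main
import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// NewRootCA builds the CA's self-signed root certificate, the kind that browsers and operating systems build in.
func NewRootCA(caKey *rsa.PrivateKey) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Root CA"}, // constructed name
		NotBefore:             time.Now(),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	// Self-signed: the template is its own parent, and caKey signs its own public key.
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// IssueCert is the CA signing step: hash the site's public key, name and validity, sign with caKey, embed the signature.
func IssueCert(ca *x509.Certificate, caKey *rsa.PrivateKey, host string, sitePub *rsa.PublicKey) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host}, // the name the browser will check
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, sitePub, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// VerifyServerCert is the browser's check: signature (H1 == H2), name, validity, and a trusted root in the chain.
func VerifyServerCert(cert *x509.Certificate, trusted *x509.CertPool, host string) error {
	_, err := cert.Verify(x509.VerifyOptions{Roots: trusted, DNSName: host})
	return err
}
```

With an empty CertPool the check ends in the last bullet's failure (no trusted root found in the chain), and with a different DNSName it fails the domain-name check.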

4. Summary

This article first introduced what https is and the difference between http and https; then the https workflow; and finally what a digital certificate is and how to apply for and verify one.

Origin blog.csdn.net/weixin_39589455/article/details/130904398