【Computer Network】HTTPS

Others 2023-09-15 18:50:26 views: null

Article directory

1. Concept of HTTPS

HTTPS is also an application layer protocol, which introduces an encryption layer based on the HTTP protocol.

Since the content of the HTTP protocol is transmitted in clear text form, some tampering occurs during the transmission process.

When the message is transmitted, the payload is transmitted in plain text and is easily leaked.
Add a software layer between the application layer and the transport layer, generally called SSL/TLS.

SSL/TLS is essentially HTTP handshake negotiation, encryption and decryption

Therefore, the data handed over to the transport layer at this time is encrypted.

The remote host also needs to communicate.
Instead, the data is handed over to the remote HTTP
. By adding a software layer, the encryption and decryption function can be added to the protocol stack. The
actual messages in the network must be encrypted.

HTTP plus SSL/TLS is called HTTPS

2. Encryption

Encryption is to perform a series of transformations on plain text to generate cipher text.
Decryption is to perform a series of transformations on cipher text and restore it to plain text.

In this encryption and decryption process, one or more intermediate data are needed to assist in this process. Such data is called a key.

Common encryption methods

Symmetric encryption

Using the encryption method of a single-key cryptosystem, the same key can be used for encryption and decryption of information at the same time. This encryption method is called symmetric encryption . It
is also called single-key encryption. Features: The key used for encryption and decryption is the same. Features
: open algorithm, small amount of calculation, fast encryption speed, high encryption efficiency

asymmetric encryption

Use two keys for encryption and decryption, the public key and the private key

Public key: can be disclosed to the entire network.
Private key: can only be owned by yourself.

Encrypt with the public key and can only be decrypted with the private key Encrypt
with the private key and can only be decrypted with the public key

Because the public key is public, anyone can use it for encryption and decryption

Features: The strength of the algorithm is complex, and security depends on the algorithm and key. However, due to the complexity of the algorithm, the encryption and decryption speed is not as fast as that of symmetric encryption and decryption.

3. Exploring the working process of HTTPS

Option 1 – Use only symmetric encryption

If both parties to the communication hold the same key and no one else knows it, the security of the communication between the two parties can certainly be guaranteed
(unless the key is cracked)

Even if a hacker intercepts the data, since the hacker does not know what the key is, he cannot decrypt it and does not know the content of the request.

How to ensure that both the client and the server use the same key?
If it is built-in, it will be built into the Windows operating system or the browser. No matter which one it is, hackers will have certain channels to obtain it.

If the key is passed to the server at the beginning, the server will know the corresponding key, and both parties will use the key for encryption.
However, sending the key to the server through the client cannot guarantee the security of the key itself,
so the solution is unsafe

Option 2 – Use only asymmetric encryption

When using public key encryption and private key decryption, it doesn't matter even if a hacker intercepts the data, because only the private key can decrypt it and it
seems safe.

(Private key encryption, public key decryption)
If the server encrypts the data with its private key and sends it to the browser, the browser can use the public key to decrypt it. The public key is made public by the entire network.
If the public key is hijacked, then he The public key can also be used to decrypt messages from the server
, so this solution is also unsafe.

Option 3 - Both parties use asymmetric encryption

The server has the public key S and the private key S1, and the client has the public key C and the public key C1.
Before communication, the client and the server exchange their own public keys.
The client sends its public key directly to the server, and the server knows it. The client's public key C
, the server then sends its public key directly to the client, and the client knows the server's public key S

If the client sends a message to the server, it is encrypted with the public key S, and only the server can decrypt it.

If the server sends a message to the client, it uses public key C to encrypt it.

This approach seems safe, but there are problems with inefficiency (asymmetric encryption is slower, and it is even slower if both parties use asymmetric encryption),
but there are still security problems.

Solution 4 - Asymmetric encryption + symmetric encryption

The server uses non-pair encryption and decryption, and the client uses symmetric encryption and decryption. The
server has the public key S and the private key S1
. The client initiates an HTTP request. When the server responds
that both the request and the response are clear text
, it pushes the server-side public key to the client. S

Assume that the client forms a symmetric secret key C
and uses the symmetric secret key C and the push public key S to form a ciphertext
and push the encrypted data to the server.

The server then uses its own private key S1 to decrypt to form a symmetric key C. The symmetric key C
is used to complete symmetric encryption to ensure the data security of both parties,
but there are still security issues.

man-in-the-middle attack

Take scheme 4 as an example
, referred to as MITM attack.

After the client obtains the public key S, the client forms a symmetric secret key C and encrypts it with the public key S given to the client by the server.
Even if the middleman steals the data, the middleman cannot decipher the secret key C formed by the client.

M represents the middleman.
The server side has asymmetrically encrypted public key S and private key S1.
The middleman has public key M and private key M1.

The client first requests, then the server responds, and the server sends the public key S to the client.

When the server pushes its public key to the client, the middleman intercepts it,
takes S out of the message, saves it, and fills it in with the middleman's own public key M.

Forward the new message to the client. Because the client requested the server, it defaults to the message sent by the server. The
client obtains the public key M, and the client does not know that the public key has been changed.

The client runs normally, and the public key M is combined with the symmetric secret
key
Get the client's symmetric secret key X

After obtaining the client's symmetric secret
key The server still decrypts
the encrypted message with public key S and obtains the client's symmetric secret key X.

Summary:
What is the core reason for man-in-the-middle attack?
The client cannot verify the validity of the public key

Introduce certificate

The server that provides network services to others does not have the final say on whether it is legal or not.
An authoritative, third-party organization must be introduced to certify the server.

For example: You are the owner of a restaurant. You don’t know whether the dishes cooked in the restaurant are food safe. Even if you say yes, why should others believe you? So you must go to the relevant government
unit and obtain a business license. certification, food safety is somewhat guaranteed.
So at this time, others believe in the food safety of the restaurant because they believe in the food safety department that certified the restaurant.

CA certification

The CA organization is an organization jointly established by the Internet Standardization Organization and the entire network standardization organization. It
certifies all corresponding servers nationwide and issues an electronic certificate before the server can be trusted.

If you want to use HTTPS, you must be certified in a CA organization to obtain a CA certificate.
If not certified, the browser will pop up and the link is unsafe, causing customers to not trust the website.

Digital certificates are essentially data

Understanding data signatures

Summarize large text, and then encrypt the summary information, that is, data signature

Hash the text to form a hash value. Encrypt the hash value
with the private key of a specific CA certificate to form a signature.

Combining the original text and signature to form signed data
is a process called issuing a certificate

When pushing the certificate to a certain person, split the received certificate (plain text) into data and corresponding signatures, continue to use hashing on the original data to form a hash value, and then use the encrypted signature to use the CA certificate . Public key decrypts to form hash value

Compare whether the hash values ​​of the two are equal
. If they are equal, it means that the signature data has not been tampered with.
If they are not equal, at least one of the plaintext data and the signature data has been tampered with.

Solution 5 - Asymmetric encryption + symmetric encryption + certificate authentication

The client requests first, then the server responds and gives the client a certificate

1. Verify the validity of the certificate

The client authenticates first, the validity of the certificate

Through verification, the content and signature are separated, and the same hash algorithm is used to form the corresponding hash value.
First, the data is hashed using the hash algorithm to form the corresponding hash value.
Use the browser's built-in public key to decrypt the signature and form the hash value.

If the hash values ​​of the two are different, the data may have been tampered with, so it is discarded directly.
If the hash values ​​of the two are the same, it means that the content has not been tampered with and the certificate is legitimate.

2. The client extracts the public key from the certificate

If the certificate is legitimate, extract the public key in the certificate

The client forms a symmetric secret
key

The purpose of the certificate is to ensure that the content has not been tampered with. While verifying the legitimacy of the certificate, it also verifies the legitimacy of the public key.

Guess you like

Origin blog.csdn.net/qq_62939852/article/details/132777897
Recommended
The sixth meeting of openKylin Community Ecology Committee was successfully held
Alibaba Cloud officially releases Tongyi Qianwen 2.5
Python 3.13 releases first Beta: experimental free-threading mode and JIT, improved interactive interpreter
Stack Overflow used my code to train large AI models and banned my account.
Pop!_OS’s COSMIC desktop completes App Store listing
Report: Django is still the first choice for 74% of developers
"Internet Investment and Financing Operation in the First Quarter of 2024" Research Report
15 years ago, he was on the "FFmpeg pillar of shame", and today he still has to thank us - Tencent QQPlayer avenges its shame?
Ranking
Python handwritten digit recognition, the corresponding mathematical formulas and Detailed procedures
Der M-Chip-Mac implementiert mehrere Android-Emulatoren
CentOS 명령줄 모드에서 화면이 항상 켜져 있도록 설정 ---- 예상한 효과를 얻지 못했습니다.
Teach you step by step how to use GDB to debug programs: a comprehensive guide from entry to mastery
python3 pip ipython installation
A lot of python crawler source code sharing -- talk about the little thing about python crawler
Agile Sprint in Alpha Stage (7)
Access URL in Unity
FunctoinDemo form
MS SQL common SQL statements (6): create, modify, delete triggers and other operations sq
Daily
More
2024-05-10(34)
2024-05-09(32)
2024-05-08(18)
2024-05-07(34)
2024-05-06(6)
2024-05-05(0)
2024-05-04(18)
2024-05-03(8)
2024-05-02(0)
2024-05-01(4)

Code World

© 2018 codetd.com