CA certificates and the application process! What is asymmetric encryption?

The following article was compiled and published by the SSL Shield editor, www.ssldun.com [Site Security Shield].
As mentioned above, a client that communicates with a server over HTTPS relies on a CA certificate. You may ask why we do not simply use asymmetric encryption directly. To answer that, we first introduce asymmetric encryption.

Asymmetric encryption: the client and the server each have a public key and a private key. The public key can be exposed to the outside, while the private key is visible only to its owner.

A message encrypted with a public key can only be decrypted with the corresponding private key. Conversely, a message encrypted with a private key can only be decrypted with the corresponding public key. So before sending a message, the client first encrypts it with the server's public key, and the server, on receiving it, decrypts it with its own private key.


Advantages of asymmetric encryption:

Asymmetric encryption uses a public key and a private key to solve the problem of HTTP message confidentiality, and it also reduces the risk of the private key leaking.

Because a message encrypted with the public key can only be decrypted with the corresponding private key, the accuracy of the message's source and the integrity of the message are ensured to a large extent.

Disadvantages of asymmetric encryption:

To encrypt a message, the sender needs the recipient's public key, but the public key is not secret: anyone can obtain it, including an intermediary (a man-in-the-middle). The intermediary can then do two things. First, when the client and server exchange public keys, the intermediary can replace the client's public key with their own, so the server receives the intermediary's public key rather than the client's. The server cannot determine whether the source of the public key is legitimate. Second, the intermediary may leave the public key alone but intercept the message sent by the client, tamper with it, encrypt it with the server's public key, and send it on to the server, so the server receives a wrong message.

Asymmetric encryption is several times or even hundreds of times slower than symmetric encryption and consumes more system resources. Because of this, HTTPS combines the two kinds of encryption.

 

To address the above problems with asymmetric encryption, digital certificates and digital signatures were introduced.

The CA certification process involved in an HTTPS connection is therefore as follows:

1. The server has its own private key and public key.

2. The server submits its public key to the CA (certification authority) and requests a digital certificate.

3. The CA generates a digital certificate and issues it to the server.

4. The server sends the digital certificate, which carries the public key information, to the client.

5. The client then enters the process of generating a symmetric key for the connection ......
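
The five steps above, together with the public-key substitution described under the disadvantages, as an added example that is not part of the original article: a toy Python model in which the client accepts a public key only if the CA's signature over it verifies. It uses textbook RSA on small fixed primes with no padding, for illustration only; the host name `www.example.test`, the key values and all function names are assumptions made for the example.

```python
# Added example, stdlib only. Textbook RSA, no padding: illustration, not real use.
import hashlib

E = 65537

def keypair(p, q):
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))

def digest(subject, pub, n):
    body = f"{subject}|{pub[0]}|{pub[1]}".encode()
    return int.from_bytes(hashlib.sha256(body).digest(), "big") % n

def issue_cert(ca_priv, subject, pub):
    """Steps 2-3: the CA signs the binding of subject name to public key."""
    n, d = ca_priv
    sig = pow(digest(subject, pub, n), d, n)
    return {"subject": subject, "pub": pub, "sig": sig}

def verify_cert(ca_pub, cert, expected_subject):
    """Step 4, client side: check the CA signature and the subject name."""
    n, e = ca_pub
    signed = pow(cert["sig"], e, n) == digest(cert["subject"], cert["pub"], n)
    return signed and cert["subject"] == expected_subject

def wrap_key(pub, key):
    """Step 5: encrypt the symmetric key with the certified public key."""
    n, e = pub
    return pow(int.from_bytes(key, "big"), e, n)

def unwrap_key(priv, blob, length=16):
    n, d = priv
    return pow(blob, d, n).to_bytes(length, "big")

# Constructed sample keys built from known Mersenne primes.
CA_PUB, CA_PRIV = keypair(2**107 - 1, 2**127 - 1)
SRV_PUB, SRV_PRIV = keypair(2**61 - 1, 2**89 - 1)      # step 1
MITM_PUB, MITM_PRIV = keypair(2**19 - 1, 2**31 - 1)    # intermediary's key

def handshake(cert, session_key, host="www.example.test"):
    """Client: reject an unverified certificate, else wrap the session key."""
    if not verify_cert(CA_PUB, cert, host):
        return None
    return wrap_key(cert["pub"], session_key)

if __name__ == "__main__":
    cert, key = issue_cert(CA_PRIV, "www.example.test", SRV_PUB), bytes(range(16))
    print(unwrap_key(SRV_PRIV, handshake(cert, key)) == key)  # genuine certificate
    print(handshake(dict(cert, pub=MITM_PUB), key))           # substituted key
```

A certificate whose public key has been swapped, or one signed by a key other than the CA's, fails verification, so the client never encrypts the symmetric key to the intermediary.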

Origin blog.51cto.com/14379936/2408995