HTTP shortcomings
https mainly has the following disadvantages
- Using plaintext communication transmission (not encrypted) content may be tapped.
- Communication does not verify the identity of the parties, and therefore may encounter disguise.
- Unable to prove the integrity of the message, so the message may have been tampered with.
Sentence summary is not secure enough , because of these shortcomings, https proposed to solve these problems. Interested students can visit a Web site is still using the http protocol, grasping it with Wireshark packet capture can be verified first, http plain text transmission, really naked on the network. . . The figure is my visit http://life.hao123.com/health after the capture site to track the flow, use utf-8 shows the results of clearly can be seen in clear text transmission, as for the second and third points can read other relevant information.
The HTTP Authentication + + + encrypted integrity protection = HTTPS
HTTPS is not a new application layer protocol, except that the HTTP communication interface portion with SSL (Secure Socket Layer) and TLS (Transport Layer Security) protocol instead of (ps: SSL respect TSL is earlier than TSL, in the SSL originally designed when there are some shortcomings, so now adopt a more TSL1.2 ).
Typically, HTTP, and TCP communication directly, when in HTTPS or TLS and SSL to be in communication, and then re-SSL or TLS and TCP communication. In the following we explain one by one interpretation of the encryption, authentication, integrity protection.
encryption
HTTPS采用共享秘钥和公开秘钥两者并用的混合加密方式进行加密,一般在秘钥传输阶段,采用公开秘钥加密方式安全的传递稍后在共享秘钥加密中使用的共享秘钥,在确保安全的交换了共享秘钥的前提下,会开始使用共享秘钥加密的传输方式进行通信,看不懂没关系,后面还会提到接下来介绍一下共享密钥加密和公开秘钥加密。
共享秘钥加密
共享秘钥加密也叫作对称秘钥加密,相对于公开密钥加密算法来说,加密简单,加密和解密使用同一个秘钥,但是不安全,为什么不安全呢?这是因为,在双方通信前必须将秘钥安全的传输给对方,如果通信被监听,攻击者成功获得了秘钥,那么就没有安全性可言,换句话说,发送秘钥就有被窃听的风险,如果不发送,对方就无法解密,不知道你发的是什么,而且这种方式如果你能保证秘钥可以安全发送,那数据也就可以安全达到,还加什么密。
公开密钥加密
公开密钥加密也叫作非对称秘钥加密,相对于共享秘钥加密来说,加密复杂,但是就目前的技术来说很安全。公开秘钥加密使用两把秘钥来进行加解密,一把叫做公开密钥,可以随意发布,任何人都可以获取;一把叫做私有秘钥,只能自己拥有,任何人都不能获取。现在举个例子来说明为什么很安全。如图,现在Alice和Bob进行通信,首先Alice通过Bob的公钥B将需要发送的数据进行加密后将加密数据发送给Bob,在Bob拿到加密数据后,Bob会对加密数据用只有自己有的私钥B进行解密,获得传输过来的信息。利用这种方式不需要发送私钥,也不怕通信被监听,因为监听了也没什么用,公钥是公开的,任何人都可以获得,假设现在攻击者获取到公钥后和监听到的密文,想要通过密文和公钥进行解密,就目前的技术而言是基本上不可能实现的。
认证
仔细思考上述公开秘钥加密方式,可以看出Alice是无法验证Bob的公开密钥B的,例如,Alice是想和Bob通信的,他想收到的是公开密钥B,但是当他收到公钥的时候他无法确认这公钥到底是不是Bob的,因为,可能在公开密钥B传输的过程中就已经被攻击者替换成公开密钥C了,但是Alice是完全不知道的,所以这就需要一个权威的中间人提供一些办法来帮助Alice鉴别收到的公钥是不是Bob的,这个中间人就是数字证书认证机构(CA,Certificate Authority)和其相关机构所颁发的公开密钥证书。
数字认证机构是权威的第三人,Alice和Bob都信任他。数字认证机构的业务流程是这样的。首先服务器运行人员(这里可以看做是Bob)向数字认证机构提出公开密钥的申请,数字认证机构在对申请者的身份进行判别核实后,会对已申请的公开密钥(公钥B)用机构的私钥进行数字签名,然后分配这个已签名的公开密钥,并将公开密钥放入到公钥证书后绑定在一起(公钥证书也叫作数字证书或者证书)。细心的朋友可能会发现这个流程是数字认证机构处理申请公钥证书的流程,这和Alice和Bob通信没有直接关系啊,别急,接下来就说Alice是如何认证公钥B就一定是Bob的公钥的。
In fact, in the process of communication Alice and Bob, Bob is sent to Alice's public key certificate, rather than simply the public, after Alice receives Bob's public key certificate, Alice uses the CA's public key to decrypt the certificate, after decryption public key certificate can be obtained Bob B, B can then be used to detect the legitimacy of the public key of the digital signature, so as to achieve the purpose of the legitimacy of the authentication keys disclosed. Summary sentence, Alice can receive is to ensure Bob's public key B, if not, then the browser will warn the detailed procedure, please refer to this article. https://blog.csdn.net/qq_28267025/article/details/78070211 .
Integrity protection
When using SSL or TLS HTTPS transmission data, when transmitting the application layer data appended called MAC (Message Authentication Code) is a message digest. MAC can check on whether the message has been tampered with, so as to ensure the integrity of the message.
So far, the encryption + authentication + = HTTPS to protect the integrity of finished, if the article pointed out that there is an error in trouble to learn from each other.
references:
"Graphic HTTP"