Understanding HTTPS: encryption and principles

HTTPS (Hypertext Transfer Protocol Secure) is HTTP carried over an encrypted and authenticated channel (SSL/TLS). Put simply, it is the secure version of HTTP.

Why HTTPS

The reason for using HTTPS is simple: plain HTTP is insecure.

When we send private data (a bank card number, an ID number) to a server over HTTP, nothing protects it in transit.

First, while the data is being transmitted it can be captured by a man in the middle and read: the data is stolen.

Second, once the man in the middle has the data he can replace or modify it and forward the altered version to the server.

Finally, when the server receives the data it cannot tell whether the data was modified or replaced on the way, nor whether it really came from the client.

In short, HTTP has three weaknesses:

The confidentiality of messages cannot be guaranteed.

The integrity and accuracy of messages cannot be guaranteed.

The authenticity of the source cannot be guaranteed.

HTTPS emerged to solve these three problems.

Basic concepts

HTTPS relies on three techniques: encryption, digital certificates and digital signatures.

Symmetric encryption and asymmetric encryption

To guarantee the confidentiality of messages we need encryption and decryption. Mainstream algorithms fall into two families: symmetric encryption and asymmetric encryption.

1. Symmetric encryption (shared-key encryption): the client and the server use one and the same key to encrypt and decrypt messages. The two sides agree on a key in advance; the client encrypts each message with that key before sending it, and the server decrypts it with the same key on receipt.

Advantages of symmetric encryption:

It solves the confidentiality problem of HTTP messages, and it is fast enough to encrypt large amounts of traffic.

Disadvantages of symmetric encryption:

Although symmetric encryption guarantees confidentiality, the client and the server must share the same key, and that key has to reach both sides somehow. If it is sent over the same insecure channel, it is exposed to exactly the man in the middle we are trying to defeat, so the key is particularly vulnerable to leakage.

Because the shared key can leak, and because anyone who holds it can produce messages that look genuine, symmetric encryption alone cannot establish the authenticity of the source, and its integrity protection only holds as long as the key stays secret.
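What a shared key buys you, as an added example (not code from the original post): AES-256-GCM in Go's standard library, with the same key on both sides. The honest receiver recovers the plaintext, an eavesdropper with a different key gets an error rather than garbage, and a man in the middle who flips a single bit of the ciphertext is caught by the authentication tag. All of this depends on the key staying secret, which is the distribution problem the text describes. The card number is a constructed sample.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// NewKey returns a fresh 256-bit key. Both sides must hold this same key;
// how it gets to both of them safely is the weak point of symmetric encryption.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// Encrypt seals plaintext with AES-256-GCM. A random nonce is prepended to the
// output so the receiver can recover it; GCM appends an authentication tag.
func Encrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Decrypt opens a message produced by Encrypt. With the wrong key, or after any
// modification of the ciphertext, the tag check fails and an error is returned.
func Decrypt(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// TamperDetected plays the man in the middle: it flips one bit of the sealed
// message and reports whether the receiver rejects the result.
func TamperDetected(key, sealed []byte) bool {
	forged := append([]byte(nil), sealed...)
	forged[len(forged)-1] ^= 0x01 // the last byte belongs to the authentication tag
	_, err := Decrypt(key, forged)
	return err != nil
}

func main() {
	key, _ := NewKey()
	eavesdropper, _ := NewKey() // a different key: the attacker never obtained the real one
	sealed, _ := Encrypt(key, []byte("card=6222 0000 0000 0000")) // constructed sample data
	plain, _ := Decrypt(key, sealed)
	_, eavesErr := Decrypt(eavesdropper, sealed)
	fmt.Printf("server decrypted: %q\n", plain)
	fmt.Printf("eavesdropper failed: %v\n", eavesErr != nil)
	fmt.Printf("tampering detected: %v\n", TamperDetected(key, sealed))
}
```

GCM gives integrity as well as confidentiality, but only relative to whoever holds the key: if the key leaked, the attacker can produce messages that pass the same check, which is why a shared key alone says nothing about who the sender is.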

2. Asymmetric encryption (public-key cryptography): since the key in symmetric encryption is so easy to leak, asymmetric encryption can be used instead.

With asymmetric encryption, the client and the server each hold a pair of keys, one public and one private. The public key can be handed out freely; the private key is known only to its owner.

A message encrypted with a public key can be decrypted only with the corresponding private key. The reverse operation, applying the private key to data so that anyone holding the public key can check it, is a digital signature rather than encryption, since a public key is not secret and so cannot keep anything confidential. So before sending a message the client encrypts it with the server's public key, and the server decrypts it with its own private key on receipt.

Disadvantages of asymmetric encryption:

To encrypt a message you need the recipient's public key, but a public key is not secret: anyone can obtain it, including a man in the middle. The man in the middle can then do two things. First, when the client and server exchange public keys, he can replace the client's public key with his own; the server then holds the attacker's key while believing it belongs to the client, and has no way to check where the key came from. Second, even without replacing any key, he can intercept and discard a message sent by the client and send one of his own in its place, encrypted with the server's public key, which he has just like everyone else; the server receives a forged message and cannot distinguish it from a genuine one. Asymmetric encryption on its own therefore solves confidentiality, but not integrity or authenticity.

Asymmetric encryption is also far slower than symmetric encryption, by orders of magnitude for the same amount of data, and consumes much more CPU. For this reason HTTPS combines the two: asymmetric encryption is used only to establish a short session key securely, and symmetric encryption then protects the bulk of the traffic.
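The two attacks described above, worked through as an added example with RSA-OAEP from Go's standard library (this is illustrative code, not part of the original post). The honest exchange shows that only the holder of the private key can read the message. KeySubstitution then models a man in the middle who hands the client his own public key in place of the server's: he decrypts, alters and re-encrypts to the server's real key, and the server accepts the result. The message text and the "(altered)" marker are constructed for the example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Party is one side of the conversation. Only the public half of its key pair
// ever leaves the machine.
type Party struct{ priv *rsa.PrivateKey }

func NewParty() (*Party, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Party{priv: priv}, nil
}

func (p *Party) Public() *rsa.PublicKey { return &p.priv.PublicKey }

// EncryptTo encrypts msg so that only the holder of the private key matching pub
// can read it (RSA-OAEP). RSA can only carry a short message; in HTTPS this slot
// carries a symmetric session key, not the application data itself.
func EncryptTo(pub *rsa.PublicKey, msg []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, msg, nil)
}

// Decrypt opens a message that was encrypted to this party's public key.
func (p *Party) Decrypt(ct []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, p.priv, ct, nil)
}

// KeySubstitution models the man in the middle from the text. The client asks
// for the server's public key but, because nothing authenticates the answer,
// receives the attacker's key instead. The attacker decrypts, alters and
// re-encrypts to the real server key; the server sees only a well-formed message.
func KeySubstitution(server, attacker *Party, msg string) (string, error) {
	keyClientReceived := attacker.Public() // swapped in transit, unnoticed by the client

	fromClient, err := EncryptTo(keyClientReceived, []byte(msg))
	if err != nil {
		return "", err
	}
	stolen, err := attacker.Decrypt(fromClient) // the attacker reads the plaintext
	if err != nil {
		return "", err
	}
	altered := append(stolen, []byte(" (altered)")...)
	forwarded, err := EncryptTo(server.Public(), altered) // re-encrypted to the real key
	if err != nil {
		return "", err
	}
	seen, err := server.Decrypt(forwarded)
	if err != nil {
		return "", err
	}
	return string(seen), nil
}

func main() {
	server, _ := NewParty()
	attacker, _ := NewParty()

	// Honest exchange: only the server can read the message.
	ct, _ := EncryptTo(server.Public(), []byte("transfer 100"))
	pt, _ := server.Decrypt(ct)
	_, attackerErr := attacker.Decrypt(ct)
	fmt.Printf("server read %q; attacker without the private key fails: %v\n", pt, attackerErr != nil)

	// Unauthenticated public key: the attacker substitutes his own.
	seen, _ := KeySubstitution(server, attacker, "transfer 100")
	fmt.Printf("server received %q and cannot tell it was modified\n", seen)
}
```

Nothing in the RSA mathematics is broken here; the gap is that the client had no way to check whose public key it was given. That is the gap certificates close.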

Digital certificates and digital signatures

To solve the problem that the origin of a public key cannot be verified, we use digital certificates and digital signatures.

1. Applying for a digital certificate

In practice there are trusted authorities that issue digital certificates; they are called Certificate Authorities (CA).

The operator of a server can request a digital certificate from a CA.

The application process is roughly as follows:

The operator generates a key pair locally, then sends the public key together with other identifying information (the company name, the domain name and so on) to the CA to request a certificate.

The CA takes this information and runs it through a one-way hash function such as SHA-256 to produce a fixed-length digest. (MD5 was once commonly used for this, but its collision resistance is broken; it must not be used for signatures today.)

A one-way hash is irreversible, and any slight change in the input produces a completely different digest. Collisions must exist, since there are more possible inputs than outputs (the pigeonhole principle), but for a secure hash finding one is computationally infeasible; that is what lets the digest stand in for the whole information and reveal tampering. MD5 and SHA-1 fail this requirement: practical collisions have been demonstrated for both.

Producing the digest is not the end. The CA then signs the digest with its own private key; the signed digest is the digital signature. (This step is often described as "encrypting the digest with the private key"; strictly it is a signing operation, not encryption.)

Finally the CA bundles the application information (including the server's public key) together with the digital signature into a digital certificate and returns it to the operator. Anyone who holds the CA's public key can later recompute the digest of the certificate contents and verify the signature against it; if both match, the public key inside the certificate really belongs to the named server, and the certificate cannot have been altered since the CA signed it.
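The issue-and-verify procedure above, as an added example in Go (not code from the original post). The Certificate struct is a deliberate simplification of the real X.509 format: just the application information and the CA's signature over its SHA-256 digest. Verify does what a client does with a certificate, and the example shows the two cases verification must catch: the information was altered after signing, and the certificate was issued by a CA the client does not trust. The subject string is a constructed placeholder.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Certificate is the simplified structure from the text: the application
// information (which includes the server's public key) plus the CA's signature
// over a digest of that information. Real certificates are X.509 DER.
type Certificate struct {
	Info      []byte // constructed placeholder, e.g. "CN=example.test,pubkey=..."
	Signature []byte
}

// Digest is the one-way hash step: SHA-256 of the application information.
func Digest(info []byte) []byte {
	sum := sha256.Sum256(info)
	return sum[:]
}

// Issue is what the CA does: hash the information, then sign the digest with the
// CA private key (RSA PKCS#1 v1.5 here). This is the operation many texts
// describe as "encrypting the digest with the private key".
func Issue(caKey *rsa.PrivateKey, info []byte) (Certificate, error) {
	sig, err := rsa.SignPKCS1v15(rand.Reader, caKey, crypto.SHA256, Digest(info))
	if err != nil {
		return Certificate{}, err
	}
	return Certificate{Info: info, Signature: sig}, nil
}

// Verify is what a client does with a certificate: recompute the digest of the
// information it received and check the signature with the CA public key it
// already trusts. It returns false if the info was altered or another CA signed.
func Verify(caPub *rsa.PublicKey, cert Certificate) bool {
	return rsa.VerifyPKCS1v15(caPub, crypto.SHA256, Digest(cert.Info), cert.Signature) == nil
}

func main() {
	ca, _ := rsa.GenerateKey(rand.Reader, 2048)      // the CA the client trusts
	rogueCA, _ := rsa.GenerateKey(rand.Reader, 2048) // an authority the client has never heard of

	info := []byte("CN=example.test,pubkey=<server public key bytes>") // constructed
	cert, _ := Issue(ca, info)
	fmt.Println("genuine certificate verifies:", Verify(&ca.PublicKey, cert))

	tampered := cert
	tampered.Info = []byte("CN=attacker.test,pubkey=<attacker public key bytes>")
	fmt.Println("tampered information verifies:", Verify(&ca.PublicKey, tampered))

	forged, _ := Issue(rogueCA, info)
	fmt.Println("certificate from an untrusted CA verifies:", Verify(&ca.PublicKey, forged))
}
```

The client never needs the CA's private key; it only needs the CA's public key, shipped in advance in the browser or operating system trust store. That pre-installed trust is what breaks the circularity of "how do I verify the key I use to verify keys".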

How HTTPS works:

HTTPS is not a single technology. It combines the techniques above, each used where its characteristics fit, to get the best balance of performance and security. The combined protocol is called SSL (Secure Sockets Layer); its modern successor, and what is actually used today, is TLS (Transport Layer Security). So HTTPS is not a new protocol; it is HTTP wrapped in an encryption layer.

Establishing an HTTPS connection

The life of an HTTPS connection, from setup to teardown, is described here as twelve steps. Steps 1 to 11 cover the SSL/TLS handshake and the data transfer, and step 12 is the disconnect. The message names are those of TLS 1.2 with RSA key exchange; TLS 1.3 keeps the same idea but shortens the handshake and derives the session keys from an ephemeral Diffie-Hellman exchange instead of encrypting a pre-master secret with the server's public key.

1. The client starts the SSL/TLS communication by sending a Client Hello message. It contains the SSL/TLS versions the client supports and a list of cipher suites (encryption algorithm, key length and so on) it is willing to use.

2. The server replies with a Server Hello message. Like the client's message it carries a protocol version and a cipher suite, but here they are the ones the server has picked from the list the client offered.

3. The server sends a Certificate message containing its public-key certificate.

4. Finally the server sends a Server Hello Done message to tell the client that the initial negotiation phase of the handshake is complete.

5. After this first phase the client responds with a Client Key Exchange message. It contains a random string called the pre-master secret, from which the keys for the encrypted communication are derived. The message is encrypted with the public key taken from the certificate in step 3, so only the holder of the matching private key can read it. Before using that public key the client verifies the certificate: the signature must check out against a CA in its trust store, the name in the certificate must match the host it is connecting to, and the certificate must be within its validity period. If any of these checks fails the client aborts the handshake here.

6. The client then sends a Change Cipher Spec message, telling the server that everything after this message will be encrypted with the session keys derived from the pre-master secret (combined with the random values from the two Hello messages).

7. The client sends a Finished message. It contains a check value computed over all handshake messages exchanged so far. Whether the server can decrypt it and whether the check value matches is the test of whether the negotiation succeeded.

8. The server likewise sends a Change Cipher Spec message.

9. The server likewise sends a Finished message.

10. Once the server's and the client's Finished messages have been exchanged, the SSL/TLS connection is established. From this point on the communication is protected by SSL/TLS, and application-layer communication, i.e. the HTTP request, begins.

11. Application-layer protocol communication, i.e. HTTP requests and responses, is carried over the protected channel.

12. Finally the client disconnects. On disconnecting it sends a close_notify alert (omitted from the figure in the original); after that a TCP FIN is sent to close the TCP connection.
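The handshake above run end to end, as an added example in Go (illustrative code, not part of the original post): a server with a certificate for the invented hostname example.test and a client that dials it on a loopback port. With the server's certificate in the client's trust store, steps 1 to 10 complete and the client reports the negotiated version, cipher suite and peer certificate. With an empty trust store, the certificate check in step 5 fails, the client sends an alert instead of a Client Key Exchange, and no session is established. The certificate is self-signed so that the example runs offline; in real HTTPS a CA signs it, and the client trusts the CA rather than the individual server.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// serverName is a hostname invented for this example.
const serverName = "example.test"

// selfSignedServerCert builds the certificate sent in step 3 plus its private
// key. Here the server signs itself; in real HTTPS the CA signature goes here.
func selfSignedServerCert() (tls.Certificate, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: serverName},
		DNSNames:              []string{serverName}, // the name the client checks in step 5
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true, // lets the cert act as its own trust root
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	parsed, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, parsed, nil
}

// Handshake runs steps 1 to 10 between a TLS client and server on a loopback
// socket and returns the client's view of the result. With trustServer false the
// client's trust store is empty, so certificate verification in step 5 fails.
func Handshake(trustServer bool) (tls.ConnectionState, error) {
	serverCert, serverX509, err := selfSignedServerCert()
	if err != nil {
		return tls.ConnectionState{}, err
	}
	roots := x509.NewCertPool()
	if trustServer {
		roots.AddCert(serverX509)
	}
	clientCfg := &tls.Config{RootCAs: roots, ServerName: serverName, MinVersion: tls.VersionTLS12}
	serverCfg := &tls.Config{Certificates: []tls.Certificate{serverCert}}

	ln, err := tls.Listen("tcp", "127.0.0.1:0", serverCfg) // ephemeral loopback port
	if err != nil {
		return tls.ConnectionState{}, err
	}
	defer ln.Close()

	serverDone := make(chan error, 1)
	go func() {
		conn, err := ln.Accept()
		if err != nil {
			serverDone <- err
			return
		}
		defer conn.Close()
		serverDone <- conn.(*tls.Conn).Handshake() // server side of steps 1 to 10
	}()

	client, err := tls.Dial("tcp", ln.Addr().String(), clientCfg) // Dial includes the handshake
	if err != nil {
		<-serverDone // the server sees the client's alert and fails too
		return tls.ConnectionState{}, err
	}
	defer client.Close() // step 12: close_notify, then the TCP connection is closed
	if err := <-serverDone; err != nil {
		return tls.ConnectionState{}, err
	}
	return client.ConnectionState(), nil
}

func main() {
	cs, err := Handshake(true)
	if err != nil {
		fmt.Println("trusted handshake failed:", err)
		return
	}
	fmt.Printf("version 0x%04x, cipher suite %s, peer certificate CN=%s\n",
		cs.Version, tls.CipherSuiteName(cs.CipherSuite), cs.PeerCertificates[0].Subject.CommonName)
	_, err = Handshake(false)
	fmt.Println("untrusted certificate rejected:", err)
}
```

The untrusted run returns the same x509 "unknown authority" class of error a browser turns into its certificate warning page. Note that the server is never told why the client went away beyond the alert; all of the trust decision happens on the client.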

Summary: HTTPS provides a secure channel for transmitting messages, but every message has to be encrypted and decrypted, which costs time and system resources. In high-security scenarios such as banking and shopping systems HTTPS is mandatory; for scenarios with lower security requirements it has often been skipped. Using HTTPS requires a digital certificate, and certificates issued by commercial authorities are generally paid for and not cheap, which is why personal sites, especially students' sites, have often gone without. Note, however, that free CAs such as Let's Encrypt now issue browser-trusted certificates at no cost, and on modern hardware the overhead of TLS is small, so the usual advice today is to serve everything over HTTPS.

Source: www.cnblogs.com/liulala2017/p/11094044.html