What is the HTTPS protocol?


The HTTPS protocol is indispensable knowledge for web development, whether you work on the front end or the back end. For historical reasons, however, the protocol is dry and full of detail, and reading about it can be painful and hard to follow. But we have to master it, so what can we do?

Here is an entertaining comic from our friend Xiao Hui that explains the HTTPS protocol; let's go through it to deepen our understanding.


What is the HTTP protocol?

HTTP stands for Hyper Text Transfer Protocol. It sits in the application layer, one of the four layers of the TCP/IP model.


HTTP follows a request/response model for communication between client and server.


It all looks very nice, but the HTTP protocol has a fatal flaw: it is not secure enough.

HTTP transmits information entirely in cleartext, without any encryption, so on the network it is effectively "running naked." What problems does this cause? Let's take an example:

The client is Xiao Hui, and Xiao Hui's colleague Xiao Hong is the server. One day Xiao Hui tries to send a request to Xiao Hong.


However, since the information is transmitted in plaintext, it is very likely to be intercepted by a middleman and even maliciously tampered with. This behaviour is called a man-in-the-middle attack.


How can we encrypt it?

Xiao Hui and Xiao Hong can agree in advance on a symmetric encryption scheme and on a randomly generated key. In all subsequent communication, the sender encrypts the information with that key, and the recipient decrypts it with the same key.


Is this absolutely safe? It is not.

Although the plaintext is encrypted in subsequent communication, the first exchange, in which the encryption scheme and the key are agreed, is still sent in plaintext. If that first exchange is intercepted, the key leaks to the middleman, who can then decrypt all subsequent communication.


What should we do? Don't worry: we can use asymmetric encryption to add an extra layer of protection for transporting the key.

An asymmetric key pair consists of a public key and a private key. Plaintext encrypted with the public key can be decrypted with the private key, and plaintext encrypted with the private key can be decrypted with the public key.

When Xiao Hui and Xiao Hong set up communication, Xiao Hong first sends her public key Key1 to Xiao Hui:


After receiving Xiao Hong's public key, Xiao Hui generates a key Key2 for symmetric encryption, encrypts Key2 with the public key Key1 he just received (this part is a little convoluted), and sends it to Xiao Hong:


Xiao Hong uses her own asymmetric private key to undo the encryption under public key Key1 and obtains Key2. From then on, the two can communicate with symmetric encryption using Key2.


During this communication, even if a middleman intercepts the public key Key1 at the very start, he cannot decrypt anything, because he does not know the private key.
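The exchange just described, written out as an added example in Go (not code from the original post): Xiao Hong's asymmetric pair is an RSA key whose public half plays Key1, Key2 is a random AES-256 key, Key2 travels wrapped under Key1 with RSA-OAEP instead of in the clear, and the traffic after that is AES-GCM under Key2. The function names (NewSessionKey, WrapKey, RunExchange) and the message are my own choices. One thing the comic does not show is added here: GCM authenticates every message, so a middleman who alters ciphertext in transit is detected on decryption instead of silently getting away with it.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// NewSessionKey generates Key2, the 256-bit AES key Xiao Hui makes for one session.
func NewSessionKey() ([]byte, error) {
	key2 := make([]byte, 32)
	_, err := rand.Read(key2)
	return key2, err
}

// newGCM builds the AES-GCM cipher both sides use once they share Key2.
func newGCM(key2 []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key2)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SymEncrypt seals plaintext under Key2. A fresh random nonce is prepended to the
// output; GCM also authenticates the bytes, so tampering is caught on decryption.
func SymEncrypt(key2, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key2)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// SymDecrypt opens what SymEncrypt produced; it fails if the data was altered.
func SymDecrypt(key2, ciphertext []byte) ([]byte, error) {
	gcm, err := newGCM(key2)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(ciphertext) < n {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return gcm.Open(nil, ciphertext[:n], ciphertext[n:], nil)
}

// WrapKey encrypts Key2 with Xiao Hong's public key Key1 (RSA-OAEP), so only the
// holder of the matching private key can recover it from the wire.
func WrapKey(key1 *rsa.PublicKey, key2 []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, key1, key2, nil)
}

// UnwrapKey is Xiao Hong's side: her private key recovers Key2.
func UnwrapKey(priv *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, nil)
}

// RunExchange plays the whole flow and returns what Xiao Hong reads.
func RunExchange(message string) (string, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048) // Xiao Hong's pair; Key1 is the public half
	if err != nil {
		return "", err
	}
	key2, err := NewSessionKey() // Xiao Hui generates Key2
	if err != nil {
		return "", err
	}
	wrapped, err := WrapKey(&priv.PublicKey, key2) // sent instead of Key2 in the clear
	if err != nil {
		return "", err
	}
	serverKey2, err := UnwrapKey(priv, wrapped) // Xiao Hong recovers Key2
	if err != nil {
		return "", err
	}
	ct, err := SymEncrypt(key2, []byte(message)) // symmetric traffic from now on
	if err != nil {
		return "", err
	}
	pt, err := SymDecrypt(serverKey2, ct)
	return string(pt), err
}

func main() {
	out, err := RunExchange("hello Xiao Hong")
	fmt.Println(out, err)
}
```

Because the 2048-bit modulus is far larger than the 32-byte Key2, OAEP wrapping works directly; for the messages themselves only the symmetric cipher is used, which is also how TLS divides the work.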


What is the bad idea? Although the middleman does not know Xiao Hong's private key, once he has intercepted Xiao Hong's public key Key1 he can secretly swap it out: he generates another key pair of his own and sends his own public key Key3 to Xiao Hui.


Xiao Hui does not know the public key was secretly swapped and takes Key3 to be Xiao Hong's public key. So, following the earlier procedure, he encrypts the symmetric key Key2 he generated with Key3 and sends it to Xiao Hong.

This transmission is again intercepted by the middleman, who first undoes the Key3 encryption with his own private key to obtain Key2, then re-encrypts Key2 with the Key1 Xiao Hong originally sent, and forwards it on to Xiao Hong.


As a result, although the two parties' subsequent communication is symmetrically encrypted with Key2, the middleman already holds Key2 and can decrypt it with ease.


What is the solution, then? Encrypt the public key one more time? That would only lead into a chicken-and-egg dilemma with no end.

At this point we need to bring in a third party, an authoritative certificate authority (CA), to solve the problem.

What exactly is a certificate? A certificate contains the following information:


For ease of explanation, we have simplified things here and listed only some key fields. What these certificate fields are for will become clear once we look at the concrete communication flow.

The flow is as follows:

1. Xiao Hong, as the server, first sends her public key to the certificate authority and applies for a certificate.


2. The certificate authority also has its own key pair. The authority encrypts Key1 with its private key, and generates a certificate signature from information such as the server's web address; that signature is likewise encrypted with the authority's private key. Once the certificate is made, the authority sends it to the server, Xiao Hong.


3. When Xiao Hui requests communication with Xiao Hong, Xiao Hong no longer returns her public key directly; instead she returns the certificate she applied for to Xiao Hui.


4. After Xiao Hui receives the certificate, the first thing to do is verify that it is authentic. Note that all major browsers and operating systems maintain the names and public keys of all authoritative certificate authorities. So Xiao Hui only needs to know which authority issued the certificate to look up that authority's public key locally and decrypt the certificate signature.

Next, Xiao Hui generates a certificate signature himself using the same signing rule; if the two signatures match, the certificate is valid.

After the verification succeeds, Xiao Hui can safely use the authority's public key once more to decrypt the server Xiao Hong's public key Key1.


5. As before, Xiao Hui generates his own symmetric encryption key Key2, encrypts Key2 with the server's public key Key1, and sends it to Xiao Hong.


6. Finally, Xiao Hong uses her private key to undo the encryption and obtain the symmetric key Key2. From then on they communicate with symmetric encryption under Key2.
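The six steps above, as an added example in Go built on the standard library's crypto/x509 (this is not code from the original post). Two points are made precise here. First, a real authority does not literally "encrypt Key1 with its private key": it signs the whole certificate, that is, it hashes the certificate contents (Key1, the host name, validity period) and signs that hash with its private key, and the client checks the signature with the authority's public key from its local trust store, which is step 4. Second, the client also checks that the certificate was issued for the host name it meant to reach. The CA names, the host name xiaohong.example and the small must helper are constructed for this example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CA is an authority: its key pair plus the self-signed root certificate
// that browsers and operating systems keep in their local trust store.
type CA struct {
	Key  *rsa.PrivateKey
	Cert *x509.Certificate
}

// NewCA creates an authority (name is a constructed placeholder).
func NewCA(name string) (*CA, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &CA{Key: key, Cert: cert}, nil
}

// Issue is step 2: the CA binds Key1 to the server's host name and signs the
// certificate with its private key (hash-and-sign, the precise form of what the
// article calls "encrypting with the authority's private key").
func (ca *CA) Issue(host string, key1 *rsa.PublicKey) ([]byte, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	return x509.CreateCertificate(rand.Reader, tmpl, ca.Cert, key1, ca.Key)
}

// VerifyServerCert is step 4 on the client: check the signature with the locally
// stored authority keys and check the expected host name, then hand back Key1.
func VerifyServerCert(certDER []byte, host string, roots *x509.CertPool) (crypto.PublicKey, error) {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return nil, err
	}
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: host}); err != nil {
		return nil, fmt.Errorf("certificate rejected: %w", err)
	}
	return cert.PublicKey, nil
}

// must keeps the demo driver short: any setup error aborts the demo.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// Demo: a certificate from the trusted CA yields Xiao Hong's real Key1, while one
// for the same host name from an authority absent from the client's trust store
// (the middleman certifying his own Key3) is rejected, so the earlier swap fails.
func Demo() (genuineOK, substituteRejected bool) {
	const host = "xiaohong.example" // constructed placeholder host name
	trusted := must(NewCA("Example Root CA"))
	roots := x509.NewCertPool() // the client's local trust store
	roots.AddCert(trusted.Cert)
	server := must(rsa.GenerateKey(rand.Reader, 2048)) // Xiao Hong's pair, Key1 public
	key1 := must(VerifyServerCert(must(trusted.Issue(host, &server.PublicKey)), host, roots))
	rogue := must(NewCA("Unknown CA")) // the middleman's own pair, Key3
	_, err := VerifyServerCert(must(rogue.Issue(host, &rogue.Key.PublicKey)), host, roots)
	return server.PublicKey.Equal(key1), err != nil
}
```

Demo returns (true, true): the client recovers exactly the Key1 Xiao Hong registered, and the substituted certificate fails with "certificate signed by unknown authority". The host name check matters as much as the signature: a genuine certificate for some other site, presented for xiaohong.example, is rejected by the same Verify call.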


In this process, let's think: does the man in the middle still have any room to do harm?


Note: TLS, the current protocol, is an upgraded version of SSL 3.0; its general principle is the same as that of SSL.


Reprinted from the WeChat public account: Programmer Xiao Hui


Source: www.cnblogs.com/Yang-Sen/p/11388031.html