What I know about https

  We all have some understanding of http; after all, anyone who has used the Internet has touched it. http has one very obvious shortcoming: everything is transmitted in plaintext, which is very unsafe. To address this, https was introduced, that is, http + ssl/tls.

  Since plaintext is unsafe, the obvious answer is to encrypt. So how do we encrypt?

  The first method: symmetric encryption. When the client first connects, the server sends the client a key, and from then on both sides encrypt and decrypt with that key. The problem is that the key itself travels over the wire in the clear, so a middleman who intercepts it can read everything that follows, and the encryption is meaningless.

  The second method: add a layer of asymmetric encryption to protect the symmetric key. When the connection starts, the server sends the client its public key; the client generates a symmetric key, encrypts it with that public key, and the server decrypts it with its private key. After that both sides happily use the symmetric key. Is this safe? Still not. A middleman can intercept the server's public key in transit (call it A), generate his own key pair, and send his own public key (call it B) to the client. The client then encrypts the symmetric key with B; the middleman decrypts it with his private key, re-encrypts it with A, and forwards it to the server. The connection looks normal to both ends, but the middleman now has the symmetric key too. So this is not safe either.

  At this point we find that with only the client and the server involved, a secure connection cannot be established: the client has no way to tell whose public key it actually received. Hence the introduction of a trusted third party, what we usually call the certificate authority (CA).

  The certificate issued by the certificate authority contains the following:

    1. The name of the issuing certificate authority

    2. The server's domain name

    3. The server's public key (stored as-is, not encrypted)

    4. A signature: the CA hashes items 1 to 3 and "encrypts" that hash with the CA's private key

  Now let's look at the connection process after the certificate is introduced:

    1. The server submits its public key and domain name to the certificate authority, which issues it a certificate.

    2. The client initiates a connection to the server, and the server sends the certificate to the client.

    3. After receiving the certificate, the client first verifies that it is genuine. All major browsers and operating systems maintain a list (the trust store) of the names and public keys of recognised certificate authorities. So as long as the client knows which authority issued the certificate, it can use that authority's public key to "decrypt" the signature and recover the hash the CA signed. The client then hashes the certificate contents itself, following the same rules, and compares the two: if they match, and the domain name in the certificate is the one it meant to reach, it can safely use the public key in the certificate.

    4. Once verification succeeds, the client generates a symmetric key, encrypts it with the server's public key, and sends it back to the server.

    5. The server decrypts the symmetric key with its private key, and from then on both sides use the symmetric key to encrypt their traffic.

  Because the middleman cannot obtain the CA's private key, he cannot forge a certificate, and he cannot swap his own public key into a real one without breaking its signature, so the exchange is secure as long as the trust store contains only authorities that really are trustworthy and the client actually checks the domain name. That is the main idea of https: on top of http a security layer, ssl/tls, is added, and the verification process above happens in that layer. Strictly speaking, the flow above is the RSA key-transport handshake of older TLS versions; TLS 1.3 derives the session key with ephemeral Diffie-Hellman and uses the certificate's key to sign the handshake instead, but the role of the certificate is the same.
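  As an added example (this is not code from the original post), here is a toy Python model of both the unauthenticated exchange from the second method above, where the middleman swaps in his own public key, and the certificate-based exchange from the steps above, where the client checks the certificate against its trust store before trusting the public key. It uses textbook RSA with 64-bit primes and no padding purely to show the protocol logic, so it must not be used as real cryptography; the CA name ToyCA, the host example.com and the attack names swap_key and forge_issuer are assumptions made up for the demo.

```python
# Added example (not from the original post): a toy model of the two designs above,
# unauthenticated RSA key transport that a man-in-the-middle defeats by swapping public
# keys, and the same exchange guarded by a CA-signed certificate. Textbook RSA with
# 64-bit primes and no padding: protocol logic only, not usable as real cryptography.
import hashlib
import random
from dataclasses import dataclass, replace

def is_probable_prime(n, rng, rounds=16):  # Miller-Rabin; callers pass odd n >= 2**63
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_prime(bits, rng):
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1  # full width and odd
        if is_probable_prime(cand, rng):
            return cand

def rsa_keygen(rng, bits=64):  # returns ((n, e), (n, d)) with e = 65537
    e = 65537
    while True:
        p, q = gen_prime(bits, rng), gen_prime(bits, rng)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:  # e is prime, so this is gcd(e, phi) == 1
            return (p * q, e), (p * q, pow(e, -1, phi))

def rsa_encrypt(pub, m):  # the plaintext integer m must be smaller than n
    return pow(m, pub[1], pub[0])

def rsa_decrypt(priv, c):
    return pow(c, priv[1], priv[0])

def _digest(data, n):  # SHA-256 of the signed bytes, reduced into Z_n
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def rsa_sign(priv, data):  # the post's "encrypt the hash with the private key"
    return pow(_digest(data, priv[0]), priv[1], priv[0])

def rsa_verify(pub, data, sig):  # "decrypt" with the public key, compare hashes
    return pow(sig, pub[1], pub[0]) == _digest(data, pub[0])

@dataclass(frozen=True)
class Certificate:
    issuer: str     # 1. name of the issuing CA
    host: str       # 2. the server's domain name
    pubkey: tuple   # 3. the server's public key (n, e)
    signature: int  # 4. the CA's signature over fields 1-3
    def tbs(self):  # the to-be-signed bytes
        return f"{self.issuer}|{self.host}|{self.pubkey[0]}|{self.pubkey[1]}".encode()

def ca_issue(ca_priv, issuer, host, server_pub):
    unsigned = Certificate(issuer, host, server_pub, 0)
    return replace(unsigned, signature=rsa_sign(ca_priv, unsigned.tbs()))

def client_verify(cert, trust_store, expected_host):  # step 3 of the post
    ca_pub = trust_store.get(cert.issuer)             # issuer must be a known CA
    if ca_pub is None or cert.host != expected_host:  # and the cert must be for this host
        return False
    return rsa_verify(ca_pub, cert.tbs(), cert.signature)

def exchange_without_ca(seed):  # method 2: returns (client key, server key, MITM key)
    rng = random.Random(seed)
    server_pub, server_priv = rsa_keygen(rng)
    mitm_pub, mitm_priv = rsa_keygen(rng)
    # The server sends server_pub, but the MITM forwards mitm_pub to the client instead.
    session_key = rng.getrandbits(100)
    stolen = rsa_decrypt(mitm_priv, rsa_encrypt(mitm_pub, session_key))
    server_key = rsa_decrypt(server_priv, rsa_encrypt(server_pub, stolen))  # relayed
    return session_key, server_key, stolen

def exchange_with_ca(seed, attack=None):  # True = handshake done, None = client aborted
    rng = random.Random(seed)
    ca_pub, ca_priv = rsa_keygen(rng)
    trust_store = {"ToyCA": ca_pub}  # what the browser / OS ships with (made-up CA)
    server_pub, server_priv = rsa_keygen(rng)
    presented = ca_issue(ca_priv, "ToyCA", "example.com", server_pub)
    mitm_pub, mitm_priv = rsa_keygen(rng)
    if attack == "swap_key":        # paste own key into the real certificate
        presented = replace(presented, pubkey=mitm_pub)
    elif attack == "forge_issuer":  # sign own certificate while claiming to be ToyCA
        presented = ca_issue(mitm_priv, "ToyCA", "example.com", mitm_pub)
    if not client_verify(presented, trust_store, "example.com"):
        return None
    session_key = rng.getrandbits(100)
    server_key = rsa_decrypt(server_priv, rsa_encrypt(presented.pubkey, session_key))
    return session_key == server_key
```

  Calling exchange_without_ca(7) returns three identical keys: client, server and middleman all hold the session key, which is exactly the failure of the second method. exchange_with_ca(7) returns True, while exchange_with_ca(7, "swap_key") and exchange_with_ca(7, "forge_issuer") both return None, because changing any field of a real certificate invalidates the CA's signature and a signature made with the attacker's own key does not verify under the ToyCA public key in the trust store. The host check in client_verify is the one the post's "server URL" field exists for: without it a valid certificate for a different site would be accepted.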


Origin www.cnblogs.com/RookieSuperman/p/11879642.html