Soul-searching question 9: Why does HTTPS make data transmission more secure?

Before we talk about HTTPS, we have to contrast it with HTTP. HTTP transmits in plaintext, so at every hop of the transmission the data can be read or tampered with by a third party. Concretely, HTTP data goes through the TCP layer, then through the Wi-Fi router, the carrier's network and finally the target server; at any of these hops an intermediary can obtain and falsify the data. This is what we commonly call a man-in-the-middle attack.

To prevent this kind of attack, we have to introduce a new encryption scheme: HTTPS.

HTTPS is not a new protocol but an enhanced version of HTTP. The principle is that an intermediate layer is established between HTTP and TCP. Where HTTP and TCP previously talked to each other directly, they now communicate through this intermediate layer: data packets are encrypted before being handed down to TCP, and packets coming up from TCP must be decrypted before being passed to HTTP. This middle layer is also called the security layer (in practice, TLS), and it is the core of data encryption and decryption.

Next, let's analyze how HTTPS actually performs encryption and decryption.

Symmetric encryption and asymmetric encryption

Concepts

First we need to understand the concepts of symmetric encryption and asymmetric encryption, and then discuss what happens when each is applied.

Symmetric encryption is the simplest: encryption and decryption use the same key.

In asymmetric encryption there are two keys, A and B. A packet encrypted with A can only be decrypted with B, and conversely a packet encrypted with B can only be decrypted with A.

Encryption and decryption process

Now let's walk through how the browser and the server negotiate encryption and decryption.

First, the browser sends the server a random number client_random and a list of encryption methods (cipher suites) it supports.

The server receives them and returns another random number server_random together with the encryption method it has chosen.

Now both sides hold the same three things: client_random, server_random and the encryption method.

The encryption method then mixes the two random numbers to generate a key, which is the shared secret code (the session key) for browser-server communication.

The effect of their application

If only symmetric encryption is used, a third party sitting in the middle can capture client_random, server_random and the encryption method, all of which travel in the clear. Since it knows the encryption method, it can derive the very same key and decrypt the traffic. The man in the middle therefore reads the data without effort, and this scheme is trivially broken.

Since symmetric encryption alone is so vulnerable, let's try asymmetric encryption. In this scheme the server holds two keys: a public key, which anyone can obtain, and a private key, which only the server knows.

Now transmission begins.

The browser sends client_random and its list of encryption methods; the server receives them and sends back server_random, the chosen encryption method and its public key.

Now both sides hold the same client_random, server_random and encryption method. The browser then encrypts client_random and server_random with the public key and uses the result as the secret code for communicating with the server.

This time, because asymmetric encryption is used, data encrypted with the public key can only be decrypted with the private key. Even if the man in the middle captures what the browser sent, he does not have the private key and cannot decrypt it, so data flowing from the browser to the server is protected.

Is it necessarily safe, though? Sharp readers will have spotted the clue. Go back to the definition of asymmetric encryption: data encrypted with the public key can be decrypted with the private key, and data encrypted with the private key can likewise be decrypted with the public key!

Data sent by the server can only be encrypted with the private key (if the server used the public key, the browser could not decrypt it), so once the man in the middle obtains the public key he can decrypt everything the server transmits, and the scheme is broken in that direction. In addition, doing all the encryption with asymmetric operations is very expensive for the server, so this approach is not adopted either.

Combining symmetric and asymmetric encryption

We have seen that symmetric encryption and asymmetric encryption each carry a security risk when used alone. So can we combine the two to do better?

We can. Here is the whole process:

  1. The browser sends client_random and its list of encryption methods to the server.
  2. The server receives them and returns server_random, the chosen encryption method and its public key.
  3. The browser receives these, generates another random number pre_random, encrypts it with the public key and sends it to the server. (Knock on the blackboard: this is the key step!)
  4. The server decrypts the encrypted pre_random with its private key.

Now the browser and the server hold the same three things: client_random, server_random and pre_random. Both mix these three random numbers with the same encryption method to generate the final key.

From then on the browser and the server communicate with this shared key, that is, using symmetric encryption.

The final key is hard for the man in the middle to obtain. Why? Because he does not have the private key, he cannot recover pre_random, and without pre_random he cannot generate the final key.

Compared with using asymmetric encryption alone, what has this improved? Essentially it removes the leak caused by the server encrypting data with its private key. With asymmetric encryption alone, the biggest flaw is that the server can only send data to the browser encrypted with the private key, and that is the source of the danger. Using asymmetric encryption only to protect a secret chosen by the browser, and symmetric encryption for the data itself, avoids this and keeps the traffic safe.

Add digital certificates

Although combining the two kinds of encryption gives us good encrypted transmission, there is still a problem. If a hacker hijacks DNS, he can point the destination address at his own server and then generate his own public and private key pair, and the exchange above runs through exactly as before. The browser user has no way of knowing that he is talking to a malicious server.

For this reason HTTPS adds a digital certificate authentication step on top of the combined symmetric and asymmetric encryption. Its purpose is to let the server prove its identity.

Transmission process

To obtain this certificate, the server operator must apply to a third-party certification body, known as a CA (Certificate Authority). After verifying the applicant, the CA issues the server a digital certificate.

The digital certificate serves two purposes:

  1. It lets the server prove its identity to the browser.
  2. It delivers the server's public key to the browser.

When does this validation take place?

When the server sends server_random and the encryption method, it sends the digital certificate (which contains the public key) along with them. The browser starts verifying the certificate as soon as it receives it. If verification passes, the rest of the process continues as before; otherwise the connection is rejected.

Now let's sort out the final HTTPS encryption and decryption process: the browser sends client_random and its list of encryption methods; the server replies with server_random, the chosen encryption method and its digital certificate; the browser verifies the certificate and takes the public key from it, generates pre_random, encrypts it with that public key and sends it; the server decrypts pre_random with its private key; both sides derive the same key from the three random numbers and switch to symmetric encryption for the data.


Certificate verification process

How does the browser verify the certificate it has received?

First, it reads the plaintext contents of the certificate. When the CA signed the certificate it recorded the hash function it used; the browser computes that hash over the plaintext contents to obtain information A, then uses the CA's public key to decrypt the signature and obtain information B (strictly speaking, this is verifying the CA's signature). It compares the two; if they match, the certificate is legitimate.

Of course, the browser may not know whether this CA is trusted. In that case it looks for the CA one level up and verifies the lower CA's own certificate against the higher CA in the same way, repeating this up the chain. Root-level CAs are generally built into the operating system; if walking upward never reaches a trusted root CA, the certificate is considered illegitimate.

Summary

HTTPS is not a new protocol. It establishes a security layer between HTTP and TCP, combines symmetric and asymmetric encryption, and adds digital certificate authentication, which together greatly improve the security of the transmission process.


Source: www.cnblogs.com/guchengnan/p/12160718.html