When it comes to HTTPS, we have to talk about HTTP by way of contrast. HTTP's defining characteristic is that it is transmitted in the clear, so on every hop of the transmission the data can be read or tampered with by a third party. Concretely, HTTP data passes down through the TCP layer and then through Wi-Fi routers, the carrier's network and finally the target server; at any of these hops an intermediary can obtain and falsify the data. This is what we commonly call a man-in-the-middle attack.
To prevent this type of attack we are forced to introduce an encryption scheme on top of HTTP, namely HTTPS.
HTTPS is not a new protocol but an enhanced version of HTTP. The principle is that an intermediate layer is established between HTTP and TCP. Where HTTP and TCP previously talked to each other directly and unencrypted, they now talk through this intermediate layer: a packet is encrypted before it is handed down to TCP, and a packet coming up from TCP must be decrypted before it can be passed up to HTTP. This middle layer is also called the security layer (in practice it is TLS, formerly SSL, which is why HTTPS is often described as HTTP over TLS). The core of the security layer is the encryption and decryption of data.
So next we analyze how HTTPS actually does encryption and decryption.
Symmetric encryption and asymmetric encryption
Concept
First we need to understand the concepts of symmetric encryption and asymmetric encryption, and then discuss what happens when each is applied.
Symmetric encryption is the simplest: encryption and decryption use the same key.
In asymmetric encryption there are two keys, A and B. A packet encrypted with A can only be decrypted with B, and conversely a packet encrypted with B can only be decrypted with A.
Encryption and decryption process
Now let's talk about the process by which the browser and the server negotiate encryption and decryption.
First, the browser sends the server a random number client_random and a list of encryption methods it supports.
The server receives these and returns another random number server_random together with the encryption method it has chosen.
Now both sides hold the same three things: client_random, server_random and the encryption method.
The encryption method then mixes the two random numbers to generate a key, which is the shared secret the browser and the server use to communicate.
The effect of applying them
If only symmetric encryption is used in this way, a third party in the middle can obtain client_random, server_random and the encryption method. Since the encryption method derives the key from nothing but these public values, and the same key decrypts, the man in the middle can derive the key and decrypt the traffic successfully. Used alone, this scheme is easily cracked.
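As an added example (not code from the original post), the "symmetric only" negotiation above in Python. The only inputs to the key are the two nonces and the chosen method, all of which cross the wire in the clear, so an eavesdropper who recorded them derives the identical key and decrypts. HMAC-SHA256 as the mixing function and the SHA-256 keystream cipher are assumptions for the demo, not the page's algorithms.

```python
import hashlib
import hmac
import secrets

# Mixing function for the two nonces (an assumption for this demo):
# HMAC-SHA256 keyed with the method name, over client_random || server_random.
def derive_key(client_random: bytes, server_random: bytes, method: bytes) -> bytes:
    return hmac.new(method, client_random + server_random, hashlib.sha256).digest()

# Toy stream cipher standing in for "the encryption method" (demo only, not a real
# cipher): keystream block at byte offset i = SHA-256(key || i), XORed over the data.
def xor_stream(key: bytes, data: bytes) -> bytes:
    out = bytearray()
    for offset in range(0, len(data), 32):
        keystream = hashlib.sha256(key + offset.to_bytes(4, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], keystream))
    return bytes(out)

def symmetric_only_handshake(plaintext: bytes) -> dict:
    """Run the symmetric-only negotiation and show what a man in the middle recovers."""
    method = b"toy-stream"                   # chosen from the browser's list, in the clear
    client_random = secrets.token_bytes(32)  # sent in the clear
    server_random = secrets.token_bytes(32)  # sent in the clear
    # Both endpoints derive the same key from the same public inputs.
    browser_key = derive_key(client_random, server_random, method)
    server_key = derive_key(client_random, server_random, method)
    ciphertext = xor_stream(browser_key, plaintext)
    # The man in the middle saw all three inputs on the wire, so he derives the
    # identical key and simply decrypts.
    mitm_key = derive_key(client_random, server_random, method)
    return {
        "keys_equal": browser_key == server_key == mitm_key,
        "ciphertext": ciphertext,
        "mitm_plaintext": xor_stream(mitm_key, ciphertext),
    }

if __name__ == "__main__":
    result = symmetric_only_handshake(b"GET /account HTTP/1.1")
    print("all three keys equal:", result["keys_equal"])
    print("man in the middle reads:", result["mitm_plaintext"])
```

Nothing in this exchange is secret from someone who can see the wire, which is exactly why the nonces alone cannot be the whole story.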
Since symmetric encryption alone is so vulnerable, let's try asymmetric encryption. In this scheme the server holds two keys: a public key, which everyone can obtain, and a private key, which only the server knows.
Now let's start the transmission.
The browser sends over client_random and its list of encryption methods. The server receives them and sends back server_random, the chosen encryption method and its public key.
Now both sides have the same client_random, server_random and encryption method. The browser then encrypts client_random and server_random with the public key, producing the secret it will use to communicate with the server.
Because this is asymmetric encryption, data encrypted with the public key can only be decrypted with the private key. So even if a man in the middle intercepts the data the browser sends, he cannot decrypt it without the private key, and the browser-to-server direction is secure.
Is it necessarily safe, though? Sharp-eyed readers will have spotted the catch. Go back to the definition of asymmetric encryption: data encrypted with the public key can be decrypted with the private key, but data encrypted with the private key can be decrypted with the public key!
The server can only encrypt data with its private key (if it used the public key, the browser would not be able to decrypt it). So once the man in the middle obtains the public key, which is public by definition, he can decrypt everything the server sends, and the server-to-browser direction is cracked. In addition, using asymmetric encryption alone for all traffic is very expensive for the server, so this approach is not adopted either.
Combining symmetric and asymmetric encryption
As we have seen, symmetric encryption and asymmetric encryption each carry a security risk when used alone. Can we combine the two to make the scheme secure?
Indeed we can. Here is the entire process:
- The browser sends client_random and its list of encryption methods to the server.
- The server receives them and returns server_random, the chosen encryption method and its public key.
- The browser receives these, generates another random number pre_random, encrypts it with the public key and sends it to the server. (Knock on the blackboard! This is the key step!)
- The server decrypts the encrypted pre_random with its private key.
Now the browser and the server both hold the same three things: client_random, server_random and pre_random. Both mix these three random numbers with the same encryption method to generate the final key.
From then on the browser and the server communicate with that same key, that is, using symmetric encryption.
The final key is hard for a man in the middle to obtain. Why? Because the man in the middle does not have the private key, he cannot recover pre_random, and so cannot generate the final key.
Compared with using asymmetric encryption alone, what has this improved? Essentially it avoids ever having to encrypt data with the private key. The biggest flaw of asymmetric encryption on its own is that the server can only send data to the browser encrypted with its private key, which is the source of the danger. The combination of symmetric and asymmetric encryption removes that step and so keeps the exchange secure.
(This is the RSA key exchange of TLS up to version 1.2, where pre_random is the pre-master secret. TLS 1.3 dropped RSA key exchange in favour of ephemeral Diffie-Hellman, which keeps the same shape, a per-session secret mixed with the two randoms, but also protects past sessions if the server's private key later leaks.)
Adding digital certificates
Although combining the two kinds of encryption gives us a good encrypted transmission, there is still a problem. If a hacker hijacks DNS, he can substitute the address of his own server for the destination address, generate his own public and private keys, and carry out exactly the same exchange with the browser. From the user's point of view, nothing reveals that the server being accessed is a dangerous one.
In fact HTTPS, on top of the combination of symmetric and asymmetric encryption above, adds a digital certificate authentication step. Its purpose is to let the server prove its identity.
Transfer process
To obtain such a certificate, the server operator must apply to a trusted third-party organization, known as a CA (Certificate Authority), which issues the server a digital certificate after verifying it.
The digital certificate serves two purposes:
- It lets the server prove its identity to the browser.
- It delivers the server's public key to the browser.
When does this verification take place?
When the server sends server_random and the encryption method, it also sends the digital certificate (which contains its public key). After receiving it, the browser first verifies the certificate. If verification passes, the rest of the process continues as before; otherwise the connection is rejected.
Now let's put the final HTTPS encryption and decryption process together:
- The browser sends client_random and its list of encryption methods.
- The server returns server_random, the chosen encryption method and its digital certificate containing the public key.
- The browser verifies the certificate; if verification fails, the connection is rejected.
- The browser generates pre_random, encrypts it with the public key from the certificate and sends it to the server, which decrypts it with its private key.
- Both sides mix client_random, server_random and pre_random into the final key and switch to symmetric encryption.
Certification process
When the browser gets the digital certificate, how does it verify it?
First it reads the plaintext contents of the certificate. When the CA issued the certificate it hashed those contents and signed the hash with its private key. The browser computes the same hash function over the plaintext contents to obtain information A, then decrypts the signature with the CA's public key to obtain information B, and compares the two. If they match, the certificate is legitimate. (In practice the browser also checks that the certificate has not expired and that the name in it matches the host it is connecting to; otherwise anyone holding a valid certificate for some other site could present it here.)
Of course, the browser sometimes does not know whether the CA that issued the certificate is trusted, so it looks for that CA's own certificate from a higher-level CA and verifies its legitimacy in the same way, one level at a time. Root CAs are generally built into the operating system; if walking up the chain never reaches a built-in root CA, the certificate is considered illegitimate.
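Added example (not the original post's code, and a toy rather than real TLS) that ties together the combined exchange from the previous section and the certificate check just described. Textbook RSA over hard-coded Mersenne primes stands in for the server's and CA's key pairs, HMAC-SHA256 stands in for the mixing function, and a JSON object stands in for the certificate body; all of these are assumptions for the demo. hijacked_session plays the DNS-hijack scenario from the previous section: the attacker presents a self-issued certificate for the same host name, which the browser rejects because the signature does not verify under the built-in CA public key. eavesdropper_key shows that a recorded transcript without the real private key yields the wrong session key.

```python
import hashlib
import hmac
import json
import secrets

# --- Toy textbook RSA on integers (demo only: tiny fixed primes, no padding) ---
def make_keypair(p: int, q: int, e: int = 65537):
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))   # modular inverse, Python 3.8+
    return (n, e), (n, d)               # (public key, private key)

def rsa_apply(key, m: int) -> int:
    """Encrypt with a public key, or decrypt/sign with a private key."""
    n, exponent = key
    return pow(m, exponent, n)

def digest_int(data: bytes) -> int:
    # Truncated to 128 bits so the value stays below every toy modulus.
    return int.from_bytes(hashlib.sha256(data).digest()[:16], "big")

# Distinct key pairs built from known Mersenne primes (assumed demo parameters).
CA_KEYS = make_keypair(2**89 - 1, 2**107 - 1)
SERVER_KEYS = make_keypair(2**61 - 1, 2**127 - 1)
ATTACKER_KEYS = make_keypair(2**61 - 1, 2**107 - 1)

# --- Digital certificate: the CA signs the plaintext fields with its private key ---
def issue_certificate(ca_private, subject: str, subject_public) -> dict:
    body = {"subject": subject, "public_key": list(subject_public)}
    plaintext = json.dumps(body, sort_keys=True).encode()
    return {"body": body, "signature": rsa_apply(ca_private, digest_int(plaintext))}

def verify_certificate(cert: dict, trusted_ca_public, host: str) -> bool:
    """Browser side: hash the plaintext (information A), decrypt the signature with
    the trusted CA public key (information B), and require them to match."""
    plaintext = json.dumps(cert["body"], sort_keys=True).encode()
    info_a = digest_int(plaintext)
    info_b = rsa_apply(trusted_ca_public, cert["signature"])
    # The name check is an addition to the page's description: it stops a valid
    # certificate for some other site from being presented for this host.
    return info_a == info_b and cert["body"]["subject"] == host

# --- Key exchange: pre_random travels under the server's public key ---
def mix(client_random: bytes, server_random: bytes, pre_random: bytes) -> bytes:
    return hmac.new(pre_random, client_random + server_random, hashlib.sha256).digest()

def handshake(server_cert, server_private, trusted_ca_public, host: str):
    """Return (browser_key, server_key, transcript visible to an eavesdropper)."""
    client_random = secrets.token_bytes(32)      # in the clear
    server_random = secrets.token_bytes(32)      # in the clear, sent with the cert
    if not verify_certificate(server_cert, trusted_ca_public, host):
        raise ValueError("certificate rejected")
    server_public = tuple(server_cert["body"]["public_key"])
    pre_random = secrets.token_bytes(16)         # the secret that matters
    encrypted_pre = rsa_apply(server_public, int.from_bytes(pre_random, "big"))
    # Only the holder of the private key recovers pre_random.
    server_pre = rsa_apply(server_private, encrypted_pre).to_bytes(16, "big")
    browser_key = mix(client_random, server_random, pre_random)
    server_key = mix(client_random, server_random, server_pre)
    return browser_key, server_key, (client_random, server_random, encrypted_pre)

def eavesdropper_key(transcript, wrong_private) -> bytes:
    """Best effort without the real private key: the 'decryption' is garbage."""
    client_random, server_random, encrypted_pre = transcript
    guess = rsa_apply(wrong_private, encrypted_pre) % (1 << 128)
    return mix(client_random, server_random, guess.to_bytes(16, "big"))

def legitimate_session() -> dict:
    ca_public, ca_private = CA_KEYS
    server_public, server_private = SERVER_KEYS
    cert = issue_certificate(ca_private, "example.com", server_public)
    browser_key, server_key, transcript = handshake(cert, server_private, ca_public, "example.com")
    return {"browser": browser_key, "server": server_key,
            "eavesdropper": eavesdropper_key(transcript, ATTACKER_KEYS[1])}

def hijacked_session() -> str:
    """DNS hijack: the attacker answers for example.com with a self-issued cert."""
    ca_public, _ = CA_KEYS
    attacker_public, attacker_private = ATTACKER_KEYS
    fake_cert = issue_certificate(attacker_private, "example.com", attacker_public)
    try:
        handshake(fake_cert, attacker_private, ca_public, "example.com")
        return "accepted"
    except ValueError:
        return "rejected"

if __name__ == "__main__":
    keys = legitimate_session()
    print("browser and server keys match:", keys["browser"] == keys["server"])
    print("eavesdropper got the key:", keys["eavesdropper"] == keys["browser"])
    print("hijacked session:", hijacked_session())
```

The toy leaves out what real TLS adds around this skeleton (padding, a proper signature scheme, certificate chains to a root, expiry and name rules), but the two decisions it makes are the ones the page is about: the browser trusts a public key only after the signature over the certificate checks out against a CA it already trusts, and the session key depends on a value that never crosses the wire in the clear.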
Summary
HTTPS is not a new protocol. It establishes a security layer between HTTP and TCP that combines symmetric encryption, asymmetric encryption and digital certificate authentication, which greatly improves the security of the transmission.