You have to know HTTPS!!!

HTTP review: You have to know the HTTP protocol!!!

We know that HTTP requests are transmitted in the clear, where "in the clear" means the information is not encrypted. If an HTTP request is intercepted by an attacker and it contains sensitive data such as a bank card password, that is very dangerous. To solve this problem, Netscape developed the HTTPS protocol. HTTPS encrypts the data it transmits, so even if an attacker intercepts the data in transit it cannot be read, which secures network communication.

I. Foundations of Cryptography

  1. Plaintext: plaintext is the original data, before any encryption.

  2. Ciphertext: after the plaintext is encrypted by some encryption algorithm it becomes ciphertext, which protects the original data. The ciphertext can be decrypted to recover the original plaintext.

  3. Key: a key is a parameter, the input to the algorithm that converts plaintext into ciphertext or ciphertext back into plaintext. Keys are divided into symmetric keys and asymmetric keys, used in symmetric encryption and asymmetric encryption respectively.

    3.1 Symmetric encryption
    Symmetric encryption is also called private-key encryption: the sender and the receiver use the same key to encrypt and decrypt the data. The algorithm is public, and encryption and decryption are fast, so symmetric encryption suits large amounts of data. Common symmetric algorithms are DES, 3DES, TDEA, Blowfish, RC5 and IDEA.
    The encryption process is: plaintext + encryption algorithm + private key => ciphertext
    The decryption process is: ciphertext + decryption algorithm + private key => plaintext
    The key used in symmetric encryption is called the private key; "private" means it is held in secret by its owner, i.e. the key must not be leaked.
    Encryption and decryption use the same private key, which is why this kind of encryption is called "symmetric". Since the algorithm is public, once the private key leaks the ciphertext is easily cracked, so the drawback of symmetric encryption is that managing the key securely is difficult.

    3.2 Asymmetric encryption
    Asymmetric encryption is also called public-key encryption. Compared with symmetric encryption it is more secure: in symmetric encryption both parties use the same key, and if either party leaks it the whole communication can be cracked. Asymmetric encryption instead uses a pair of keys, a public key and a private key, which belong together. The private key is kept by its owner and never disclosed; the public key is public, and anyone can obtain it. Whatever is encrypted with one key of the pair can only be decrypted with the other.
    Ciphertext encrypted with the public key can only be decrypted with the private key:
    plaintext + encryption algorithm + public key => ciphertext, ciphertext + decryption algorithm + private key => plaintext
    Ciphertext encrypted with the private key can only be decrypted with the public key:
    plaintext + encryption algorithm + private key => ciphertext, ciphertext + decryption algorithm + public key => plaintext
    Because encryption and decryption use two different keys, this kind of encryption is called "asymmetric".
    The disadvantage of asymmetric encryption is that encryption and decryption take a long time; it is slow, so it suits only small amounts of data.
    The main asymmetric algorithms are RSA, ElGamal, Rabin, DH, ECC (elliptic curve cryptography) and the like.

II. HTTPS communication process

  1. HTTPS
    HTTPS = HTTP + SSL/TLS. During HTTPS data transmission the data is encrypted and decrypted with SSL/TLS, and the encrypted data is carried over HTTP, so HTTPS can be seen as HTTP and SSL/TLS working together.

  2. SSL
    SSL stands for Secure Sockets Layer, a security protocol that provides confidentiality and data integrity for network communication. SSL was invented by Netscape in 1994 and was later supported by the various browsers; its latest version is 3.0.

  3. TLS
    TLS stands for Transport Layer Security. The latest version of TLS is a protocol developed by the IETF (Internet Engineering Task Force); it is built on the SSL 3.0 specification and is the successor to SSL 3.0. There are significant differences between TLS and SSL 3.0, mainly in the encryption algorithms supported, so SSL 3.0 cannot interoperate with TLS. Although the algorithms differ, for the purpose of understanding how HTTPS works we can treat SSL and TLS as the same protocol.

  4. For both security and efficiency, HTTPS uses symmetric and asymmetric encryption together. The data itself is transmitted under symmetric encryption; the symmetric key is generated by the client, and to deliver that key to the server securely it is encrypted with asymmetric encryption. In short: the data is encrypted symmetrically, and the symmetric key is encrypted asymmetrically for transmission.

  5. An HTTPS transfer involves three keys:
    the server's public key and private key, used for asymmetric encryption
    a randomly generated client key, used for symmetric encryption

  6. One HTTPS request actually contains two HTTP transmissions and can be divided into 8 steps.
    1. The client sends an HTTPS request to the server, connecting to the server's port 443.
    2. The server has a key pair, a public key and a private key, used for asymmetric encryption. The server keeps the private key, which must not be leaked; the public key can be given to anyone.
    3. The server sends its public key to the client.
    4. After the client receives the server's public key, it checks the key to verify its legitimacy; if a problem is found with the key, the HTTPS transfer cannot continue. Strictly speaking, what the client verifies is the legitimacy of the digital certificate sent by the server; how the client verifies the digital certificate will be explained later. If the key passes, the client generates a random value to be used as the symmetric encryption key. We call it the client key so that it is easy to distinguish from the server-side keys. The client then encrypts the client key with the server's public key (asymmetric encryption), turning it into ciphertext. At this point the first HTTP request in HTTPS ends.
    5. The client initiates the second HTTP request to the server, sending the encrypted client key to the server.
    6. After the server receives the ciphertext from the client, it decrypts it asymmetrically with its own private key, obtaining the plaintext client key. It then uses the client key to encrypt the data symmetrically, so the data becomes ciphertext.
    7. The server sends the encrypted ciphertext to the client.
    8. The client receives the ciphertext sent by the server and decrypts it symmetrically with its client key, obtaining the data the server sent. The second HTTP request ends, and the whole HTTPS transfer is complete.
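The following is an added example, not code from the original post: a toy model of the hybrid scheme from sections 3.1 and 3.2 and of the 8 steps above, written in Python with the standard library only. Textbook RSA on the tiny primes 61 and 53 stands in for the server's asymmetric key pair, a SHA-256 keystream XOR stands in for the symmetric cipher, and a pinned key fingerprint stands in for the certificate check of step 4; all three are assumptions made for illustration and none of them is secure for real use.

```python
import hashlib
import secrets

# Toy primitives for illustration only: textbook RSA on tiny primes and a
# SHA-256 XOR keystream. Neither is safe outside this demonstration.


def rsa_keygen(p: int, q: int, e: int = 17):
    """Return (public, private) keys as (exponent, modulus) pairs."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # modular inverse of e (Python 3.8+)
    return (e, n), (d, n)


def rsa_transform(key, blocks):
    """Raise every block to the key's exponent modulo n (encrypt or decrypt)."""
    exp, n = key
    return [pow(b, exp, n) for b in blocks]


def rsa_encrypt(key, data: bytes):
    # One byte per block keeps each value below the tiny modulus n = 3233.
    return rsa_transform(key, list(data))


def rsa_decrypt(key, blocks):
    # Either key of the pair undoes what the other key did (section 3.2).
    return bytes(rsa_transform(key, blocks))


def _keystream(key: bytes, length: int) -> bytes:
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def sym_crypt(key: bytes, data: bytes) -> bytes:
    """Symmetric: the same call with the same key both encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))


def key_fingerprint(pub) -> str:
    e, n = pub
    return hashlib.sha256(f"{e}:{n}".encode()).hexdigest()


def client_verify_server_key(pub, trusted_fingerprint: str) -> None:
    """Stand-in for step 4's certificate check: a pinned fingerprint (assumption)."""
    if key_fingerprint(pub) != trusted_fingerprint:
        raise ValueError("server public key failed verification; aborting HTTPS")


def run_handshake(server_pub, server_priv, trusted_fingerprint: str,
                  response: bytes, client_key: bytes = None) -> dict:
    """Walk through the 8 steps; the server never sees the client key in clear."""
    # Steps 1-3: client connects, server owns a key pair and sends the public key.
    # Step 4: client verifies the key, then draws a random symmetric client key
    # and encrypts it with the server's public key (asymmetric).
    client_verify_server_key(server_pub, trusted_fingerprint)
    if client_key is None:
        client_key = secrets.token_bytes(16)
    encrypted_client_key = rsa_encrypt(server_pub, client_key)
    # Step 5: the second request carries only the encrypted client key.
    # Step 6: server recovers the client key with its private key and encrypts
    # the response data symmetrically with it.
    recovered_key = rsa_decrypt(server_priv, encrypted_client_key)
    ciphertext = sym_crypt(recovered_key, response)
    # Steps 7-8: client decrypts the ciphertext with the client key it generated.
    plaintext = sym_crypt(client_key, ciphertext)
    return {
        "key_recovered": recovered_key == client_key,
        "ciphertext": ciphertext,
        "plaintext": plaintext,
    }


if __name__ == "__main__":
    pub, priv = rsa_keygen(61, 53)
    # Constructed sample response; the fingerprint is what the client trusts.
    result = run_handshake(pub, priv, key_fingerprint(pub), b"account balance: 42.00")
    print(result)
```

The slow asymmetric operation is applied only to the 16-byte client key, while the response of any length goes through the fast symmetric cipher, which is exactly the trade-off section 4 describes; if the fingerprint check in step 4 fails, `run_handshake` raises before any key material is sent.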


Origin: blog.csdn.net/qq_44837912/article/details/104718032