Small knowledge, big challenge! This article is participating in the “Essential Tips for Programmers” creation activity.

Today's learning: a review of a common topic, HTTP and HTTPS. When a term is unclear, writing it out leaves a deeper impression.

HTTP

HyperText Transfer Protocol (HTTP) is a standard for network communication. There are many different protocols in the computer and networking worlds, such as routing protocols, broadcast protocols and so on.

HTTP is a transfer protocol: data travels from A to B or from B to A, and there may be many third parties between A and B. What is transmitted is not the computer's low-level binary packets but complete data with a definite meaning, such as image files, HTML files and other hypertext, which the upper-layer application can interpret.

In practice, HTTP is often used to send messages between Web browsers and Web servers in plain text, without providing any form of encryption. Its common features are as follows:

  • Supports the client/server model;
  • Simple and fast: when a client requests a service from the server, it only needs to send the request method and path. Because the HTTP protocol is simple, the HTTP server program is small, so communication is fast;
  • Flexible: HTTP allows the transfer of any type of data object. The type being transferred is marked by Content-Type;
  • Connectionless: only one request is processed per connection. The server disconnects after processing the request and receiving the client's acknowledgement, which saves transmission time;
  • Stateless: the HTTP protocol cannot process a request based on previous state.

HTTPS

HTTPS is designed to address the insecure features of HTTP; that is, HTTPS = HTTP + SSL/TLS. An SSL certificate is used to verify the identity of the server and to encrypt the communication between the browser and the server.

Secure Sockets Layer (SSL) and its successor Transport Layer Security (TLS) are security protocols that provide confidentiality and data integrity for network communications.

The SSL protocol sits between TCP/IP and the various application-layer protocols. When an SSL connection is established, the browser and the server must agree on a set of encryption algorithms to achieve secure communication and protect the data they exchange.

Process:

  • First, the client accesses the server through a URL to establish an SSL connection
  • On receiving the client's request, the server sends the client a copy of the website's certificate information (including the public key)
  • The client and the server negotiate the security level of the SSL connection, that is, the level of encryption
  • The client's browser generates a session key according to the agreed security level, encrypts the session key with the website’s public key and sends it to the website
  • The server decrypts the session key using its own private key
  • The server uses the session key to encrypt its communication with the client

Differences between HTTP and HTTPS

  • HTTPS is the secure version of HTTP. HTTP data is transmitted in plain text, which is insecure; HTTPS uses SSL/TLS to encrypt the data, making it more secure
  • HTTP and HTTPS use different connection modes and different default ports: HTTP uses 80 and HTTPS uses 443
  • HTTPS performs worse than HTTP because it involves encryption and multiple handshakes
  • HTTPS requires an SSL certificate; certificates cost money, and stronger certificates cost more

SSL encryption methods

The encryption methods used by SSL include:

  • Symmetric encryption: encrypts data with the negotiated key
  • Asymmetric encryption: implements identity authentication and key negotiation
  • Digest algorithm: verifies the integrity of information
  • Digital signature: authentication

Symmetric encryption

In symmetric encryption, encryption and decryption use the same secret key; that is what “symmetric” means. As long as the secret key stays secure, the communication stays confidential.

Asymmetric encryption

In asymmetric encryption there are two keys, one called the public key and one called the private key. The two keys are different. The public key can be used by anyone, while the private key must be kept secret.

Both the public key and the private key can be used for encryption and decryption. However, what is encrypted with the public key can only be decrypted with the private key, and vice versa.

Hybrid encryption

In HTTPS communication, hybrid encryption combines symmetric and asymmetric encryption. The party sending the ciphertext uses the other party’s public key to encrypt the symmetric key, and the other party uses its private key to decrypt the symmetric key.

In this way, once the exchanged key is known to be secure, the two parties can communicate using symmetric encryption.

Digest algorithm

What really makes this secure is mainly the digest algorithm, usually called a hash function.

It can be understood as a special compression algorithm that “compresses” data of arbitrary length into a fixed-length, unique “digest” string, as if generating a digital “fingerprint” for the data.

The algorithm ensures that the digest is equivalent to the original text. Therefore, as long as we attach a digest to the original text, we can ensure the integrity of the data.

Digital signature

A digital signature confirms that a message was actually signed and sent by the sender, because no one else can imitate the sender’s signature.

The principle is simple: encrypt with the private key, decrypt with the public key.

The signature is as public as the public key, and anyone can obtain it, but the signature can only be unlocked with the public key that corresponds to the private key. After recovering the digest, the receiver can verify the integrity of the original text; it is like signing a document to prove that the message was really sent by you.

As with the message itself, since anyone can publish a public key, we still lack a means of preventing hackers from forging one; that is, how do we tell whether a public key is really yours?

This requires a third party: a certificate authority.

A digital certificate authority is a third-party organization that both the client and the server can trust.

The CA’s signature on a public key covers the serial number, purpose, issuer, validity period and so on. These are packaged together and signed, attesting to all the information associated with the public key and forming a “digital certificate”.

The operator of the server submits its public key to a digital certificate authority for certification:

  • After verifying the applicant’s identity, the digital certificate authority digitally signs the submitted public key
  • The signed public key is then bound together with the signature in a public key certificate
  • The server sends the digital certificate issued by the digital certificate authority to the client in order to communicate using asymmetric encryption

The client that receives the certificate can use the public key of the digital certificate authority to verify the digital signature on the certificate. Once verification succeeds, it proves that:

  • The authority that certified the server’s public key is a real and valid digital certificate authority
  • The server’s public key is trusted
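The issuance and verification steps above, and the signature check of the digital signature section, as an added Go example (not the article's own code): a root CA signs a certificate that binds the server's public key to its host name, serial number and validity period, and the client validates that signature with the CA's public key from its trusted root pool and checks the name. The CA name and host name are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// template packages the fields the text lists: serial number, name, validity period and purpose (key usage).
func template(serial int64, cn string, usage x509.KeyUsage) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              usage,
		BasicConstraintsValid: true,
		IsCA:                  usage&x509.KeyUsageCertSign != 0, // only a CA's key may sign certificates
	}
}

// newCA creates the trusted third party: a root certificate signed with its own key (constructed name).
func newCA() (*x509.Certificate, ed25519.PrivateKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil { return nil, nil, err }
	tmpl := template(1, "Example Root CA", x509.KeyUsageCertSign)
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil { return nil, nil, err }
	cert, err := x509.ParseCertificate(der)
	return cert, priv, err
}

// issueCertificate is the CA signing the applicant's public key bound to its host name; the DER bytes are the certificate the server presents.
func issueCertificate(caCert *x509.Certificate, caKey ed25519.PrivateKey, serverPub ed25519.PublicKey, host string) ([]byte, error) {
	tmpl := template(2, host, x509.KeyUsageDigitalSignature)
	tmpl.DNSNames = []string{host}
	return x509.CreateCertificate(rand.Reader, tmpl, caCert, serverPub, caKey)
}

// clientVerify is the browser's check: the CA public key in the trusted root pool must validate the signature, and the certificate must name the host being visited.
func clientVerify(serverDER []byte, root *x509.Certificate, host string) error {
	cert, err := x509.ParseCertificate(serverDER)
	if err != nil { return err }
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err = cert.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err
}
```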

Conclusion

It can be seen that although HTTPS differs from HTTP only by the SSL layer, communication security is greatly improved, and the four requirements of secure communication are met as follows:

  • Confidentiality: hybrid encryption
  • Integrity: digest algorithm
  • Authentication: digital signature
  • Non-repudiation: digital signature

At the same time, a third-party certificate authority is introduced to guarantee the security of the public key.
