Summary of the HTTPS

Why HTTPS?

Because HTTP is not secure.

  1. confidentiality, HTTP is used during communicationclear, which makes the communication process likely to be eavesdropped. The most common way to prevent eavesdropping is through encryption. The encryption mode is as follows:
    • Communication encryption: THERE is no encryption mechanism in HTTP protocol. SSL or TSL can be used for encryption.
    • Content encryption: Encrypts the communication content. The contents contained in packets are encrypted.
  2. Integrity: The HTTP protocol cannot verify the integrity of packets. Therefore, data may be subjected to man-in-the-middle attacks during transmission and packets may be tampered with.
  3. Identity authentication: THE HTTP protocol does not confirm the identity of the request and reply parties, so the identity may be disguised. SSL for HTTPS provides not only the encryption service, but also a certificate to determine the communication party. Certificates are created by a trusted third party, and it is extremely difficult to forge certificates. Therefore, as long as the certificate held by the communicating party can be confirmed, the identity of the other party can be confirmed.

What is HTTPS?

The HTTPS port number is 443, and the HTTP port number is 80. Except for this, everything is completely HTTP. So how does HTTPS make it secure? The way to do it is in this “S”. The underlying protocol of HTTPS is SSL/TLS. In other words, HTTPS is HTTP with SSL shell, that is, HTTP+ encryption + authentication + integrity protection =HTTPS.

What is the SSL/TLS

As we know from the previous question, HTTPS itself has nothing to do with itself, it is all supported by SSL/TLS, so what is the origin of SSL/TLS?

SSL isSecure jointTLS is a very good secure communication protocol. When it came to VERSION V3, the Intranet Engineering group renamed it TLSTransport layer securityAt present, the most widely used version is 1.2. In addition to HTTP, SSL/TLS also accepts other application protocols, such as FTP=>FTPS.

How does HTTPS address these three risks?

Through mixed encryption, the confidentiality of information is guaranteed

There are two types of encryption: symmetric encryption and asymmetric encryption. Symmetric encryption is encrypted in the form of a shared key. That is, the key must be sent to the other party. However, how to forward the key on the Internet? If the bugged key falls into the hands of an attacker, the encryption becomes meaningless. Asymmetric encryption uses a pair of asymmetric keys, one called the private key and one called the public key. As the name implies, a private key cannot be made known to anyone, and a public key is available to anyone. The sender uses the public key to encrypt the packet. After receiving the packet, the sender uses the private key to decrypt the packet. In this way, the attacker does not need to eavesdrop on the packet and steal the key. Because asymmetric encryption is based on the operation of large numbers, so the speed is slow, and there is a disadvantage is the same strength of encryption, asymmetric encryption needs more bits. So HTTPS takes advantage of both and combines the two for communication. Asymmetric encryption is used in the key exchange phase, and symmetric encryption is used in the communication packet exchange phase.

Abstract Algorithms are used to achieve integrity

Algorithms are commonly known as hash functions and hash functions, which can generate unique fingerprints for data to verify the integrity of data. Before the client sends data through the fingerprint algorithm to calculate the clear, when sending the clear + fingerprint encryption, together sent to the server, the server receives after decryption, in with the same digest algorithms have received clear fingerprints, compared with the fingerprint of carried in the message, if the same fingerprint, then to be complete.

Putting the server public key in the digital certificate solves the risk of impersonation

As mentioned above, encryption can ensure the confidentiality of messages. In this process, there is a problem of public key trust. How to ensure that the public key is not modified? To solve the above problems, you can use the public key authentication certificate issued by the digital certificate Authority, that is, CA authentication. As long as the certificate is trusted, the public key is trusted.

The process of establishing HTTPS links

In THE HTTP protocol, a request packet is sent immediately after the connection is established, but HTTPS requires another “handshake” process, i.eThe TLS handshake. The TLS handshake process is shown in the figure below:TLS completes the handshake process through two round trips (four messages). Let’s analyze the process of shaking hands with the above picture:

  1. Browser sendClient HelloThe message is as follows:
    • SSL/TLS version supported by the client, for example, TLS1.2
    • Supported cipher suites, such as ECDHE
    • The random number C generated by the client is used to generate subsequent session keys
  2. After receiving the Hello message from the Client, the server sends itServer Hello
    • True SSL/TLS protocol version. If the browser does not support it, disable encrypted communication
    • Confirm the list of cipher suites and select the most appropriate encryption algorithm, such as ECDHE
    • The random number S generated by the server is used to generate subsequent session keys
    • The server sends the certificate to the client to prove its identity
  3. The Client responds, Client Key Exchange. After receiving the message from the server, the client uses the CA public key in the browser or system to verify the authenticity of the digital certificate. If the certificate is valid, the client extracts the server certificate from the digital certificateThe public keyIs used to encrypt packets.
    • A random number that is encrypted by the public key of the server mentioned above to prevent hackers from cracking it. This random number plus the other two random numbers generated above will each generate the encrypted session master key using the convention encryption algorithm in the session.
    • Encrypted communication algorithm change notification, subsequent information will be encrypted with the session key communication
    • Finished message: Indicates the end notification. Take a summary of all the data that was sent and encrypt it, and have the server verify it
  4. The server’s final response.
    • Encrypted communication algorithm change notification
    • Finished message: Indicates the end notification. Make a summary of all the data sent and encrypt it, and let the client verify it

Q&A

Q: Why do you need a certificate?

A: Prevent “man-in-the-middle” attacks and identify both parties in A conversation

Q: Can I still get caught using HTTPS?

A: Packets can be captured, but no clear text can be seen after being captured and cannot be tampered with

Q: What is the HTTPS encryption process?

A: The client requests and verifies the public key from the server. The public key is used to encrypt the random number generated during the TLS handshake to generate A session key. The two parties use the session key for encrypted communication.

Q: How does the client verify the validity of the certificate during the HTTPS handshake

A: A digital certificate includes the serial number, purpose, issuer, valid time, and public key. If the information is simply sent to the browser, the middleman can easily change the public key to his own. The solution is to use A digital signature. Generate a digest of the certificate information, encrypt the digest with the CA private key, and generate a digital signature. The server sends the digital certificate to the browser along with the digital signature. Because of the digital signature, the digital certificate cannot be modified by the middle man (the modification would cause the digest to change and the digital signature to be undeniable). The browser takes the digital certificate and verifies its credibility against a “certificate chain.”

Q: This section describes HTTPS man-in-the-middle attack

A: Intercept tampered data during transmission. CA certificates can solve the problem of man-in-the-middle attacks