HTTPS principle

reference

Why HTTPS

  • What problem does HTTPS solve

  1. Because HTTP is not secure, due to the nature of HTTP plaintext transmission, in the process of HTTP transmission, anyone can intercept, modify or forge the request sent.

  2. The identity of the communication party is not verified during HTTP transmission, so the two sides of the HTTP message exchange may be masqueraded, that is, there is no user authentication.

  3. During HTTP transmission, the receiver and sender do not verify packet integrity

  • What is the HTTPS

In HTTPS, communication protocols are encrypted using transport Layer Security (TLS) or secure Sockets Layer (SSL). That is HTTP + SSL(TLS) = HTTPS.

  • What does HTTPS do

Encryption. HTTPS encrypts data to protect it from eavesdroppers. This means that when a user is browsing a website, no one can listen in on the information exchanged between the user and the website, or track the user’s activities, access history, etc., to steal user information.

Data integrity: Data will not be modified by eavesdropping during transmission. The Data sent by the user will be completely transmitted to the server to ensure that the server receives what the user sends.

Authentication, which means confirming the true identity of the other party, or proving that you are you (can be likened to face recognition), prevents man-in-the-middle attacks and builds user trust.

HTTPS TLS encryption algorithm

Symmetric encryption algorithm

Encryption and decryption use the same key.

  1. The browser sends a random number to the serverclient-randomAnd a list of supported encryption methods
  2. The server returns another random number to the browserserver-randomAnd mutually supported encryption methods
  3. Then the encryption method is used to mix the two random numbers to generate the key, which is the key of encryption and decryption for communication

The problem is how to safely transfer two random numbers and encryption methods, directly to the client, that process is likely to be stolen, others can successfully decrypt to get the data.

Asymmetric encryption algorithm

It is a pair of keys. There are public and private keys. Data encrypted by one key can only be decrypted by the other key.

TLS actually uses a hybrid encryption of the two algorithms. Asymmetric encryption algorithms are used to exchange keys of symmetric encryption algorithms. After the exchange, symmetric encryption is used to encrypt and decrypt data. This ensures the confidentiality of the session.

The algorithm

It is used to ensure the integrity of information. The common MD5 algorithm, hash function and hash function all belong to this kind of algorithm, which is characterized by unidirectional and cannot be backward deduced from the original text

How to ensure that data is not tampered with? Signing Principles and Certificates?

Digital Certificate (Digital Signature)

Digital certificates need to be licensed to a server from an authoritative certification authority (CA). First, the server and CA each have a pair of keys (public and private), and then how to generate the digital certificate?

  • CA organization approvalThe algorithmGenerates the server public keyAbstract(Hash abstract)
  • CA organization approvalThe CA private keyAnd specific signature algorithmsencryptionAbstract, generateThe signature
  • theThe signature,Server Public KeyAnd so on.Add digital certificatesAnd returns it to the server

Certificate Verification Process

  • useThe CA’s public keyAnd the statement ofSignature algorithmThe signature in the CA is executeddecryptionTo get the server public keyIn this paper, the content
  • Then useThe algorithmGenerate a summary of the server’s public key in the certificate and combine this summary with the summary obtained in the previous stepcontrastIf the certificate is valid, the public key in it is also correct; otherwise, the certificate is invalid

Advantages and disadvantages the HTTPS

advantages

  • The content is encrypted and the original content cannot be viewed in the middle
  • Identity authentication to ensure correct user access. For example, if you visit Baidu, even if the DNS is hijacked to a third-party site, users will be reminded that they have not accessed Baidu services and may be hijacked
  • Data integrity, preventing content from being impersonated or tampered with by third parties
  • Although not absolutely secure, it is the most secure solution under the current architecture, greatly increasing the cost of man-in-the-middle attacks

disadvantages

  • The more powerful the certificate, the more expensive it is
  • The certificate must be bound to an IP address. Multiple domain names cannot be bound to the same IP address
  • HTTPS encryption and decryption consumes more server resources
  • HTTPS handshake takes more time and slows down user access speed