Preface 🍊

We use HTTP every day, but its massive use also brings many security risks. HTTPS came into being to address them, and with it we began to see SSL/TLS. Front-end developers are generally less familiar with this area; I have been studying it recently, so this post shares what I learned as an introduction.

Background 🍊

The difference between HTTP and HTTPS

Before we get to HTTPS, let’s take a look at some of the drawbacks of HTTP:

  • Communication is in plaintext, so content can be eavesdropped on and manipulated at will
  • The identities of the communicating parties are not verified, so a party may be impersonated
  • The integrity of a packet cannot be proved, so its content may be tampered with

To address these shortcomings, HTTPS has the following features:

  • TLS/SSL: content encryption
  • Digital certificates (CA): identity verification, guarding against man-in-the-middle attacks
  • Hash-value methods such as MD5 and SHA-1: prevent information tampering

HTTPS performs worse than HTTP because SSL/TLS adds several handshake steps plus encryption and decryption processing, but that processing can already be accelerated by special hardware.

What is SSL/TLS?

SSL (Secure Sockets Layer) and its successor TLS (Transport Layer Security) are security protocols that provide security and data integrity for network communication. TLS and SSL encrypt network connections at the transport layer. To protect sensitive data in transit, many well-known enterprises around the world adopt SSL encryption. As data security grows in importance, more and more websites are moving to HTTPS.

The secure channel provided by SSL has the following features:

  • Confidentiality: the SSL protocol uses keys to encrypt communication data.
  • Reliability: both the server and the client are authenticated, and authentication of the client is optional.
  • Integrity: the SSL protocol checks the integrity of the transmitted data.

In a nutshell, SSL/TLS is a protocol that combines various cryptographic algorithms, digital signature algorithms, and digital certificates to ensure communication security. With SSL/TLS, the communicating parties perform a handshake before establishing a connection to negotiate the session key that is later used to encrypt and decrypt the communication data. Encryption algorithms fall into two broad categories:

  1. Symmetric encryption algorithm

Encryption and decryption use the same key. Encryption and decryption are fast and efficient; the disadvantage is that key management is difficult: once the key is leaked in transit, the encryption is useless.

  2. Asymmetric encryption algorithm

Encryption and decryption use a public key and a private key. The public key is transmitted, and the private key is kept by its owner. Security is high, but encryption and decryption are slow.

The concept of public and private keys

The private key is stored on the server, is used to decrypt data encrypted with the public key, and is not transmitted over the Internet. The public key is a string that is available to anyone on the Internet and is used to encrypt our character information. When the encrypted data is sent to the server, it can only be recovered by decrypting it with the server's private key.

The public key and private key are mainly used for one transfer during the handshake, and what is actually transmitted in that transfer is an encrypted string. With that encrypted string the client and server can establish secure data transmission; data between the client and server is then transmitted under the master secret key, so the encrypted data in transit is secure.

In addition, it is extremely difficult to recover the original message from the ciphertext and the public key.

SSL certificate

SSL certificates are digital certificates, similar to electronic copies of driving licenses, passports and business licenses. They are also known as SSL server certificates because they are configured on the server.

An SSL certificate is issued by a trusted digital certificate authority (CA) after authenticating the identity of the server in compliance with the SSL protocol. It has the functions of authenticating the server and encrypting data transmission.

Main text 🍊

Diagram of SSL/TLS

Before the formal analysis, let me first introduce Ruan Yifeng's "Diagram of SSL/TLS protocol" to help you quickly understand the basic concepts. John translated the dialogue into Chinese.

The handshake phase is divided into five steps:

  1. In the first step, Alice gives the protocol version number, a random number generated by the client (Client random), and the encryption methods supported by the client.
  2. In the second step, Bob confirms the encryption method used by both parties and gives the digital certificate and a server-generated random number (Server random).
  3. In the third step, Alice verifies that the digital certificate is valid, generates a new random number (Premaster secret), encrypts it with the public key in the digital certificate, and sends it to Bob.
  4. In the fourth step, Bob uses his private key to obtain the random number sent by Alice (i.e. the Premaster secret).
  5. In the fifth step, Alice and Bob use the three random numbers, according to the agreed encryption method, to generate the "dialogue key" (session key) that encrypts the rest of the conversation.

Comprehensive analysis

Wireshark: HTTPS handshake

  1. The client generates a random number and sends it to the server, together with all the encryption suites the client supports.
  2. The server receives this random number and stores it. The server then generates a random number of its own and sends it to the client together with the server certificate, which is the public key we talked about earlier.
  3. After the client gets the random number from the server, it stores it as well. It then generates a new random number, so there are three random numbers in total, encrypts it with the public key passed to it by the server to form the pre-master key, and transmits it to the server. The middleman cannot read this step, because the value is encrypted with the public key and only the server's private key can decrypt it.
  4. Once that data reaches the server, the server decrypts it with the private key and gets the pre-master key, which is the random string we have been talking about.
  5. Finally, the server selects one of the encryption suites supported by the client, and both sides, using that same encryption suite, run an algorithm over the three random numbers to generate a master secret key. Because the last random number is known only to the client and the server and the middleman cannot get it, the middleman has no way to crack the master secret key they generate. All later data is encrypted with the master key; because the master key is the same on both sides, each side can decrypt what the other encrypted. Since the middleman has no way of knowing the master key, he has no way of decrypting the data, so the data transfer becomes secure.

  1. The client sends a random number and the encryption suites it supports.
  2. The server sends a random number and its certificate (public key), and returns the encryption suite it considers the most reasonable.
  3. The client generates a random number, encrypts it with the public key to form the pre-master key, and sends it to the server.
  4. The server uses its private key to decrypt the pre-master key.
  5. Both sides, using the agreed encryption suite, run an algorithm over these three random numbers to generate the master secret key used to encrypt and decrypt the transmitted data.

The following uses Wireshark to capture packets and analyze the HTTPS handshake process.

  1. The client sends a Client Hello to the server

In it, random is a generated random number, and cipher suites lists all the encryption suites supported on the client side. The server will then choose the one it thinks is best and return it to the client, and that encryption suite is eventually used in the process of generating the master key.

  2. The server returns a Server Hello to the client

Here the server also sends a random number (random), and it picks one of the cipher suites, that is, it returns the one of the more than 10 offered that the server considers the most reasonable.

  3. The server returns a Certificate to the client

The server also sends a message in which it passes its certificate, that is, the public key, to the client.

  4. The client sends Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message to the server

After the client gets the certificate, it sends the last, encrypted random number. We can see that the Encrypted Handshake Message data cannot be displayed. It is encrypted data (the pre-master key), and the server needs to decrypt it with the private key to get something really useful.
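The random and cipher suites fields described in the Client Hello and Server Hello steps can be read straight out of the record bytes. The following is an added example, not code from the original article: it builds a constructed, minimal TLS 1.2 ClientHello without extensions, parses the two fields, and applies a hypothetical server preference list to choose the suite.

```python
import struct

def build_client_hello(random32, suites):
    """Constructed sample: minimal TLS 1.2 ClientHello record, no extensions."""
    body = b"\x03\x03" + random32 + b"\x00"        # version, random, empty session id
    body += struct.pack("!H", 2 * len(suites))
    body += b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                             # one compression method: null
    hs = b"\x01" + len(body).to_bytes(3, "big") + body   # handshake type 1
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def parse_client_hello(record):
    """Return the version, random and cipher_suites fields Wireshark displays."""
    if len(record) < 5:
        raise ValueError("truncated record header")
    ctype, _ver, rec_len = struct.unpack("!BHH", record[:5])
    hs = record[5:]
    if ctype != 0x16 or rec_len != len(hs):
        raise ValueError("not a complete handshake record")
    if len(hs) < 39 or hs[0] != 0x01 or int.from_bytes(hs[1:4], "big") != len(hs) - 4:
        raise ValueError("not a ClientHello")
    version = struct.unpack("!H", hs[4:6])[0]
    random32 = hs[6:38]
    pos = 39 + hs[38]                               # skip the session id
    if pos + 2 > len(hs):
        raise ValueError("truncated session id")
    cs_len = struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2
    if cs_len % 2 or pos + cs_len > len(hs):
        raise ValueError("bad cipher_suites length")
    suites = [struct.unpack("!H", hs[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    return {"version": version, "random": random32, "cipher_suites": suites}

def server_select(offered, server_preference):
    """Pick the server's most-preferred suite that the client also offered."""
    for suite in server_preference:
        if suite in offered:
            return suite
    return None   # no overlap: the handshake fails

# Constructed input. IANA code points: 0x002F TLS_RSA_WITH_AES_128_CBC_SHA,
# 0x009C TLS_RSA_WITH_AES_128_GCM_SHA256, 0xC02F TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
SAMPLE = build_client_hello(bytes(range(32)), [0x002F, 0x009C, 0xC02F])
HELLO = parse_client_hello(SAMPLE)
CHOSEN = server_select(HELLO["cipher_suites"], [0xC02F, 0x009C])  # hypothetical policy

if __name__ == "__main__":
    print([hex(s) for s in HELLO["cipher_suites"]], "->", hex(CHOSEN))
```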

Conclusion: this is the HTTPS handshake. The last piece of data is encrypted, which keeps the content of the whole transmission safe: the key generated at the end is known to both sides, but the middleman can neither obtain nor parse it, and this is what ensures that the data transmission is truly secure.

According to the process: both sides exchange Random1 and Random2. The client generates Random3 as the pre-master secret and sends it to the server encrypted with the signed, reliable public key. Both sides then take Random1, Random2 and Random3 and each run the algorithm to generate the master secret. Here, only Random3 is guaranteed not to be known by a third party, so why do the public Random1 and Random2 need to exist? Why not just generate the master secret and send it? I looked it up. It's forward security. Random parameters are added so that even if all keys are now leaked, the history messages cannot be cracked. Reference links: "How to understand forward security?", "The difference between perfect Forward Secrecy?"
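The "algorithm" that turns Random1, Random2 and Random3 into the master secret can be made concrete. The following is an added example, not code from the original article: it assumes TLS 1.2 with the SHA-256 PRF defined in RFC 5246 and an AES-128-GCM suite (the article names neither), and the random values are constructed. It shows that both sides derive the same keys and that a different server random yields a different master secret even when Random1 and Random3 are reused.

```python
import hashlib
import hmac

def p_sha256(secret, seed, length):
    """P_hash from RFC 5246 section 5, instantiated with HMAC-SHA256."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()       # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]

def master_secret(pre_master, client_random, server_random):
    """48-byte master secret: PRF(pre_master, "master secret", Random1 + Random2)."""
    return p_sha256(pre_master, b"master secret" + client_random + server_random, 48)

def key_block(master, client_random, server_random):
    """Session keys for an AES-128-GCM suite: two 16-byte keys, two 4-byte IVs."""
    kb = p_sha256(master, b"key expansion" + server_random + client_random, 40)
    return {"client_write_key": kb[0:16], "server_write_key": kb[16:32],
            "client_write_iv": kb[32:36], "server_write_iv": kb[36:40]}

# Constructed values (a real handshake draws them from a CSPRNG).
RANDOM1 = b"\x11" * 32                 # client random, sent in the clear
RANDOM2 = b"\x22" * 32                 # server random, sent in the clear
RANDOM3 = b"\x03\x03" + b"\x33" * 46   # pre-master secret, RSA-encrypted on the wire

def run_handshake(server_random=RANDOM2):
    """Each side derives independently; only RANDOM3 had to stay secret."""
    client = master_secret(RANDOM3, RANDOM1, server_random)
    server = master_secret(RANDOM3, RANDOM1, server_random)
    return client, server, key_block(client, RANDOM1, server_random)

def replay_yields_new_keys():
    """Reuse Random1 and Random3 against a fresh server random."""
    original, _, _ = run_handshake()
    replayed, _, _ = run_handshake(server_random=b"\x44" * 32)
    return original != replayed

if __name__ == "__main__":
    c, s, keys = run_handshake()
    print("both sides agree:", c == s, "| master secret:", c.hex())
    print("fresh server random changes the keys:", replay_yields_new_keys())
```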

References:

HTTP protocol principle + practice Web development engineers must learn

Diagram of SSL/TLS protocol