Today we are going to dig deeper into HTTP. This article covers HTTPS, and I believe you will have a working understanding of HTTPS after reading it.


HTTPS

HTTPS (Hypertext Transfer Protocol over Secure Socket Layer) is an HTTP channel designed for security. It builds on HTTP and protects the transmission by encrypting the traffic and authenticating the endpoints [1]. HTTPS adds SSL to HTTP, so the security of HTTPS rests on SSL, and SSL takes care of the encryption details. HTTPS uses a different default port from HTTP and inserts an encryption/authentication layer between HTTP and TCP. The system provides authentication and encrypted communication, and it is widely used for security-sensitive communication on the World Wide Web, such as transactions and payments (source: Baidu Encyclopedia).

Why HTTPS?

HTTP requests are sent in plaintext, so it is easy for criminals to use packet-capture tools to read the information we send across the network. Imagine the risk if we were paying for something and our card PIN travelled across the network in clear text. To solve this problem, Netscape developed the HTTPS protocol, which encrypts the data and transmits it as ciphertext that cannot be read even if an attacker intercepts it in transit, so network communication stays secure.

To understand why HTTPS is secure, we first need the concepts of plaintext, ciphertext, keys, encryption algorithms, digest algorithms, digital signatures, and digital certificates.

Plaintext: the raw data before it has been encrypted.

Ciphertext: what the plaintext becomes after an encryption algorithm has processed it, so that the original data is protected. Ciphertext can be decrypted to recover the original plaintext.

Key: a parameter fed into the algorithm that converts plaintext to ciphertext or ciphertext to plaintext. Keys are classified into symmetric keys and asymmetric keys, used for symmetric encryption and asymmetric encryption respectively.

Encryption algorithms

Symmetric key cryptosystem

In symmetric key cryptography, the encryption key and the decryption key are the same key. One disadvantage of symmetric encryption is that the sender and receiver must already share that key before they can talk, which is itself a security problem: the two parties first have to negotiate a secret key.

The encryption process is: plaintext + encryption algorithm + private key => ciphertext

The decryption process is: ciphertext + decryption algorithm + private key => plaintext

The key used in symmetric encryption is called a private key: a secret that must not be leaked. The same private key is used for both encryption and decryption, which is why the scheme is called “symmetric”. Because the symmetric encryption algorithm itself is public, the ciphertext is easy to crack once the private key leaks. The weakness of symmetric encryption is therefore key management: both parties must know the key, yet the key cannot simply be sent over the network. That is a problem again.

Public key cryptosystem (asymmetric encryption): RSA

Public key cryptography (asymmetric encryption) uses different keys for encryption and decryption. Public key cryptosystems emerged for two main reasons: the key distribution problem of symmetric key cryptosystems, and the need for digital signatures. (For the RSA algorithm itself, search Baidu; it is not described here.)

In public key cryptography (asymmetric encryption), the two parties do not need to negotiate a secret key. Instead there is a pair of keys: one is kept secret and called the private key; the other is published and called the public key.

In a public key cryptosystem (asymmetric encryption), the encryption key is public, the decryption key (private key) is confidential, and the encryption and decryption algorithms themselves are also public.

Encryption and decryption in a public key cryptosystem (asymmetric encryption) have the following characteristics:

Data encrypted with the private key can be decrypted only by the corresponding public key. Data encrypted with a public key can be decrypted only by the corresponding private key.

A key pair generator produces a pair of keys for receiver B: the encryption key PK and the decryption key SK. Sender A uses B’s public key PK as the encryption key to encrypt the message, and B uses the decryption key SK to decrypt the message on receipt.

With a symmetric key, the two parties can carry out one-to-one, bidirectional communication on the channel, because they share the same key and both can use it for encryption and decryption.

With a public key, the channel can be many-to-one and one-directional: any number of people can hold B’s public key and encrypt to B, but only B can decrypt.

The digest algorithm

The main characteristics of a digest algorithm are that the process needs no key and that its output cannot be decrypted back to the input. At present only the CRC32 algorithm can be reversed. In other words, a digest algorithm turns a message into a message digest through a hash function, and only the same plaintext passed through the same digest algorithm yields the same digest.


A digital signature

An encryption system can also be used to sign packets, showing who wrote a packet and proving that it has not been tampered with. This technique is called a digital signature.

A digital signature is a special encryption check code attached to a packet. The benefits of using a digital signature include:

The signature proves that the author produced the packet: only the author holds the secret private key, so only the author can compute these checksums. The signature also prevents the packet from being tampered with: if the packet is modified in transit, the checksum no longer matches the packet. Digital signatures are usually generated with asymmetric public key techniques.

Images from the Internet

As shown in the figure above, anyone can use A’s public key PK to perform the E operation on the ciphertext and recover the plaintext sent by A. The purpose of this exchange is not confidentiality but signature verification: it confirms that the message was sent by user A, because only A’s public key can decrypt what was encrypted with A’s private key. However, this process only signs the packet; it does not keep packet X itself secret. The following method therefore achieves secret communication and a digital signature at the same time.

Images from the Internet
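The digest and signature steps described above, as an added example that is not part of the original post: user A hashes a constructed packet with SHA-256 and signs the digest with an RSA private key (PKCS#1 v1.5 is assumed here), and the receiver recomputes the digest and checks it with only A's public key. The demo also shows the two failures a verifier must catch: a packet altered in transit and a signature checked against the wrong person's public key.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Sign is user A's side: hash the packet with the digest algorithm (SHA-256),
// then encrypt that digest with A's private key. RSA PKCS#1 v1.5 is assumed.
func Sign(privA *rsa.PrivateKey, packet []byte) ([]byte, error) {
	digest := sha256.Sum256(packet)
	return rsa.SignPKCS1v15(rand.Reader, privA, crypto.SHA256, digest[:])
}

// Verify is the receiver's side: recompute the digest of the packet as received
// and check it against the signature using only A's public key.
func Verify(pubA *rsa.PublicKey, packet, sig []byte) bool {
	digest := sha256.Sum256(packet)
	return rsa.VerifyPKCS1v15(pubA, crypto.SHA256, digest[:], sig) == nil
}

// Demo signs a constructed packet as A and returns three verdicts: the packet
// as sent, the same packet altered in transit, and the packet checked against
// someone else's public key.
func Demo() (genuine, tampered, wrongSigner bool, err error) {
	privA, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return
	}
	privOther, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return
	}
	packet := []byte("pay 100 to account 42") // constructed sample packet X
	sig, err := Sign(privA, packet)
	if err != nil {
		return
	}
	altered := []byte("pay 900 to account 42") // one digit changed in transit
	return Verify(&privA.PublicKey, packet, sig),
		Verify(&privA.PublicKey, altered, sig),
		Verify(&privOther.PublicKey, packet, sig), nil
}

func main() {
	fmt.Println(Demo()) // true false false <nil>
}
```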

The digital certificate

If you want to access a website, how do you make sure that the public key handed to you really is the public key of the site you want, and not one swapped in by a man in the middle?

Digital certificates, issued by a digital Certificate Authority (CA) to prove the identity of a public key’s owner, are designed to solve this problem. In other words, a digital certificate acts like a person’s ID card, proving that John is John and not someone else.

A digital certificate generally contains the following contents:

The name of the subject (person, server, organization, etc.); the expiration time; the issuer of the certificate (who vouches for it); the issuer’s digital signature; the subject’s public key; and descriptive information about the signature algorithm used.

Anyone can create a digital certificate, but who vouches for it is what matters. A digital certificate issued by a certification authority (CA), or by a sub-CA of that CA, establishes the link between an identity and the public/private key pair owned by the holder of that identity. The root certificate is the basis on which the certification authority establishes a trust relationship with users. Digital certificates must be downloaded and installed before users can use them.

How the digital signature of a digital certificate is computed:

A digest algorithm computes a digest of the certificate’s content, and that digest is encrypted with the private key of the certificate’s issuer to obtain the digital signature.

Images from the Internet

When the browser receives the certificate, it validates the signing authority. If the issuer is a well-known public signing authority, the browser probably already has its public key (browsers come with many signing-authority certificates preinstalled). If the browser knows nothing about the issuer, it usually shows the user a dialog asking whether to trust that issuer.

Because the public key that verifies the certificate is public, anyone can use it to decrypt the digital signature on the certificate, then compute a digest of the certificate’s content with the same algorithm and compare the two. If they match, the certificate has not been tampered with and can be trusted.

This process rests on the public key of a recognized certificate authority, so it is a secure way to check the certificate.

Verify the signature
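The browser-side check described above, as an added example that is not the post's own code: a constructed root CA signs a certificate for the constructed host "shop.example", and Go's x509 verifier then plays the browser, checking the CA's signature against the roots it already holds, the validity period and the site name. The empty-pool case is the "browser has never heard of the issuer" situation from the text.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// must stops the demo on an unexpected error; every input here is fixed.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// BrowserTrusts is the article's check: the CA signature on the server's
// certificate must verify with a root the browser holds, and the name must match.
func BrowserTrusts(roots *x509.CertPool, server *x509.Certificate, host string) bool {
	_, err := server.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err == nil
}

// Demo has a constructed root CA issue a certificate for the constructed host
// "shop.example" and reports: accepted by a browser that holds the CA, by one that never heard of it, for a different site name.
func Demo() (known, unknown, wrongName bool) {
	caKey := must(rsa.GenerateKey(rand.Reader, 2048))
	siteKey := must(rsa.GenerateKey(rand.Reader, 2048))
	caTmpl := &x509.Certificate{ // the CA's own, self-signed root certificate
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Root CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	siteTmpl := &x509.Certificate{ // name, validity and (below) public key of the site
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "shop.example"},
		DNSNames: []string{"shop.example"}, // the name the browser matches
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
	}
	// the CA signs its own certificate, then signs the site's with its private key
	ca := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))))
	site := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, siteTmpl, ca, &siteKey.PublicKey, caKey))))
	roots := x509.NewCertPool() // the browser's preinstalled authorities
	roots.AddCert(ca)
	return BrowserTrusts(roots, site, "shop.example"),
		BrowserTrusts(x509.NewCertPool(), site, "shop.example"),
		BrowserTrusts(roots, site, "other.example")
}
```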

HTTPS request process

An HTTPS request actually involves two HTTP transfers, which can be broken down into eight steps.

1. The client sends an HTTPS request to the server, connecting to port 443 on the server.

2. The server holds a key pair, a public key and a private key, used for asymmetric encryption. The server keeps the private key and must not disclose it.

3. The server sends its public key to the client (carried in its digital certificate).

4. After receiving the certificate from the server, the client checks it to verify its validity. If the certificate is faulty, the HTTPS transfer cannot continue. Strictly speaking, what the client verifies is the validity of the digital certificate sent by the server, in the way described above. If the public key checks out, the client generates a random value, which is the key used for symmetric encryption; it is called the client key here to keep it distinct from the server key. The client then encrypts the client key with the server’s public key (asymmetric encryption), so the client key becomes ciphertext, and the first HTTP request in HTTPS ends.

5. The client initiates the second HTTP request in HTTPS and sends the encrypted client key to the server.

6. After receiving the ciphertext from the client, the server decrypts it with its own private key (asymmetric decryption). The plaintext is the client key, and the server now uses the client key to encrypt the data symmetrically.

7. The server sends the encrypted ciphertext to the client.

8. The client receives the ciphertext sent by the server and decrypts it symmetrically using the client key to obtain the data sent by the server. This completes the second HTTP request in HTTPS and completes the entire HTTPS transfer.
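The eight steps above, together with the earlier symmetric/asymmetric discussion, played out end to end, as an added example that is not the post's own code. It models the article's simplified description, not a real TLS handshake (current TLS versions negotiate keys differently): the client key is wrapped with RSA-OAEP under the server's public key, and the response is then protected with AES-256-GCM under that key, both assumed choices here.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// channel builds the AES-256-GCM cipher either side derives from the 32-byte client key.
func channel(clientKey []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(clientKey)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Exchange runs the article's steps 2 to 8 on a constructed server response and returns what the client reads.
func Exchange() (string, error) {
	serverKey, err := rsa.GenerateKey(rand.Reader, 2048) // step 2: server key pair
	if err != nil {
		return "", err
	}
	clientKey := make([]byte, 32) // step 4: random client key for symmetric use
	rand.Read(clientKey)
	// step 3 gave the client the public key; step 5 sends the wrapped client key
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, &serverKey.PublicKey, clientKey, nil)
	if err != nil {
		return "", err
	}
	// step 6: only the holder of the private key can unwrap the client key
	recovered, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, serverKey, wrapped, nil)
	if err != nil {
		return "", err
	}
	server, err := channel(recovered)
	if err != nil {
		return "", err
	}
	client, _ := channel(clientKey) // same key, so the same cipher as the server
	// step 7: the server encrypts symmetrically, sending the nonce ahead of the data
	nonce := make([]byte, server.NonceSize())
	rand.Read(nonce)
	sealed := server.Seal(nonce, nonce, []byte("HTTP/1.1 200 OK\r\n\r\nhello"), nil)
	// step 8: the client decrypts; GCM also rejects any byte changed in transit
	data, err := client.Open(nil, sealed[:client.NonceSize()], sealed[client.NonceSize():], nil)
	return string(data), err
}
```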

That’s HTTPS. If you like it, please follow me; I’ll keep writing.

Reference: “Code farmers turn over”

Reference: Rookie Tutorial