This article is a thorough understanding of HTTPS encryption mechanism of text and text version, the original text is longer, combined with this article take effect better

HTTP is transmitted in plaintext, as shown

In the transmission process, the data will pass through various intermediate nodes. In the transmission process, the data is easily exposed and may be tampered with. Since there is no verification mechanism, the two parties will not be aware of it, which is called man-in-the-middle attack. If A bank transfer that should have been made to account A was tampered with to account B, the consequences would be severe.

Symmetric encryption

How to solve it? Encryption! When it’s encrypted, middlemen can’t read my data, so they can’t change it. The simplest is symmetric encryption. What is symmetric encryption? The same algorithm is used to encrypt and decrypt data. For example

The key to the safe is a symmetric encryption key, so even if a middleman hijacks the safe, he can’t destroy the data inside.

The problem is that keys are essentially data and can be tampered with during transmission. How can the client and server securely exchange keys?

Asymmetric encryption

Asymmetric encryption is the equivalent of having two keys, public and private, in pairs. Data encrypted with a public key can only be decrypted with the corresponding private key, and vice versa. The private key is stored on the server, the public key is sent to the client, the client encrypts the data with the public key to the server, and the server decrypts the data with the private key.

This ensures the security of server-to-client data. What about client-to-server? Plus a pair of public and private keys?

The problem with this is that asymmetric encryption algorithms are very time-consuming. The larger the encrypted data is, the longer it takes, while symmetric encryption is fast. So, can asymmetric encryption be used to solve the problems of symmetric encryption?

Symmetric encryption + asymmetric encryption

Asymmetric encryption algorithm is used to solve the secure transmission of symmetric encryption key, and the subsequent transmission of data can only be symmetric encryption, so that asymmetric encryption and decryption only need 1 time respectively. How do you do that?

  1. The client initiates a request to the server, and the server returns the public key M to the client
  2. The client randomly generates key X, encrypts key X with the server’s public key M and sends it to the server
  3. The server gets the encrypted key X and decrypts the plaintext of key X with the server private key M
  4. With key X, all data is then encrypted and decrypted with key X


Key X is encrypted by the server public key during transmission. Only the server private key can be decrypted, so it is secure.

Is it really safe? Also not necessarily

Man-in-the-middle attack

In step 1, you cannot determine whether the received public key has been tampered with or replaced. The following problems may occur:

Middlemen have a public key N & private key N, he seized the server to the client’s public key M, replace their own public key N, client to public N encryption key X, back to the server process was hijacked and decrypting middleman, middleman thus got the key X, subsequent data transfer between the two sides for the middleman, so clear. Here’s how to solve the problem:

In real life, the id card issued by the government can prove a person’s identity. In the computer world, there is also a certificate-issuing agency similar to the government, which is called Certificate Authority (CA for short). CA issues a digital Certificate to each user who uses a public key, and the digital Certificate can prove the validity of the public key.

The digital certificate

Can the digital certificate itself be tampered with? Learn about digital certificate generation:

  1. The CA uses hash functions on the data and public key of the website to obtain the digest, and encrypts the digest with the CA’s private keyA digital signature
  2. CA combines the site’s information and public key as wellA digital signaturePlus the certificate validity period, generatedThe digital certificate

If the digital signature is tampered with, the digital signature cannot be decrypted by CA’s public key. Assume that the public key of the digital certificate is tampered with, use the same hash function to obtain hash value A for the public key of the digital certificate and the website information, and decrypt the digital signature with the CA public key to obtain hash value B. Compare A and B. If the public key is different, it indicates that the public key is tampered with

conclusion

That’s how HTTPS works, and if you can answer the following questions, you have a pretty good idea:

  • Why use symmetric + asymmetric encryption?
  • Why is it neededThe digital certificate?
  • Why is it neededA digital signature?