Protocol introduction

  • HTTPS is HTTP content transmitted over an encrypted channel provided by the Transport Layer Security (TLS) protocol

How it works

  • The basic idea is to use public key encryption, that is, the client first asks the server for the public key, and then encrypts the information with the public key. After receiving the ciphertext, the server decrypts it with its own private key
  • Handshake stage
    • The client requests and verifies the public key from the server
    • Both parties negotiate to generate the “session key”
  • Communication stage
    • The two sides use the “session key” to encrypt communication

The TLS handshake

  • The client sends a ClientHello message to the server containing its TLS version, the encryption algorithms and compression algorithms it supports, and a random number generated by the client (later used to generate the “session key”)

  • The server returns a ServerHello message to the client containing the TLS version on the server side, the random number generated by the server (later used to generate the “session key”), the encryption and compression algorithms chosen by the server, and the server's public certificate, issued by a Certificate Authority (CA), which contains the public key. The client uses this public key to encrypt the subsequent handshake until a new symmetric key is negotiated. The certificate also includes the Common Name (CN), the domain name the certificate is issued for, which the client uses to authenticate the server's identity

  • The client authenticates the certificate on the server based on its trusted CA list. If trusted, the client generates a string of pseudo-random numbers and encrypts it using the server’s public key. This random number is used to generate a new symmetric key

  • The server uses its own private key to decrypt the random numbers mentioned above, and then uses this string of random numbers to generate its own symmetric master key

  • The client sends a Finished message to the server, in which a hash value of the communication so far is encrypted with the symmetric key

  • The server generates its own hash value and decrypts the message sent by the client to check if the two values match. If so, a Finished message is sent to the client, which is encrypted using the negotiated symmetric key

The TLS communication

  • From now on, the entire TLS session is encrypted using a symmetric secret key to transmit application layer (HTTP) content

TLS Certificate Mechanism

  • An important step in HTTPS is that the server needs to have a certificate issued by the CA. The client authenticates the server based on its trusted CA list. In modern browsers, the process of certificate verification depends on the certificate trust chain
  • The so-called certificate trust chain means that a certificate relies on the upper-level certificate to prove its credibility. The top-level certificate is called the root certificate, and the authority that owns the root certificate is called the root CA
  • Take Github as an example. In the browser, we can see its certificate trust chain as follows:
DigiCert High Assurance EV Root CA -> DigiCert SHA2 Extended Validation Server CA -> Github.com
From top to bottom: Root CA -> Level 2 CA -> website
  • As mentioned earlier, the Common Name (CN) is included in the certificate. The browser verifies the CN as well as the certificate. So not only do you need to verify that this is a legitimate certificate, but you also need to verify that this is a certificate for Github.com
  • Using curl, you can also choose your own certificate to trust. Authoritative trust ultimately falls to a single point of trust, whether it is Root CA, or Microsoft, Apple, Google and other operating system manufacturers
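The name check described above, as an added example that is not code from the original article. It goes slightly beyond the CN case in the text by also reading subjectAltName DNS entries, which current clients consult in preference to CN. The certificate dicts are constructed and shaped like the output of Python's ssl.SSLSocket.getpeercert(); the function names are hypothetical.

```python
def name_matches(pattern: str, host: str) -> bool:
    """Match one certificate DNS name against the requested hostname.

    "*" is accepted only as the whole left-most label and stands for
    exactly one label, so "*.example.test" matches "www.example.test"
    but not "example.test" or "a.b.example.test".
    """
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def cert_names(cert: dict) -> list:
    """DNS names a certificate is valid for (getpeercert()-style dict)."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans  # when SAN entries exist, CN is not consulted
    return [v for rdn in cert.get("subject", ()) for k, v in rdn
            if k == "commonName"]


def hostname_ok(cert: dict, host: str) -> bool:
    """True only if the certificate was issued for this hostname."""
    return any(name_matches(n, host) for n in cert_names(cert))


# Constructed certificates: these are not real certificate contents.
SITE_CERT = {
    "subject": ((("commonName", "github.com"),),),
    "subjectAltName": (("DNS", "github.com"), ("DNS", "www.github.com")),
}
CN_ONLY_WILDCARD = {"subject": ((("commonName", "*.example.test"),),)}
OTHER_SITE = {
    "subject": ((("commonName", "github.com"),),),
    "subjectAltName": (("DNS", "other.example.test"),),
}

if __name__ == "__main__":
    for cert, host in [(SITE_CERT, "github.com"),
                       (SITE_CERT, "github.com.example.test"),
                       (CN_ONLY_WILDCARD, "www.example.test"),
                       (OTHER_SITE, "github.com")]:
        print(host, "->", hostname_ok(cert, host))
```

A certificate that chains to a trusted root but fails this check is legitimate for some other site, which is why both checks are required.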

Conclusion

  • How to ensure that the public key is not tampered with?
    • Solution: Put the public key in the digital certificate. The public key is trusted as long as the certificate is trusted
  • Public key encryption requires too much computation. How to reduce the time consumed?
    • Solution: For each session, the client and server generate a “session key”, which is used to encrypt information. Because the “session key” is used for symmetric encryption, the operation is very fast, whereas the server public key is only used to encrypt the “session key” itself, which reduces the time consumed in the encryption operation

Extension

  • The complete TLS process requires three algorithms (protocols), namely a key exchange algorithm, a symmetric encryption algorithm, and a message authentication algorithm (the Message Authentication Code (MAC) is used to verify the integrity of TLS transmission). Take the TLS used by Github as an example. Using a browser, you can see that the cipher suite it uses is TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256. The key exchange algorithm is ECDHE_RSA, the symmetric encryption algorithm is AES_128_GCM, and the message authentication (MAC) algorithm is SHA256.
