This is the 4th day of my participation in the August More Text Challenge

Why use HTTPS

After submitting HTTP data to the TCP layer, it passes through the user’s computer, the WiFi router, the carrier, and the target server, and at each point it can be stolen or tampered with. For example, if a hacker installs malware on a user’s computer, the malware can crawl and tamper with the content of HTTP requests made. Or if a user accidentally connects to a WiFi phishing router, the data can be grabbed or tampered with.

What is the HTTPS protocol

In effect, a security layer is introduced into the HTTP protocol stack, and all data passing through the security layer is encrypted or decryptedThe security layer has two main responsibilities:

  1. Encrypts the data that initiates the HTTP request.
  2. Decrypt the received HTTP content.

The following step by step implementation of a simple to complex HTTPS protocol

First edition: Use symmetric encryption

Symmetric encryption means that both encryption and decryption use the same key.

  1. Random number on the browser (client-random) and send a list of the encryption suites it supports.
  2. The server selects one from the list of encryption suites sent to it, and also selects the entire random number (service_random) and returns to the browser
  3. The browser and the server return confirmation messages.

According to the encryption suite algorithm, client-random and service-Random are mixed to generate a key master Secret, and then data is encrypted and transmitted based on this key.

Disadvantages: Because both client-Random and service-Random transmit in plaintext, they are intercepted. The hacker takes the negotiated encryption suite and random numbers from both sides to generate the key.

Second edition: Use asymmetric encryption

Asymmetric encryption algorithms have A and B keys. If you use A key for encryption, you can only use B key for decryption. Conversely, if you want the B key to encrypt, you can only decrypt it with the A key.

  1. The browser sends a list of the encryption suites it supports.
  2. The server generates a public key and a private key. The public key is used for browser encryption, so the public key is returned with the selected encryption suite
  3. The browser and the server return confirmation messages.

In this way, when the browser sends data to the server, the public key can be used to encrypt the data. Because the public key data can be decrypted only by the corresponding private key, even if the hacker intercepts the data and the public key, the data cannot be decrypted. Disadvantages:

  1. Asymmetric encryption is inefficient
  2. The data sent by the server to the browser cannot be guaranteed because the server encrypts the data with the private key, whereas the hacker can intercept the public key and the data returned by the server cannot be guaranteed.

Third edition: Symmetric encryption and asymmetric encryption used together

Symmetric encryption is still used in the data transmission stage, but the symmetric encryption key is transmitted by asymmetric encryption.

  1. Random number on the browser (client-random), and sends a list of supported cryptosuites and a list of asymmetric cryptosuites.
  2. The server generates a public and private key, and gives a random number (service-random), returns the random number, public key, selected encryption suite, and asymmetric encryption suite
  3. The browser regenerates a random numberpre-masterAnd use public key encryption for browser confirmation
  4. Finally the server takes out its own private key and decrypts itpre-masterData and returns an acknowledgement message.

In this way, the browser and the server have the same client-random, service-random, and pre-master keys. Symmetric keys are generated based on these keys. Because a symmetric encryption suite is used at both ends, the generated keys are consistent. The pre-master is encrypted with a public key, so hackers cannot obtain the pre-master. In this way, hackers cannot generate a key, which ensures that hackers cannot decrypt the data during transmission. Cons: Hackers use DNS hijacking to replace your official website IP address with the hacker’s IP address. That is, the server cannot be proven to be reliable.

Version 4: Add digital certificates

The server needs to provide a Certificate to the browser that “I am myself” : the Certificate issued by the Authority is called the Certificate Authority (CA). The Certificate issued by the Authority is called the Digital Certificate. For browsers, digital certificates do:

  1. One is to prove the server’s identity to the browser through a digital certificate
  2. The other is a digital certificate that contains the server’s public key.

Two points of transformation:

  1. Instead of returning the public key directly to the browser, the server returns the digital certificate, which contains the public key;
  2. A certificate verification operation is added on the browser side. After the certificate is verified, the subsequent process is continued.

HTTPS handshake process

  1. The first istcpThree handshakes to establish a connection
  2. clientsendrandom1+ Set of supported encryption algorithms (clientHello)
  3. serverReceiving the message, return to select an encryption algorithm +random2(serverHello) + certificate + confirmation
  4. clentVerify the validity of the certificate and generate random numberspre-masterAnd encrypted by the server’s public keyserver
  5. serverreceivedpremaster, according to the convention encryption algorithm pairrandom1 + random2 + premaster(decrypt) generatemaster-secretAnd then send the reservation successfully
  6. clientReceived generates the samemaster-secertThe symmetric encryption key is transferred