
Explore HTTPS

2022-04-29 20:35:14 Byte Education

Today I would like to share some knowledge about HTTPS. As front-end engineers we deal with HTTP every day and must all be very familiar with it: every request sent from the browser has to follow the HTTP protocol. So do you know the difference between HTTPS and HTTP?

This is a classic interview question, and most people answer along these lines:

  1. HTTPS has one more letter than HTTP, the S (Secure); in other words, HTTPS is the secure version of HTTP.
  2. The port numbers differ: HTTP uses port 80, HTTPS uses port 443.
  3. HTTPS uses an asymmetric encryption algorithm.

How many marks would that answer score? After reading this article we can come back to it.

So how does HTTPS achieve secure data transmission? To understand this thoroughly we need to cover the development history of HTTP, the problems HTTP ran into, symmetric and asymmetric encryption algorithms, digital signatures, third-party certificate authorities and a few related concepts.

Therefore, to fully understand HTTPS, we start from the development of HTTP...

I. HTTP

HTTP is the abbreviation of Hypertext Transfer Protocol.

  • Hypertext refers to multimedia resources including, but not limited to, text, images, audio and video.
  • A protocol is the data transmission format and the communication rules agreed by both communicating parties.

HTTP is the top layer of the TCP/IP protocol suite: an application layer protocol.

When a browser and a server exchange hypertext data over HTTP, the data is placed in the message body and a header (request header or response header) is added to form a complete HTTP message, which is handed down to the transport layer. Each lower layer adds its own header (control information) and passes the result further down, until the physical layer sends the binary data as electrical signals. The HTTP message structure is shown in the figure below.

  • The development of HTTP is summarized below (version, year, main content, current status):

    • HTTP/0.9 (1991): does not cover packet transmission; only specifies the communication format between client and server; only GET requests are possible. Status: informal standard.
    • HTTP/1.0 (1996): no limits on transmitted content, format, header or data size; adds the POST, PUT, PATCH, HEAD, OPTIONS and DELETE methods. Status: formal standard, widely used.
    • HTTP/1.1 (1997): persistent connections (long connections), bandwidth saving, the Host field, pipelining and chunked transfer encoding. Status: the most widely used.
    • HTTP/2 (2015): multiplexing, server push, header compression, a binary protocol and more; it must be used together with TLS, that is, HTTPS by default. Status: gradually rising.

Looking at the development of HTTP: in the original version (HTTP/1.0), only one HTTP request could be made after each TCP connection was established, and the TCP connection was released when the request completed. We all know that establishing a TCP connection requires a three-way handshake, and re-establishing a TCP connection for every HTTP request is undoubtedly very inefficient. HTTP/1.1 therefore improved this with the long connection mechanism, that is, "one TCP connection, N HTTP requests".

Long and short connections in HTTP are essentially long and short connections of the TCP protocol.

With a long connection, when a web page is opened, the TCP connection used to transport HTTP data between client and server is not closed; when the client accesses the same server again it keeps using this established connection. Keep-Alive does not hold the connection forever: it has a hold time, which can be set in the server software (such as Apache). Both client and server must support long connections for them to work.

(In HTTP/1.0, to open a long connection the Connection: keep-alive request header must be added.)

  • As HTTP became more and more widely used, its security problems were gradually exposed.

    Recall the operator hijacking that was everywhere a few years ago: you visited a normal web page, but the page carried advertising labels, redirect scripts and deceptive red-envelope buttons; sometimes a file you downloaded turned out to be something completely different. All of these are cases of operators hijacking HTTP's plaintext data.

    HTTP has the following three security problems:

    • Data confidentiality

      Because HTTP is stateless and transmits in plaintext, all data travels across the network in the clear, including users' identity information, payment accounts and passwords. This sensitive information is easily leaked, creating security risks.

    • Data integrity

      HTTP packets pass through many forwarding devices before reaching the destination host, and any device node may tamper with or replace the packet contents; the receiver has no way to verify data integrity.

    • Identity verification

      Communication may be attacked by a man in the middle, and we cannot verify that the other party is really the one we intend to talk to.

Therefore, to ensure the security of data transmission, HTTP data has to be encrypted.

II. Encryption

There are three kinds of encryption methods: symmetric encryption, asymmetric encryption and digital digests. The first two are suitable for encrypting transmitted data; the irreversibility of a digital digest is often used in digital signatures.

Symmetric encryption

Symmetric encryption is also called private-key or single-key encryption: the same key is used to encrypt and to decrypt. The key can be understood as the secret that drives the encryption algorithm. Symmetric encryption is illustrated below.

The widely used symmetric encryption algorithms are:

  • DES (Data Encryption Standard): fast and suitable for encrypting large amounts of data. DES is no longer considered a secure encryption method, mainly because its 56-bit key is too short.
  • 3DES (Triple DES): based on DES; each block of data is encrypted three times with three different keys, which is stronger. It addresses the problem that, as computing power grew, DES became easy to break by brute force.
  • AES (Advanced Encryption Standard): the next-generation encryption algorithm standard; fast, with a high level of security, supporting encryption with 128-, 192-, 256- and 512-bit keys.

  • Advantages: the algorithm is public and simple, encryption and decryption are easy, and it is fast and efficient.
  • Disadvantages: relatively speaking it is not especially safe, since there is only one key; if the ciphertext is intercepted and the key is also captured, the information is easily deciphered.
  • Applicable scenarios: encryption and decryption are fast and efficient, so it suits scenarios with large amounts of data. Because transmitting the key is a headache, it suits scenarios that need no key exchange, such as internal systems where the key can be agreed in advance.

Try symmetric encryption online

P.S. Base64 encoding is also counted as symmetric encryption.

Asymmetric encryption

Asymmetric encryption uses a pair of keys (a public key and a private key) for encryption and decryption. With asymmetric encryption, decryption can be completed without passing the key directly. The steps are as follows:

  1. Party B generates two keys (a public key and a private key). The public key is public and anyone can obtain it; the private key is kept secret.
  2. Party A obtains Party B's public key and uses it to encrypt the information.
  3. Party B receives the encrypted information and decrypts it with the private key.

Take the most typical asymmetric encryption algorithm, RSA, as an example:

To get to the bottom of RSA you need number theory and the whole derivation of the RSA encryption algorithm. This article only sketches the idea: two very large prime numbers and their product are used as the material for generating the public and private keys, and deducing the private key from the public key is extremely hard (it requires factoring the very large number into the product of two large primes). The longest RSA key that has been cracked is 768 bits; in other words, no key longer than 768 bits has been cracked yet (at least nobody has announced it publicly). So we can consider a 1024-bit RSA key basically secure and a 2048-bit key extremely secure.

  • Advantages: high strength; security is stronger than symmetric encryption algorithms; the private key never has to be transmitted, so there is no risk of key disclosure.
  • Disadvantages: large amount of computation; slow.
  • Applicable scenarios: scenarios that require key exchange, such as Internet applications, where the key cannot be agreed in advance. It can be combined with a symmetric encryption algorithm:

    • Use the good security of the asymmetric algorithm to transmit the key of the symmetric algorithm.
    • Use the fast encryption and decryption of the symmetric algorithm for scenarios with large data content, such as HTTPS.

How to choose?

  • Choose symmetric encryption: the HTTP requester encrypts the data with a symmetric algorithm, so for the receiver to decrypt it, the sender also has to pass the key to the receiver. While the key is being passed it may still be sniffed, and once the attacker has the key they can still decrypt the data sent, so this scheme is not feasible.
  • Choose asymmetric encryption: the receiver keeps the private key and passes the public key to the sender. The sender encrypts the data with the public key and the receiver decrypts it with the private key. Although an attacker cannot read this data directly (they do not have the private key), they can intercept the public key as it is passed, hand their own public key to the sender instead, and then decrypt what the sender sends with their own private key. Neither party knows the man in the middle exists, yet the middleman obtains the complete data.

  • Mix the two: first use the asymmetric algorithm to encrypt and pass the symmetric key, then both parties encrypt the data they send with symmetric encryption. This looks fine, but is it really? A middleman can still intercept the delivery of the public key and replace it with their own; this treats the symptoms, not the root cause.

For a real cure we need a third-party notary to prove that the public key has not been replaced, which leads to the concept of a CA.

III. CA

CA stands for Certificate Authority, an institution that issues digital certificates. As a trusted third party, the CA is responsible for checking the validity of public keys in the public-key system. A certificate is a data file that the origin server applies for from a trusted third-party organization. The certificate not only states who the domain name belongs to, the date of issue and so on, but also carries a signature made with the third party's private key. The server puts its public key into the digital certificate; as long as the certificate is trustworthy, the public key is trustworthy. The figure below shows some of the contents of the certificate for the Feishu domain.

Digital signature

  • The digest algorithm is generally implemented with a hash function, which can be understood as a fixed-length compression algorithm: it compresses data of any length to a fixed length. This is like putting a seal on the data: any small change to the data makes the digest very different.
  • Usually the applicant for a digital certificate (the server) generates a key pair consisting of a private key and a public key, together with a certificate signing request (CSR). The CSR is an encoded text file containing the public key and the other information that will go into the certificate (for example the domain name, organization and email address). The key pair and CSR are usually generated on the server where the certificate will be installed, and the type of information the CSR contains depends on the validation level of the certificate. Unlike the public key, the applicant's private key is kept secure and is never shown to the CA (or anyone else).
  • After generating the CSR, the applicant sends it to the CA. The CA verifies that it contains the correct information and, if so, digitally signs the certificate with its issuing private key, places the signature in the certificate, and sends the certificate back to the applicant.

  • During the SSL handshake, after the browser receives the server's certificate it uses the CA's public key to decrypt the signature and extracts the certificate data, the digital signature and the server's public key. If the decryption succeeds, the authenticity of the server's identity is verified. The browser then hashes the certificate content and compares the result with the digital signature; if they match, the content is considered untampered.
  • In asymmetric encryption the public key encrypts and the private key decrypts; a digital signature is the reverse: the private key encrypts (signs) and the public key decrypts (verifies).
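As an added example (not code from the original post), here is a toy RSA built from two small primes in the way the text describes, used both ways: public-key encryption of a client's random key, and private-key signing of a toy certificate that the client checks with the CA's public key, as the CA section describes. All primes, the domain and the key value are constructed for illustration, and the key sizes are far too small for real use.

```python
import hashlib
from math import gcd

# Toy RSA with small primes: the two-primes-and-their-product idea from the text.
# Key sizes here are far too small for real use; real keys are 2048 bits or more.
def keygen(p, q, e=65537):
    """Derive a (public, private) key pair from two primes p and q."""
    n, phi = p * q, (p - 1) * (q - 1)
    assert gcd(e, phi) == 1, "public exponent must be coprime to phi(n)"
    d = pow(e, -1, phi)                    # private exponent, e*d == 1 mod phi
    return (n, e), (n, d)

def encrypt(pub, m):                       # anyone may encrypt with the public key
    n, e = pub
    return pow(m, e, n)

def decrypt(priv, c):                      # only the private key holder can decrypt
    n, d = priv
    return pow(c, d, n)

def digest(data, n):
    """Fixed-length summary of data (SHA-256), reduced mod n to fit the toy key."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(priv, data):                      # signing: private key "encrypts" the digest
    n, d = priv
    return pow(digest(data, n), d, n)

def verify(pub, data, sig):                # verifying: public key "decrypts" the signature
    n, e = pub
    return pow(sig, e, n) == digest(data, n)

# A toy certificate: the CA signs (domain, server public key) with its own private key.
def cert_body(domain, pub):
    return f"{domain}|{pub[0]}|{pub[1]}".encode()

def issue_cert(ca_priv, domain, server_pub):
    return {"domain": domain, "pub": server_pub,
            "sig": sign(ca_priv, cert_body(domain, server_pub))}

def client_trusts(ca_pub, cert):
    """What the browser does: check the CA signature over the certificate contents."""
    return verify(ca_pub, cert_body(cert["domain"], cert["pub"]), cert["sig"])

def demo():
    ca_pub, ca_priv = keygen(1000003, 999983)        # the trusted third party (constructed)
    srv_pub, srv_priv = keygen(104729, 1299709)      # the web server (constructed)
    mitm_pub, _ = keygen(7919, 104723)               # a key pair that is not the server's
    cert = issue_cert(ca_priv, "www.example.com", srv_pub)
    swapped = dict(cert, pub=mitm_pub)               # public key replaced in transit
    random_key = 0x2F1C9A3B                          # client's symmetric key (constructed)
    roundtrip = decrypt(srv_priv, encrypt(srv_pub, random_key))
    # (genuine cert accepted, swapped cert rejected, random key survives the round trip)
    return client_trusts(ca_pub, cert), client_trusts(ca_pub, swapped), roundtrip == random_key
```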

IV. HTTPS

The book 《The Illustrated HTTP》 describes HTTPS as HTTP wearing an SSL shell.

SSL was renamed TLS in 1999.

So HTTPS is not a new application layer protocol; it is just HTTP with its communication interface replaced by SSL/TLS. HTTP talks directly to TCP, whereas HTTPS first talks to SSL, and SSL then talks to TCP. SSL is an independent protocol: not only HTTP can use it, other application layer protocols such as FTP and SMTP can use SSL for encryption too.

The whole flow of an HTTPS request is as follows:

  1. The user initiates an HTTPS request in the browser; by default it connects to port 443 on the server side.
  2. HTTPS requires a CA digital certificate, which comes with a server public key (Pub); the corresponding private key (Private) is kept on the server side and never made public.
  3. The server receives the request and returns its configured certificate, which contains the public key Pub, to the client.
  4. The client receives the certificate and verifies its legitimacy, mainly whether it is within its validity period, whether the certificate's domain name matches the requested domain name, and whether the issuing certificate is valid (judged recursively until reaching a root certificate built into the system or configured in the browser). If the check fails, an HTTPS warning is shown; if it passes, continue.
  5. The client generates a random key (Random Key) for symmetric encryption, encrypts it with the public key Pub from the certificate, and sends it to the server.
  6. The server receives the ciphertext of the Random Key, decrypts it with the private key Private paired with Pub, and obtains the Random Key the client actually sent.
  7. The server uses the Random Key sent by the client to symmetrically encrypt the HTTP data to be transmitted and returns the ciphertext to the client.
  8. The client decrypts the ciphertext with the Random Key and obtains the HTTP data in plaintext.
  9. Subsequent HTTPS requests use the previously exchanged Random Key for symmetric encryption and decryption.
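Step 4 of the flow is where a client decides whether to trust a certificate. As an added example (not code from the original post), the checks below cover the validity period and the domain-name match, applied to a constructed certificate in the dict layout that Python's ssl.SSLSocket.getpeercert() returns; the recursive chain check up to a root certificate needs real signature verification and is not shown here.

```python
import ssl
import time

# Constructed sample certificate in the dict layout returned by ssl.SSLSocket.getpeercert()
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "*.api.example.com")),
    "notBefore": "Apr 29 00:00:00 2022 GMT",
    "notAfter": "Apr 29 23:59:59 2023 GMT",
}

def parse_time(cert_time):
    """Convert a certificate timestamp string to seconds since the epoch (UTC)."""
    return ssl.cert_time_to_seconds(cert_time)

def in_validity_period(cert, now=None):
    now = time.time() if now is None else now
    return parse_time(cert["notBefore"]) <= now <= parse_time(cert["notAfter"])

def _name_matches(pattern, hostname):
    """One dNSName entry; '*' may only stand for the whole leftmost label."""
    p, h = pattern.lower().split("."), hostname.lower().split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) >= 3 and p[1:] == h[1:]   # reject wildcards such as *.com
    return p == h

def hostname_matches(cert, hostname):
    """Prefer subjectAltName DNS entries; fall back to the CN only if there are none."""
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        names = [v for rdn in cert["subject"] for k, v in rdn if k == "commonName"]
    return any(_name_matches(n, hostname) for n in names)

def check_certificate(cert, hostname, now=None):
    """Return the list of problems found; an empty list means the client may proceed."""
    problems = []
    if not in_validity_period(cert, now):
        problems.append("certificate is outside its validity period")
    if not hostname_matches(cert, hostname):
        problems.append(f"certificate does not cover {hostname}")
    return problems

if __name__ == "__main__":
    now = parse_time("Jan 15 00:00:00 2023 GMT")
    print(check_certificate(SAMPLE_CERT, "www.example.com", now))   # []
    print(check_certificate(SAMPLE_CERT, "example.com", now))       # ['certificate does not cover example.com']
```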

HTTPS does solve the three security problems of HTTP:

(1) Confidentiality: asymmetric and symmetric encryption are combined. Asymmetric encryption encrypts the symmetric key, and the data is then encrypted with symmetric encryption.

(2) Integrity: the digital signature from the third-party CA solves the integrity problem.

(3) Identity verification: the digital certificate issued by the third-party CA verifies the identity of the server.

Finally, let's summarize the advantages and disadvantages of HTTPS.

HTTPS advantages:

  • The HTTPS protocol authenticates users and servers, ensuring data is sent to the correct client and server.
  • Safe and reliable: it prevents data from being stolen or changed during transmission and ensures data integrity.
  • HTTPS is the most secure solution under the current architecture; although not absolutely safe, it significantly raises the cost of a man-in-the-middle attack.

HTTPS disadvantages:

  • HTTPS takes 2 to 100 times as long as HTTP, because of the SSL (TLS) handshake and because asymmetric encryption is slow.
  • The security of HTTPS has a limited scope: it does little against hacker attacks, denial-of-service attacks and server hijacking.
  • The trust chain of SSL certificates is not secure, especially where a country can control a CA root certificate; a man-in-the-middle attack is still feasible there.

As you can see, HTTPS is indeed the best solution for secure HTTP transmission today, but it is not perfect and vulnerabilities remain.

References

  • 《The Illustrated HTTP》
  • RSA algorithm principles
  • HTTPS upgrade guide
  • Overview of how the SSL/TLS protocol works


Copyright notice
Author: Byte Education. Please include the original link when reprinting, thank you.
https://en.qdmana.com/2022/04/202204292035016840.html
