Principle of HTTPS encrypted communication process
1. What is HTTPS?
HTTP runs on top of TCP. Everything it transmits is plaintext, and neither the client nor the server can verify the identity of the other party. HTTPS is HTTP running on top of SSL/TLS, with SSL/TLS itself running on top of TCP. All transmitted content is encrypted with a symmetric cipher, and the symmetric key is established under the protection of the server's certificate: in the classic RSA key exchange the client encrypts the key with the server's public key, while TLS 1.3 and modern TLS 1.2 configurations instead derive it from an ephemeral Diffie-Hellman exchange that the server signs with the private key belonging to its certificate. HTTPS is therefore far more secure than HTTP, but it costs the server more CPU and adds a handshake before the first request.
2. What are SSL and TLS?
SSL (Secure Sockets Layer) is the Secure Sockets Layer protocol.
TLS (Transport Layer Security) is the Transport Layer Security protocol.
SSL went through three generations; after SSLv3.0 it was standardized under the new name TLS 1.0, which can be thought of as SSLv3.1 (that is literally the version number TLS 1.0 puts on the wire). SSLv2, SSLv3, TLS 1.0 and TLS 1.1 are all deprecated today; a server should offer only TLS 1.2 and TLS 1.3.
3. What does the TLS protocol do?
TLS sits between HTTP and TCP and consists of two parts: the TLS handshake protocol, which negotiates the version, cipher suite and keys and authenticates the server, and the TLS record protocol, which encrypts and integrity-protects the application data. HTTPS still communicates using HTTP, but runs it over TLS to obtain security: HTTPS = HTTP + TLS.
HTTP communication without SSL/TLS is unencrypted. All information travels in plaintext, which brings three risks:
- Eavesdropping: a third party can read the content of the communication.
- Tampering: a third party can modify the content of the communication.
- Impersonation (pretending): a third party can take part in the communication while posing as someone else.
4. HTTPS from the point of view of cryptography
HTTPS uses TLS to stay secure, and "secure" here has two parts: the transmitted content is encrypted (and, through message authentication, protected against tampering), and the identity of the server is authenticated.
5. Two kinds of encryption
Key:
A key is a parameter fed into the algorithm that turns plaintext into ciphertext, or ciphertext back into plaintext.
Symmetric encryption:
There is only one key: the same secret key is used both to encrypt and to decrypt, and both operations are fast. Typical symmetric algorithms are DES (obsolete; its 56-bit key can be brute-forced) and AES.
Characteristics: the algorithm is public, encryption and decryption are fast, and it is suited to encrypting large amounts of data.
Process: plaintext + encryption algorithm + secret key => ciphertext; ciphertext + decryption algorithm + secret key => plaintext
Asymmetric encryption:
Keys come in pairs, a public key and a private key. The private key cannot be derived from the public key (the reverse does not hold: a private key file normally contains the public key as well). Encryption and decryption use different keys: what the public key encrypts only the private key can decrypt, and what the private key signs anyone holding the public key can verify. It is much slower than symmetric encryption. Typical asymmetric algorithms are RSA and DSA (DSA is a signature-only algorithm; it cannot encrypt).
The public key encrypts and the private key decrypts, so only the holder of the private key can read the real content of the message.
Drawback: encryption and decryption are slow, so it is only suited to small amounts of data (in practice, a symmetric key).
Process: plaintext + encryption algorithm + public key => ciphertext; ciphertext + decryption algorithm + private key => plaintext
or (signing): hash of the message + signing algorithm + private key => signature; signature + verification algorithm + public key => valid or invalid
6. The HTTPS communication process
1. The client initiates an HTTPS request
Not much to say here: the user enters an https:// URL and the browser opens a TCP connection to port 443 of the server.
2. Server-side configuration
A server that speaks HTTPS must have a digital certificate. You can issue one yourself, or apply to a certificate authority (CA). The difference is that a self-issued certificate is not trusted by clients, so the browser shows a warning page that the user must click through before continuing, whereas a certificate issued by a trusted CA produces no prompt. (The original post recommended StartSSL's free tier; StartSSL has since shut down, and Let's Encrypt is the usual free choice today.) The certificate belongs to a key pair: the certificate carries the public key and is handed to everyone, while the private key never leaves the server. If public and private keys are unfamiliar, think of them as a lock and its key. Only you have the key, but you can hand the lock to anyone; they lock up something important with it and send it to you, and because only you hold the key, only you can see what is inside.
3. The server sends the certificate
The certificate is essentially the server's public key plus a lot of metadata: the subject (host) name, the issuing authority, the validity period, and a digital signature by the issuer over all of it.
4. The client parses the certificate
This work is done by the client's TLS implementation. It first checks that the certificate is valid: that the signature chain leads to a CA root in the client's trust store, that the name in the certificate matches the host being visited, and that the certificate has neither expired nor been revoked. If anything is wrong, the browser pops up a warning that there is a problem with the certificate. If the certificate is fine, the client generates a random value (the pre-master secret) and encrypts it with the public key from the certificate. In terms of the analogy above, it locks the random value with the lock, so nobody without the key can see it. (This is the RSA key exchange of TLS 1.2 and earlier; TLS 1.3 and modern TLS 1.2 suites instead agree on the random value through an ephemeral Diffie-Hellman exchange that the server signs with its private key, so a private key stolen later cannot decrypt recorded traffic.)
5. The client sends the encrypted message
What is transmitted is the random value encrypted under the certificate's public key. The purpose is to get the random value to the server, after which client and server can encrypt and decrypt their communication with it.
6. The server decrypts the message
The server decrypts with its private key and obtains the client's random value. From here on the content is symmetrically encrypted with a key derived from that value (in TLS the session keys are derived from the pre-master secret together with the random nonces both sides sent during the handshake). Symmetric encryption mixes the message and the secret key together with some algorithm, so nobody who does not know the secret key can recover the content; since both client and server know it, the data is safe as long as the algorithm is strong enough and the key is long and random enough.
7. The server transmits the encrypted message
This is information encrypted by the server with the symmetric key, which the client can restore.
8. The client decrypts the message
The client uses the symmetric key it derived earlier to decrypt the information from the server and so obtains the content. Throughout the whole process, even if a third party is listening to the data, it cannot make anything of it.
To sum up, the flow of one HTTPS request is:
- Establish a TCP connection.
- The browser receives the server's certificate.
- The browser validates the certificate: it checks the CA's signature, and the CA's root certificate is already stored in the operating system's (or browser's) trust store.
- The browser encrypts a symmetric key (a piece of random data) with the server's public key.
- The server receives the ciphertext and decrypts it with its private key to obtain the symmetric key.
- All further transmission uses a symmetric encryption algorithm with that symmetric key.
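The program below is an added example, not part of the original post, that runs the process just described end to end on the local machine: an HTTPS server with a self-signed certificate (generated by Go's httptest package, standing in for a "self-made" certificate), then three clients with different trust settings. The first uses the system trust store and is rejected, which is the situation behind the browser warning page; the second has the server certificate installed as a trusted root, which is what a CA root in the operating system does for CA-issued certificates; the third disables verification, which keeps the encryption but loses the identity check. The handler text and the type and function names are invented for the example.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// Result records what the client learned from one HTTPS request.
type Result struct {
	Version     uint16 // negotiated TLS version (tls.VersionTLS12 / tls.VersionTLS13)
	CipherSuite string // negotiated cipher suite, e.g. TLS_AES_128_GCM_SHA256
	Subject     string // subject of the certificate the server presented
	Issuer      string // who signed it (equals Subject for a self-signed certificate)
	Body        string
}

// newServer starts an HTTPS server on loopback. httptest gives it a
// self-signed certificate, which plays the role of a "self-made" certificate.
func newServer() *httptest.Server {
	return httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		io.WriteString(w, "hello over TLS")
	}))
}

// get performs one request with the given client-side TLS configuration.
func get(url string, cfg *tls.Config) (Result, error) {
	tr := &http.Transport{TLSClientConfig: cfg}
	defer tr.CloseIdleConnections()
	resp, err := (&http.Client{Transport: tr}).Get(url)
	if err != nil {
		return Result{}, err // a failed handshake surfaces here
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	if err != nil {
		return Result{}, err
	}
	st := resp.TLS // handshake state recorded by the transport
	leaf := st.PeerCertificates[0]
	return Result{
		Version:     st.Version,
		CipherSuite: tls.CipherSuiteName(st.CipherSuite),
		Subject:     leaf.Subject.String(),
		Issuer:      leaf.Issuer.String(),
		Body:        string(body),
	}, nil
}

// trustOnly builds a client config whose trust store holds exactly one
// certificate. Installing a self-signed certificate into the OS trust store
// has the same effect for every client on that machine.
func trustOnly(cert *x509.Certificate) *tls.Config {
	pool := x509.NewCertPool()
	pool.AddCert(cert)
	return &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS12}
}

func main() {
	srv := newServer()
	defer srv.Close()

	// 1. System trust store: no root in it signed this certificate, so the
	//    handshake is aborted. This is the case behind the browser warning page.
	_, err := get(srv.URL, &tls.Config{MinVersion: tls.VersionTLS12})
	var unknown x509.UnknownAuthorityError
	fmt.Printf("system roots: err=%v (unknown authority: %t)\n", err, errors.As(err, &unknown))

	// 2. The server certificate has been added to the client's trust store.
	res, err := get(srv.URL, trustOnly(srv.Certificate()))
	fmt.Printf("trusted cert: err=%v version=%#x suite=%s self-signed=%t body=%q\n",
		err, res.Version, res.CipherSuite, res.Subject == res.Issuer, res.Body)

	// 3. InsecureSkipVerify: traffic is still encrypted, but the client no longer
	//    knows who it is talking to, so a man in the middle would go unnoticed.
	res, err = get(srv.URL, &tls.Config{InsecureSkipVerify: true})
	fmt.Printf("skip verify: err=%v version=%#x\n", err, res.Version)
}
```

The third client is the one to look for in code review: InsecureSkipVerify (and its equivalents in other languages) turns the warning page into silent acceptance, so whoever sits on the path can present their own certificate and read everything. The right fix for a self-signed certificate is the second client, pinning or installing that specific certificate, not switching verification off.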
7. About the cryptographic building blocks
| Technique | What it solves | Built from |
|---|---|---|
| Message authentication code | Confirms the integrity of a message and authenticates its source | Shared secret key + hash of the message |
| Digital signature | Signs the hash of a message | Public key + private key + hash of the message |
| Public-key cryptography | Solves the key distribution problem | Public key + private key + message |
| Certificate | Solves the problem of who a public key belongs to | The public key from public-key cryptography + a digital signature (from the CA) |
Cryptography used by TLS
Pseudo-random number generator: gives key generation its randomness, so keys are hard to guess (a weak generator here undermines everything built on top of it).
Symmetric cipher: the secret key used by the symmetric cipher comes from the pseudo-random generator; compared with public-key cryptography it is far more efficient.
Message authentication code: guarantees the integrity of messages and verifies their source (modern cipher suites use AEAD modes such as AES-GCM, which combine the cipher and the MAC).
Public-key cryptography: certificate technology is built on it.
Digital signature: verifies the signature on a certificate, establishing that it was issued by a genuine CA.
Certificate: solves the problem of who really owns a public key, and so reduces the chance of a man-in-the-middle attack.
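As an added example (not from the original post) for the table and list above, the program below puts the two authentication primitives side by side on the same constructed message: an HMAC, which needs a key both parties share, and an ECDSA signature over the SHA-256 hash of the message, which only the private key can produce and anyone with the public key can verify. The message text and function names are made up for the illustration; the keys are generated on the fly.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// message is a constructed sample; in TLS this would be a handshake transcript or a record.
var message = []byte("Transfer 100 to account 42")

// computeMAC returns HMAC-SHA256(key, msg). Sender and receiver must hold the same key.
func computeMAC(key, msg []byte) []byte {
	h := hmac.New(sha256.New, key)
	h.Write(msg)
	return h.Sum(nil)
}

// verifyMAC compares tags in constant time; a plain byte comparison would leak
// timing information that helps an attacker guess a valid tag byte by byte.
func verifyMAC(key, msg, tag []byte) bool {
	return hmac.Equal(computeMAC(key, msg), tag)
}

// signMessage hashes the message and signs the hash with the private key,
// which is exactly what the table means by "sign the hash of the message".
func signMessage(priv *ecdsa.PrivateKey, msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// verifySignature needs only the public key, so anyone can check the signature,
// and nobody but the holder of the private key could have produced it.
func verifySignature(pub *ecdsa.PublicKey, msg, sig []byte) bool {
	digest := sha256.Sum256(msg)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

func main() {
	tampered := []byte("Transfer 900 to account 42")

	// MAC: integrity and source, but only between the two parties that share the key.
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	tag := computeMAC(key, message)
	fmt.Println("MAC accepts original:", verifyMAC(key, message, tag))
	fmt.Println("MAC accepts tampered:", verifyMAC(key, tampered, tag))
	// Limit of a MAC: the receiver holds the same key, so it can produce a tag for any
	// message; a MAC therefore cannot prove to a third party who sent the message.
	fmt.Println("receiver can forge a tag:", verifyMAC(key, tampered, computeMAC(key, tampered)))

	// Signature: only the private key signs, anyone with the public key verifies.
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	sig, err := signMessage(priv, message)
	if err != nil {
		panic(err)
	}
	fmt.Println("signature accepts original:", verifySignature(&priv.PublicKey, message, sig))
	fmt.Println("signature accepts tampered:", verifySignature(&priv.PublicKey, tampered, sig))
	other, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	fmt.Println("other public key accepts it:", verifySignature(&other.PublicKey, message, sig))
}
```

The difference is what makes certificates work: a CA signs the certificate with a private key that only the CA has, and every client can check that signature with the CA's public key from its trust store without sharing any secret with the CA.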
Author: ZtCling. Please include a link to the original when reprinting, thank you.