Catalog

1. What is? HTTPS？

2. What is? SSL and TLS？

3. TLS The role of the agreement ？

4. From the point of view of cryptography HTTPS

5. Two encryption methods

Symmetric encryption

Asymmetric encryption

6. Use https Communication process

7. About passwords

1. What is? HTTPS？

HTTP The protocol runs in TCP above , All transmitted content is clear text , Neither the client nor the server can verify the identity of the other party . HTTPS Is running on the SSL/TLS Above HTTP agreement ,SSL/TLS Running on the TCP above . All transmitted content is encrypted , Encryption uses symmetric encryption , But the key of symmetric encryption is asymmetric encrypted with the certificate of the server . So ,HTTP There's no security HTTPS high , however HTTPS Than HTTP Consume more server resources .

2. What is? SSL and TLS？

SSL（Secure Sockets Layer） Both agreement Secure socket layer protocol

TLS（Transport Layer Security） The agreement is Secure transport layer protocol .

Today, SSL After three generations of updates , stay SSLv3.0 Then it was officially renamed TLS1.0. It can also be understood as TLS1.0 It's actually SSLv3.1.

3. TLS The role of the agreement ？

be located HTTP and TCP The agreement between , It has TLS handshake protocol 、TLS Record agreements HTTPS Through HTTP communicate , But use TLS To ensure safety , namely HTTPS = HTTP + TLS

Don't use  SSL/TLS Of HTTP signal communication , It's communication without encryption . All information is transmitted in plain text , There are three risks .

• The risk of eavesdropping （eavesdropping）： The third party can know the content of the communication .
• Risk of tampering （tampering）： The third party can modify the content of the communication .
• Pretend to be a risk （pretending）： The third party can participate in the communication as others .

4. From the point of view of cryptography HTTPS

HTTPS Use TLS Keep it safe , there “ Security ” Two parts , First, the transmission content is encrypted 、 The second is the identity authentication of the server

5. Two encryption methods

secret key ：

It's a parameter , Parameters input in the algorithm of converting plaintext into ciphertext or ciphertext into plaintext .

Symmetric encryption

There is only one key , Encrypt and decrypt to the same password , And fast encryption and decryption , Typical symmetric encryption algorithms are DES、AES etc. ;

  characteristic ： Algorithm disclosure , Fast encryption and decryption , Suitable for a large number of data encryption .
  The process ： Plaintext + encryption algorithm + Private key => Ciphertext       Ciphertext + Decryption algorithm + Private key => Plaintext

Asymmetric encryption

Key pairs appear （ And the private key cannot be inferred from the public key , The public key cannot be inferred from the private key ）, Encryption and decryption use different keys （ Public key encryption requires private key decryption , Private key encryption requires public key decryption ）, Relatively symmetric encryption speed is slow , Typical asymmetric encryption algorithms include RSA、DSA etc. .

The public key is used to encrypt , The private key is used to decrypt , Only the owner of the private key , To see the real content of the message

  shortcoming ： Encryption and decryption take a long time , Slow speed , Suitable for a small amount of data encryption .
  The process ： Plaintext + encryption algorithm + Public key => Ciphertext       Ciphertext + Decryption algorithm + Private key => Plaintext
          or   Plaintext + encryption algorithm + Private key => Ciphertext       Ciphertext + Decryption algorithm + Public key => Plaintext

6. Use https Communication process

1. Client initiated HTTPS request  
There's nothing to say about this , That is, the user enters a https website , Then connect to server Of 443 port .

2. Server-side configuration  
use HTTPS The server of the protocol must have a set of digital certificates , You can make it yourself , You can also apply to the organization . The difference is that the certificate issued by itself needs to be verified by the client , To continue to visit , The certificate applied by the trusted company will not pop up a prompt page (startssl It's a good choice , Yes 1 Free service in ). This set of certificates is actually a pair of public key and private key . If you don't understand public key and private key very well , Think of it as a key and a lock , Only you are the only one in the world who has this key , You can give the lock to someone else , Others can use this lock to lock up important things , And send it to you , Because you alone have the key , So only you can see what's locked up .

3. Transmission certificate  
This certificate is actually the public key , It's just a lot of information , Such as the certification authority , Expiration time, etc .

4. Client resolves Certificate  
There are clients for this part of the work TLS To complete , First, it will verify whether the public key is valid , For example, the issuing authority , Expiration time, etc , If an exception is found , A warning box will pop up , There is a problem with the certificate . If the certificate is OK , Then generate a random value . The random value is then encrypted with a certificate . As it says , Lock the random value with the lock , So unless there's a key , Otherwise, we can't see the locked content .

5. Send encrypted messages  
This part transmits random values encrypted with certificates , The purpose is to let the server get the random value , After that, the communication between the client and the server can be encrypted and decrypted through this random value .

6. The server decrypts the information  
After the server decrypts with the private key , Get the random value from the client ( Private key ), The content is then symmetrically encrypted with this value . Symmetric encryption is , Mix information and private key together by some algorithm , So unless you know the private key , Otherwise, we can't get the content , And both the client and the server know the private key , So as long as the encryption algorithm is strong enough , The private key is complex enough , Data is safe enough .

7. Transmit encrypted information  
This part of information is the information encrypted by the private key in the service section , Can be restored on the client side

8. Client decrypts information  
The client uses the previously generated private key to decrypt the information from the service segment , So we get the decrypted content . In the whole process, even if the third party listens to the data , I have no idea .
 

To sum up, briefly describe HTTPS One time request flow of

Create a tcp The connection of

Get certificate from browser

Browser validation certificate -> Go to ca( Certification authority ) verification ,ca( Certification authority ) The root certificate has been saved into our operating system

The browser encrypts a symmetric key with a public key ( A piece of data ),

The server received the ciphertext , Decrypt your private key to get the symmetric key

The next transmission uses a symmetric encryption algorithm , And symmetric key for communication ,

7. About passwords

Password summary

TLS The cryptography used

1. Pseudo random number generator ： Randomness of secret key generation , Harder to guess

2. Symmetric code ： The secret key used in symmetric cipher is generated by pseudo-random number , Compared with asymmetric passwords , More efficient

3. Message authentication code ： Ensure the integrity of message information 、 And verify the source of the message information

4. Public key password ： Certificate technology uses public key cryptography

5. digital signature ： Verify the signature of the certificate , Determined by a real CA Issued by

6. certificate ： Solve the real ownership problem of public key , Reduce the probability of man in the middle attack