Understanding of https principle

2025-01-14 Update. From: SLTechnology News&Howtos


Shulou (Shulou.com) 06/01 Report

First, what is HTTPS?

Before we talk about HTTPS, let's talk about HTTP. HTTP is the protocol we normally use when browsing the web. Data carried by HTTP is transmitted unencrypted, that is, in plaintext, so using HTTP to transmit private information is very insecure. To make sure this private data could be encrypted, Netscape designed the SSL (Secure Sockets Layer) protocol to encrypt the data carried by HTTP, and so HTTPS was born. SSL is currently at version 3.0, which the IETF (Internet Engineering Task Force) documented in RFC 6101; the IETF then upgraded SSL 3.0, which produced TLS (Transport Layer Security) 1.0, defined in RFC 2246. Today's HTTPS in fact uses the TLS protocol, but because SSL appeared earlier and is still supported by current browsers, the name SSL remains synonymous with HTTPS. Both TLS and SSL date from the last century. SSL stopped at version 3.0; from here on, TLS inherits SSL's fine pedigree and continues to provide encryption services for us. The current version of TLS is 1.2, defined in RFC 5246, and it is not yet widely used.

Second, is HTTPS safe after all?

The answer is yes, it is safe. Google has taken action to promote the use of HTTPS: in the next few weeks it will enable HTTPS for all of its local domain names around the world, and as long as a user logs in with a Google account before searching, all search operations will be encrypted with the TLS protocol.

Third, the working principle of HTTPS

Before any data is transmitted, HTTPS requires a handshake between the client (browser) and the server (website); the password (key material) that both sides will use to encrypt the transmitted data is established during this handshake. The TLS/SSL protocol is not just a set of encrypted transport rules but a work of art carefully designed by artists. TLS/SSL uses asymmetric encryption, symmetric encryption and HASH algorithms. A brief description of the handshake process follows:

1. The browser sends the website the set of encryption rules it supports.

2. The website selects one encryption algorithm and one HASH algorithm from that set and sends its identity information back to the browser in the form of a certificate. The certificate contains information such as the website's address, the public key used for encryption, and the authority that issued the certificate.

3. After obtaining the website's certificate, the browser does the following:

A) It verifies the validity of the certificate (whether the issuing authority is legitimate, whether the website address contained in the certificate matches the address being visited, and so on). If the certificate is trusted, a small padlock is shown in the browser's address bar; otherwise the browser warns that the certificate is not trusted.

B) If the certificate is trusted, or if the user accepts an untrusted certificate, the browser generates a random password and encrypts it with the public key provided in the certificate.

C) It computes the HASH of the handshake message with the agreed HASH algorithm, encrypts the message with the random password it generated, and finally sends everything generated so far to the website.

4. After receiving the browser's data, the website does the following:

A) It uses its own private key to decrypt the information and recover the password, uses that password to decrypt the handshake message sent by the browser, and verifies that the HASH matches the one sent by the browser.

B) It encrypts a handshake message with the password and sends it to the browser.

5. The browser decrypts the message and computes its HASH. If it matches the HASH sent by the server, the handshake is complete, and from then on all communication data is encrypted with the symmetric encryption algorithm using the random password the browser generated earlier.

Here the browser and the website exchange encrypted handshake messages and verify them in order to make sure that both sides hold the same password and can encrypt and decrypt data correctly; it also serves as a test run for the real data transmission that follows. The encryption and HASH algorithms commonly used by HTTPS are:

Asymmetric encryption algorithms: RSA, DSA/DSS

Symmetric encryption algorithms: AES, RC4, 3DES

HASH algorithms: MD5, SHA1, SHA256

The asymmetric encryption algorithm is used to encrypt the generated password during the handshake, the symmetric encryption algorithm is used to encrypt the actual transmitted data, and the HASH algorithm is used to verify the integrity of the data. Because the password generated by the browser is the key that protects all of the data, an asymmetric algorithm is used to encrypt it in transit. An asymmetric algorithm produces a public key and a private key: the public key can only be used to encrypt data, so it can be distributed freely, while the website's private key is used to decrypt that data, so the website guards its private key very carefully to prevent leakage.

If any error occurs during the TLS handshake, the encrypted connection is torn down, which blocks the transmission of private information. Precisely because HTTPS is this secure and offers no obvious foothold, people often resort to forged certificates to deceive the client and obtain plaintext; such methods can be detected, which I will cover in later articles.

Reference link for the above: http://www.guokr.com/post/114121/

My understanding: how HTTPS works, in two steps

Step 1: browser -> website

Browser: first HASH the handshake message, then encrypt it with a string of random numbers (the password) that it generated itself, and encrypt that random password with the public key the website sent. Send the encrypted handshake message, the encrypted password, and the HASH of the handshake message to the website.

Website: use its own private key to decrypt the password generated by the browser (this is where the asymmetric encryption algorithm is used), then use the password to decrypt the encrypted handshake message, and verify that the hash of the decrypted message matches the one sent by the browser.

Step 2: website -> browser

Website: encrypt a handshake message with the password (the one just decrypted with the private key, that is, the one generated by the browser), and send the encrypted handshake message together with its HASH to the browser.

Browser: decrypt the handshake message and compute its HASH. If it matches the HASH sent by the server, the handshake is complete.

After that, all communication data is encrypted with a symmetric encryption algorithm using the random password the browser generated earlier.

Here the browser and the website exchange encrypted handshake messages and verify them in order to make sure that both sides have obtained the same password and can encrypt and decrypt data correctly; it also serves as a test run for the subsequent transmission of real data.
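As an added example (not from the original article or the guokr post), the following Go program models steps 3(B)-(C) and 4(A) of the handshake above and Step 1 of the two-step summary: the browser seals a random password (session key) with the site's RSA public key, encrypts and hashes the handshake message, and the website recovers the key with its private key and re-checks the hash. The names browserStep, websiteStep and the Handshake struct are hypothetical; RSA-OAEP, AES-256-GCM and SHA-256 stand in for the article's generic asymmetric, symmetric and HASH algorithms, and this is not how real TLS frames its messages.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// Handshake is a constructed toy bundle for step 1 (not a real TLS record): the session key
// sealed with the site's RSA public key, the handshake message under AES-256-GCM (nonce
// prepended), and the plaintext message's SHA-256 digest, the "HASH" the website re-checks.
type Handshake struct {
	SealedKey, EncMsg []byte
	Digest            [sha256.Size]byte
}

// browserStep (browser -> website): pick a random session key, seal it with the site's public
// key (RSA-OAEP), encrypt and hash the handshake message, and keep the key for the symmetric phase.
func browserStep(pub *rsa.PublicKey, msg []byte) (*Handshake, []byte, error) {
	key, nonce := make([]byte, 32), make([]byte, 12) // fresh per handshake
	rand.Read(key)
	rand.Read(nonce)
	sealed, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return nil, nil, err
	}
	block, _ := aes.NewCipher(key) // 32-byte key selects AES-256; cannot fail
	gcm, _ := cipher.NewGCM(block)
	enc := gcm.Seal(nonce, nonce, msg, nil) // nonce || ciphertext || tag
	return &Handshake{sealed, enc, sha256.Sum256(msg)}, key, nil
}

// websiteStep: recover the session key with the private key, decrypt the handshake message and
// compare its hash with the browser's digest; any failure aborts the handshake instead of proceeding.
func websiteStep(priv *rsa.PrivateKey, h *Handshake) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), nil, priv, h.SealedKey, nil)
	if err != nil || len(key) != 32 || len(h.EncMsg) < 12 {
		return nil, errors.New("cannot recover session key")
	}
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	msg, err := gcm.Open(nil, h.EncMsg[:12], h.EncMsg[12:], nil)
	if err != nil || sha256.Sum256(msg) != h.Digest {
		return nil, errors.New("handshake message or hash check failed")
	}
	return key, nil
}
```

Tampering with the digest or the ciphertext, or decrypting with a different private key, makes websiteStep return an error, which is the "handshake error breaks the connection" behaviour the article describes.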

See also this URL:

Http://www.codeceo.com/article/ssl-time-https-slower-http.html
