
How to analyze the principles of HTTPS and SSL

2025-03-29 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--

Many readers without a security background are unsure how to analyze the principles of HTTPS and SSL. This article walks through the problems HTTPS is meant to solve and how each one is solved; I hope it helps you work through the topic.

HTTPS is HTTP carried over SSL/TLS, which provides secure communication between web browsers and servers. Support for HTTPS is built into today's operating systems and browsers, so whether a site can use it depends only on whether the web server is configured for it. This article focuses on the principles of HTTPS and SSL certificates and does not cover any particular implementation. Before describing those principles, let's clarify a few basic concepts of network security.

I. Basic concepts

1. Symmetric encryption algorithm

A symmetric encryption algorithm consists of five parts:

Plaintext: the original message or data

Encryption algorithm

Key: a secret shared by the sender and the receiver

Ciphertext: the result of running the plaintext through the encryption algorithm with the key

Decryption algorithm: recovers the plaintext from the ciphertext using the same key

2. Asymmetric encryption algorithm

Unlike a symmetric encryption algorithm, an asymmetric encryption algorithm uses different keys for encryption and decryption.

3. Public key Cryptography and RSA

Public key cryptography is a form of asymmetric encryption. In a public key cryptosystem each party holds a key pair: a public key, which is openly distributed for anyone to use, and a private key, which is known only to its owner. Whatever is encrypted with one key of the pair can be decrypted only with the other.

RSA is one such public key algorithm. In RSA either key can be applied to a message: ciphertext produced with the public key can be decrypted only with the private key, and ciphertext produced with the private key can be decrypted only with the public key. The second direction is what digital signatures are built on: applying the private key to the hash of a message yields a value that anyone with the public key can check but nobody without the private key could have produced. (In real protocols the private-key operation is done through a padded signature scheme rather than raw encryption, but the principle is the same.)

II. The principle of SSL certificate

This section describes only the principle of SSL certificates; how to apply for, generate and deploy certificates is documented in many other places. Before introducing the certificate itself, you need to know what a certificate fingerprint is and what the fingerprint algorithm does.

A fingerprint is a value appended to the certificate information (certificate authority, company name, validity period, etc.) so that a recipient can check that the information has not been modified. The sender computes the fingerprint with a fingerprint algorithm (a hash function such as SHA-256) and sends it together with the original information. The recipient runs the same hash over the information and compares the result with the fingerprint; if they match, the information is intact. On its own this is not safe: an attacker who can modify the content can simply recompute the fingerprint with the same algorithm. To close that hole the fingerprint is protected with a public key operation, which is where the certificate authority's signature comes in.

Suppose company B applies for an SSL certificate from the certification authority xxx CA. It will receive a certificate similar to the one shown in the figure, carrying B's public key alongside the identity fields above and the CA's signature over them.

When company B later communicates with a user, it sends this certificate to the user. The user's software first checks who issued the certificate. If the issuer is a universally recognized certificate authority such as xxx CA, the operating system (or browser) already has that authority's information and public key built in when it ships. If the issuer is not trusted, the application (such as the browser) issues a warning. If the issuer is trusted, the application uses the preset xxx CA public key to reverse the CA's private-key operation on the fingerprint, recomputes the fingerprint over the certificate content with the stated fingerprint algorithm, and compares the two. Because the fingerprint was signed with the certificate authority's private key, which only the CA holds, a successful comparison shows that the certificate has not been modified since it was issued, and the user can safely use the company's public key contained in it. (A real client also checks the validity period, that the certificate's name matches the site being visited, and whether the certificate has been revoked.)
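The fingerprint-and-signature check described above, written out as an added Python example; this is not code from the original article. It uses a toy RSA built from fixed Mersenne primes and a SHA-256 fingerprint, and the trust store, the "xxx CA" key, company B's key and the certificate fields are all constructed values. The CA signs the fingerprint with its private key, the client verifies with the CA public key built into its trust store, and each of the attacker's options fails: tampering with a field, recomputing the fingerprint and re-signing with a key of their own, or issuing from an authority the client does not know.

```python
import hashlib
import json

# Toy RSA from fixed Mersenne primes so the demo is reproducible; such a modulus is
# trivially factorable, and a real CA key uses random 2048-bit+ primes from a CSPRNG.
# pow(e, -1, phi) needs Python 3.8+.


def make_keypair(p=2**127 - 1, q=2**89 - 1, e=65537):
    """Return ((n, e), (n, d)): the public and private halves of a toy RSA key."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))


def fingerprint(fields: dict, n: int) -> int:
    """The 'fingerprint algorithm': SHA-256 over the canonical certificate fields,
    reduced mod n only so that the toy RSA can operate on it."""
    data = json.dumps(fields, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def ca_issue(fields: dict, ca_priv) -> dict:
    """The CA applies its private key to the fingerprint and attaches the result."""
    n, d = ca_priv
    return {"fields": fields, "signature": pow(fingerprint(fields, n), d, n)}


def client_verify(cert: dict, trusted_cas: dict) -> bool:
    """What the browser does: find the issuer's built-in public key, undo the CA's
    private-key operation with it, and compare against a freshly computed fingerprint."""
    issuer = cert["fields"].get("issuer")
    if issuer not in trusted_cas:
        return False                      # unknown CA: the browser shows a warning
    n, e = trusted_cas[issuer]
    return pow(cert["signature"], e, n) == fingerprint(cert["fields"], n)


# Constructed trust store and certificate content; none of these values are real.
CA_PUB, CA_PRIV = make_keypair()
TRUSTED_CAS = {"xxx CA": CA_PUB}          # shipped with the OS / browser
B_PUB, _ = make_keypair(2**107 - 1, 2**61 - 1)
B_FIELDS = {"issuer": "xxx CA", "subject": "B company", "valid_to": "2026-12-31",
            "public_key": list(B_PUB)}


def demo() -> dict:
    cert = ca_issue(B_FIELDS, CA_PRIV)
    attacker_pub, attacker_priv = make_keypair(2**61 - 1, 2**31 - 1)
    # Swap in the attacker's public key but keep the CA's signature.
    tampered = dict(cert, fields=dict(cert["fields"], public_key=list(attacker_pub)))
    # Recompute the fingerprint and "sign" it, as the text warns: without the CA's
    # private key the attacker can only sign with their own, which the client never trusts.
    resigned = ca_issue(tampered["fields"], attacker_priv)
    unknown_issuer = ca_issue(dict(B_FIELDS, issuer="Evil CA"), attacker_priv)
    return {
        "genuine": client_verify(cert, TRUSTED_CAS),
        "tampered": client_verify(tampered, TRUSTED_CAS),
        "resigned": client_verify(resigned, TRUSTED_CAS),
        "unknown_issuer": client_verify(unknown_issuer, TRUSTED_CAS),
    }


if __name__ == "__main__":
    print(demo())
```

Only the genuine certificate verifies. Note that the hash is reduced mod n purely to fit the toy key; a real signature scheme (RSA-PSS, ECDSA) pads the full digest instead, and a real client walks a chain of such signatures from the site certificate up to the built-in root.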

III. The principle of HTTPS

HTTPS exists to solve the problem of insecure data transmission in network communication. Taking login as an example, let's first look at the simplest communication process and then analyze its insecure elements and their solutions step by step.

1. The simplest communication process

This communication process is full of holes; it is the networking equivalent of a primary-school exercise. The most obvious mistake is that the client has no way of knowing that the response really comes from the target server. An attacker can impersonate that server in any number of ways and easily obtain the user's username and password, which is why the figure can only identify the server as "some address". To solve this, the browser first needs to confirm the identity of the other party, which gives the following communication process.

2. Confirm server identity

Verifying the identity of the server uses the RSA algorithm described earlier. RSA is suitable for this because of the following properties:

Uniqueness of the private key

Confidentiality of the private key (only the server knows it)

Ciphertext produced with the private key can be decrypted only with the public key (a property of asymmetric encryption)

In the figure, the content in "()" is what the server has processed with its private key. In general the server applies its private key to a known plaintext, and the browser, on receiving the message, applies the public key to it. By property 3 the public key recovers the plaintext; if it does not, the other party is not the target server. The browser then compares the result with the expected plaintext, and because the private key is unique and confidential, a match confirms that the other party is the target server. (A real check uses a fresh random value chosen by the client, so that an attacker cannot simply replay a response captured earlier.) However, once the server's identity is confirmed, any data the browser sends to it can still be intercepted by an attacker, and the username and password would fall into the attacker's hands. So the next step is to encrypt the data that is sent.

3. Communication content encryption

The browser encrypts the username and password with the server's public key. Because

ciphertext encrypted with the public key can only be decrypted with the private key,

only the server can decrypt it with its private key, and an attacker who captures the ciphertext cannot read it. There is still a problem when the server sends information back: if the server encrypts its reply with its private key, anyone holding the public key, which is public by definition, can decrypt it. So there is one more step in the communication between the browser and the server.

4. Encrypt the communication with a symmetric algorithm agreed between the two sides

So that neither side's messages can be read by others, a symmetric encryption algorithm is used: the browser chooses the algorithm and a key and encrypts them with the server's public key before sending them. Only the server can decrypt that message with its private key, so only the server learns the symmetric algorithm and key. Once the server has them, all subsequent communication is encrypted with the symmetric cipher. Because the algorithm and key are known only to the client and the server, an attacker who captures the subsequent traffic cannot decrypt it. (Symmetric encryption is also far faster than RSA, which is why the bulk of the traffic is not simply encrypted with public keys.)

At this point we basically have the whole HTTPS communication process, and it looks hard for an attacker to break. Notice, however, that every step so far assumes the client already has the server's public key. If the public key is obtained only through an exchange between client and server, there is a serious risk: how does the user know that the public key received is really the target server's and not an attacker's? A claim of the form "prove that the credential proving your identity is yours" is best settled by a trusted third party that vouches that the credential belongs to the server. This is where the SSL certificate comes in. As described earlier, the server hands its public key to the user inside an SSL certificate, and the third party is the certificate authority. With that we have a complete HTTPS communication process.
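The four steps above, combined into one runnable Python exchange, added here as an illustration rather than code from the original article. It assumes the browser already holds the server's public key (as obtained from the certificate), uses a toy RSA key from fixed Mersenne primes with no padding, and substitutes an HMAC-SHA256 keystream for the symmetric cipher; the nonce, the credentials and the session key are constructed values. The report it returns shows who can read what at each step, including the step-3 weakness that a reply made with the private key is readable by anyone holding the public key:

```python
import hashlib
import hmac
import secrets

# Toy server key pair.  Mersenne primes keep the demo reproducible and fast, but they
# make the modulus trivially factorable; a real key uses random 2048-bit+ primes.
# pow(E, -1, phi) needs Python 3.8+.
P, Q, E = 2**127 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))
SERVER_PUB = (N, E)    # what the browser learned from the certificate
SERVER_PRIV = (N, D)   # known only to the server


def rsa(m: int, key) -> int:
    """Textbook RSA with either half of the key pair (no padding; real protocols always pad)."""
    n, exp = key
    assert 0 <= m < n, "message must be smaller than the modulus"
    return pow(m, exp, n)


def to_int(data: bytes) -> int:
    return int.from_bytes(data, "big")


def to_bytes(m: int) -> bytes:
    # Drops leading zero bytes, which is why the session key below is unwrapped
    # with an explicit length instead.
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def digest(data: bytes) -> int:
    return to_int(hashlib.sha256(data).digest()) % N


# Step 2: the browser sends a fresh nonce; the server returns it transformed with the
# private key (the "( )" content in the text) and only the public key undoes that.
def server_prove(nonce: bytes, priv=SERVER_PRIV) -> int:
    return rsa(digest(nonce), priv)


def browser_check(nonce: bytes, proof: int, pub=SERVER_PUB) -> bool:
    return rsa(proof, pub) == digest(nonce)


# Step 4: the symmetric channel.  XOR with an HMAC-SHA256 keystream stands in for a real
# cipher such as AES-GCM; never reuse a (key, counter) pair, and do not reuse this toy.
def sym_crypt(key: bytes, counter: int, data: bytes) -> bytes:
    stream = b""
    for block in range(len(data) // 32 + 1):
        info = counter.to_bytes(8, "big") + block.to_bytes(4, "big")
        stream += hmac.new(key, info, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, stream))


def handshake(nonce: bytes = b"browser-nonce-0001", session_key: bytes = None) -> dict:
    """Run the flow from the text; the dict says who can read what at each step."""
    session_key = session_key or secrets.token_bytes(16)
    report = {}

    # 2. identity: the genuine server answers with D; an impostor can only guess.
    report["genuine_server"] = browser_check(nonce, server_prove(nonce))
    report["impostor"] = browser_check(nonce, secrets.randbelow(N))

    # 3. browser -> server under the public key: only D opens it ...
    creds = b"alice:hunter2"                       # constructed login data
    ct = rsa(to_int(creds), SERVER_PUB)
    report["server_reads_creds"] = to_bytes(rsa(ct, SERVER_PRIV)) == creds
    report["eavesdropper_reads_creds"] = to_bytes(rsa(ct, SERVER_PUB)) == creds
    # ... but a reply made with the private key is readable by anyone with the public key.
    reply = rsa(to_int(b"login ok"), SERVER_PRIV)
    report["eavesdropper_reads_reply"] = to_bytes(rsa(reply, SERVER_PUB)) == b"login ok"

    # 4. the browser picks a symmetric key, sends it under the public key, and both sides
    # switch to the symmetric cipher for everything that follows.
    wrapped = rsa(to_int(session_key), SERVER_PUB)
    server_key = rsa(wrapped, SERVER_PRIV).to_bytes(16, "big")
    report["server_has_key"] = server_key == session_key
    report["eavesdropper_has_key"] = to_bytes(rsa(wrapped, SERVER_PUB)) == session_key
    request = b"GET /account HTTP/1.1"
    wire = sym_crypt(session_key, 1, request)
    report["wire_is_ciphertext"] = wire != request
    report["server_decrypts_traffic"] = sym_crypt(server_key, 1, wire) == request
    return report


if __name__ == "__main__":
    for step, ok in handshake().items():
        print(f"{step:28s} {ok}")
```

Everything hinges on SERVER_PUB really belonging to the server, which is exactly the gap the certificate closes. Also note what this RSA key-transport model does not give you: anyone who later obtains the server's private key can unwrap every recorded session key, which is why modern TLS derives the session key with an ephemeral Diffie-Hellman exchange and uses the private key only to sign.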

That covers the principles of SSL certificates and HTTPS. The actual handshake has many more details (cipher-suite negotiation, the chain of certificates from the site certificate up to the built-in root, and, in modern TLS, an ephemeral Diffie-Hellman key exchange so that recorded traffic cannot be decrypted even if the server's private key is later stolen), but they do not stand in the way of understanding the principle. Many sensitive operations in development and production can be designed with this idea in mind; corrections to any unreasonable or erroneous points in the article are welcome.


© 2024 shulou.com SLNews company. All rights reserved.
