2025-02-24 Update. From: SLTechnology News&Howtos, Network Security
Shulou (Shulou.com) 05/31 Report
How should HTTPS two-way authentication be understood? Two-way (mutual) authentication means that the client proves its identity with a certificate just as the server does, instead of only the server being authenticated. This article walks through the relevant background and the handshake message by message, in the hope of giving readers who face this question a simple and workable way to reason about it.
I. HTTPS basics
1. What are HTTP and HTTPS?
HTTP: the Hypertext Transfer Protocol is the most widely used application-layer protocol on the Internet. It is a request/response standard between a client and a server, carried over TCP, and is used to deliver hypertext from a WWW server to the user's browser. Plain HTTP is sent in cleartext: anyone on the network path can read or alter it.
HTTPS: Hypertext Transfer Protocol Secure is HTTP carried over a secure channel. Put simply, it is the secure version of HTTP: an SSL/TLS layer is inserted between HTTP and TCP, and all of the cryptography lives in that layer, so SSL/TLS is the security foundation of HTTPS. The protocol serves two purposes: establishing an encrypted, integrity-protected channel so that data in transit cannot be read or tampered with, and authenticating the server so that the client knows which site it is really talking to. With two-way authentication, the subject of this article, the server additionally authenticates the client.
2. What is the difference between SSL and TLS?
SSL: Secure Sockets Layer is a protocol layer that sits between a reliable, connection-oriented transport (TCP) and the application protocol. It authenticates the two parties, uses digital signatures, and encrypts the traffic so that client and server can communicate privately. The protocol has two layers: the SSL record protocol and the SSL handshake protocol.
TLS: Transport Layer Security provides confidentiality and data integrity between two applications. It likewise consists of two layers: the TLS record protocol and the TLS handshake protocol.
Conclusion: SSL went through three versions, and none of them should be used today: SSL 2.0 is prohibited by RFC 6176 and SSL 3.0 was deprecated by RFC 7568 after the POODLE attack. TLS is the IETF standardization of SSL and has four versions: TLS 1.0, 1.1, 1.2 and 1.3. TLS 1.0 is only a modest revision of SSL 3.0, which is why the two are often spoken of together, but TLS 1.0 and 1.1 have been deprecated as well (RFC 8996); new deployments should offer TLS 1.2 and 1.3 only. So everything in use today is really TLS, but out of historical habit it is still commonly called SSL.
3. What is a CRL?
CRL: a Certificate Revocation List is a signed list, published by the CA, of the serial numbers of certificates it has revoked before their expiry date. A client downloads the list periodically, caches it locally, and checks each server certificate it receives against the cached list. The burden falls entirely on the client: it has to manage and refresh the cache, the lists can grow large, and the bandwidth and availability of the CA's distribution point are outside the client's control. For browsers this approach therefore lost out to the server-assisted alternatives (OCSP and OCSP stapling), though CRLs are still widely used by servers to check client certificates in private PKIs, which is exactly the two-way authentication case discussed below.
4. What is OCSP?
OCSP: the Online Certificate Status Protocol. From the certificate alone a TLS client cannot tell whether an unexpired certificate has been revoked: in most cases a CA simply lets certificates run to expiry, but when it has to revoke one early (after a key compromise, for example) the client needs some way to find out. With OCSP, after receiving the server's certificate the client asks the CA's OCSP responder whether that certificate has been revoked (expiry itself is read from the certificate's validity period). Because this costs an extra round trip, depends on the responder being reachable, and tells the CA which sites the user visits, servers commonly use OCSP stapling instead: the server fetches the signed OCSP response itself and includes it in the TLS handshake.
5. What is HSTS?
HSTS: HTTP Strict Transport Security, a web security policy standardized by the IETF in RFC 6797. A site turns it on by sending the Strict-Transport-Security response header (for example max-age=31536000; includeSubDomains) over HTTPS. Once the browser has seen the header, the user no longer has to type https:// in the address bar: for the duration of max-age the browser rewrites every plain http:// request to that host to https:// before it is sent, and it refuses to let the user click through certificate errors, so the site is always reached over an encrypted connection and an attacker on the network can no longer downgrade it to plain HTTP. Two caveats: the browser ignores the header when it arrives over plain HTTP, and the very first visit is unprotected unless the domain is on the browsers' built-in preload list.
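The browser side of this mechanism, as an added example that is not from the original article: a small Go model of the browser's HSTS cache that parses Strict-Transport-Security headers (max-age, includeSubDomains and the max-age=0 opt-out) and decides which later http:// URLs are rewritten to https://, including inheritance by subdomains and expiry. The host names and headers are constructed for the demonstration and the clock is fixed so that expiry can be shown without waiting.

```go
package main

import (
	"fmt"
	"net/url"
	"strconv"
	"strings"
	"time"
)

// policy is the browser-side state for one host: when the rule lapses and
// whether it also covers subdomains.
type policy struct {
	expires           time.Time
	includeSubDomains bool
}

// HSTSStore is a minimal model of the browser's HSTS cache. now is injectable
// so expiry can be demonstrated without waiting.
type HSTSStore struct {
	now   func() time.Time
	hosts map[string]policy
}

// Observe records a Strict-Transport-Security header that arrived from host.
// The caller must only pass headers received over TLS: browsers ignore the
// header on plain HTTP (RFC 6797, section 8.1). A header without a valid
// max-age is ignored, and max-age=0 removes the host.
func (s *HSTSStore) Observe(host, header string) {
	var p policy
	seen := false
	for _, directive := range strings.Split(header, ";") {
		name, value, _ := strings.Cut(strings.TrimSpace(directive), "=")
		switch strings.ToLower(name) {
		case "max-age":
			secs, err := strconv.Atoi(strings.Trim(value, "\""))
			if err != nil || secs < 0 || seen { // malformed or duplicated: drop the whole header
				return
			}
			p.expires, seen = s.now().Add(time.Duration(secs)*time.Second), true
		case "includesubdomains":
			p.includeSubDomains = true
		}
	}
	if !seen {
		return
	}
	if !p.expires.After(s.now()) { // max-age=0: the site is opting out
		delete(s.hosts, host)
		return
	}
	s.hosts[host] = p
}

// Upgrade is what the browser does before sending a navigation: if a live
// policy covers the host, exactly or through an includeSubDomains rule on a
// parent domain, http:// becomes https:// (an explicit port 80 is dropped so
// the default 443 applies). Anything else passes through unchanged.
func (s *HSTSStore) Upgrade(raw string) string {
	u, err := url.Parse(raw)
	if err != nil || u.Scheme != "http" {
		return raw
	}
	host := strings.ToLower(u.Hostname())
	for h, exact := host, true; h != ""; exact = false {
		if p, ok := s.hosts[h]; ok && p.expires.After(s.now()) && (exact || p.includeSubDomains) {
			u.Scheme = "https"
			if u.Port() == "80" {
				u.Host = host
			}
			return u.String()
		}
		_, h, _ = strings.Cut(h, ".") // walk up to the parent domain
	}
	return raw
}

// Demo replays, with a fixed clock and constructed headers, what a browser does
// after its first HTTPS visits. It returns the upgraded subdomain URL, a URL for
// a host whose header lacked max-age, a host with a live policy, the same host
// after the policy lapsed, and the first host after the site sent max-age=0.
func Demo() (subdomain, ignoredHeader, live, lapsed, optedOut string) {
	clock := time.Date(2025, 2, 24, 12, 0, 0, 0, time.UTC)
	s := &HSTSStore{now: func() time.Time { return clock }, hosts: map[string]policy{}}
	// Headers as received over TLS from three sites (constructed for the demo).
	s.Observe("example.test", "max-age=31536000; includeSubDomains")
	s.Observe("short.test", "max-age=60")
	s.Observe("bad.test", "includeSubDomains") // no max-age: the browser ignores it
	subdomain = s.Upgrade("http://api.example.test:80/v1?x=1")
	ignoredHeader = s.Upgrade("http://bad.test/")
	live = s.Upgrade("http://short.test/")
	clock = clock.Add(61 * time.Second)
	lapsed = s.Upgrade("http://short.test/")
	s.Observe("example.test", "max-age=0") // the site opts out
	optedOut = s.Upgrade("http://example.test/")
	return
}

func main() {
	fmt.Println(Demo())
}
```

The server side is the mirror image and needs no code of its own: emit the header only on responses that were served over TLS, and answer plain http:// requests with a redirect to the https:// URL, since a header sent over plain HTTP is discarded by the browser anyway.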
II. HTTPS flow chart (figure not included in this copy)
III. Terms that appear in HTTPS messages
1. Session Identifier
The Session Identifier (Session ID) is an identifier the server generates during the TLS handshake. The server keeps the negotiated session state (master secret, cipher suite) under that ID; the browser stores the ID and sends it in its next ClientHello. If the server finds matching state it can skip the certificate exchange and key agreement and complete an abbreviated handshake.
2. Session Ticket
The Session Identifier mechanism has some drawbacks: 1) behind a load balancer the session caches of the individual servers are usually not synchronized, so when the client's next connection lands on a different machine no matching state is found; 2) the server has to choose how long to keep each Session ID's state: too short and resumption rarely succeeds, too long and the cache ties up a lot of server memory.
A Session Ticket solves both problems. Instead of storing the state, the server encrypts it with a ticket key known only to the server side and hands the resulting opaque ticket to the browser, which stores it. When the browser sends the ticket in a later ClientHello, any server that can decrypt it (that is, any node sharing the ticket key) recovers the state and completes the abbreviated handshake. The ticket key is therefore a high-value secret: whoever obtains it can decrypt every ticket it protected, and in TLS 1.2 those tickets contain the session's master secret, so the key must be kept off disk where possible and rotated regularly. TLS 1.3 folds both mechanisms into PSK-based resumption, which in practice still rides on encrypted tickets.
3. ClientKeyExchange and ServerKeyExchange
Apart from plain RSA key transport and the static DH_DSS / DH_RSA suites, the cipher suites in common use never send the pre-master secret (random number C) over the channel; both sides compute it. With a TLS_DHE_xxx or TLS_ECDHE_xxx suite, for instance, ServerKeyExchange and ClientKeyExchange each carry one side's ephemeral public Diffie-Hellman value. Each side combines the peer's public value with its own private value and obtains the same pre-master secret locally, so C appears in no TCP packet. Because those private values are discarded after the handshake, a later compromise of the server's certificate key does not expose past sessions (forward secrecy); with RSA key transport it does, which is one reason TLS 1.3 removed RSA key transport.
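As an added illustration that is not part of the original article, the following Go program runs the ephemeral Diffie-Hellman step that an ECDHE suite performs inside ServerKeyExchange and ClientKeyExchange, using X25519 from Go's standard crypto/ecdh package. The Wire struct is a constructed stand-in for what a packet capture would contain: only the two public values. Both sides derive the same pre-master secret locally, and a second handshake yields a different one. The PRF step that turns the pre-master secret and the randoms A and B into session keys is left out.

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/rand"
	"fmt"
)

// Wire is everything an eavesdropper on the TCP connection sees of the key
// exchange: the ephemeral public value in ServerKeyExchange and the one in
// ClientKeyExchange. Neither private value nor the pre-master secret is sent.
type Wire struct {
	ServerPub, ClientPub []byte
}

// ecdhe runs one X25519 exchange and returns what went over the wire plus the
// pre-master secret each side computed for itself.
func ecdhe() (w Wire, serverSecret, clientSecret []byte, err error) {
	curve := ecdh.X25519()
	// ServerKeyExchange: the server makes an ephemeral key pair and sends only
	// the public half (in a real handshake that value is also signed with the
	// private key belonging to the server certificate).
	srvPriv, err := curve.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	w.ServerPub = srvPriv.PublicKey().Bytes()
	// ClientKeyExchange: the client does the same.
	cliPriv, err := curve.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	w.ClientPub = cliPriv.PublicKey().Bytes()
	// Each side combines its own private value with the peer's public value.
	// No message carries the result; the two computations simply agree.
	srvPeer, err := curve.NewPublicKey(w.ClientPub)
	if err != nil {
		return
	}
	if serverSecret, err = srvPriv.ECDH(srvPeer); err != nil {
		return
	}
	cliPeer, err := curve.NewPublicKey(w.ServerPub)
	if err != nil {
		return
	}
	clientSecret, err = cliPriv.ECDH(cliPeer)
	return
}

// Agree reports whether both sides derived the same pre-master secret, and
// whether a second handshake produced a different one: the key pairs are
// ephemeral, so nothing long-lived can later be used to recompute this
// session's secret (forward secrecy).
func Agree() (sameBothSides, freshEachHandshake bool, err error) {
	_, s1, c1, err := ecdhe()
	if err != nil {
		return
	}
	_, s2, _, err := ecdhe()
	if err != nil {
		return
	}
	return bytes.Equal(s1, c1), !bytes.Equal(s1, s2), nil
}

func main() {
	fmt.Println(Agree()) // true true <nil>
}
```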
IV. HTTPS packet capture: the messages one by one
1. ClientHello
① the highest TLS version the client supports
② the list of cipher suites the client supports (each names a key-exchange method, an authentication method, a symmetric cipher and a MAC or AEAD mode)
③ random number A (the client random)
④ optionally a Session ID or Session Ticket from an earlier session, if the client wants an abbreviated handshake
2. ServerHello and the rest of the server's first flight
① the TLS version the server selected
② the cipher suite the server selected
③ random number B (the server random)
④ Certificate: the server's certificate chain
⑤ ServerKeyExchange: the server's ephemeral key-exchange parameters, signed with the private key belonging to the certificate
⑥ CertificateRequest: asks the client for its certificate and lists the CAs the server accepts (present only in two-way authentication)
3. The client's certificate and key-exchange flight
① Certificate: the client certificate (two-way authentication only)
② ClientKeyExchange: the client's key-exchange contribution (its ephemeral public value, or, with RSA key transport, the pre-master secret encrypted under the server's public key)
③ CertificateVerify: a signature over all handshake messages so far, made with the client's private key; this is what proves the client holds the key matching the certificate it presented (two-way authentication only)
④ ChangeCipherSpec: the notice that everything from here on is protected with the negotiated symmetric keys
⑤ Finished: a digest of the whole handshake, encrypted under the symmetric key derived from random numbers A and B and the pre-master secret C; the server rejects the connection if it does not verify
4. The server completes the handshake
① NewSessionTicket (only when ticket-based resumption is in use)
② ChangeCipherSpec
③ Finished: the server's own digest of the handshake, encrypted under the same key derived from A, B and C
Note that this is the TLS 1.2 message flow. In TLS 1.3 the key shares travel inside ClientHello and ServerHello, everything after ServerHello is already encrypted, ServerKeyExchange is gone and ChangeCipherSpec survives only as a dummy compatibility message, and the client's Certificate and CertificateVerify are sent encrypted, so a capture shows far less in the clear.
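The two-way handshake listed above and the Session Ticket behaviour from the earlier section, run end to end as an added example that is not from the original article. It uses Go's standard crypto/tls with a PKI constructed in memory (a self-signed "Demo Root CA", a server certificate for 127.0.0.1 and a client certificate for "alice") and four loopback connections: a client without a certificate is refused; a client with one completes a full handshake and receives a ticket; a second server node configured with the same ticket key resumes the session and still knows the client is "alice", because the client certificate rides inside the ticket; a node with a different ticket key cannot read the ticket and falls back to a full handshake. Go negotiates TLS 1.3 here, so the cleartext ServerKeyExchange and ChangeCipherSpec steps of the TLS 1.2 flow do not appear on the wire; the comments note where that changes what the client observes.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// must panics on err: every setup step in this demo is fatal if it fails.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue mints a P-256 key and certificate for cn signed by parent; with parent == nil it is the self-signed demo CA.
func issue(cn string, eku x509.ExtKeyUsage, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))),
		Subject:      pkix.Name{CommonName: cn}, IsCA: parent == nil, BasicConstraintsValid: true,
		NotBefore:    time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{eku},
		IPAddresses:  []net.IP{net.ParseIP("127.0.0.1")}, // the SAN the client verifies on the server cert
	}
	if parent == nil {
		tmpl.KeyUsage, parent, parentKey = x509.KeyUsageCertSign, tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// Constructed demo PKI: a root CA, one server cert shared by every "node", one client cert.
var (
	caCert, caKey   = issue("Demo Root CA", x509.ExtKeyUsageAny, nil, nil)
	srvCert, srvKey = issue("127.0.0.1", x509.ExtKeyUsageServerAuth, caCert, caKey)
	cliCert, cliKey = issue("alice", x509.ExtKeyUsageClientAuth, caCert, caKey)
	pool            = func() *x509.CertPool { p := x509.NewCertPool(); p.AddCert(caCert); return p }()
)

// connect runs one handshake between client and a fresh server node on loopback and returns the
// server's view of it (zero value if it aborted) plus the client's error. The client's Read matters
// twice: it is where the NewSessionTicket arrives, and under TLS 1.3 the client's Handshake returns
// before the server has checked the client certificate, so a rejected client sees the alert only there.
func connect(client *tls.Config, ticketKey [32]byte) (tls.ConnectionState, error) {
	ln := must(net.Listen("tcp", "127.0.0.1:0"))
	defer ln.Close()
	view := make(chan tls.ConnectionState, 1)
	go func() {
		// ClientCAs + RequireAndVerifyClientCert is what makes the handshake two-way;
		// ticketKey is the server-only secret that encrypts the Session Tickets it hands out.
		node := &tls.Config{
			Certificates: []tls.Certificate{{Certificate: [][]byte{srvCert.Raw}, PrivateKey: srvKey}},
			ClientAuth:   tls.RequireAndVerifyClientCert,
			ClientCAs:    pool,
		}
		node.SetSessionTicketKeys([][32]byte{ticketKey})
		s := tls.Server(must(ln.Accept()), node)
		defer s.Close()
		if s.Handshake() != nil { // e.g. "tls: client didn't provide a certificate"
			view <- tls.ConnectionState{}
			return
		}
		s.Write([]byte("ok"))
		view <- s.ConnectionState()
	}()
	c, err := tls.Dial("tcp", ln.Addr().String(), client)
	if err == nil {
		defer c.Close()
		_, err = c.Read(make([]byte, 2))
	}
	return <-view, err
}

// Demo returns whether a client with no certificate was refused and then, for one certificate-bearing
// client talking to three nodes (two sharing a ticket key, the third with its own), whether each
// handshake was resumed and which client identity the server saw.
func Demo() (noCertRejected bool, resumed [3]bool, cn [3]string) {
	st, err := connect(&tls.Config{RootCAs: pool}, [32]byte{})
	noCertRejected = err != nil && !st.HandshakeComplete
	client := &tls.Config{
		RootCAs:            pool,
		Certificates:       []tls.Certificate{{Certificate: [][]byte{cliCert.Raw}, PrivateKey: cliKey}},
		ClientSessionCache: tls.NewLRUClientSessionCache(8), // where received tickets are kept
	}
	var shared, other [32]byte
	must(rand.Read(shared[:]))
	must(rand.Read(other[:]))
	for i, key := range [3][32]byte{shared, shared, other} {
		st, err := connect(client, key)
		if err != nil {
			panic(err)
		}
		resumed[i] = st.DidResume
		if len(st.PeerCertificates) > 0 { // on a resumed connection this comes out of the ticket
			cn[i] = st.PeerCertificates[0].Subject.CommonName
		}
	}
	return noCertRejected, resumed, cn
}

func main() {
	fmt.Println(Demo()) // true [false true false] [alice alice alice]
}
```

Run it with go run; the printed line shows the refusal, the resumed/full pattern across the three nodes, and that the server attributes every connection to "alice" even when no Certificate message was exchanged. Two practitioner notes follow from it: the ticket key shared across the pool is what makes resumption work behind a load balancer and is also what must be rotated, and a client that is refused for lack of a certificate under TLS 1.3 only learns about it on its first read, so application code must not treat a successful Dial as proof that the server accepted it.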
That concludes the discussion of how to understand HTTPS two-way authentication. I hope the above content has been of some help. If you still have questions, follow the industry information channel to learn more.
© 2024 shulou.com SLNews company. All rights reserved.