2025-03-28 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
This article walks through how HTTPS works, using a worked analysis of its principles. The editor found it practical and shares it here for reference.
How HTTPS works
You may have heard that HTTPS is secure because it encrypts the transmitted data, and that this encryption is asymmetric. In fact HTTPS uses symmetric encryption for the content it transmits; asymmetric cryptography is used only while the certificate is verified and the session key is established. (What follows describes the RSA key-exchange form used by TLS 1.2 and earlier. TLS 1.3 establishes the session key with an ephemeral Diffie-Hellman exchange instead, and the certificate's key is used only to sign the handshake, which adds forward secrecy; the role of the certificate and of symmetric encryption is unchanged.)
An HTTPS session is divided into a certificate verification phase and a data transfer phase. The interaction is as follows:
① Certificate verification phase
1. The browser initiates an HTTPS request.
2. The server returns its HTTPS (TLS) certificate.
3. The client verifies that the certificate is valid and shows a warning if it is not.
② Data transfer phase
1. Once the certificate is verified, the client generates a random number (the pre-master secret) locally.
2. The client encrypts the random number with the public key from the certificate and sends the ciphertext to the server.
3. The server decrypts the random number with its private key.
4. Both sides derive the same symmetric session key from that random number; from this point on the request and response data are encrypted with the symmetric algorithm.
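The data transfer phase above, as an added example that is not code from the original article: a simulation of the RSA key-exchange form of the handshake in Go, using only the standard library. The server keeps an RSA private key; the client encrypts a freshly generated 48-byte pre-master secret to the public key it took from the certificate; both sides derive an AES-256-GCM session key from it and use that key for the request and the response. Assumed simplifications: certificate parsing is skipped (the public key is handed over directly), OAEP padding stands in for the PKCS#1 v1.5 padding of the TLS 1.2 RSA key exchange, one labelled SHA-256 stands in for the TLS key-derivation function, and the request and response strings are constructed sample data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// NewServerKey is the server's long-lived key pair: the public half goes into the
// certificate, the private half never leaves the server.
func NewServerKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// ClientKeyExchange (steps 1-2): the client draws a 48-byte random pre-master secret and
// encrypts it to the public key it took from the verified certificate. OAEP padding is
// used here; the TLS 1.2 RSA key exchange uses PKCS#1 v1.5 (simplification).
func ClientKeyExchange(pub *rsa.PublicKey) (preMaster, encrypted []byte, err error) {
	preMaster = make([]byte, 48)
	if _, err = rand.Read(preMaster); err != nil {
		return nil, nil, err
	}
	encrypted, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, preMaster, nil)
	return preMaster, encrypted, err
}

// RecoverPreMaster (step 3): only the holder of the matching private key can recover it.
func RecoverPreMaster(priv *rsa.PrivateKey, encrypted []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), nil, priv, encrypted, nil)
}

// DeriveSessionKey (step 4) runs identically on both sides. Real TLS expands the pre-master
// secret with both parties' nonces through a PRF/HKDF; one labelled SHA-256 stands in here.
func DeriveSessionKey(preMaster []byte) []byte {
	sum := sha256.Sum256(append([]byte("session-key|"), preMaster...))
	return sum[:]
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts one record with AES-256-GCM under the session key (nonce prepended).
func Seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Open decrypts a record made by Seal; it fails on a wrong key or any tampering.
func Open(key, record []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if ns := gcm.NonceSize(); len(record) >= ns {
		return gcm.Open(nil, record[:ns], record[ns:], nil)
	}
	return nil, errors.New("record too short")
}

// transmit seals msg under the sender's key and opens it under the receiver's key.
func transmit(senderKey, receiverKey []byte, msg string) (string, error) {
	record, err := Seal(senderKey, []byte(msg))
	if err != nil {
		return "", err
	}
	plain, err := Open(receiverKey, record)
	return string(plain), err
}

// RunSession runs the whole exchange: returns the request as the server read it and the
// response as the client read it.
func RunSession(priv *rsa.PrivateKey, request, response string) (string, string, error) {
	preMaster, encPreMaster, err := ClientKeyExchange(&priv.PublicKey) // client side
	if err != nil {
		return "", "", err
	}
	serverSecret, err := RecoverPreMaster(priv, encPreMaster) // server side
	if err != nil {
		return "", "", err
	}
	clientKey, serverKey := DeriveSessionKey(preMaster), DeriveSessionKey(serverSecret)
	gotReq, err := transmit(clientKey, serverKey, request)
	if err != nil {
		return "", "", err
	}
	gotResp, err := transmit(serverKey, clientKey, response)
	return gotReq, gotResp, err
}

func main() {
	priv, err := NewServerKey()
	if err != nil {
		panic(err)
	}
	fmt.Println(RunSession(priv, "GET /login HTTP/1.1", "HTTP/1.1 200 OK")) // constructed sample traffic
}
```

The same functions also answer the question raised further down this page about reusing a public certificate: RecoverPreMaster fails with any private key other than the one matching the public key, so a middleman who holds only the certificate never obtains the pre-master secret, and a record sealed under the session key does not open under any other key.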
Why is the data transmission symmetrically encrypted?
First, asymmetric encryption and decryption are far slower than symmetric ones, and an HTTP application typically involves a great many exchanges between the two ends, so the cost of asymmetric encryption for every message is unacceptable.
Second, in HTTPS only the server holds a private key. A single key pair lets one side encrypt to the other (client to server) but cannot by itself protect what the server sends back. Content transmission in HTTPS therefore uses symmetric encryption with a key both sides share, not asymmetric encryption.
Why must certificates be issued by a certification authority (CA)?
HTTP is considered insecure because traffic in transit can be read by an eavesdropper and the server can be impersonated; HTTPS exists to solve these transport-security problems.
Suppose there were no certification authorities and anyone could make a certificate. The security risk this creates is the classic man-in-the-middle attack.
The man-in-the-middle attack proceeds as follows:
1. The client's requests are hijacked (for example by DNS hijacking) so that everything is sent to the middleman's server.
2. The middleman's server returns the middleman's own certificate.
3. The client generates a random number, encrypts it with the public key from the middleman's certificate, sends it to the middleman, and then uses that random number to set up symmetric encryption for the rest of the traffic.
4. Because the middleman now holds the client's random number, it can decrypt everything the client sends with the symmetric algorithm.
5. The middleman sends the client's request on to the real website.
6. The session between the middleman and the real server is a normal HTTPS session, so the real website returns its data over that channel.
7. The middleman decrypts the response with the symmetric key it established with the real website.
8. The middleman re-encrypts the response with the symmetric key it established with the client and sends it on.
9. The client decrypts the result with the symmetric key it established with the middleman.
Because the client never verified the certificate, it has no idea that its traffic was intercepted even though it made an HTTPS request, and the middleman reads everything in the clear.
How does the browser establish that a certificate is legitimate?
1. What information does a certificate contain?
Issuer (the authority that signed it)
Public key of the site
Subject (the organization that owns it)
Domain name(s) the certificate is valid for
Validity period
Fingerprint and the issuer's signature over the certificate contents
…
2. What makes a certificate legitimate?
First, only accredited authorities may issue certificates; an organization that is not accredited is not a certificate authority at all.
Second, a certificate's credibility rests on a trust system: the authority vouches for every certificate it issues, and a certificate issued by a trusted authority is treated as legitimate.
The authority therefore vets the applicant's information. The depth of vetting differs by validation level (domain validation only checks control of the domain; organization and extended validation also check the legal entity behind it), which is why certificates range from free to cheap to expensive.
3. How does the browser verify the certificate?
When the browser makes an HTTPS request, the server returns the site's SSL/TLS certificate and the browser checks it as follows:
1. Verify that the domain name matches the site being visited and that the current time lies within the validity period. Every certificate carries these fields, so this check is straightforward.
2. Verify that the certificate comes from a legitimate source. Every issued certificate can be followed up its chain to a root certificate. Operating systems and browsers ship the root certificates of the trusted authorities, and the locally stored root (through any intermediates) establishes where the site certificate came from.
3. Verify that the certificate has not been tampered with. The issuer's signature over the certificate contents is checked with the issuer's public key, taken from the locally stored root or intermediate certificate; this needs no contact with the CA's servers.
4. Verify that the certificate has not been revoked. This is done with a CRL (Certificate Revocation List) or OCSP (Online Certificate Status Protocol). OCSP asks about a single certificate instead of downloading the whole list, and with OCSP stapling the server attaches a recent OCSP response to the handshake itself, so the browser need not contact the CA at all.
The browser treats the certificate as legitimate only if all of the above checks pass.
Here is a question I puzzled over for a long time, although the answer turns out to be simple:
The certificate is public. If I wanted to mount a man-in-the-middle attack, could I not download the real site's certificate and present it from my own server? The client would then accept it as legitimate. What prevents this misuse of the certificate?
This is exactly where the asymmetric key pair does its work. The middleman can obtain the certificate, but not the private key, and the private key cannot be computed from the public key. So even with the real certificate, the middleman cannot impersonate the server: the random number the client encrypts to the certificate's public key cannot be decrypted without the matching private key, and the session never gets established.
4. Can only certification authorities generate certificates?
If the browser is not to show a security warning, only a certificate issued by a trusted certification authority will do. But browsers generally only warn about the risk and do not block access (a site that uses HSTS is the exception: there the browser refuses the connection outright), so technically anyone can generate a certificate and serve HTTPS with it. The early 12306 site, for example, provided HTTPS by having users manually install its own private root certificate.
What if the local random number is stolen?
Certificate verification relies on asymmetric encryption, but the transmission itself uses symmetric encryption, and the random number that the symmetric key is built from is generated and stored locally. How does HTTPS guarantee that this random number is not stolen?
It does not. HTTPS guarantees only the security of the transmission; the random number lives on the local machine, and local security is a separate concern. The measures there are the usual ones: antivirus and anti-Trojan software, keeping the browser up to date, and patching vulnerabilities.
Can HTTPS traffic be captured?
HTTPS data is encrypted, so normally the packets captured by a packet-capture tool are ciphertext and cannot be read directly.
However, as noted above, browsers only warn about security risks; with the user's authorization the request still goes through. So when the client is our own device we can, with our own consent, set up a man-in-the-middle network in which the capture tool acts as the middleman proxy.
The usual HTTPS capture tool works by generating its own root certificate, which the user installs manually on the client. From then on every request from the device is terminated at the capture tool under a certificate it issues on the fly for the requested site, the tool forwards the request to the real server, and the server's response is shown in the console and returned to the device, closing the loop.
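A worked example, added here and not part of the original article, that covers three sections together: the man-in-the-middle attack, the browser's certificate checks, and the capture-tool setup just described. It uses Go's standard library to build a small trust setup, a trusted root CA, a second "capture tool" CA, and the site certificates a browser might be shown, and then applies the checks listed above (chain to a locally stored root with the issuer's signature verified by the root's public key, domain match, validity period) and reports a verdict for each. All names (www.example.com, www.example.net, "Trusted Root CA", "Capture Tool CA") are constructed for the example. Revocation is deliberately left out: Go's x509.Certificate.Verify performs no CRL or OCSP lookup, so that step would be an additional check in real client code.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// issue creates a certificate for name: self-signed when parent is nil, otherwise signed
// with parentKey, which is exactly what a CA does for a site certificate.
func issue(name string, isCA bool, notAfter time.Time, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()), // good enough for the example
		Subject:               pkix.Name{CommonName: name},
		DNSNames:              []string{name}, // the name the certificate is bound to
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              notAfter,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	signer, signerKey := parent, parentKey
	if parent == nil {
		signer, signerKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// Verify is the browser-side check: chain the leaf to a locally stored root (the issuer's
// signature is checked with that root's public key; no CA server is contacted), then check
// the host name and the validity period. Revocation (CRL/OCSP) is not part of this call.
func Verify(leaf *x509.Certificate, roots *x509.CertPool, host string) string {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	var invalid x509.CertificateInvalidError
	switch {
	case err == nil:
		return "ok"
	case errors.As(err, new(x509.UnknownAuthorityError)):
		return "unknown authority"
	case errors.As(err, new(x509.HostnameError)):
		return "hostname mismatch"
	case errors.As(err, &invalid) && invalid.Reason == x509.Expired:
		return "expired"
	}
	return "other: " + err.Error()
}

// Scenarios issues the certificates a browser might be shown and returns each verdict.
func Scenarios() (map[string]string, error) {
	const host = "www.example.com" // constructed example name
	year := time.Now().Add(365 * 24 * time.Hour)
	ca, caKey, err := issue("Trusted Root CA", true, year, nil, nil)
	if err != nil {
		return nil, err
	}
	proxyCA, proxyKey, err := issue("Capture Tool CA", true, year, nil, nil)
	if err != nil {
		return nil, err
	}
	trusted := x509.NewCertPool() // the roots the OS or browser ships
	trusted.AddCert(ca)
	withProxy := x509.NewCertPool() // after the user installs the proxy's root by hand
	withProxy.AddCert(ca)
	withProxy.AddCert(proxyCA)
	cases := []struct {
		name, subject string
		until         time.Time
		parent        *x509.Certificate
		parentKey     *ecdsa.PrivateKey
		roots         *x509.CertPool
	}{
		{"legitimate site cert", host, year, ca, caKey, trusted},
		{"self-signed impostor", host, year, nil, nil, trusted},
		{"CA-signed but for another domain", "www.example.net", year, ca, caKey, trusted},
		{"CA-signed but expired", host, time.Now().Add(-time.Minute), ca, caKey, trusted},
		{"capture proxy cert, proxy CA not installed", host, year, proxyCA, proxyKey, trusted},
		{"capture proxy cert, proxy CA installed", host, year, proxyCA, proxyKey, withProxy},
	}
	out := make(map[string]string, len(cases))
	for _, c := range cases {
		leaf, _, err := issue(c.subject, false, c.until, c.parent, c.parentKey)
		if err != nil {
			return nil, err
		}
		out[c.name] = Verify(leaf, c.roots, host)
	}
	return out, nil
}
func main() { fmt.Println(Scenarios()) }
```

The "self-signed impostor" case is the man-in-the-middle scenario with verification switched on: the middleman's own certificate fails because no locally stored root signed it. The two capture-tool cases show the mechanism of the previous section: the proxy's certificate for www.example.com is rejected as unknown authority until the proxy's root is added to the trust pool, after which the very same certificate verifies as ok, which is why a capture tool needs the user to install its certificate first.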
Since HTTPS cannot prevent packet capture, what is the point of HTTPS?
Q: What is the overall process of HTTPS?
A: The client makes an HTTPS request, the server returns its certificate, and the client verifies it. Once verified, the client generates the random number that will become the symmetric key, encrypts it with the public key from the certificate and sends it to the server. The server decrypts it with its private key, and from then on the data is encrypted and decrypted with the symmetric algorithm.
Q: Why is a certificate needed?
A: To prevent man-in-the-middle attacks and to prove the identity of the website.
Q: Can HTTPS traffic be captured?
A: Yes, but only with the user's cooperation. HTTPS prevents communications from being intercepted without the user's knowledge. If the user actively installs and trusts a proxy's certificate, a man-in-the-middle network can be built and the proxy software can decrypt the transmitted content.
Thank you for reading! This is the end of this article on "Sample Analysis of HTTPS Principles".
© 2024 shulou.com SLNews company. All rights reserved.