The basic principle of https

2025-01-28 Update From: SLTechnology News&Howtos


Shulou (Shulou.com) 06/02 Report

This article explains the basic principles of HTTPS: why plain HTTP is unsafe, what symmetric and asymmetric encryption each contribute, and why a certificate authority is needed. The explanation is kept simple, so follow it step by step.

Since Google Chrome began pushing sites towards HTTPS, almost all large websites have deployed HTTPS certificates. Developers run into HTTPS constantly; WeChat Mini Programs, for example, are officially required to send their network requests over HTTPS.

HTTPS has a clear advantage: information sent over it is protected in transit. Sending the same information over plain HTTP is effectively sending it naked, as shown in the figure:

HTTPS encrypts the information it carries, and two kinds of encryption are involved: symmetric and asymmetric. First, the diagram of symmetric encryption:

The defining property of symmetric encryption is that both endpoints use the same key, and that key must not become known to any third party.

Looked at closely, symmetric encryption has a weak point: how the key is exchanged. The client has to give the key to the server, or the server to the client, without a third party learning it, because anyone who holds the key can decrypt everything.

Both ends need the key, since encryption on one side and decryption on the other both depend on it; if only the client or only the server holds it, the exchange cannot complete.

How is that solved? Set the question aside for a moment and look at asymmetric encryption.

Asymmetric encryption uses two different keys, unlike symmetric encryption: a private key and a public key, generated together as a matched pair. They have the following properties:

1. What is encrypted with the public key can only be decrypted with the matching private key.

2. What is produced with the private key (a signature) can only be verified with the matching public key; "encrypting with the private key" is the loose name for this signing operation.

3. The private key must be kept strictly secret and never disclosed. The security of asymmetric encryption rests entirely on that.

4. The public key can be handed out to anyone.

Compared with symmetric encryption, the main job of asymmetric encryption is to solve the key-distribution problem that symmetric encryption leaves open.

Let's use a picture to demonstrate asymmetric encryption:

As the picture shows, the public key can be given to anyone, while the private key stays with its owner and is never handed out. To exchange information, encrypt with the public key and decrypt with the private key, or sign with the private key and verify with the public key.

That scheme looks neat, but it has two serious gaps that it cannot close on its own:

1. Public-key operations are slow, orders of magnitude slower than a symmetric cipher, and RSA can only encrypt a message shorter than its own key. Web page load times do not allow every byte of traffic to go through public-key encryption.

2. Distributing the public key is itself a problem. If the server simply sends its public key in a response and a middleman hijacks that response, the middleman can impersonate the server and hand the client a fake public key. The client has no way to notice: it encrypts with the fake key, the middleman holds the private key that matches it, and the information leaks, as shown in the figure:

Look at the middleman in the picture: he intercepts the real public key, generates a key pair of his own, and talks to the client with that pair.

The speed problem is solved by combining the two (hybrid encryption): use asymmetric encryption only to exchange a symmetric key, then encrypt the actual traffic with that symmetric key.

The key-distribution problem, however, cannot be solved by the two parties alone. HTTPS relies on a trusted third party, the certificate authority (CA). Why is it needed?

Because to stop the public key from being swapped or stolen by a middleman in transit, it has to be protected somehow. The naive idea is to encrypt it, but then the key that protects it has to reach the client, and we are back where we started. The loop is broken by introducing a third party, the certificate authority.

Every operating system and browser ships with a trust store: the certificates, and so the public keys, of a set of root CAs. What a site operator does is apply to one of these CAs for a certificate. The CA signs the site's public key, together with its domain name, using the CA private key that matches the built-in CA public key. (The common description "encrypted with the CA private key" means this signing operation; the certificate itself is not secret.)

When the client connects, the server sends its certificate. The client checks the certificate's signature with the CA public key built into the system or browser, confirms that the certificate is still within its validity period and was issued for the host name being visited, and only then takes the server public key out of it.

The client then encrypts a symmetric key with the server public key and sends it to the server; the server decrypts it with its own private key, and from then on both sides exchange data under the symmetric key.

The flow chart is as follows:

Going through the picture step by step:

Step 1: the client sends a request and the server replies with its certificate. The certificate is, in essence, the server public key signed with the private key of the third party, the CA.

Step 2: the client verifies the certificate's signature with the CA public key built into the operating system or browser, and checks that the certificate is within its validity period and names the site being visited. If these checks pass, the public key inside really belongs to that site.

Step 3: having verified the certificate, the client extracts the server public key from it. At this point the client holds the server public key securely.

Step 4: the client generates a random value to serve as the symmetric key, encrypts it with the server public key and sends it to the server.

Step 5: the server decrypts the message with its own private key and recovers the random value.

From then on, both sides hold the same random value, that is, the same symmetric key, and can communicate securely under it.
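The five steps above, the hybrid scheme, the CA's role and the middleman of the earlier figure, worked end to end in Go as an added example (this is not code from the original article). It builds a toy trust store containing one root CA, has that CA sign a server certificate, lets the client verify chain, validity period and host name before trusting the key inside, wraps a random session key with RSA-OAEP and carries the traffic under AES-GCM; then it repeats the exchange against a middleman who mints his own CA and a certificate for the same host name, and against a genuine certificate issued for a different host. The CA names, host names and request string are made up. Note that this mirrors the RSA key-transport handshake of TLS 1.2 and earlier; TLS 1.3 instead derives the session key from an ephemeral Diffie-Hellman exchange and uses the server's private key only to sign the handshake, so a server key stolen later does not expose recorded sessions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must keeps the setup code short; only the client's certificate check below keeps a real error path.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// mint has signer sign a certificate for pub described by tmpl, with parent as the issuer.
func mint(tmpl, parent *x509.Certificate, pub *rsa.PublicKey, signer *rsa.PrivateKey) *x509.Certificate {
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer))))
}

// CA is a key pair plus a self-signed root certificate. Anyone can make one; what a
// middleman cannot do is get his root into the client's built-in trust store.
type CA struct {
	Cert *x509.Certificate
	Key  *rsa.PrivateKey
}

func newCA(name string) *CA {
	key := must(rsa.GenerateKey(rand.Reader, 2048))
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	return &CA{Cert: mint(tmpl, tmpl, &key.PublicKey, key), Key: key}
}

// Issue is what a CA does with an application: it SIGNS (not encrypts) the applicant's public
// key together with the hostname, using the CA private key. It never sees the applicant's private key.
func (ca *CA) Issue(host string, pub *rsa.PublicKey) *x509.Certificate {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: host},
		DNSNames: []string{host}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageKeyEncipherment, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	return mint(tmpl, ca.Cert, pub, ca.Key)
}

func aead(key []byte) cipher.AEAD { return must(cipher.NewGCM(must(aes.NewCipher(key)))) }

// Exchange runs steps 2 to 5 of the article against whoever presented cert, with roots as the
// client's trust store, and returns the request as decrypted by the holder of serverKey.
func Exchange(host, request string, cert *x509.Certificate, serverKey *rsa.PrivateKey, roots *x509.CertPool) (string, error) {
	// Steps 2-3: chain the certificate to a trusted root, check validity period and hostname, only then use its key.
	if _, err := cert.Verify(x509.VerifyOptions{DNSName: host, Roots: roots}); err != nil {
		return "", fmt.Errorf("certificate rejected: %w", err)
	}
	serverPub := cert.PublicKey.(*rsa.PublicKey) // every certificate minted above carries an RSA key
	// Step 4: a fresh random symmetric key, wrapped with the server public key (RSA-OAEP).
	sessionKey := make([]byte, 32)
	must(rand.Read(sessionKey))
	wrapped := must(rsa.EncryptOAEP(sha256.New(), rand.Reader, serverPub, sessionKey, nil))
	// Remaining steps, client side: the real traffic goes under AES-GCM with that key.
	nonce := make([]byte, 12)
	must(rand.Read(nonce))
	ciphertext := aead(sessionKey).Seal(nil, nonce, []byte(request), nil)
	// Step 5, server side: only the matching private key can unwrap the session key.
	unwrapped, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, serverKey, wrapped, nil)
	if err != nil {
		return "", fmt.Errorf("server cannot unwrap session key: %w", err)
	}
	return string(must(aead(unwrapped).Open(nil, nonce, ciphertext, nil))), nil
}

// Attempt runs the whole flow once. The client trusts only `trusted` and dialled dialHost;
// the party answering holds a certificate for certHost issued by `issuer`, which is the
// real CA for the genuine site and the middleman's own CA for the attack in the figure.
func Attempt(trusted, issuer *CA, certHost, dialHost, request string) (string, error) {
	key := must(rsa.GenerateKey(rand.Reader, 2048)) // the server makes its own key pair...
	cert := issuer.Issue(certHost, &key.PublicKey)  // ...and has only the public half certified
	roots := x509.NewCertPool()
	roots.AddCert(trusted.Cert) // the client's built-in trust store
	return Exchange(dialHost, request, cert, key, roots)
}

func main() {
	ca, req := newCA("Trusted Root CA"), "GET /account HTTP/1.1"
	fmt.Println(Attempt(ca, ca, "www.example.com", "www.example.com", req))                   // genuine site
	fmt.Println(Attempt(ca, newCA("Middleman CA"), "www.example.com", "www.example.com", req)) // middleman
	fmt.Println(Attempt(ca, ca, "other.example.com", "www.example.com", req))                 // wrong host
}
```

The middleman's certificate is perfectly well-formed and even names the right host; the only thing wrong with it is that it does not chain to a root the client has built in, and that is exactly the check that makes the CA scheme work. The third call shows the other half of step 2: a certificate from the trusted CA is still rejected if it was issued for a different host than the one dialled, which is why signature verification alone is not enough.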

Thank you for reading. The above covers the basic principles of HTTPS; the details of any particular deployment should be checked in practice.

© 2024 shulou.com SLNews company. All rights reserved.