2025-02-24 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/02 Report--
This article introduces "how to understand HTTPS". In day-to-day work, many people have questions about how HTTPS works. The editor consulted various materials and put together a simple, easy-to-follow explanation, which I hope will help answer those questions. Let's go through it together.
1. Start with the encryption algorithm
Asymmetric encryption:
In a nutshell: ciphertext encrypted with the public key can only be decrypted with the private key, and ciphertext encrypted with the private key can only be decrypted with the public key.
The public key can be generated from the private key, but the private key can hardly be derived back from the public key.
For example:
Think of any 3-digit number, multiply it by 91, and tell me only the last three digits of the product. From that I can work out the number you thought of!
For example, take 123: 123 * 91 equals 11193, so you tell me the last three digits, 193.
I then just multiply that result by 11, and the last three digits of the product are exactly the number you started with. You can verify it: 193 * 11 = 2123 => 123.
The principle is very simple: 91 times 11 equals 1001, and when any three-digit number is multiplied by 1001, the last three digits stay the same. (Of course, you can also use 2001 or 3001, as long as you can factor it.)
Following this principle, we can construct an encryption and decryption system with larger values. For example, multiplying any number by 10000000001 leaves its last 10 digits unchanged, so factoring 10000000001 with a computer gives a ten-digit asymmetric encryption system.
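The multiplication trick above as runnable code. This is an added example, not code from the original article; the function names are illustrative, and the choice of 101 as a factor of 10000000001 is constructed. It goes one step beyond the text: `recover_private` shows that the "private" multiplier follows from the public one by a modular inverse, with no factoring, so the trick illustrates the key-pair idea only and provides no secrecy.

```python
from math import gcd


def toy_keypair(digits: int, e: int):
    """Split 10**digits + 1 into a 'public' multiplier e and a 'private' d."""
    modulus = 10 ** digits
    product = modulus + 1              # e.g. 1001 for three digits
    if product % e:
        raise ValueError(f"{e} is not a factor of {product}")
    return e, product // e, modulus


def transform(value: int, key: int, modulus: int) -> int:
    """Multiply by a key and keep only the last `digits` digits."""
    return (value * key) % modulus


def recover_private(e: int, modulus: int) -> int:
    """Compute a working 'private' multiplier from the public one alone.

    No factoring is needed: the modular inverse of e (extended Euclid,
    built into pow) undoes the multiplication, so the toy is not one-way.
    """
    if gcd(e, modulus) != 1:
        raise ValueError("e has no inverse modulo the modulus")
    return pow(e, -1, modulus)


if __name__ == "__main__":
    # The article's three-digit case: 91 * 11 = 1001.
    e, d, m = toy_keypair(3, 91)
    c = transform(123, e, m)
    print(c, transform(c, d, m), recover_private(e, m))

    # Ten-digit case; 101 is a factor of 10000000001 (constructed choice).
    e, d, m = toy_keypair(10, 101)
    c = transform(1234567890, e, m)
    print(c, transform(c, d, m), recover_private(e, m) == d)
```

Real asymmetric schemes such as RSA rely on operations where the inverse cannot be computed from the public values in this way.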
Symmetric encryption
The same key is used for both encryption and decryption. Examples include DES and AES.
Summary
Compared with asymmetric encryption, symmetric encryption is much more efficient and faster at encrypting and decrypting. Its weakness is that the key is hard to manage and distribute, which makes it less secure: the key is easily lost or stolen. Asymmetric encryption, by comparison, exposes only the public key, and keeping the private key to yourself is more secure.
2. HTTPS principle
Shortcomings of HTTP protocol
Clear-text communication: the content can be eavesdropped on
No verification of the communicating party's identity: you may encounter impersonation
No verification of content integrity: the content may have been tampered with
Introduction to HTTPS
The HTTPS protocol (HyperText Transfer Protocol over Secure Socket Layer) can be understood as HTTPS = HTTP + SSL/TLS: it adds security to HTTP through SSL/TLS.
SSL (TLS)
SSL (Secure Sockets Layer): developed by Netscape in 1994, the SSL protocol sits between TCP/IP and the various application-layer protocols and provides security support for data communication.
TLS (Transport Layer Security): its predecessor is SSL. The first versions (SSL 1.0, SSL 2.0, SSL 3.0) were developed by Netscape. Since 1999 the protocol has been standardized and renamed by the IETF. Up to now there have been three versions: TLS 1.0, TLS 1.1 and TLS 1.2. SSL 3.0 and TLS 1.0 are rarely used because of security vulnerabilities. TLS 1.3 brings relatively large changes and is still in the draft stage; currently the most widely used versions are TLS 1.1 and TLS 1.2.
Certificate
Why do I need a third party to issue a certificate?
The public key that the server sends to the client can still be hijacked in transit, and the transmitted content can still be decrypted. The hijacker can generate a new public key from his own private key, modify the content and encrypt it with his own private key, and then send the modified content together with the generated public key to the client. Therefore a third-party institution has to be introduced to issue certificates.
3. A complete HTTPS communication
To sum up in one sentence
An SSL connection is established using a digital certificate and asymmetric encryption, during which the key for symmetric encryption is generated and transmitted. Subsequent HTTP communication uses symmetric encryption to protect the content. This ensures security while also improving efficiency.
The client first requests the server to establish an SSL connection.
The server returns the digital certificate issued by a CA, which contains the public key for asymmetric encryption.
After connecting to the server, the client sends a random string called the Pre-master secret, encrypted with the public key. At this point only the server can decrypt it.
The server decrypts the Pre-master secret with its private key and uses a defined algorithm to compute the master key for symmetric encryption (usually AES). The client uses the same algorithm to compute the same master key.
The SSL connection is now established. HTTP communication proceeds, with the content encrypted and decrypted using the AES symmetric algorithm.
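Both sides of the key exchange described above, as an added example that is not part of the original article. Assumptions: the RSA key is a constructed toy (textbook RSA without padding, built from two Mersenne primes), the two random values are the hello randoms that TLS 1.2 mixes into the master secret, and `derive_master` is a simplified HMAC-SHA256 stand-in for the real TLS key-derivation function.

```python
import hashlib
import hmac
import secrets

# Constructed toy RSA key built from two Mersenne primes. Textbook RSA with
# no padding and a ~196-bit modulus: for illustration only, never for real use.
P, Q = 2**89 - 1, 2**107 - 1
N, E = P * Q, 65537                    # public key, carried in the certificate
D = pow(E, -1, (P - 1) * (Q - 1))      # private key, never leaves the server


def derive_master(pre_master: bytes, client_random: bytes, server_random: bytes) -> bytes:
    """Simplified stand-in for the TLS PRF: both sides run the same function."""
    seed = b"master secret" + client_random + server_random
    return hmac.new(pre_master, seed, hashlib.sha256).digest()


def handshake():
    """Run both sides; return (client_key, server_key, wire, pre_master)."""
    wire = []  # everything a passive observer on the network can see

    # Hello messages, then the server sends its public key (in its certificate).
    client_random = secrets.token_bytes(32)
    server_random = secrets.token_bytes(32)
    wire += [client_random, server_random, (N, E)]

    # Client picks the pre-master secret and encrypts it to the server.
    pre_master = secrets.token_bytes(16)
    ciphertext = pow(int.from_bytes(pre_master, "big"), E, N)
    wire.append(ciphertext)

    # Server recovers it with the private key; both derive the master key.
    recovered = pow(ciphertext, D, N).to_bytes(16, "big")
    client_key = derive_master(pre_master, client_random, server_random)
    server_key = derive_master(recovered, client_random, server_random)
    return client_key, server_key, wire, pre_master


if __name__ == "__main__":
    ck, sk, wire, _ = handshake()
    print("keys match:", hmac.compare_digest(ck, sk))
```

The symmetric key itself never crosses the wire: only the randoms, the public key and the encrypted pre-master secret do.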
4. Is HTTPS necessarily safe?
HTTPS data is encrypted. Normally, the packet content that a packet capture tool records for a request is encrypted and cannot be viewed directly.
However, if the user of the client authorizes it, a man-in-the-middle setup can be built, with the packet capture tool acting as the intermediary proxy.
The usual way to use an HTTPS packet capture tool (Charles) is for the tool to generate a certificate, which the user must manually install on the client. All requests initiated by the terminal then go to the packet capture tool under that certificate, and the tool forwards them to the server. Finally, the result returned by the server is shown in the console and passed back to the terminal, which completes the whole request loop.
HTTPS prevents the communication link from being monitored without the user's knowledge. It does not protect against packet capture that the user has actively authorized, because in that scenario the user is already aware of the risk. To prevent packet capture, application-level protection is needed, such as private symmetric encryption, together with anti-decompilation hardening on the mobile side to keep the local algorithm from being cracked.
At this point, the study of "how to understand HTTPS" is over. I hope it has resolved your doubts. Combining theory with practice will help you learn better, so go and try it! If you want to learn more related knowledge, please continue to follow the website; the editor will keep working hard to bring you more practical articles!
© 2024 shulou.com SLNews company. All rights reserved.