Shulou(Shulou.com)06/03 Report--

What is the principle of HTTPS communication? I believe that many inexperienced people are at a loss about this, so this article summarizes the causes and solutions of the problem. Through this article, I hope you can solve this problem.

The principle of HTTPS communication is that HTTPS is "HTTP over SSL/TLS", and HTTPS has one more layer of "SSL/TLS" than HTTP. Before transmitting data, HTTPS needs a handshake between the client and the server, and the password information of both parties to encrypt the transmitted data will be established in the handshake process.

Brief introduction:

HTTP protocol (HyperText Transfer Protocol, Hypertext transfer Protocol): is the application layer communication protocol between client browsers or other programs and Web servers. HTTPS (full name: HyperText Transfer Protocol over Secure Socket Layer) can be understood as HTTP+SSL/TLS, that is, adding SSL layer under HTTP. The security foundation of HTTPS is SSL, so the encrypted details need SSL for secure HTTP data transmission.

The difference between HTTPS and HTTP:

A. https agreement requires you to apply for a certificate from ca. Generally speaking, there are few free certificates and you need to pay a fee.

B. Http is a hypertext transfer protocol and information is plaintext transmission, while https is a secure ssl encrypted transmission protocol.

C. Http and https use completely different connections and different ports, the former being 80 and the latter 443.

D. The connection of http is simple and stateless; HTTPS protocol is a network protocol built by SSL+HTTP protocol for encrypted transmission and identity authentication, which is more secure than http protocol.

The role of HTTPS

Its main function can be divided into two kinds: one is to establish an information security channel to ensure the security of data transmission; the other is to confirm the authenticity of the website.

A. in a general sense, https means that the server has a certificate. The main purpose is to ensure that the server is what he claims to be the server, which is the same as the first point; all communication between the server and the client is encrypted.

b. Specifically, the client generates a symmetrical key and exchanges the key through the server's certificate, that is, the general handshake process. This section will be described in more detail below.

c. Then all the messages are encrypted. Even if a third party intercepts it, it doesn't make any sense, because he doesn't have a key, and of course there's no point in tampering.

D. If there are a few requirements for the client, the client must also have a certificate.

Why the HTTPS protocol is required:

HTTP protocol is an unencrypted plaintext transmission protocol. If Client (APP, browser) uses HTTP to transmit data, it will disclose the transmission content and may be hijacked by the middleman to modify the transmission content. As shown in the following figure, a typical APP HTTP communication is hijacked and modified by an operator to insert an advertisement:

In order to protect the information security of users, protect their own business interests and reduce the attack surface, we need to ensure the security of the communication channel. HTTPS with convenient development is a better way.

HTTPS communication principle

HTTPS is HTTP over SSL/TLS,HTTP is the application layer protocol, TCP is the transport layer protocol, between the application layer and the transport layer, a secure socket layer SSL/TLS is added:

As shown in the figure above, HTTPS has one more layer of SSL/TLS,SSL/ TLS layer than HTTP, which is responsible for the negotiation of encryption and decryption algorithms, key exchange and communication connection between the client and the server.

HTTPS needs a handshake between the client (browser) and the server (website) before transmitting data, and the password information of the encrypted data transmitted by both parties will be established in the handshake process. The TLS/SSL protocol is not only a set of encrypted transmission protocols, but also a work of art carefully designed by artists. Asymmetric encryption, symmetric encryption and HASH algorithms are used in TLS/SSL. The handshake process is as follows:

(1) client_hello

The client initiates a request to transmit request information in clear text, including version information, cipher suite candidate list, compression algorithm candidate list, random number, extension field and other information. The relevant information is as follows:

The highest supported version of TSL protocol, version, is SSLv2 SSLv3 TLSv1 TLSv1.1 TLSv1.2 from low to high. Currently, versions lower than TLSv1 are no longer used.

List of cipher suites cipher suites supported by the client, each cipher suite corresponds to a combination of four functions in the previous TLS principles: authentication algorithm Au (authentication), key exchange algorithm KeyExchange (key agreement), symmetric encryption algorithm Enc (information encryption) and information digest Mac (integrity check)

List of supported compression algorithms compression methods for subsequent information compression transmission

Random number random_C, used for subsequent key generation

The extension field extensions supports the relevant parameters of protocols and algorithms and other auxiliary information. The common SNI belongs to the extension field. The role of this field will be discussed separately later.

(2) server_hello+server_certificate+sever_hello_done

Server_hello, the server returns the result of the negotiation, including the selected protocol version version, the selected encryption suite cipher suite, the selected compression algorithm compression method, the random number random_S, etc., in which the random number is used for subsequent key negotiation

Server_certificates, server-side configuration of the corresponding certificate chain for authentication and key exchange

Server_hello_done, notifies the client that the server_hello message is sent to an end

(3)。 Certificate verification

The client verifies the validity of the certificate, and the subsequent communication will be carried out only if the verification is passed, otherwise prompts and actions will be made according to the error conditions. Validity verification includes the following:

The credibility trusted certificate path of [certificate chain], as described earlier.

There are two ways to revoke revocation certificate: offline CRL and online OCSP. Different client behaviors will be different.

Validity period expiry date, whether the certificate is within the valid time range

Domain name domain, check whether the certificate domain name matches the current access domain name, and analyze the matching rules later

(4) client_key_exchange+change_cipher_spec+encrypted_handshake_message

(a) client_key_exchange. After the validity verification is passed, the client calculates and generates a random number Pre-master, which is encrypted with the certificate public key and sent to the server.

(B) at this point, the client has obtained all the information needed to calculate the negotiation key: two plaintext random numbers random_C and random_S and the Pre-master generated by their own calculation, and calculate the negotiation key

Enc_key=Fuc (random_C, random_S, Pre-Master)

(C) change_cipher_spec, where the client informs the server that the subsequent communication is encrypted using the negotiated communication key and encryption algorithm.

(d) encrypted_handshake_message, which combines the hash values of all previous communication parameters with other relevant information to generate a piece of data, encrypts it with the algorithm using the negotiation key session secret, and then sends it to the server for data and handshake verification

(5) change_cipher_spec+encrypted_handshake_message

(a) the server decrypts the encrypted Pre-master data with the private key, and calculates the negotiation key: enc_key=Fuc (random_C, random_S, Pre-Master) based on the two plaintext random numbers random_C and random_S exchanged previously.

(B) calculate the hash value of all previously received information, and then decrypt the encrypted_handshake_message sent by the client to verify the correctness of the data and key

(C) change_cipher_spec, after the verification is passed, the server also sends change_cipher_spec to inform the client that the subsequent communication is encrypted using the negotiated key and algorithm.

(d) encrypted_handshake_message, the server also generates a piece of data with all the current communication parameter information and encrypts it with the algorithm using the negotiation key enc_key and sends it to the client

(6)。 End of handshake

The client calculates the hash values of all received messages, decrypts the encrypted_handshake_message with a negotiated key, verifies the data and keys sent by the server, and then shakes hands.

(7)。 Encrypted communication

Start using the negotiation key to encrypt communication with the algorithm. The timing diagram is as follows:

Verify the certificate

In (3) Certificate verification, the client verifies the certificate sent by the server. Let's take a look at what has been done in this process.

1. Verify the issuer and validity period

2. Verify whether it is in the trust list

2. Verify the legitimacy

When verifying the certificate, the client reads the relevant plaintext information in the certificate, calculates the information summary using the same hash function, and then decrypts the signature data using the public key of the corresponding CA (taken locally). If the information summary of the certificate is consistent, it can confirm the legitimacy of the certificate, that is, the public key is legal.

Certificate content:

Clear text of the applicant's public key, applicant's organization information and personal information, CA information of the issuing agency, validity time, certificate serial number, etc., including a signature

The generation of signature: the hash function is used to calculate the information summary of the public plaintext information, and then the private key of CA is used to encrypt the information digest, and the ciphertext is signed.

Tips

1. Client uses the public key sent by Server to encrypt the data, and sends the encrypted data to Server,Server for decryption using the private key, which is asymmetric encryption.

2. When both Client and Server have mastered the negotiation key enc_key, both parties use the key for encryption and decryption, which is symmetrical encryption.

Overview of encryption algorithms

The function realization of TLS/SSL mainly depends on three kinds of basic algorithms: hash function Hash, symmetric encryption and asymmetric encryption, which uses asymmetric encryption to realize identity authentication and key negotiation. Symmetric encryption algorithm uses negotiated key to encrypt data, and verifies the integrity of information based on hash function.

1. Symmetric encryption

There are two kinds of streaming and grouping, and both encryption and decryption use the same key.

For example: DES, AES-GCM, ChaCha20-Poly1305, etc.

2. Asymmetric encryption

The key used in encryption is different from that used in decryption, which is called public key, private key, public key and algorithm, and private key is secret. The performance of asymmetric encryption algorithm is low, but the security is super. Because of its encryption characteristics, the data length that asymmetric encryption algorithm can encrypt is limited.

For example: RSA, DSA, ECDSA, DH, ECDHE

3. Hash algorithm

The arbitrary length of information is converted into a shorter fixed-length value, which is usually much smaller than the information, and the algorithm is irreversible.

For example: MD5, SHA-1, SHA-2, SHA-256, etc.

4. Digital signature

A signature is to add a piece of content to the end of the message (the value of the message after hash) to prove that the information has not been modified. The hash value is usually encrypted (that is, signed) and then sent with the message to ensure that the hash value is not modified.

Two-way authentication:

The server can also require the authentication client, that is, two-way authentication, and the client can send client_certificate_request information in process 2, and the client first sends client_certificate and certificate_verify_message information in process 4, and the certificate verification method is basically the same. Certificate_verify_message is a segment encrypted by client's private key to get data based on the negotiated communication information, and the server can use the corresponding public key to decrypt and verify.

After reading the above, have you mastered the principle and method of HTTPS communication? If you want to learn more skills or want to know more about it, you are welcome to follow the industry information channel, thank you for reading!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.