How to understand HTTPS and SSL one-way verification and two-way verification

2025-01-28 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)05/31 Report--

This article explains HTTPS and SSL one-way and two-way verification. The editor found it practical and is sharing it here; I hope you take something away from it. Without further ado, read on.

This article mainly introduces HTTPS and SSL one-way and two-way verification.

HTTPS introduction

HTTPS is a protocol for secure communication over a computer network. It carries HTTP over a secure channel established with SSL/TLS, which encrypts the data packets. The main purpose of HTTPS is to authenticate the web server while protecting the confidentiality and integrity of the exchanged data.

HTTP introduction

HTTP (Hypertext Transfer Protocol) is a stateless, request/response, application-layer protocol that usually runs over TCP/IP. It is the most widely used protocol on the Internet, and all WWW files must comply with this standard.

SSL/TLS introduction

TLS encrypts the network connection at the transport layer. Its predecessor, the SSL protocol, was released by Netscape in 1995 to ensure that data is transmitted safely over the Internet; it uses data encryption so that data cannot be read by anyone who intercepts or eavesdrops on it in transit.

Both symmetric and asymmetric encryption are used. When the TCP connection is established, SSL first uses asymmetric encryption (the server's public key) to protect the symmetric key; once the secure connection is established, SSL uses symmetric encryption for the transmitted content.

Symmetric encryption is fast and can handle large volumes of data, so it is used to encrypt messages during the session.

Asymmetric encryption is slower, but it provides stronger identity authentication, so it is used to protect the symmetric encryption key.

OSI model

HTTPS and HTTP are located in the application layer, SSL/TLS sits between the transport layer and the application layer, TCP is in the transport layer, and IP is in the network layer, as shown in the following figure:

Figure 1 Protocol model

SSL one-way authentication

When the client makes an HTTPS request, the connection must be established and released by TCP, which involves the TCP three-way handshake and four-way termination. The working principles of the TCP three-way handshake and four-way termination, together with common interview questions on each, are covered in separate articles.

After the TCP connection is established, plain HTTP can start sending data from the server to the client. HTTPS additionally runs the SSL/TLS protocol, which has two layers: the record protocol, which encrypts and compresses the transmitted data, and the handshake protocol, which runs on top of the record protocol and performs identity authentication, encryption algorithm negotiation and key exchange before data is transmitted.

SSL one-way verification process:

Figure 2 SSL one-way verification process

SSL one-way verification has four steps:

1) In the first step, the client sends a Client Hello to the server. The request includes:

a. List of SSL/TLS protocol versions supported by the client

b. List of symmetric encryption algorithms supported by the client

c. Random number A generated by the client

2) In the second step, the server responds with a Server Hello, which includes:

a. The SSL/TLS protocol version chosen from those supported by both parties

b. The symmetric encryption algorithm chosen from those supported by both parties

c. The certificate from the server KeyStore

d. Random number B generated on the server side

3) In the third step, the client receives the server's response and checks whether the server certificate is valid. The checks are:

a. Whether the server certificate has expired

b. Whether the server certificate has been revoked

c. Whether the server certificate is trusted, that is, chains to a CA the client trusts

d. Whether the domain name in the server certificate matches the domain name the client requested.

After these checks pass, the client responds to the server. The response includes:

a. A "random number C" generated by the client, also known as the "pre-master-key". The client encrypts "random number C" with the public key from the server certificate and sends the encrypted value to the server.

4) In the fourth step, the server decrypts the encrypted "random number C" with the private key in its KeyStore to recover "random number C". At this point both the client and the server hold random number A, random number B and random number C, and both parties use the same key exchange algorithm to compute the same symmetric key from these three values. This key is used for symmetric encryption of the data transmitted between client and server.

The handshake is now complete on both the server side and the client side, and data can be transmitted using symmetric encryption.
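The key exchange of steps 1 to 4, reduced to its key material, as an added Go example that is not part of the original article: random numbers A and B are exchanged in the clear, random number C is RSA-encrypted to the server's public key, and both sides independently derive the same AES-256 key that then protects the data phase. The function names, the 32/48-byte sizes and the HMAC-SHA256 derivation are assumptions made for this example; real TLS 1.2 uses its own PRF, and TLS 1.3 uses HKDF over a Diffie-Hellman exchange instead of RSA-encrypting the pre-master secret.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// randomBytes returns n bytes from the system CSPRNG; it stands in for the
// "random number A/B/C" each side generates in steps 1 to 3.
func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// newServerKey generates the RSA key pair whose public half would be carried in
// the server certificate and whose private half stays in the server KeyStore.
func newServerKey() *rsa.PrivateKey {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return key
}

// deriveKey turns the three random numbers into one 32-byte session key.
// HMAC-SHA256 keyed with the pre-master secret is an assumption of this example,
// not the TLS PRF or HKDF; only the pre-master secret is secret, A and B are public.
func deriveKey(preMaster, randA, randB []byte) []byte {
	mac := hmac.New(sha256.New, preMaster)
	mac.Write([]byte("session key"))
	mac.Write(randA)
	mac.Write(randB)
	return mac.Sum(nil)
}

// oneWayHandshake walks steps 1 to 4 with only the key material: A (client) and
// B (server) travel in the clear, the client encrypts C (the pre-master secret)
// to the server's public key, the server decrypts it with the private key, and
// each side derives the session key on its own. Both keys are returned so the
// caller can confirm they match.
func oneWayHandshake(srvPriv *rsa.PrivateKey) (clientKey, serverKey []byte, err error) {
	randA := randomBytes(32)     // step 1: sent in Client Hello
	randB := randomBytes(32)     // step 2: sent in Server Hello
	preMaster := randomBytes(48) // step 3: random number C, known only to the client so far

	// Step 3: the client encrypts C with the public key from the server certificate.
	encC, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, &srvPriv.PublicKey, preMaster, nil)
	if err != nil {
		return nil, nil, err
	}
	// Step 4: the server recovers C with its private key. An eavesdropper who saw
	// A, B and encC cannot do this without the private key.
	decC, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, srvPriv, encC, nil)
	if err != nil {
		return nil, nil, err
	}
	return deriveKey(preMaster, randA, randB), deriveKey(decC, randA, randB), nil
}

// newGCM wraps a 32-byte session key as AES-256-GCM, the symmetric cipher used
// for the data phase in this example.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("session key must be 32 bytes")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealAndOpen models the data phase: the sender encrypts with its derived key and
// the receiver decrypts with its own copy. If the two copies differ, GCM's
// authentication tag check fails and an error is returned instead of plaintext.
func sealAndOpen(senderKey, receiverKey, plaintext []byte) ([]byte, error) {
	sealer, err := newGCM(senderKey)
	if err != nil {
		return nil, err
	}
	opener, err := newGCM(receiverKey)
	if err != nil {
		return nil, err
	}
	nonce := randomBytes(sealer.NonceSize()) // fresh per record; never reused with one key
	return opener.Open(nil, nonce, sealer.Seal(nil, nonce, plaintext, nil), nil)
}

func main() {
	srvPriv := newServerKey()
	clientKey, serverKey, err := oneWayHandshake(srvPriv)
	if err != nil {
		panic(err)
	}
	fmt.Printf("client and server derived the same key: %v\n", hmac.Equal(clientKey, serverKey))
	msg, err := sealAndOpen(clientKey, serverKey, []byte("GET / HTTP/1.1"))
	fmt.Printf("server decrypted: %q (err=%v)\n", msg, err)
}
```

Run it with `go run`. A second handshake against the same server key yields a different session key, and a record sealed under one key fails to open under the other: AES-GCM rejects the authentication tag rather than producing garbage, which is the property the symmetric phase relies on.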

SSL two-way authentication

In SSL one-way authentication, the client verifies the server it connects to, but the server does not verify the client. If the server is also to authenticate the client, client authentication must be enabled on the server side; this is two-way authentication.

The differences between SSL two-way authentication and one-way authentication are:

a. In the second step, when the server sends its Server Hello in response to the client, it also requires the client to provide a client certificate.

b. In the third step, after the client has verified the server certificate, two items are added to its response:

A) client certificate

B) A client certificate verification message (CertificateVerify message): the client concatenates all handshake messages sent and received so far, hashes them, and signs the hash with the private key from the client KeyStore. This signature is the CertificateVerify message.

c. After the server receives the client certificate, it does the following:

A) Confirms that the certificate sent by the client is valid and legitimate

B) Verifies the signature in the CertificateVerify message with the public key from the client certificate, to confirm that the certificate was indeed sent by the client

The handshake is now complete on both the server side and the client side, and data can be transmitted using symmetric encryption.
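The certificate checks of step 3 and the two-way handshake described above, as an added Go example that is not from the original article: it builds a constructed root CA, a server certificate for the assumed host name example.test and a client certificate, then runs four handshakes over loopback TCP with Go's crypto/tls. The one-way server accepts a client that presents no certificate; the two-way server (ClientAuth set to RequireAndVerifyClientCert, with the CA in ClientCAs) rejects that client and accepts the one that presents a certificate; and a client that asks for other.test is rejected by its own step 3d name check. All names and helper functions are assumptions of the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"time"
)

var serial int64 // constructed, sequential; a real CA uses unique random serials

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// issueCert makes a P-256 key and a certificate for it: self-signed when parent is nil
// (our constructed CA), otherwise signed by parentKey. Leaves get both server-auth and
// client-auth extended key usages so the one helper serves both roles.
func issueCert(cn string, dnsNames []string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	serial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour), // step 3a: validity window
		DNSNames:              dnsNames,                       // step 3d: names the certificate is valid for
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}
	}
	signer := parentKey
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// handshake runs one TLS handshake over loopback TCP and then passes a single application
// record from server to client. It returns nil only when both sides accepted the peer.
func handshake(serverCfg, clientCfg *tls.Config) error {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return err
	}
	defer ln.Close()
	srvErr := make(chan error, 1)
	go func() {
		raw, err := ln.Accept()
		if err == nil {
			defer raw.Close()
			raw.SetDeadline(time.Now().Add(3 * time.Second)) // a stall becomes an error, not a hang
			server := tls.Server(raw, serverCfg)
			if err = server.Handshake(); err == nil {
				_, err = server.Write([]byte("hello"))
			}
		}
		srvErr <- err
	}()
	raw, err := net.Dial("tcp", ln.Addr().String())
	if err != nil {
		return err
	}
	defer raw.Close()
	client := tls.Client(raw, clientCfg)
	if err = client.Handshake(); err == nil {
		// In TLS 1.3 the client finishes first; reading makes it see the alert the
		// server sends when it rejects the client certificate (step c).
		_, err = io.ReadFull(client, make([]byte, 5))
	}
	if sErr := <-srvErr; err == nil {
		err = sErr
	}
	return err
}

// Scenarios builds the constructed CA, server and client certificates and runs the
// handshakes discussed in the text; a nil value means that handshake succeeded.
func Scenarios() map[string]error {
	ca, caKey := issueCert("Constructed Root CA", nil, true, nil, nil)
	srv, srvKey := issueCert("example.test", []string{"example.test"}, false, ca, caKey)
	cli, cliKey := issueCert("client-1", nil, false, ca, caKey)
	pool := x509.NewCertPool()
	pool.AddCert(ca) // step 3c: only certificates chaining to this CA are trusted
	serverCert := tls.Certificate{Certificate: [][]byte{srv.Raw}, PrivateKey: srvKey, Leaf: srv}
	clientCert := tls.Certificate{Certificate: [][]byte{cli.Raw}, PrivateKey: cliKey, Leaf: cli}
	oneWay := &tls.Config{Certificates: []tls.Certificate{serverCert}}
	twoWay := &tls.Config{Certificates: []tls.Certificate{serverCert}, ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: pool}
	client := &tls.Config{RootCAs: pool, ServerName: "example.test"}
	clientWithCert := &tls.Config{RootCAs: pool, ServerName: "example.test", Certificates: []tls.Certificate{clientCert}}
	wrongHost := &tls.Config{RootCAs: pool, ServerName: "other.test"}
	return map[string]error{
		"one-way":                      handshake(oneWay, client),
		"one-way, hostname mismatch":   handshake(oneWay, wrongHost),
		"two-way, no client cert":      handshake(twoWay, client),
		"two-way, client cert present": handshake(twoWay, clientWithCert),
	}
}

func main() {
	for name, err := range Scenarios() {
		fmt.Printf("%-30s -> %v\n", name, err)
	}
}
```

The server's check of the CertificateVerify signature (step c.B) happens inside crypto/tls: the signature is verified against the public key in the presented certificate, and the handshake fails if the client does not hold the matching private key. Revocation (step 3b) is not checked by crypto/tls on its own; a deployment adds CRL or OCSP checking through VerifyPeerCertificate.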

That is how to understand HTTPS and SSL one-way and two-way verification. The editor believes these are knowledge points we may see or use in our daily work, and hopes you have learned something from this article. For more details, please follow the industry information channel.
