Shulou(Shulou.com)06/02 Report--

This article to share with you is about HTTPS running process, Xiaobian think quite practical, so share to everyone to learn, I hope you can read this article after some gains, not much to say, follow Xiaobian to see it.

1. Basic concepts of encryption

plaintext: HTTP is transmitted in plaintext, plaintext is the original data that has not been encrypted

Key: Usually a string or number used in encryption/decryption algorithms. Public and private keys are keys, but public keys are generally open to the public.

Use when encrypting; use when decrypting private keys that are not disclosed;

asymmetric encryption algorithm (public key encryption)

RSA, DSA/DSS, Elgamal, Rabin, D-H, ECC, etc., in the process of mutual authentication between the client and the server side is not the encryption algorithm

RSA cryptosystem is public key cryptosystem, RSA a pair of public key and private key can be used to encrypt and decrypt. For example, public key encryption can only be decrypted with private key, private key encryption can only be decrypted with public key, and the encrypted content of one party can only be decrypted with the other party.

Symmetric encryption algorithm (private key encryption)

AES, DES, 3DES, TDES, Blowfish, RC4, RC5, IDEA, etc., the encryption key used is the same as the decryption key. The encryption algorithm used is public. If security is to be guaranteed, the key cannot be disclosed to the public. It is usually used to encrypt the message body.

HASH algorithm

MD5, SHA1, SHA256 are used to verify that information has not been tampered with. It is mainly used to generate signatures, which are added to the back of the information and can prove that the information has not been modified. Generally, the hash calculation of the information is encrypted with a hash value (this encryption is generally symmetric encryption) as a signature and sent together with the information. After receiving the message, the recipient recalculates the hash value of the message and compares it with the hash value attached to the message. If so, the information is deemed not to have been modified. On the contrary, it is considered modified and not handled. There may be a case where the hacker modified the information and changed the hash value. So that they match, so hash values are generally encrypted and then sent out with information to ensure that hash values will not be modified;

digital certificate

It mainly includes certificate issuing authority, certificate validity period, public key, certificate owner, signature algorithm, fingerprint and fingerprint algorithm. A digital certificate guarantees that the public key in it belongs to the certificate holder.

Principles of Digital Signature

The plaintext is encrypted by Hash algorithm to generate digest, and then the message body digest is encrypted with private key to obtain signature. This whole is returned when required by the next level certificate or client. The main function of digital signature is to cooperate with Hash algorithm to ensure that information has not been tampered with. When https authentication is passed, symmetric encryption is generally used because RSA public key system is more expensive. So digital signatures exist only in the verification phase.

certificate chain

Certificate is hierarchical, certificate chain is composed of multiple certificates, one level at a time. Only by obtaining the public key of the superior certificate can the certificate of this level be decrypted. Only the lowest level of certificates is self-signed and issued to itself.

II. HTTPS verification process

This part looks at more, mainly summarized, divided into 5 articles.

The client initiates an http request to connect to port 443 of the server.

2) The server returns its own information to the client in the form of a digital certificate (certificate content includes key public key, website address, certificate authority, expiration date, etc.). The certificate has a public key to encrypt information, and the private key is held by the server.

3) Verify the validity of the certificate

After receiving the response from the server, the client will first verify the validity of the certificate (whether the address contained in the certificate is consistent with the address being accessed, and whether the certificate expires).

4) Generate a random cipher (RSA signature)

If the authentication passes, or the user accepts an untrusted certificate, the browser generates a random string, asks the server to encrypt the random string with a private key, and returns the result, which the client decrypts with a public key. If it is consistent with the previous random string, it means that the server is indeed the holder of the private key.

5) Generate symmetric encryption algorithm

After verifying the identity of the server, the client generates a symmetric encryption algorithm and corresponding key, which are encrypted with the public key and sent to the server. It is useless to be intercepted by hackers at this time, because only the private key of the server can decrypt it. The client and server can then encrypt and decrypt communications using this symmetric encryption algorithm.

III. HTTPS Operation Principle

We can thoroughly understand how HTTPS works through four questions, starting with digital certificates.

HTTPS security mainly depends on the verification of digital certificates and asymmetric encryption mechanism, look at step 3), how does the client determine the legitimacy of certificates?

Let's first take a look at what digital certificates have.

Issuer--Issuer of certificates

The authority issuing the certificate, indicating which company created the certificate (not the company using the certificate). If something goes wrong, the specific issuing agency is responsible.

Valid from, Valid to--Validity of the certificate

The lifetime of the certificate. After this period, the certificate will be invalid and cannot be used.

Public key--public key

At the beginning, I introduced the concept of public key, which is used to encrypt messages.

Subject--Subject

A certificate is issued to the person to whom it was issued, generally the name of an individual or company or the name of an institution or the URL of a company website.

Signature algorithm--The algorithm used for the signature

The encryption algorithm used for the digital signature of a digital certificate, according to which a fingerprint can be decrypted. The result of fingerprint encryption is a digital signature.

Thumbprint, Thumbprint algorithm-Fingerprint and fingerprint algorithm (a HASH algorithm)

Fingerprints and fingerprint algorithms are encrypted using the certificate authority's private key and placed with the certificate. It is mainly used to ensure the integrity of the certificate and ensure that the certificate has not been modified. When the user opens the certificate, the hash value of the certificate calculated according to the fingerprint algorithm is the same as the initial value, indicating that it has not been modified.

a)

The big question comes back, how does the client detect that the digital certificate is legitimate and belongs to the requested company?

First the application reads the Issuer in the certificate, and then it looks for the certificate of the trusted authority built into the operating system or browser (why does the operating system have a certificate of a trusted authority? Let's see how this works before we answer.) If not found on the certificate is parallel imports, certificates have problems, procedures to error messages. If found, or the user confirms using the certificate. They will take the public key of the superior certificate, decrypt the certificate of this level, and get the digital fingerprint. Then, the public key of the certificate of this level is calculated by digital digest algorithm (fingerprint encryption algorithm provided in the certificate), and the result is compared with the fingerprint obtained by decryption. If so, the certificate has not been modified. The public key can be used with confidence, and handshake communication can begin.

b)

Next, why does the operating system have a certificate issuing authority certificate?

In fact, in addition to issuing certificates to others, certificate issuing authorities also have their own certificates. When the operating system is installed, the digital certificates of the trusted certificate issuing authority have been installed in the operating system by Microsoft. According to the evaluation of some authoritative security organizations, some certificate issuing authorities with good reputation and certain security certification are selected, and these certificates are installed in the operating system by default and set as trusted digital certificates. The issuing authority holds a private key corresponding to its own digital certificate, and will use this private key to encrypt all its issued certificates and fingerprints as a digital signature.

c)

In step 4), the client generates a random number and encrypts it with a public key, so that the server decrypts it with a private key to ensure whether the other party really holds the private key. However, hackers can also send strings to the server to encrypt with the private key, and get the encrypted information, thus finding patterns that cause the security of the private key to decline. How?

The server does not encrypt the string, but hashes the string and sends it to the client after encryption. After receiving it, the client decrypts the hash value and compares it with the hash value of the original string to determine whether the other party holds the private key.

d)

In the process of communication, hackers can intercept encrypted content, although they cannot understand the specific content, but they can make trouble, modify the content or repeatedly send the content. How to solve this problem?

Add a version number or random value to the contents of the communication. If the information with the same version number or random value is received, both parties immediately stop communicating. If you have been disturbed, you will not be able to communicate normally, because someone has controlled your router and can target you. Therefore, some departments with strong security do not use public networks, but internal networks, which are generally not broken.

The above is what the running process in HTTPS has, Xiaobian believes that some knowledge points may be what we see or use in our daily work. I hope you can learn more from this article. For more details, please follow the industry information channel.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.