
Analysis of the principle of computer Network HTTPS

2025-01-18 Update. From: SLTechnology News&Howtos (shulou)


Shulou (Shulou.com) 06/02 Report

This article introduces the fundamentals of the HTTPS principle in computer networks. Many people run into difficulties with this in practice, so let Xiaobian walk you through how to handle these situations. I hope you read carefully and learn something!

1. HTTP's biggest drawback: insecurity

HTTP is being replaced by HTTPS, and the biggest reason is that HTTP is insecure. As for why it is insecure, the following picture makes it clear.

Figure 1. HTTP data transfer process

As can be seen from the figure, HTTP transmits all data in plain text, so there is naturally no security at all. This is especially serious for sensitive data such as user passwords and credit card numbers: once a third party obtains them, the consequences are unimaginable. Some people may say: I can encrypt sensitive data on the front-end page, for example with salted MD5. That is too simplistic. First of all, MD5 is not an encryption algorithm; its full name is Message-Digest Algorithm 5. It is an irreversible hash algorithm, meaning that data processed by MD5 on the front end cannot be recovered on the server side. Take a password as an example. The front end hashes the user's password with MD5 and sends the resulting hash value to the server. Since the server cannot recover the password, it uses this hash value directly to process the user's request. Therefore, once a third party obtains this hash value, it can bypass the front-end login page and access the server directly, which is a security problem in itself. In addition, the MD5 algorithm has known security weaknesses of its own, which will not be expanded on here.

Hashing algorithms like MD5 and SHA-1 therefore do not make HTTP more secure. To make HTTP secure you have to use a real encryption algorithm, because an encryption algorithm can encrypt data and later restore it with a key; as long as you make sure the key cannot be obtained by a third party, the data transmission is secure. This is exactly the HTTPS solution, so let's take a look at encryption algorithms.

2. Encryption algorithm

The HTTPS solution to the data transmission security problem is to use encryption algorithms, specifically a hybrid scheme that mixes symmetric and asymmetric encryption. It is therefore necessary to understand the differences between the two kinds of encryption and their respective advantages and disadvantages.

2.1 symmetric encryption

Symmetric encryption, as its name implies, uses the same key for encryption and decryption. Common symmetric encryption algorithms include DES, 3DES and AES. Its advantages and disadvantages are as follows:

Advantages: the algorithm is public, the amount of computation is small, encryption is fast and efficient, and it is suitable for encrypting relatively large amounts of data.

Disadvantages:

Both parties need to use the same key, so transmitting the key cannot be avoided, and there is no guarantee that the key will not be intercepted during that transmission; the security of symmetric encryption therefore cannot be guaranteed on its own.

Every pair of users that communicates with a symmetric algorithm needs its own unique key that nobody else knows, so the number of keys each party has to hold grows dramatically and key management becomes a burden for both sides. Symmetric algorithms are therefore hard to use in distributed network systems, mainly because of the difficulty of key management and the high cost of use.

This article does not give a detailed introduction to specific encryption algorithms; interested students can refer to a detailed explanation of symmetric encryption algorithms. If a symmetric encryption algorithm is used directly in HTTP, the effect is as follows:

Figure 2. symmetric encryption data transmission process

As the figure shows, the encrypted data looks like random noise in transit; even if a third party intercepts it, the data cannot be decrypted without the key, which keeps it secure. But there is a fatal problem: since both parties must use the same key, the key has to be sent to the other party before any data is transmitted, and the key itself is likely to be intercepted on the way, after which the encrypted data can easily be decrypted. How can the key be protected during transmission? This is where asymmetric encryption comes in.

2.2 asymmetric encryption

Asymmetric encryption, as the name suggests, uses two different keys for encryption and decryption: a public key and a private key. The public key and the private key form a pair. Data encrypted with the public key can only be decrypted with the corresponding private key, and data encrypted with the private key can only be decrypted with the corresponding public key. The basic flow for exchanging confidential information with an asymmetric algorithm is: Party A generates a key pair and publishes one of the keys as the public key; Party B obtains the public key, encrypts the confidential information with it and sends it to Party A; Party A decrypts the information with its own private key. If the idea of a public key and a private key is unfamiliar, think of a lock and a key where you hold the only key in the world: you can hand the lock to anyone, they can use it to lock up something important and send it to you, and because only you have the key, only you can see what is locked inside. The commonly used asymmetric encryption algorithm is RSA. Students who want to know more can see: RSA algorithm detailed explanation 1, RSA algorithm detailed explanation 2. Its advantages and disadvantages are as follows:

Advantages: the algorithm is public, encryption and decryption use different keys, the private key never has to be transmitted over the network, and security is high.

Disadvantages: the amount of computation is relatively large, and encryption and decryption are much slower than with symmetric encryption.

Because asymmetric encryption is so strong, it can be used to solve the key leakage problem of symmetric encryption perfectly. The effect is shown below:

Figure 3. The client sends the KEY to the server via asymmetric encryption

In the above process, the client first sends the key KEY used for symmetric encryption to the server under asymmetric encryption, and then both parties use KEY to encrypt the data they exchange symmetrically. During the asymmetric part, even if a third party obtains the public key and the encrypted KEY, it cannot recover KEY without the private key (the private key stays on the server, so the risk of leakage is very small), which in turn secures the symmetric encryption that follows. This flowchart is the prototype of HTTPS: HTTPS simply combines the advantages of the two kinds of encryption, ensuring both communication security and data transmission efficiency.

3. Detailed explanation of HTTPS principle

Take a look at Wikipedia's definition of HTTPS.

Hypertext Transfer Protocol Secure (HTTPS) is an extension of the Hypertext Transfer Protocol (HTTP). It is used for secure communication over a computer network, and is widely used on the Internet. In HTTPS, the communication protocol is encrypted using Transport Layer Security (TLS) or, formerly, its predecessor, Secure Sockets Layer (SSL). The protocol is therefore also often referred to as HTTP over TLS, or HTTP over SSL.


So HTTPS is not an independent communication protocol but an extension of HTTP that secures the communication. The relationship between the two is as follows:

Figure 4. HTTP and HTTPS

HTTPS = HTTP + SSL / TLS.

Next comes the most important part, the analysis of the HTTPS principle. As usual, the picture comes first.

Figure 5. HTTPS encryption, decryption, authentication, and data transfer processes

Don't be put off by how busy it looks; just follow along carefully. The whole HTTPS communication process can be divided into two stages, certificate verification and data transmission, and the data transmission stage is itself divided into an asymmetric-encryption part and a symmetric-encryption part. The specific process is explained according to the numbers in the figure.

1. The client requests an HTTPS URL and connects to port 443 of the server (HTTPS default port, similar to HTTP port 80).

2. A server using the HTTPS protocol must have a digital certificate from a CA (Certification Authority). Certificates have to be applied for and are issued by a specialized certificate authority after a very strict audit (and of course this costs money: the higher the assurance level, the more expensive). A certificate is issued together with a private key and a public key. The private key is kept by the server itself and must not be leaked; the public key is attached to the certificate and can be made public. The certificate also carries an electronic signature, which is used to verify its integrity and authenticity and to prevent tampering.

3. The server responds to the client's request by sending it the certificate. The certificate contains the public key and a lot of other information, such as the issuing authority, the company and the validity period. In Chrome, click the lock icon in the address bar and then click on the certificate to see its details.

Figure 6. CA Certificate of Station B

4. The client parses the certificate and validates it. If the certificate was not issued by a trusted authority, or the domain name in the certificate does not match the actual domain name, or the certificate has expired, a warning is displayed to the visitor, who can choose whether to continue. It looks like this:

Figure 7. Browser Security Warning

If there is no problem with the certificate, the client takes the server's public key A from the certificate. The client then generates a random key KEY and encrypts it with public key A.

5. The client sends the encrypted random key KEY to the server; it will serve as the key for symmetric encryption.

6. After receiving the encrypted random key, the server decrypts it using its private key B. With these steps the client and server have finally established a secure connection, solving the key leakage problem of symmetric encryption, and can now communicate happily using symmetric encryption.

7. The server encrypts the data symmetrically with the secret key (the random key) and sends it to the client, and the client decrypts it with the same secret key.

8. Both parties happily transmit all data using symmetric encryption.

Well, that is the detailed explanation of the HTTPS principle. With such a nice diagram and such a detailed process analysis, how could you not understand it, haha.

That concludes "Analysis of computer network HTTPS principle". Thank you for reading. If you want to learn more industry-related knowledge, you can follow the website; Xiaobian will keep publishing high-quality practical articles for everyone!
