Header
HTTP and HTTPS are often encountered in our daily development.
As we all know, most Android app development uses the HTTP protocol when calling API endpoints, and opening a web page in a browser also uses HTTP. HTTP is clearly very widely used, but it is not secure: with a network packet capture tool, the transmitted content can be read at a glance. For example, I often use Fiddler to capture traffic and collect interesting APIs.
So how do you keep HTTP secure? Almost everyone blurts out: use the HTTPS protocol. 99.9 percent of people know that HTTPS encrypts what is transmitted, but ask them how it does so and many are left speechless.
To avoid that awkward situation, you have to read today's article. Afterwards you can show off a little, haha!
Body
Encryption type
First some background: encryption algorithms fall into two basic types:
- Symmetric encryption; the most representative example is the AES algorithm;
- Asymmetric encryption; the commonly used RSA algorithm is asymmetric;
Symmetric encryption means that both parties hold the same key and use that one key both to encrypt and to decrypt the data. This method is fast, but not as secure as asymmetric encryption.
For example, the outstanding student Xiao Ming has the answer to a math problem: 123. He wants to pass the answer to Xiao Hong, on whom he has always had a crush. So before the exam they agree on a key: 456. Xiao Ming encrypts the answer with the key, i.e. 123 + 456 = 579, writes 579 on a piece of paper and throws it to Xiao Hong. If someone else picks up the piece of paper and doesn't know it is encrypted, they see 579 and take the answer to be 579; if Xiao Hong picks it up, she takes out the key, decrypts 579 - 456 = 123, and gets the correct answer.
This is so-called symmetric encryption: encryption and decryption are efficient and fast, but if either side accidentally leaks the key, anyone can read the transmitted content.
With symmetric encryption out of the way, let’s see what asymmetric encryption is.
Asymmetric encryption uses two keys, a public key and a private key. The private key is kept secret from everyone; the public key can be handed out to others.
After being cheated last time, Xiao Hong realised that symmetric encryption is a terrible thing once the key is leaked. So she and Xiao Ming decided to use asymmetric encryption. Xiao Hong generates a pair of public and private keys and publishes the public key, which Xiao Ming obtains. Xiao Ming encrypts the answer with the public key and sends it to Xiao Hong, who decrypts it with her private key. If anyone else gets hold of the transmitted content in this process, they only have Xiao Hong's public key, so there is no way to decrypt it and no way to get the answer; only Xiao Hong can decrypt it.
Therefore, compared with symmetric encryption, asymmetric encryption has higher security, but the encryption and decryption time is longer and the speed is slower.
I have deep experience with the practical application of symmetric and asymmetric encryption, because my company does financial payments, so I see encryption and decryption basically every day.
HTTPS
With encryption types out of the way, let’s look at HTTPS.
Let’s start with a formula:
HTTPS = HTTP + SSL
As you can see from this formula, the only difference between HTTPS and HTTP is SSL. So we can guess that HTTPS encryption is done in SSL.
So what we’re trying to figure out is what’s going on in SSL, right?
This starts with CA certificates. A CA certificate is a digital certificate issued by a CA (certificate authority). As for the authority of the CA, there is no doubt: everyone trusts it. A CA certificate generally contains the following:
- Certificate authority and version
- Certificate user
- Public key of certificate
- Validity period of the certificate
- Digital signature Hash value and signature Hash algorithm of the certificate
- …
Now let's go through the steps a client uses to verify a CA certificate.
The Hash value in the CA certificate is actually the certificate's hash encrypted with the issuing private key (that private key is not in the CA certificate). After obtaining the certificate, the client decrypts the Hash value with the matching public key to obtain hash-a. It then runs the signature Hash algorithm named in the certificate over the certificate to generate hash-b. Finally, it compares hash-a and hash-b. If they match, the certificate is genuine and the server can be trusted. If they do not match, the certificate is wrong and may have been tampered with, and the browser refuses to establish the HTTPS connection. In addition, the system also verifies the validity period and the domain name of the CA certificate.
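As an added example (not code from the original post), here is what those client-side checks look like with Go's standard library: a throwaway CA signs a server certificate, and the verification checks the signature, the validity period at a given time, and the host name. Note that the signature is checked with the public key of the trusted CA from the client's trust store, not with the public key inside the certificate being verified; the names Test Root CA and the host names are constructed for this example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue signs tmpl with signerKey under parent (parent == tmpl gives a self-signed certificate).
func issue(tmpl, parent *x509.Certificate, pub *rsa.PublicKey, signerKey *rsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signerKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// BuildChain creates a throwaway test CA and a server certificate for dnsName signed by it, both
// valid from notBefore to notAfter. The server's private key is discarded: it is never in the cert.
func BuildChain(dnsName string, notBefore, notAfter time.Time) (ca, server *x509.Certificate, err error) {
	caKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	srvKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Test Root CA"}, NotBefore: notBefore,
		NotAfter: notAfter, IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	if ca, err = issue(caTmpl, caTmpl, &caKey.PublicKey, caKey); err != nil {
		return nil, nil, err
	}
	srvTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: dnsName}, DNSNames: []string{dnsName},
		NotBefore: notBefore, NotAfter: notAfter, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	server, err = issue(srvTmpl, ca, &srvKey.PublicKey, caKey)
	return ca, server, err
}

// VerifyServer runs the client-side checks the article lists: the CA's signature over the
// certificate (hash-a must equal hash-b), the validity period at time now, and the host name.
func VerifyServer(server, root *x509.Certificate, hostname string, now time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	_, err := server.Verify(x509.VerifyOptions{Roots: roots, DNSName: hostname, CurrentTime: now})
	return err
}
```

A wrong host name, an expired certificate, or a certificate signed by a CA that is not in the trust store all make VerifyServer return an error, which is exactly where a browser would stop the connection.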
Let's take a closer look at the SSL handshake in HTTPS, assuming we have client A and server B:
- First, client A visits server B. For example, we open the web page www.baidu.com in a browser; the browser is client A and Baidu's server is server B. Client A generates random number 1 and sends server B random number 1, the SSL version that client A supports, and the encryption algorithms it supports.
- After server B receives this information, it confirms an encryption algorithm that both sides support. Then the server generates random number 2 and returns it to client A together with the certificate issued by the CA.
- After client A obtains the CA certificate, it verifies the validity of the certificate using the method described above. After verification succeeds, the client generates random number 3, encrypts it with the public key in the certificate, and sends it to server B.
- Server B receives the encrypted random number 3 and decrypts it with its private key to get the real random number 3.
- Finally, both client A and server B have random numbers 1, 2 and 3, and use these three random numbers to generate a session key. From then on, transmitted content is encrypted and decrypted with the session key. This is symmetric encryption, and the AES algorithm is generally used.
- Client A notifies server B that subsequent communication will use the session key, and tells server B that client A's handshake is complete.
- Server B notifies client A that subsequent communication will use the session key, and tells client A that server B's handshake is complete.
- The SSL handshake ends, and data communication over the SSL secure channel starts. Client A and server B use the same session key for data communication.
That concludes the SSL handshake process. The steps above may be too complicated, so put simply:
- The client starts an SSL handshake with the server, and the client uses the CA certificate to confirm the server's identity.
- The two sides exchange three random numbers and generate a key from them;
- They confirm the key and finish the handshake.
- Data communication begins, and the same session key is used for encryption and decryption.
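As an added example, not part of the original article, the key-exchange steps above in Go: random 3 is encrypted with the public key from the server's certificate (RSA PKCS#1 v1.5, as the classic RSA key exchange did), the server recovers it with its private key, and both sides derive the same session key from randoms 1, 2 and 3, while an eavesdropper who saw randoms 1 and 2 and only the ciphertext of random 3 cannot. The HMAC-SHA256 derivation, the 32-byte random 3 and the function names are simplifications chosen for this example rather than the TLS PRF, and the AES record encryption that follows the handshake is not shown; note also that this RSA key exchange has no forward secrecy and TLS 1.3 no longer supports it.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"io"
)

type Randoms struct{ R1, R2, R3 []byte } // client random 1, server random 2, secret random 3

// SessionKey derives the shared AES-256 key from the three randoms. HMAC-SHA256 keyed with the
// secret random 3 stands in for the TLS PRF; this derivation is a simplification for the example.
func SessionKey(r Randoms) []byte {
	mac := hmac.New(sha256.New, r.R3)
	mac.Write(r.R1)
	mac.Write(r.R2)
	return mac.Sum(nil)
}

// ClientKeyExchange picks random 3 and encrypts it with the public key from the server's
// certificate (RSA PKCS#1 v1.5, as the classic RSA key exchange did). Only wire is sent.
func ClientKeyExchange(serverPub *rsa.PublicKey) (r3, wire []byte, err error) {
	r3 = make([]byte, 32)
	if _, err = io.ReadFull(rand.Reader, r3); err != nil {
		return nil, nil, err
	}
	wire, err = rsa.EncryptPKCS1v15(rand.Reader, serverPub, r3)
	return r3, wire, err
}

// ServerKeyExchange recovers random 3 with the private key, which never leaves the server.
func ServerKeyExchange(serverPriv *rsa.PrivateKey, wire []byte) ([]byte, error) {
	return rsa.DecryptPKCS1v15(rand.Reader, serverPriv, wire)
}

// Handshake runs the article's steps 3 to 5 with given public randoms 1 and 2. It returns each
// side's derived key and what an eavesdropper saw: randoms 1 and 2, and only the ciphertext of 3.
func Handshake(serverKey *rsa.PrivateKey, r1, r2 []byte) (client, server []byte, seen Randoms, err error) {
	r3, wire, err := ClientKeyExchange(&serverKey.PublicKey)
	if err != nil {
		return nil, nil, Randoms{}, err
	}
	r3Server, err := ServerKeyExchange(serverKey, wire)
	if err != nil {
		return nil, nil, Randoms{}, err
	}
	return SessionKey(Randoms{r1, r2, r3}), SessionKey(Randoms{r1, r2, r3Server}), Randoms{r1, r2, wire}, nil
}
```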
We can see that the HTTPS encryption process uses both symmetric and asymmetric encryption. It takes advantage of the high security of asymmetric encryption as well as the speed and efficiency of symmetric encryption. It is really well designed; amazing.
Footer
OK, that's about it for the HTTPS encryption principle. I wonder whether those who didn't understand it before understand it now?
If you don’t understand, you can leave a message below.
bye ~~