This is the sixth day of my participation in the November Gwen Challenge. Check out the event details: The last Gwen Challenge 2021.

1. The main disadvantages of HTTP

  • Communication is in clear text, so it can be eavesdropped on.
  • The identity of the communicating party is not verified, so either side may be impersonated.
  • Message integrity cannot be verified, so content may have been tampered with in transit.

2. What is HTTPS?

  • HTTPS = HTTP + encryption + Authentication + integrity protection. Therefore, HTTP with encryption and authentication mechanisms is called HTTPS.
  • HTTPS is not a new protocol at the application layer. It is HTTP wrapped in SSL.
  • Normally HTTP talks directly to TCP. When SSL is used, HTTP talks to SSL first, and SSL then talks to TCP.
  • SSL is a protocol independent of HTTP and is used by other protocols as well. It relies on an encryption method called public-key encryption.

3. HTTPS encryption modes

  • Shared-key encryption (symmetric encryption): encryption and decryption use the same key.
  • Public-key encryption (asymmetric encryption): this method uses a pair of keys, a private key and a public key.

HTTPS uses a mix of public-key encryption and shared-key encryption. Because public-key encryption is computationally expensive, using it for all communication would be inefficient. Therefore HTTPS uses public-key encryption only to deliver the shared key to the peer, and then uses shared-key encryption for the rest of the communication.

There is one problem with public keys: on its own, a public key gives no way to prove that it really belongs to the party you think it does. To solve this problem, HTTPS uses a digital certificate authority (CA) and the public-key certificates it issues.

4. Secure HTTPS communication process

    1. The client sends an HTTPS request to the server to start SSL communication.
    2. The server submits its own public key to a digital certificate authority (CA) and obtains a public-key certificate (the server's public key plus the CA's digital signature over it).
    3. The server sends the public-key certificate to the client.
    4. After the client receives the public-key certificate:
      1. It verifies that the certificate is valid and was issued by a CA it trusts.
      2. Once the certificate is verified, the client generates a random password (the shared key) and encrypts it with the public key from the certificate (that is, the server's public key).
      3. It sends the message containing the encrypted random password to the server.
    5. After the server receives the message from the client:
      1. It decrypts the message with its private key to recover the random password.
      2. It encrypts its response content symmetrically with that random password and sends it back to the client.
    6. The client decrypts the server's encrypted response using the same random password.
    7. All subsequent communication is encrypted and decrypted with a symmetric encryption algorithm, using the random password the client generated earlier.
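The hybrid exchange described in the steps above, as an added example (not code from the original post): the client wraps a random AES key under the server's RSA public key, the server unwraps it with its private key, and both sides then protect application data with AES-GCM. Function names are mine; the server key pair stands in for the certified key of step 2, and the certificate check of step 4.1 is not modelled.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// Step 2 stand-in: the server's RSA key pair (in a real deployment the public half is certified by a CA).
func newServerKey(bits int) (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, bits) }
// Steps 4.2-4.3: the client draws a random 256-bit shared key (the text's "random password") and RSA-OAEP-encrypts it.
func clientWrapSharedKey(serverPub *rsa.PublicKey) (sharedKey, wrapped []byte, err error) {
	sharedKey = make([]byte, 32)
	if _, err = rand.Read(sharedKey); err == nil {
		wrapped, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, serverPub, sharedKey, nil)
	}
	return sharedKey, wrapped, err
}
// Step 5.1: only the holder of the matching private key can recover the shared key.
func serverUnwrapSharedKey(serverPriv *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, serverPriv, wrapped, nil)
}
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}
// Steps 5.2-7: data travels under the shared key; AES-GCM also authenticates it (the integrity goal of section 1).
func sealWithSharedKey(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce, prefixed to the output
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}
func openWithSharedKey(key, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil || len(sealed) < gcm.NonceSize() {
		return nil, errors.New("bad key or ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil) // error on any tampering
}
```

This is the RSA key-transport flow the post describes; modern TLS 1.3 instead derives the shared key with ephemeral Diffie-Hellman, and it is the certificate verification of step 4.1 that ties the public key to the server.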

The encryption and hash algorithms used by HTTPS are as follows:

  • Asymmetric encryption algorithms: RSA, DSA/DSS
  • Symmetric encryption algorithms: AES, RC4, 3DES
  • Hash algorithms: MD5, SHA1, SHA256

5. Location of SSL

SSL sits between the HTTP application layer and the TCP transport layer. Application-layer data is no longer handed directly to the transport layer; it goes to the SSL layer, which encrypts the data it receives from the application layer and then passes it down to the transport layer.