I’ve written about HTTP in the past. If you don’t know HTTP, you should read 5 Minutes to Understand the HTTP Protocol before reading this article. The main reference for this article is “Use carrier pigeons to explain HTTPS”.

1. HTTP problems

1.1 Possible eavesdropping

  1. HTTP does not provide encryption. HTTP packets are sent in plain text.
  2. Because the Internet is made up of network facilities that connect all parts of the world, any data sent or received through one of these devices can be intercepted or accessed. (For example, Wireshark is a familiar tool for capturing packets.)

1.2 Authentication Issues

  1. You cannot confirm that the server you are sending a request to is the real target server (it may be disguised).
  2. You cannot confirm that the client the response is returned to is the client that was really meant to receive it (it may be a disguised client).
  3. You cannot determine whether the party you are communicating with has access permission. Some important information on a Web server is meant to be sent only to specific users, yet even meaningless requests are accepted, so Denial of Service (DoS) attacks made up of massive numbers of requests cannot be prevented.

1.3 Possible tampering

  1. A request or response can be altered by a man-in-the-middle (MITM) attack, in which an attacker intercepts and modifies content in transit.

2. HTTPS introduction

2.1 What is HTTPS

Hypertext Transfer Protocol Secure (HTTPS), often called HTTP over TLS, HTTP over SSL, or HTTP Secure, is a transport protocol for secure communication over a computer network. HTTPS communicates over HTTP, but uses SSL/TLS to encrypt packets. HTTPS was developed to provide identity authentication for web servers and to protect the privacy and integrity of exchanged data.

2.2 How can HTTPS solve the preceding problems

HTTPS is HTTP with its communication interface handled by the Transport Layer Security (TLS) protocol. The TLS protocol uses a client-server architecture to create secure connections between two applications over the network, preventing eavesdropping and tampering during data exchange.

2.3 Relationship between SSL and TLS

  1. Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), are security protocols designed to provide security and data integrity for Internet communications.
  2. When Netscape released the first version of its web browser, Netscape Navigator, in 1994, it introduced the HTTPS protocol, which used SSL for encryption. This is the origin of SSL.
  3. The IETF standardized SSL and published the first version of the TLS standard in 1999. This was followed by RFC 5246 (August 2008) and RFC 6176 (March 2011). The protocol is widely supported in applications such as browsers, e-mail, instant messaging, VoIP, and network fax.

2.4 The TLS/SSL protocol

The HTTPS protocol relies on TLS/SSL, and TLS/SSL relies on three basic kinds of algorithm: hash functions, symmetric encryption and asymmetric encryption. Asymmetric encryption is used for identity authentication and key negotiation, the symmetric encryption algorithm uses the negotiated key to encrypt data, and the hash function is used to verify the integrity of the information.

For details about how the SSL/TLS protocol operates, see Professor Ruan’s overview of the SSL/TLS protocol operation mechanism.

For the principles of the RSA encryption algorithm, see Professor Ruan’s two articles, RSA Algorithm Principle (1) and RSA Algorithm Principle (2).

2.5 Use carrier pigeons as an explanation

Cryptography is a difficult and abstract subject, and on the Internet any activity can be thought of as sending and receiving information from a server. We can assume that these messages are carried by homing pigeons.

Let’s talk about Alice, Bob and Mallory before we get to that. They are generic characters widely used in cryptography and physics. These names are used to make a topic easier to explain: if every sentence reads like “A wants to send a message to B”, it becomes harder to follow and more confusing as the topic gets more complex. In a typical protocol run, a character is not necessarily a “human” but may be a trusted automated agent (such as a computer program). The use of these names is instructive and sometimes humorous.

2.5.1 Preliminary communication

If Alice wants to send Bob a message, she ties it to the leg of a carrier pigeon and sends it to Bob. Bob gets the message and reads it, and all is well.

But what if Mallory intercepted Alice’s pigeon and manipulated the message? Bob would have no way of knowing that Alice’s message had been modified in the process.

This is how HTTP works. It looks scary, right? I don’t send my bank credentials over HTTP, and neither should you.

2.5.2 A Secret Code

Now suppose Alice and Bob are very smart. They agree to use a secret code to write their messages: they move each letter of the message three places earlier in the alphabet. For example, D → A, E → B, F → C. Thus, the original “secret message” becomes “pbzobq jbppxdb”.

Now, if Mallory intercepts the carrier pigeon again, she can’t make any meaningful changes and she won’t know what the message says, because she doesn’t know the secret code. Bob, on the other hand, can easily reverse the code, deciphering the contents of the message using the rules A → D, B → E, C → F. The encrypted message “pbzobq jbppxdb” is decrypted and restored to “secret message”.

This is symmetric key encryption, because if you know how to encrypt a piece of information you can also decrypt that piece of information. The code above is usually called the Caesar cipher. In real life we use more elaborate and complex ciphers, but the principle is the same.

2.5.3 How do we determine the key?

Symmetric key encryption is very secure if no one but the sender and receiver knows what key is being used. In the Caesar cipher, the key is the offset: how many positions each letter has to move to become the encrypted letter. In the previous example I used an offset of 3, but I could have used 4 or 12.

The problem is that if Alice and Bob don’t meet in person before they start sending messages by carrier pigeon, they have no safe way to establish the key. If they send the key itself by pigeon, Mallory can intercept the message and discover the key. This allows Mallory to read Alice and Bob’s messages before or after they start encrypting them and manipulate them as she wishes.

This is a classic example of a man-in-the-middle attack, and the only way to avoid it is for the sender and receiver to change their encryption system together.
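The Caesar scheme from 2.5.2 and the intercepted-key problem from 2.5.3, as an added example that is not part of the original article. The function names and the replacement message are constructed for illustration; the offset 3 and the text “secret message” come from the article.

```python
def shift(text: str, offset: int) -> str:
    """Move each ASCII letter `offset` places earlier in the alphabet, wrapping around."""
    out = []
    for ch in text:
        if ch.isascii() and ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr(base + (ord(ch) - base - offset) % 26))
        else:
            out.append(ch)  # spaces and punctuation travel unchanged
    return "".join(out)


def encrypt(message: str, key: int) -> str:
    return shift(message, key)       # key 3: D -> A, E -> B, F -> C


def decrypt(ciphertext: str, key: int) -> str:
    return shift(ciphertext, -key)   # key 3: A -> D, B -> E, C -> F


def mallory_intercepts(ciphertext: str, stolen_key: int, replacement: str):
    """With the key, Mallory both reads the note and writes one Bob will accept."""
    what_alice_wrote = decrypt(ciphertext, stolen_key)
    forged = encrypt(replacement, stolen_key)
    return what_alice_wrote, forged


KEY = 3  # the offset used in the article

if __name__ == "__main__":
    on_the_pigeon = encrypt("secret message", KEY)
    print(on_the_pigeon)
    # Constructed replacement text, for illustration only.
    read, forged = mallory_intercepts(on_the_pigeon, KEY, "meet at nine")
    print(read, "|", decrypt(forged, KEY))
```

Bob’s decryption of the forged note succeeds exactly as it would for a genuine one: a shared key that has leaked protects neither the secrecy nor the integrity of the message.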

2.5.4 Deliver boxes through carrier pigeons

So Alice and Bob came up with a better system. When Bob wants to send a message to Alice, he does it as follows:

  1. Bob sends Alice a pigeon without any message.
  2. Alice sends the pigeon back to Bob carrying a box with an open lock. Alice keeps the key to the lock.
  3. Bob puts the letter in the box, locks it and sends it to Alice.
  4. Alice receives the box, opens it with the key and reads the message.

So Mallory can’t manipulate the message by intercepting the pigeon, because she doesn’t have a key to open the box. Follow the same procedure when Alice wants to send a message to Bob.

The process Alice and Bob use is often called asymmetric key encryption. It’s asymmetric because even if you can encode the message (lock the box), you can’t decode it (open the locked box).

In technical terms, the box is called a public key and the key used to open the box is called a private key.

2.5.5 How To Trust a Box

But there are still problems. When Bob receives the box how can he be sure that it came from Alice and not Mallory who intercepted the pigeon and replaced it with a box that she has a key to open?

Alice decided to sign the box so that Bob could check the signature when he received it to be sure it was from Alice.

So how does Bob recognize Alice’s signature from the very beginning? That’s a good question. Alice and Bob did have this problem, so they decided to have Ted mark the box instead of Alice.

So who is Ted? Ted is well known as a trustworthy guy. He gives his signature to everyone, and everyone trusts him to sign boxes only for legitimate people.

If Ted can confirm that the person asking for a signature is Alice, he will sign Alice’s box. So Mallory can’t get a box signed by Ted on Alice’s behalf: Bob knows that Ted only signs for people whose identity he has confirmed, so Bob can spot the trick.

Ted’s role is known in technical terms as a certificate authority (CA). The browser you are reading this article with comes packaged with the signatures of many certificate authorities.

So when you first access a site you can trust the box from that site because you trust Ted and Ted will tell you that the box is legitimate.

2.5.6 Heavy Boxes

Alice and Bob now have a reliable system for communicating, but they also realize that it would be slower for pigeons to carry boxes than it would be to just carry letters.

So they decided to use the box method (asymmetric encryption) only to agree on a key, and to encode the messages themselves with symmetric encryption (remember the Caesar cipher?).

In this way, the advantages of both can be achieved, the reliability of asymmetric encryption and the high efficiency of symmetric encryption.

We wouldn’t use carrier pigeons in the real world, but asymmetric encryption is still slower to encode information than symmetric encryption, so we only use asymmetric encryption when exchanging encoding keys.
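The signed box from 2.5.5 and the key hand-off from 2.5.6 in one added example (not from the original article). It assumes toy textbook RSA over constructed Mersenne primes with no padding, a hypothetical "name|e|n" encoding for what Ted signs, and illustrative function names; real TLS uses vetted libraries and X.509 certificates.

```python
import hashlib
import secrets

# Toy textbook RSA over well-known Mersenne primes: readable, but trivially
# breakable. Constructed values for illustration only.
def make_keypair(p, q, e=65537):
    n, phi = p * q, (p - 1) * (q - 1)
    return (e, n), (pow(e, -1, phi), n)      # public "box", private "key"

def digest(name, box, n):
    data = f"{name}|{box[0]}|{box[1]}".encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def ted_sign(name, box, ted_private):
    d, n = ted_private
    return pow(digest(name, box, n), d, n)

def box_is_trusted(name, box, signature, ted_public):
    e, n = ted_public
    return pow(signature, e, n) == digest(name, box, n)

def bob_send_session_key(name, box, signature, ted_public):
    """Bob locks a fresh symmetric key in the box, but only if Ted vouches for it."""
    if not box_is_trusted(name, box, signature, ted_public):
        return None                          # swapped box: send nothing
    session_key = secrets.randbits(128)
    e, n = box
    return session_key, pow(session_key, e, n)

def alice_open(locked, alice_private):
    d, n = alice_private
    return pow(locked, d, n)

TED_PUBLIC, TED_PRIVATE = make_keypair(2**107 - 1, 2**127 - 1)
ALICE_BOX, ALICE_KEY = make_keypair(2**61 - 1, 2**89 - 1)
MALLORY_BOX, MALLORY_KEY = make_keypair(2**89 - 1, 2**107 - 1)
ALICE_SIGNATURE = ted_sign("alice", ALICE_BOX, TED_PRIVATE)

def demo():
    sent = bob_send_session_key("alice", ALICE_BOX, ALICE_SIGNATURE, TED_PUBLIC)
    swapped = bob_send_session_key("alice", MALLORY_BOX, ALICE_SIGNATURE, TED_PUBLIC)
    return sent[0] == alice_open(sent[1], ALICE_KEY), swapped

if __name__ == "__main__":
    print(demo())
```

Only the short session key travels in the slow box; every later message would be encoded with the fast symmetric cipher under that key, and a box Mallory swaps in fails Ted’s signature check before Bob locks anything in it.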

So now you know how HTTPS works.

References:

  1. Use carrier pigeons to explain HTTPS
  2. Hypertext Transfer Protocol Secure
  3. Transport Layer Security