HTTP is transmitted in plaintext, so the communication between the client and server is visible to the naked eye. Therefore, you can use any packet capture tool, such as WireShark, to capture the communication content.
Therefore, there are the following three risks:
- Risk of eavesdropping, such as access to communications over communications links.
- Tampering risks, such as forced placement of spam, visual pollution.
- Impersonation risk, such as impersonation taobao website.
HTTPS encrypts packets using SSL and TLS on the basis of HTTP, providing reasonable protection against eavesdropping and man-in-the-middle attacks.
The overall communication process can be divided into three stages:
1. TCP three-way handshake 2. TLS connection 3
The TCP three-way handshake has been analyzed before. If you are not familiar with it, you can learn the following steps: Build your network knowledge system – TCP
This article mainly explains the second point: TLS connection.
What is SSL/TLS
Transport Layer Security (TLS) is a Transport Layer Security protocol. Formerly known as Secure Sockets Layer (SSL), Secure Sockets Layer (SSL). It works between the transport layer and the application layer.
2, TLS connection
Like TCP, TLS requires a handshake, but requires four handshakes. These four handshakes can be roughly divided into ten steps:
First handshake
(1) the Client Hello!
The Client will first send a “Client Hello” message, which means “Hello” to the server. The contents of the message body:
1. TLS version number. 2. List of supported Cipher Suite components. The encryption component refers to the encryption algorithm and key length used. 3. A Client Random number.
Second handshake
(2) Server Hello!
This time the Server sends a “Server Hello” message, and the Server greets the client. The contents of the message body:
1. TLS version number. 2. Select the encryption component. The selected encryption component is selected from the list of supported encryption components that the client just sent to the server. 3. A Random number (Server Random)
(3) Certificate
The server sends a ca-signed public key certificate to the client.
(4) Server Key Exchange
The Server sends a parameter (Server Params) to the client to implement the ECDHE algorithm. To prevent forgery, Server Params is signed with the Server private key.
ECDHE is a key exchange algorithm.
(5) Server Hello Done
Notifies the client that the first negotiation ends.
So far, Client Random, Server Random, Server Params are shared between the Client and Server through plaintext. In addition, the client obtains the public key certificate of the server, and then verifies the validity of the public key certificate.
Third handshake
6. The Client Key Exchange
The Client sends another parameter (Client Params) to implement the ECDHE algorithm.
So far, both the Client and the Server have two parameters required by the ECDHE algorithm: Server Params and Client Params.
Both Client and Server can use ECDHE algorithm to calculate a new random key string according to Server Params and Client Params: Pre-master secret, and then combine Client Random, Server Random, and pre-master secret to generate a master key. Finally, other keys are derived from the master key: session key used by the client for sending, session key used by the server for sending, etc.
All landowners Change Cipher Spec
Informs the server that subsequent communications are encrypted using the calculated session secret key.
Today Finished (Encrypted Handshake Message)
Contains the whole checksum (digest) of all the packets connected so far, encrypted and sent to the server.
Whether the handshake negotiation is successful depends on whether the server can decrypt the message correctly.
The fourth handshake
Pet-name ruby Change Cipher Spec
The server also sends a Change Cipher Spec packet.
Attending Finished (Encrypted Handshake Message)
The server also sent a Finished packet.
3, summarize
At this point, if the encryption and decryption of the client and server have been verified, the TLS handshake process will officially end, and the obtained session secret key will be used to encrypt the HTTP request and response.
In TLS, the client and server negotiate with each other, give some parameters, and calculate the symmetric secret key of communication through ECDHE algorithm.