The original address: www.360doc.com/showweb/0/0…

This article is good: the principle of HTTPS is explained clearly and is easy to understand. I suggest you read it.

HTTPS

As the cost of HTTPS has dropped, most sites now use HTTPS. We all know that HTTPS is more secure than HTTP, and we have heard of SSL, asymmetric encryption, CA certificates and other things connected with the HTTPS protocol, but the following three questions may be harder to answer:

  1. Why is HTTPS secure?
  2. How is HTTPS implemented underneath?
  3. Is HTTPS always safe?

This article explains why HTTPS is secure, layer by layer, starting from the underlying principle.

HTTPS implementation principle

You have probably heard that HTTPS is secure because it encrypts the transmitted data with asymmetric encryption. In fact, HTTPS transmits the content with symmetric encryption; asymmetric cryptography is used only during the handshake, to verify the server's certificate and to establish the symmetric session key.

The HTTPS process consists of a certificate verification phase and a data transmission phase. The interaction below is the RSA key-exchange handshake of TLS 1.2 and earlier; TLS 1.3 establishes the session key with ephemeral Diffie-Hellman and uses the certificate's key only for signing, but the division of labour (asymmetric for the handshake, symmetric for the data) is the same:

① Certificate verification phase

  1. The browser initiates an HTTPS request
  2. The server returns its HTTPS certificate
  3. The client verifies whether the certificate is valid (signed by a trusted CA, not expired, issued for the requested hostname). If it is invalid, the browser raises a warning

② Data transmission stage

  1. Once the certificate is valid, the client generates a random number locally (the pre-master secret)
  2. The client encrypts the random number with the public key from the certificate and sends the ciphertext to the server
  3. The server decrypts the random number with its private key
  4. Both sides derive the same symmetric key from the random number (in TLS it is combined with the client and server randoms in the key schedule); the server encrypts its response with that key and sends it back

Why is data transmitted symmetrically encrypted?

First, asymmetric encryption is slow, and an HTTP session typically involves many round trips between the two ends, so encrypting every request and response asymmetrically would be unacceptably expensive.

Second, in HTTPS only the server holds a private key, and one key pair protects only one direction: anyone can encrypt to the server's public key, but only the server can decrypt, and the server has no corresponding key with which to encrypt data for the client. Therefore HTTPS encrypts the content with symmetric encryption rather than asymmetric encryption.

Why do I need a CA to issue a certificate?

HTTP is considered insecure because traffic in transit is easy to eavesdrop on and servers are easy to impersonate; HTTPS mainly solves the security of the network transmission.

First, assume there is no certificate authority, so that anyone can create a certificate for any name. This leaves a security hole known as the classic "man-in-the-middle" problem.
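In client code the "no certificate verification" assumption above is not hypothetical: TLS libraries let a developer switch verification off, which turns a real client into exactly the one described in the attack that follows. As an added example that is not part of the original article, here is that insecure setting beside the correct one in Python's standard `ssl` module, with a small audit function; the function names are my own.

```python
# Added example (not from the original article): the client-side TLS settings
# that correspond to this page's "no certificate verification" scenario, beside
# the correct ones, and an audit function for an ssl.SSLContext. Standard
# library only; no connection is opened.
import ssl


def insecure_context():
    """The anti-pattern: accept any certificate, so a middleman's works too."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be switched off before verify_mode
    ctx.verify_mode = ssl.CERT_NONE  # the chain is not checked against any CA
    return ctx


def secure_context():
    """System trust store, chain verification, hostname check, TLS 1.2 minimum."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx):
    """Return findings that would let a middleman in; an empty list means OK."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is not CERT_REQUIRED: the certificate chain is not checked")
    if not ctx.check_hostname:
        findings.append("check_hostname is False: a valid certificate for any name is accepted")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum_version below TLS 1.2: legacy protocol versions allowed")
    return findings
```

`verify_mode = CERT_NONE` (the same thing `verify=False` does in the `requests` library) is the programmatic form of step 3 of the attack below: the client accepts whatever certificate it is handed. `check_hostname` matters separately, because a middleman can hold a perfectly valid CA-issued certificate for some other name it controls.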

The detailed process of a man-in-the-middle attack is as follows:


  1. The client's requests are hijacked (for example by DNS hijacking), so every request is sent to the middleman's server

  2. The middleman's server returns the middleman's own certificate

  3. The client generates a random number, encrypts it with the public key from the middleman's certificate and sends it to the middleman; the symmetric key derived from that random number then encrypts the transmitted content

  4. Because the middleman holds the private key matching its certificate, it recovers the client's random number and can decrypt the content with the symmetric algorithm

  5. The middleman sends the client's request on to the legitimate website

  6. Because the communication between the middleman and the legitimate server is an ordinary valid HTTPS session, the legitimate website returns its data encrypted over that secure channel

  7. The middleman decrypts the content with the symmetric key it established with the legitimate website

  8. The middleman re-encrypts the legitimate response with the symmetric key it established with the client and transmits it

  9. The client decrypts the returned data with the symmetric key it established with the middleman

Because the certificate is never verified, the client initiated an HTTPS request and yet is completely unaware that its connection has been intercepted and the transmitted content read by the middleman. A certificate issued by a trusted CA closes this hole: the middleman can create a certificate for the site's name, but it cannot get the CA to sign it, so the client's verification in step 2 fails and the connection is refused.
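The two flows above, the certificate and data phases of the handshake and the nine-step man-in-the-middle relay, played out in one script, as an added example that is not code from the original article. It is a toy model: RSA key transport as in TLS 1.2 and earlier, textbook RSA over hard-coded Mersenne primes, a SHA-256 "session key", and an HMAC-keyed XOR stream cipher with no integrity tag, so that it runs with the Python standard library alone. None of that is secure or byte-compatible with TLS; the site name `bank.example`, the sample request and all function names are my own. `run(False)` is the page's "no CA" client and lets the middleman read the request; `run(True)` checks the CA signature and refuses the middleman's certificate.

```python
# Added example (not from the original article): a toy model of the HTTPS flow
# described on this page. Textbook RSA over Mersenne primes, a SHA-256 session
# key and an HMAC-based XOR stream cipher stand in for the real primitives; only
# the structure of the exchange is faithful.
import hashlib
import hmac
import secrets

E = 65537  # public exponent

def rsa_keypair(p, q):
    """Textbook RSA: returns ((n, e), (n, d)) for distinct primes p and q."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))

def make_cert(subject, pub):
    # A "certificate" here is just a subject name bound to a public key.
    return {"subject": subject, "pub": pub}

def cert_digest(cert):
    n, e = cert["pub"]
    raw = f"{cert['subject']}|{n}|{e}".encode()
    return int.from_bytes(hashlib.sha256(raw).digest(), "big")

def sign(priv, cert):
    """Toy RSA signature on the certificate digest (needs a modulus above 2**256)."""
    n, d = priv
    return pow(cert_digest(cert), d, n)

def verify_signature(pub, cert, signature):
    n, e = pub
    return pow(signature, e, n) == cert_digest(cert)

def session_key(premaster):
    # Stand-in for the TLS key schedule: both ends derive the same symmetric key.
    return hashlib.sha256(b"toy-session-key" + premaster.to_bytes(16, "big")).digest()

def sym_crypt(key, data):
    """XOR stream cipher keyed by HMAC-SHA256 blocks; one call encrypts and decrypts."""
    blocks = (hmac.new(key, i.to_bytes(8, "big"), hashlib.sha256).digest()
              for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, b"".join(blocks)))

def client_handshake(host, cert, signature, ca_pub, verify_cert=True):
    """Certificate phase step 3 plus data phase steps 1-2, from the client side.

    Returns (random number encrypted to the certificate's key, session key).
    verify_cert=False reproduces the page's "no certificate verification" client.
    """
    if verify_cert:
        if cert["subject"] != host:
            raise ValueError("certificate was issued for a different host")
        if not verify_signature(ca_pub, cert, signature):
            raise ValueError("certificate is not signed by a trusted CA")
    premaster = secrets.randbits(128)
    n, e = cert["pub"]
    return pow(premaster, e, n), session_key(premaster)

def server_handshake(priv, encrypted_premaster):
    """Data phase step 3: whoever holds the matching private key recovers the key."""
    n, d = priv
    return session_key(pow(encrypted_premaster, d, n))

def run(client_verifies):
    """Play the nine man-in-the-middle steps against a hijacked client connection."""
    ca_pub, ca_priv = rsa_keypair(2**521 - 1, 2**607 - 1)      # trusted CA
    srv_pub, srv_priv = rsa_keypair(2**107 - 1, 2**127 - 1)    # legitimate site
    mitm_pub, mitm_priv = rsa_keypair(2**89 - 1, 2**1279 - 1)  # middleman
    host = "bank.example"                                       # hypothetical site name
    srv_cert = make_cert(host, srv_pub)
    srv_sig = sign(ca_priv, srv_cert)          # issued by the CA
    mitm_cert = make_cert(host, mitm_pub)      # "anyone can create a certificate"...
    mitm_sig = sign(mitm_priv, mitm_cert)      # ...but can only sign it with their own key
    result = {"genuine_cert_accepted": verify_signature(ca_pub, srv_cert, srv_sig),
              "forged_cert_accepted": verify_signature(ca_pub, mitm_cert, mitm_sig)}
    # Steps 1-2: the hijacked request reaches the middleman, who returns its own cert.
    try:
        enc_pm, client_key = client_handshake(host, mitm_cert, mitm_sig, ca_pub, client_verifies)
    except ValueError as err:
        return dict(result, connected=False, reason=str(err))
    # Step 3: the client encrypts its request under the key derived from its random number.
    request = b"GET /account HTTP/1.1"          # constructed sample request
    req_ct = sym_crypt(client_key, request)
    # Step 4: the middleman holds the private key the client encrypted to.
    mitm_client_key = server_handshake(mitm_priv, enc_pm)
    seen_request = sym_crypt(mitm_client_key, req_ct)
    # Steps 5-7: the middleman opens a perfectly valid session to the real server.
    enc_pm2, mitm_srv_key = client_handshake(host, srv_cert, srv_sig, ca_pub)
    srv_key = server_handshake(srv_priv, enc_pm2)
    served = sym_crypt(srv_key, sym_crypt(mitm_srv_key, seen_request))
    resp_ct = sym_crypt(srv_key, b"balance: 42" if served == request else b"bad request")
    # Steps 8-9: decrypt with the server-side key, re-encrypt with the client-side key.
    relayed = sym_crypt(mitm_client_key, sym_crypt(mitm_srv_key, resp_ct))
    return dict(result, connected=True, middleman_saw=seen_request,
                client_got=sym_crypt(client_key, relayed))
```

With verification off the client receives the genuine `balance: 42` and sees nothing wrong, which is exactly why the attack is invisible to the user; with verification on, `run(True)` stops at step 2 because the forged certificate does not verify under the CA's public key, even though it carries the right hostname. The Mersenne primes are used only because they are known to be prime; a real implementation generates large random primes and never exposes the raw RSA operation the way this toy does.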

This article will be updated continuously. Search for "Maimo Coding" on WeChat to read it first. Quality articles, experience from large companies and campus-recruitment interview tips are shared every day; it is a platform worth following for every programmer.