What is HTTPS? What is SSL/TLS?
1. Security features
A communication process is considered “secure” if it has four features: confidentiality, integrity, identity authentication, and non-repudiation.
Secrecy/Confidentiality refers to the Confidentiality of data, which can only be accessed by trusted persons and is not visible to others. Simply put, it means that people who are not involved should not be allowed to see things that should not be observed.
Integrity (also known as consistency) is the data in the transmission process is not modified, no more, no less, “perfect” in the original state.
Authentication means to verify the true identity of the other party, or “prove that you are really you”, and ensure that messages can only be sent to trusted people.
The fourth attribute is non-repudiation. It is also called non-repudiation. It means that you cannot deny an action that has already taken place, that you cannot “break your word” or “cheat on your ability”.
2. What is HTTPS?
HTTPS is a “very simple” protocol with a default port number of 443. The rest of the request-response mode, packet structure, request method, URI, header field, connection management, and so on are all HTTP. Nothing new.
Why should HTTPS provide security features such as confidentiality and integrity?
The key is the “S” in HTTPS’s name, which changes the underlying HTTP transport protocol from TCP/IP to SSL/TLS.HTTP over TCP/IP“Turned into”HTTP over SSL/TLS“, allows HTTP to run on secure SSL/TLS protocols, and calls special secure interfaces instead of using Socket API for sending and receiving packets.
3.SSL/TLS
SSL, or secure Sockets Layer, is layer 5 (session layer) in the OSI model
TLS is composed of several sub-protocols, such as recording protocol, handshake protocol, warning protocol, password change protocol and extension protocol. It uses many cutting-edge cryptography technologies, such as symmetric encryption, asymmetric encryption and identity authentication.
TLS password suite name is very standard, the format is very fixed. The basic form is “key exchange algorithm + signature algorithm + symmetric encryption algorithm + digest algorithm”.
4.OpenSSL
It is a well-known open source cryptography library and toolkit, almost support all public encryption algorithms and protocols, has become a de facto standard, many applications will use it as the underlying library to achieve TLS functions, including common Web servers Apache, Nginx and so on.
summary
- Because HTTP is a plaintext transmission, it is insecure and vulnerable to hacking or tampering.
- Communication security must have confidentiality, integrity, identity authentication and non-repudiation at the same time.
- The syntax and semantics of HTTPS are still HTTP, but the underlying protocol is changed from TCP/IP to SSL/TLS.
- SSL/TLS is an authoritative standard in the field of information security. It uses a variety of advanced encryption technologies to ensure communication security.
- OpenSSL is a well-known open source cryptography toolkit, which is a concrete implementation of SSL/TLS.
Two, symmetric encryption and asymmetric encryption
1. Symmetric encryption
“Symmetric encryption” is well understood, which means that encryption and decryption use the same key, is “symmetric”. As long as the security of the key is ensured, the whole communication process can be said to be confidential.
TLS algorithms AES and ChaCha20 are commonly used.
2. Asymmetric encryption
It has two keys, a public key and a private key. The two keys are different, “asymmetric,” and the public key can be made public for anyone to use, while the private key must be kept strictly secret.
After the public key is encrypted, the private key can be decrypted only. Conversely, the private key can be decrypted only with the public key.
3. Mixed encryption
Symmetric encryption and asymmetric encryption together, they learn from each other, that is, efficient encryption and decryption, and safe key exchange. This is the hybrid encryption now used in TLS.
summary
- The core idea of encryption algorithm is to “transform a small secret (key) into a big secret (ciphertext message)”, keep the small secret, also keep the big secret;
- Symmetric encryption uses only one key for fast operation. The key must be kept secret and cannot be exchanged securely. AES and ChaCha20 are commonly used.
- Asymmetric encryption uses two keys: public key and private key. The public key can be distributed at will while the private key is kept secret, which solves the key exchange problem but is slow. RSA and ECC are commonly used.
- Combining symmetric and asymmetric encryption results in “good and fast” hybrid encryption, which is used in TLS.
Digital signature and certificate
1. Integrity
The algorithm ensures that the digital abstract is equivalent to the original text.
2. Digital signature
The “private key” in asymmetric encryption, using the private key and the digest algorithm, can implement “digital signature” as well as “authentication” and “non-repudiation”.
3. Digital certificates and CAS
It is like the public security Bureau, the Ministry of Education and the notary center in the network world. It has high credibility. It signs each public key with its own reputation to ensure that the public key can not be forged and is credible.
CA’s signature authentication on the public key is also in a format. It is not simply bound to the identity of the holder, but also includes serial number, purpose, issuer, validity time, etc. These are put into a package and then signed to prove all kinds of information associated with the public key completely, forming a “digital Certificate”.
summary
- Abstract: Algorithms are used to achieve integrity and generate unique “fingerprints” for data. The commonly used algorithm is SHA-2.
- Digital signature is the encryption of the abstract by the private key, which can be verified by the public key after decryption to achieve identity authentication and non-repudiation.
- The distribution of public keys requires the use of digital certificates, which must be verified by the CA trust chain, otherwise it is not trusted.
- CA, as the source of trust chain, is sometimes not trusted. The solutions include CRL, OCSP and trust termination.
TLS1.2 connection process analysis
- The HTTPS protocol performs the TCP handshake with the server and then the TLS handshake to establish a secure connection.
- The goal of the handshake is to exchange symmetric keys securely, which requires three random numbers. The third random number, “pre-master”, must be encrypted and transmitted, and must not be cracked by hackers.
- “Hello” message Exchange random number, “Key Exchange” message Exchange “pre-master”;
- Before Change Cipher Spec, all packets are transmitted in plain text, and all packets are encrypted with symmetric keys.
Five, TLS1.3 feature analysis
- TLS1.3 is “disguised” as TLS1.2 in order to be compatible with “older” protocols such as 1.1 and 1.2, and new features are implemented in “extensions”.
- 1.1 and 1.2 Found a lot of security risks in practice, so TLS1.3 significantly deleted the encryption algorithm, only reserved ECDHE, AES, ChaCha20, SHA-2 and a few other algorithms, to strengthen security;
- TLS1.3 also simplifies the handshake process, requiring only one message round trip for a full handshake, which improves performance.
HTTPS optimization
- There are various hardware and software ways to reduce network and computing time and make HTTPS as fast as HTTP. The most feasible is software optimization.
- The ECDHE elliptic curve cipher suite should be used as much as possible to save bandwidth and computation, and to achieve “False Start”.
- Enable the OCSP Stapling function on the server to prevent clients from accessing the CA to verify certificates.
- Session multiplexing has the same effect as Cache. If the client successfully establishes a connection, you can use credentials such as Session ID and Session Ticket to skip key exchange and certificate authentication and directly start encrypted communication.
Should I migrate to HTTPS?
- Moving from HTTP to HTTPS is “inevitable” and should be done as soon as possible;
- To upgrade HTTPS, you need to apply for a digital certificate. You can choose Let’s Encrypt for free.
- When configuring HTTPS, select a proper TLS version and password suite to enhance security.
- The original HTTP site can be retained as a transition, using a 301 redirect to HTTPS.