Geek Time: How browsers work and practice

1. HTTPS symmetric encryption

When it comes to encryption, the simplest approach is symmetric encryption. Symmetric encryption means that encryption and decryption use the same key.

Before HTTPS transfers any data, the browser and the server need to negotiate the encryption method, as shown in the figure.

HTTPS first negotiates the encryption and decryption method; this negotiation is the process of establishing a secure HTTPS connection. To make the key harder to crack, the server and the client decide the key together. The specific process is as follows:

  • The browser sends the list of encryption suites it supports and a random number, client-random. An encryption suite is an encryption method, and the encryption suite list is the list of encryption methods the browser supports.

  • The server selects an encryption suite from the list, generates its own random number, service-random, and returns service-random and the encryption suite list to the browser.

  • Finally, the browser and the server each return a confirmation message.

Now both the browser and the server hold the same client-random and service-random. Each side mixes client-random and service-random together to generate a master secret, and with the master secret and the chosen encryption suite, the two parties can transmit encrypted data.

Although this version works, client-random and service-random are transmitted in plain text, which means a hacker who eavesdrops on the connection also obtains the negotiated encryption suite and both random numbers. Because the algorithm that derives the key from the random numbers is public, once the hacker has the random numbers they can synthesize the same key, decrypt the data, and use the key to forge or tamper with it.

2. HTTPS asymmetric encryption

Unlike symmetric encryption, asymmetric encryption uses two keys, A and B. Data encrypted with key A can only be decrypted with key B; conversely, data encrypted with key B can only be decrypted with key A.

In HTTPS, the server sends one of the keys, called the public key, to the browser in plain text and keeps the other, called the private key. As the names imply, the public key is available to everyone, while the private key is known only to the server and to no one else. Here is the HTTPS process modified to use asymmetric encryption:

  • First, the browser sends its list of encryption suites to the server.

  • Then the server chooses an encryption suite. Unlike symmetric encryption, with asymmetric encryption the server needs a public key for the browser to encrypt with and a private key for the server to decrypt the HTTP data. Because the public key is meant for the browser, the server sends the chosen encryption suite together with the public key to the browser.

  • Finally, the browser and the server each return a confirmation message.

In this way, the browser holds the server's public key and can use it to encrypt the data it sends to the server. Because data encrypted with the public key can be decrypted only with the private key, even a hacker who intercepts both the data and the public key cannot use the public key to decrypt the data.

However, this approach still has two problems:

1. First, asymmetric encryption is inefficient. This severely slows down the encryption and decryption of data, which in turn slows down page loading for users.

2. Second, the data sent from the server to the browser cannot be secured. The browser can encrypt with the public key, but the server can only encrypt with the private key, and data encrypted with the private key can be decrypted with the public key. Since hackers can also obtain the public key, the server's data cannot be kept secure.

3. HTTPS symmetric encryption + asymmetric encryption

The final scheme is a better one: symmetric encryption is still used in the data transmission stage, but the symmetric key is transmitted using asymmetric encryption. Here is the modified version:

  • First, the browser sends the list of symmetric encryption suites, the list of asymmetric encryption suites, and the random number client-random to the server.

  • The server saves client-random, selects a symmetric encryption suite and an asymmetric encryption suite, generates the random number service-random, and sends the selected encryption suites, service-random, and its public key to the browser.

  • The browser saves the public key, generates a random number called the pre-master, encrypts the pre-master with the public key, and sends the encrypted data to the server.

  • Finally, the server uses its own private key to decrypt the pre-master data and returns a confirmation message.

At this point, the server and the browser share three values: client-random, service-random, and the pre-master. Each side uses these three random numbers to generate the symmetric key, and because both sides use the same method to generate it, the resulting key is the same.

With a symmetric encryption key, the two parties can use symmetric encryption to transmit data.

Note that the pre-master is encrypted with the public key before transmission, so a hacker cannot obtain it. Without the pre-master the hacker cannot generate the key, which ensures that the hacker cannot decrypt the data in transit.

4. Add a certificate

Combining symmetric and asymmetric encryption secures the data in transit, but problems remain. For example, when you open a URL, a hacker who hijacks DNS can replace the site's IP address with the hacker's own IP address, so the server you actually visit is the hacker's. The hacker can set up a public key and private key on that server, and the browser has no idea that it is visiting the hacker's site. So the server needs to prove its identity.

To prove that a server belongs to the official website, the server needs a certificate issued by an authority, called a Certificate Authority (CA). The certificate issued by the CA is called a digital certificate.

For the browser, a digital certificate serves two purposes:

1. It proves the server's identity to the browser.

2. It contains the server's public key.

Compared with the previous version, two steps change:

  • Instead of returning the public key directly to the browser, the server returns the digital certificate, which contains the public key.

  • A certificate verification step is added on the browser side; only after the certificate is verified does the rest of the process continue.

This is the third version of the encryption process.

At this point, the browser can request the server securely and transmit data securely.
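As an added example that is not part of the original post, the following Python simulates the whole progression above end to end: the version 1 weakness where the sniffed client-random and service-random alone reproduce the key, the version 3 handshake where the pre-master travels under the server's public key so an eavesdropper can only guess, and the certificate check that lets the browser reject a substituted public key. It uses a textbook RSA toy on fixed small primes (constructed and insecure, no padding) in place of a real key exchange and HMAC in place of the TLS PRF; all function names are assumptions of this example.

```python
import hashlib
import hmac
import secrets
# Textbook RSA with fixed small primes: a constructed TOY (no padding, tiny keys)
# that only shows the message flow; real TLS uses proper key sizes and padding.
def toy_rsa_keypair(p, q, e=65537):
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))   # private exponent (needs Python >= 3.8)
    return (e, n), (d, n)                # (public key, private key)

def rsa_apply(key, m):                   # encrypt/verify with public, decrypt/sign with private
    exp, n = key
    return pow(m, exp, n)                # m is a 4-byte value, so it is below every toy modulus

def handshake_v1():
    """Version 1: the key is mixed from the two plaintext randoms only."""
    client_random, service_random = secrets.token_bytes(4), secrets.token_bytes(4)
    wire = (client_random, service_random)                 # what an eavesdropper sees
    return hashlib.sha256(client_random + service_random).digest(), wire

def eavesdropper_v1(wire):               # the sniffed randoms are all that is needed
    return hashlib.sha256(wire[0] + wire[1]).digest()

def derive_key_v3(client_random, service_random, pre_master):
    """Version 3: the pre-master is the secret input; HMAC stands in for TLS's PRF."""
    return hmac.new(pre_master, client_random + service_random, hashlib.sha256).digest()

def handshake_v3(server_pub, server_priv):   # returns (browser_key, server_key, wire)
    client_random = secrets.token_bytes(4)                 # browser -> server, plaintext
    service_random = secrets.token_bytes(4)                # server -> browser, plaintext
    pre_master = secrets.token_bytes(4)                    # browser keeps this secret...
    encrypted = rsa_apply(server_pub, int.from_bytes(pre_master, "big"))  # ...sends it under RSA
    pm_at_server = rsa_apply(server_priv, encrypted).to_bytes(4, "big")
    wire = (client_random, service_random, encrypted)      # everything an eavesdropper sees
    return (derive_key_v3(client_random, service_random, pre_master),
            derive_key_v3(client_random, service_random, pm_at_server), wire)

def eavesdropper_v3(wire):               # no private key, so the pre-master must be guessed
    client_random, service_random, _ = wire
    return derive_key_v3(client_random, service_random, secrets.token_bytes(4))

# Toy certificate: the CA signs a digest of the server's public key; the browser checks it with the CA public key.
def ca_issue(ca_priv, server_pub):
    digest = int.from_bytes(hashlib.sha256(repr(server_pub).encode()).digest()[:4], "big")
    return {"pub": server_pub, "sig": rsa_apply(ca_priv, digest)}

def browser_verify(ca_pub, cert):
    digest = int.from_bytes(hashlib.sha256(repr(cert["pub"]).encode()).digest()[:4], "big")
    return rsa_apply(ca_pub, cert["sig"]) == digest
```

A substituted public key inside the certificate no longer matches the CA's signature, which is exactly the check that defeats the DNS-hijacking scenario described above.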