This is the 25th day of my participation in the August Challenge
Introduction to HTTPS

HTTPS is now the protocol behind most of the sites we visit, such as Baidu, Taobao, Ali and Jingdong. Interviewers also like to ask about the principles of HTTPS encryption; I was asked about it in an interview once and did not know, so at the time I had no answer. In WeChat mini-program development, WeChat also requires that the back-end domain names a mini-program accesses use HTTPS. So what is the difference between HTTP and HTTPS, and how does HTTPS guarantee security? The following is an analysis.

HTTP, the Hypertext Transfer Protocol, is a stateless, request/response based application-layer protocol that carries text on top of TCP/IP. It has a fatal weakness in transit: the text is sent in the clear, so it can easily be captured on the way and its contents modified. To keep the transmitted text safe, the HTTPS protocol builds on HTTP and secures the transmission. Put simply, HTTPS is an upgrade of HTTP: it adds data encryption on top of HTTP, so the text is encrypted before it is sent to the server; when the server receives the ciphertext it first decrypts it and only then carries out the subsequent business logic.
HTTPS Encryption Principle
HTTP + SSL/TLS = HTTPS. This is like putting a lock on HTTP, and the secret key shared between client and server is the key to that lock. First, what is SSL/TLS used for? Secure Sockets Layer (SSL) and its successor Transport Layer Security (TLS) are security protocols that provide confidentiality and data integrity for network communication; TLS and SSL encrypt the network connection between the transport layer and the application layer. [Baidu Baike] The Transport Layer Security protocol (TLS) provides confidentiality and data integrity between two communicating applications. Encryption and decryption involve five parts: plaintext, ciphertext, secret key, encryption and decryption, and these five parts form a ring. The secret key clearly plays the central role here, and the encryption algorithm is just as important, so let's first look at the commonly used encryption algorithms.
Encryption algorithms
Symmetric encryption
Symmetric encryption, also called single-key encryption, uses the same secret key for encryption and decryption. Its main advantages are that the encrypt and decrypt operations are fast and efficient. The sender encrypts the data with the key and the receiver decrypts it with the same key, so both ends must hold the same secret key for the data to stay secure. Common algorithms: AES, DES, RC4, 3DES (triple DES) and RC2.
Asymmetric encryption
Asymmetric encryption differs from symmetric encryption in that it uses different secret keys: one key encrypts and a different key decrypts, and the two are called the public key and the private key. The public key is public, while the private key is kept confidential on the server. Asymmetric encryption is more secure than symmetric encryption and is considered the higher grade of protection, but it performs poorly: encryption and decryption take a long time, and the length of data that can be encrypted is limited. Common algorithms: RSA, DSA, ECDSA, DH, ECDHE. Symmetric and asymmetric encryption each have their own advantages and disadvantages; HTTPS combines the two so that each plays to its strengths.
Hash algorithms

A hash algorithm is a one-way algorithm: different inputs produce different digests, the same input always produces the same digest, and the original input cannot be recovered from the digest (short of brute force). It converts input of any length into a shorter, fixed-length value; MD5, for example, produces a 32-character (128-bit) hex digest. A common use of hash algorithms is software downloads: the vendor's site publishes the MD5 value of the file, and after downloading we compute the MD5 of our copy and compare it with the official value. If the values differ, the software has been tampered with, for example by injecting malicious code, and is not the official build, which is a security problem. Common algorithms: MD5 and SHA-256.
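As an added example (my own code, not from the original post), here is the download check the paragraph describes in Go: the installer bytes and the "published" digests are constructed inline, the comparison is constant-time, and flipping a single bit is enough to make verification fail. MD5 is included only to show its 32-character output; SHA-256 is the one to rely on, since MD5 collisions are practical today.

```go
package main

import (
	"crypto/md5"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"hash"
)

// Constructed stand-in for a downloaded installer; a real file is hashed the same way.
var installer = []byte("fake-installer-bytes-v1.0.0")

// digestHex returns the lowercase hex digest of data under the given hash constructor.
// MD5 yields 32 hex characters (128 bits), SHA-256 yields 64 (256 bits), whatever the input size.
func digestHex(newHash func() hash.Hash, data []byte) string {
	h := newHash()
	h.Write(data)
	return hex.EncodeToString(h.Sum(nil))
}

// What the vendor's download page would list beside the file (constructed here).
// MD5 is shown for comparison only: it is no longer collision-resistant, prefer SHA-256.
var publishedSHA256 = digestHex(sha256.New, installer)
var publishedMD5 = digestHex(md5.New, installer)

// verifyDownload checks a downloaded file against the digest the vendor published.
// Constant-time comparison avoids leaking how many leading bytes matched.
func verifyDownload(newHash func() hash.Hash, data []byte, publishedHex string) bool {
	want, err := hex.DecodeString(publishedHex)
	if err != nil || len(want) != newHash().Size() {
		return false // malformed or wrong-algorithm digest is treated as a failed check
	}
	h := newHash()
	h.Write(data)
	return subtle.ConstantTimeCompare(h.Sum(nil), want) == 1
}

// tamper flips one bit, the smallest change a modified download could carry.
func tamper(data []byte) []byte {
	out := append([]byte(nil), data...)
	out[len(out)/2] ^= 0x01
	return out
}
```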
HTTPS encryption and decryption process
The HTTPS request process:
- The client sends a request to the server and the server responds. During this exchange the server sends its certificate information (version information, encryption algorithm, random number) to the client.
- The client receives the server's certificate and verifies its validity. If verification fails, the client treats the certificate as invalid and shows a message to the user; only after the certificate verifies successfully does it continue with the following steps.
- After confirming that the certificate is OK, the client generates a new 46-byte random number, encrypts it with the public key from the digital certificate the server provided, and sends it to the server.
- When the server receives the ciphertext, it decrypts it with its own private key and obtains the random number generated by the client, which becomes the key for the subsequent symmetric encryption.
- Once this authentication between client and server is complete, all subsequent data is transmitted with symmetric encryption.
Three random numbers are sent during the whole interaction:
- The client sends the protocol version number, a random number (Client Random) and the encryption methods it supports.
- The server confirms the encryption method both parties will use and hands its digital certificate to the client, along with a random number it generates (Server Random).
- After verifying that the certificate is OK, the client generates a new 46-byte random number (Premaster Secret). From (Client Random) + (Server Random) + (Premaster Secret) the client derives the session key it will use later, encrypts this with the certificate's public key, and computes a HASH value of the resulting ciphertext using the negotiated HASH algorithm. Finally, the (Premaster Secret), the symmetrically encrypted ciphertext for the subsequent communication, and the HASH value are all sent to the server.
At this point the client sends the server three pieces of data:
- (Session Key) = (Client Random) + (Server Random) + (Premaster Secret), as ciphertext encrypted with the certificate's public key
- the HASH value of that encrypted ciphertext
- the (Premaster Secret)
- The server receives the data from the client.
- It verifies the encrypted ciphertext with the HASH algorithm (it computes the HASH with the same algorithm and compares it with the HASH value sent by the client).
- It decrypts the ciphertext with its private key and verifies that the Premaster Secret matches the one sent by the client.
- After the data is verified, the server encrypts a handshake message with the session key using the symmetric algorithm and returns the handshake message together with its HASH value to the client.
- The client receives the handshake message and HASH value, decrypts the handshake message and compares the HASH value; if the handshake message and HASH value are consistent, the handshake ends and the subsequent data transmission begins.
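The following added example (my own code, not the post's) runs the flow from the symmetric/asymmetric sections and the handshake steps above with Go's standard crypto library: the server's RSA key pair stands in for the certificate, the client encrypts a 46-byte premaster secret under the public key, both sides derive the session key from Client Random + Server Random + Premaster Secret, and the application message is then protected with AES-256-GCM. Two assumptions for illustration: HMAC-SHA256 stands in for the real TLS PRF, and GCM's authentication tag plays the role of the HASH check in the post.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

func randBytes(n int) []byte { b := make([]byte, n); rand.Read(b); return b }

// deriveSessionKey mixes Client Random, Server Random and the Premaster Secret.
// Assumption: HMAC-SHA256 stands in for the real TLS PRF, which is more elaborate.
func deriveSessionKey(premaster, clientRandom, serverRandom []byte) []byte {
	mac := hmac.New(sha256.New, premaster)
	mac.Write(clientRandom)
	mac.Write(serverRandom)
	return mac.Sum(nil) // 32 bytes: an AES-256 key for the symmetric phase
}
// gcm wraps a 32-byte session key for the symmetric (AES-256-GCM) phase.
func gcm(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key)
	aead, _ := cipher.NewGCM(block)
	return aead
}
// handshake runs the post's RSA key-exchange flow end to end and returns
// what the server decrypts from the client's first application message.
func handshake(appMsg []byte) ([]byte, error) {
	serverKey, err := rsa.GenerateKey(rand.Reader, 2048) // public half lives in the certificate
	if err != nil {
		return nil, err
	}
	clientRandom := randBytes(32) // Client Random, sent in ClientHello
	serverRandom := randBytes(32) // Server Random, sent in ServerHello
	premaster := randBytes(46)    // Premaster Secret, generated by the client
	// Client: encrypt the premaster secret under the certificate's public key.
	encPremaster, err := rsa.EncryptPKCS1v15(rand.Reader, &serverKey.PublicKey, premaster)
	if err != nil {
		return nil, err
	}
	clientSession := deriveSessionKey(premaster, clientRandom, serverRandom)
	// Server: only the private key recovers the premaster secret, then derives the same key.
	gotPremaster, err := rsa.DecryptPKCS1v15(rand.Reader, serverKey, encPremaster)
	if err != nil {
		return nil, err
	}
	serverSession := deriveSessionKey(gotPremaster, clientRandom, serverRandom)
	nonce := randBytes(12) // must never repeat under one key
	return gcm(serverSession).Open(nil, nonce, gcm(clientSession).Seal(nil, nonce, appMsg, nil), nil)
}
```

Because the server derives its own copy of the session key rather than receiving it, a wrong premaster secret yields a different key and GCM refuses to open the message.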
In the client/server interaction, asymmetric encryption is used to obtain the secret key for the data transmission that follows, and that key is then used to transmit data symmetrically, neatly combining the advantages of symmetric and asymmetric encryption.