What does HTTPS solve?

Because HTTP is transmitted in plaintext, there are several drawbacks:

  1. Requests are vulnerable to eavesdropping. All the places a request passes through (wifi, router, carrier, packet capture tool, etc.) can intercept and listen to the request.
  2. Clients and servers are easily counterfeited and cannot authenticate each other.
  3. Request data is vulnerable to tampering. With 1

The emergence of HyperText Transfer Protocol Secure (HTTPS) successfully solves the security problems caused by HTTP, where S stands for security. Its implementation is actually on the basis of HTTP to increase SSL (Secure Sockets Layer) /TSL (Transport Layer security protocol) encryption.

Evolution of HTTPS encryption

Before I read an article using a carrier pigeon to explain the process of HTTPS transmission, easy to understand, let me instantly understand the public key, private key and other obscure terms.

Preliminary signalling

Alice sends a message to Jack through a carrier pigeon. Bad Bob hijacks their carrier pigeon and tampers the message, but Jack has no idea.

This is the obvious security flaw of the HTTP protocol.

Negotiated key

Alice and Jack realized this and decided to encrypt their message with A set of codes, such as moving each letter of the message three places forward in order, for example, D→A, E→B, F→C. Thus, the original “secret message” becomes “pbzobq JBPPXDB.”

That way, even if Bob intercepted the message, he wouldn’t be able to decrypt it and get the original message.

After receiving the information, Jack decodes the information according to the same decoding rules and gets the real information.

This is symmetric key encryption. That is, encryption and decryption with the same set of keys.

How are keys transmitted?

The above method is more convenient, but how do Alice and Jack tell each other the symmetric encryption key without meeting each other?

If we still send the key in the letter, Bob will intercept it and it will be a failure.

Carrier pigeon box

Alice and Jack thought of a better way:

When Alice wanted to send a message to Jack, Jack sent an unlocked box, and only Jack had the key of the box. After receiving the box, Alice stored the letter in the box, locked it and sent it out. After receiving the box, Jack opened the box with the only key to obtain informationCopy the code

In this way, even if Bob intercepted an empty or locked box, he would get no information.

This type of box and key encryption is called asymmetric encryption. Chests and keys, what we call public and private keys, match each other and only the other can unlock them.

But there is still a problem. If Bob intercepts the empty box halfway and changes it to another empty box where he only has the key, Alice knows nothing about it and puts the letter in Bob’s box for transmission. Bob can open the box to know the contents of Alice’s letter. (🤷 ♀ ️)

Everyone can have their own box and key, which is equivalent to owning their own public and private keys. Bob sends His public key to Alice, who does not recognize it.

Confirm the person’s identity

The reason for the problem is that Alice and Jack can’t identify each other.

So they found a trusted man in the village, Ted, to sign the box. Ted would sign anyone, and they trusted him enough to sign only trustworthy people. With this signature Alice can confirm that the box came from Jack yes.

Now Alice and Jack can make a reliable transmission.

Bob couldn’t get hold of a box with Jack’s name on it.

Ted — it’s actually a certification body.

Final plan

Alice and Jack realize that pigeons are much slower to carry boxes than letters, so they finally decide to use only boxes (aka asymmetric encryption) to transmit the keys to the symmetric encryption algorithm.

Normal mail transmission is symmetric encryption.

In this way, both the high efficiency of symmetric encryption and the reliability of asymmetric encryption are achieved.

This is how HTTPS transfers information.

HTTPS workflow

Document the whole process in HTTPS terms.

Certificate Verification Procedure

Before using HTTPS, the server applies for a digital certificate from the CA. The certificate contains information about the certificate owner, certificate validity period, and public key. The server sends the certificate except the private key to the client.

After receiving the certificate, the client compares the information about the certificate owner with that of the website to be accessed, and then communicates with the client.

Note: the middle man only modifies the public key of the certificate after intercepting the certificate. Only the middle man has the private key. The client is not aware.

How do I verify that the certificate has not been tampered with?

Add a digital signature to the certificate using the certificate private key.

Server certificate to the client before the body content encrypted with the private key to certificate (plus digital signature) server to certificate the encrypted content, original certificate content is sent to the client after the client receives, use the public key to decrypt the signature block after decryption certificate to get if consistent with the certification body, the content of the certificate has not been tampered withCopy the code

As CA is a public trusted identity, the public key and hash algorithm information of the certificate are built into the system or browser.

Make sure the certificate has not been tampered with, and make sure the owner of the certificate is the same as the URL you want to visit, you can prove that you are the real server I am looking for! (🤦 ♀ ️)

Asymmetric encryption part

After authenticating the server, the process of transferring the key (symmetric encryption key) begins.

The client encrypts the key with the public key in the certificate and transmits it to the server.

The server uses the private key to decrypt and obtain the key.

At this point, the client and server have the keys to use symmetric encryption for subsequent requests.

Symmetric encryption part

The client uses the symmetric encryption key to encrypt the message, and the server uses the corresponding key to decode the message.

Conduct normal secure communications…

For HTTPS certificates, the public key is used for encryption, the private key is used for decryption, and can also be used to add digital signatures. After the client verifies that the certificate has not been tampered with, it can verify the identity of the server by verifying the owner of the certificate.

conclusion

With HTTPS, the part of HTTP that transfers data remains the same, except that it adds a process for confirming the identity of the recipient and encrypting subsequent requests before they can be transmitted.

References:

Juejin. Cn/post / 684490… Juejin. Cn/post / 684490… Juejin. Cn/post / 684490…