General contents of this article:

  • Understand the concept of HTTPS

  • What is symmetric encryption and asymmetric encryption?

  • What is a digital signature? How do you make it? How to check?

  • When is symmetric encryption used? When is asymmetric encryption used? When is an encryption algorithm applied, and which one?

  • What are the third parties?

  • What is HTTPS? The specific process

  • The difference between HTTPS and HTTP

  • Why don’t all websites use HTTPS these days?

HTTPS establishes a security layer between HTTP and TCP. Outgoing HTTP data must pass through this security layer, which encrypts the data packet and then hands the encrypted packet to TCP. In the other direction, a packet received from TCP must be decrypted by the security layer before it is handed to HTTP.

I. Basic concepts and understanding

The implementation of TLS/SSL relies on three basic kinds of algorithm:

Hash functions, symmetric encryption and asymmetric encryption. Asymmetric encryption is used for identity authentication and key negotiation, the symmetric encryption algorithm uses the negotiated key to encrypt data, and the hash function is used to verify the integrity of the information.

Asymmetric encryption is used to achieve identity authentication and key negotiation;

Symmetric encryption is used to encrypt information.

What is the difference between SSL and TLS?

Both SSL and TLS are encryption protocols, which can be used to encrypt data at the transport layer wherever there is a network request. SSL is the predecessor of TLS. Netscape released SSL 2.0 in 1995 and never released SSL 1.0. Version 2.0 was short-lived due to vulnerabilities, and Netscape released SSL 3.0 in 1996. Then, in 1999, Netscape released TLS 1.0 based on SSL 3.0 (although the changes in TLS 1.0 were minor, they were significant).

We should be using TLS now, because SSL 2.0 and SSL 3.0 were deprecated in 2011 and 2015, respectively. Because of their vulnerabilities, you have to disable them manually if your server is configured with SSL. Some services require a specific TLS version. You can use SSL Server Test to check the configuration of a server's certificate and protocols.

The current mainstream TLS version is 1.2.

This section describes the relationship between SSL/TLS and certificates

To ensure network security, we need to issue a certificate to the server. We can generate the certificate ourselves, but that is not secure and it can be forged by others, so we usually buy the certificate from a third-party certification authority. So the question is: are certificates tied to protocols, and do we need to distinguish between SSL certificates and TLS certificates? The answer is no. The certificate does not depend on the protocol, so we do not need to worry about whether we are using an "SSL certificate" or a "TLS certificate". The protocol is determined by the server configuration, and the certificate is used together with that protocol.

What is the difference between a private key, a public key, and a symmetric key? What are they?

There is only one symmetric key, which can be a string or a number. The corresponding encryption method is symmetric encryption.

Public and private keys come in pairs. The public key is made public, and the private key is known only to its owner.

Here’s an example:

Party A and Party B prepare to communicate with each other. For security purposes, data encryption is adopted. A has its own public and private keys (A-public and A-private), and B has its own public and private keys (B-public and B-private). Before communication, both parties need to exchange public keys. After the exchange, A holds A-private and B-public, and B holds B-private and A-public.

During communication, A uses B's public key to encrypt sensitive information and uses A's private key to sign it. After receiving the information, B uses B's private key to decrypt the sensitive information and A's public key to verify the signature. And vice versa.

It can be concluded from the above:

1. The public key and private key are paired. The key that is published is called the public key; the key known only to its owner is called the private key.

2. The public key is used to encrypt sensitive information. The private key is used to sign information. So the role of the public key is to ensure data security, and the role of the private key is to mark the sender of the information.

3. The data encrypted with the public key can be decrypted only by the corresponding private key. The data signed with the private key can be authenticated only by the corresponding public key.

4. The encryption and decryption using public and private keys is called asymmetric encryption.

5. It is possible for both parties to use the same pair of public and private keys.

Symmetric encryption

In this mode, encryption and decryption use the same key. In symmetric encryption mode, you must also send the key to the other party.

Q1: With many clients, it is impossible to use the same secret key to encrypt everyone's information. What can be done?

Solution: Each client uses its own key for encryption.

Q2: Since different clients use different keys, how is the symmetric encryption key transmitted?

Solution: The only option is for one end to generate a secret key and then transfer it to the other end over HTTP.

Q3: How is the key protected while it is being transmitted? If it is intercepted by a middleman, the middleman obtains the key too. You might say the key itself should be encrypted, but then how is the key used for that encryption protected, and is that step itself encrypted?

Solution: Asymmetric encryption

Why use asymmetric encryption

In symmetric encryption mode, you must also send the key to the other party. But how exactly do you deliver it safely? When a key is forwarded over the Internet and the communication is monitored, the key can fall into the hands of an attacker and the encryption loses its meaning. You also have to keep the keys you receive secure. This is why asymmetric encryption is used.

Asymmetric encryption

The algorithms used include RSA, ECC, DH, etc.

Encryption uses an asymmetric pair of keys. One is called the private key and the other is called the public key. As the name implies, a private key cannot be made known to anyone else, while a public key can be released at will and accessible to anyone.

The specific practices

The sender uses the receiver's public key to encrypt the symmetric key. After receiving the encrypted information, the receiver uses its private key to decrypt it. Symmetric encryption is then used to exchange packets, on the premise that the exchanged key is secure. In this way, there is no need to send the private key used for decryption, and there is no need to worry that the private key will be eavesdropped on and stolen by an attacker.

Asymmetric encryption has the following characteristics:

  • There is a pair of keys: a public key and a private key.
  • Content encrypted with the public key can be unlocked only with the private key; content encrypted with the private key can be unlocked by anyone holding the public key (here "the public key" means the public key of the same key pair).
  • The public key can be sent to all clients, and the private key is stored only on the server.
  • Information is transmitted one-to-many, and the server only needs to maintain a private key to be able to encrypt communication with multiple clients.

Asymmetric encryption has the following disadvantages:

  • The public key is public. Therefore, hackers can use the public key to decrypt the information encrypted by the private key and obtain its contents.
  • The public key does not contain information about the server. The asymmetric encryption algorithm alone cannot establish the validity of the server's identity, so there is a risk of a man-in-the-middle attack: the public key sent by the server to the client may be intercepted and tampered with by a man in the middle during transmission.
  • Asymmetric encryption consumes some time in the process of data encryption and decryption, which reduces the efficiency of data transmission.

The difference between symmetric encryption and asymmetric encryption:

  • Symmetric encryption requires sending the generated secret key to the other party. Asymmetric encryption does not require sending the private key used for decryption.
  • Security: with symmetric encryption, the secret key that is sent can easily fall into the hands of attackers, and the encryption then loses its meaning. The public key of asymmetric encryption can be published at will and made available to anyone.
  • The advantage of symmetric encryption is that encryption and decryption are faster. The advantage of asymmetric encryption is that it makes the content uncrackable, because even if you intercept the data, you cannot crack the content without the corresponding private key.

Symmetric encryption + Asymmetric encryption (HTTPS uses this method)

HTTPS combines symmetric encryption with asymmetric encryption to take full advantage of the advantages of both. Asymmetric encryption is used in the key exchange phase, and symmetric encryption is used in the subsequent communication exchange message phase.

The method is as follows: the sender uses the receiver's public key to encrypt the symmetric key. After receiving the encrypted information, the receiver uses its private key to decrypt it. Symmetric encryption is then used to exchange packets, on the premise that the exchanged key is secure. Therefore, HTTPS uses both symmetric and asymmetric encryption.

What is the difference between CA authentication and third-party authentication?

Third-party certification refers to certification by an entity that has no practical interest in either party to the transaction, is qualified to audit and certify, and is recognized and authorized by the state. It includes CA certification, CE certification, QA/QC certification and so on. Take CE certification as an example: if a product is to circulate freely in the EU market, it must be certified by the country and carry the “CE” mark to show that it complies with the basic requirements of the EU directive on “New Method of Technical Harmonization and Standardization”, which is a mandatory requirement that EU law places on the product.

CA authentication is performed by the CA center. The Certificate Authority (CA) is the authority responsible for issuing and managing digital certificates. As a trusted third party in e-commerce transactions, the CA is responsible for verifying the legitimacy of public keys in the public key system. CA authentication is a kind of third-party authentication and applies to e-commerce.

Attached: I think third-party authentication can also be called third-party digital certificate authentication

II. Digital signature + third-party authentication

The data cannot be decrypted, but it may be tampered with. To solve the problem of packet tampering, verify the digital signature.

Although the data cannot be decrypted by a third party, it may still be tampered with. How do we verify the integrity of the data? By verifying the digital signature.

Let's start with the digest: compute a hash (SHA1, SHA2) of the text to be transmitted.

How do I generate a digital signature

A piece of text ---- Hash function ---- message digest ---- Private key encryption ---- digital signature

The Hash function is used to generate a message digest, which is encrypted with the sender’s private key to generate a digital signature and sent along with the original text to the receiver. Next comes the process of the receiver verifying the digital signature.

In fact, the sender is the Server and the receiver is the Client.

Verify (compare) digital signature process

After receiving the original text and the digital signature, the receiver needs to compare and verify them.

Steps:

  1. Digital signature ---- sender's public key decryption ---- message digest 1
  2. Text ---- Hash function ---- message digest 2
  3. Compare message digest 1 with message digest 2

If they are the same, the received information is complete and has not been modified during transmission. Otherwise, the information has been modified.

The encrypted digest can be decrypted only with the sender's public key. The receiver then uses the hash function to generate a digest of the received text and compares it with the digest obtained in the previous step.

Here's an example: let's say that messages pass between Kobe and James. James sends a message to Kobe along with a digital signature. Kobe receives the message and verifies the digital signature to confirm that the received message was sent by James. Of course, this process assumes that Kobe knows James's public key. The problem is that, like the message itself, the public key can't simply be sent to Kobe over an insecure network: how would the public key be proven to be James's?

At this point, the Certificate Authority (CA) needs to be introduced. There are not many CAs. Kobe's client has the certificates of all the trusted CAs built in. The CA digitally signs James's public key (and other information) and generates a certificate.

Why the sender’s public key? Is the process of requesting the public key a digital signature process or a digital signature verification process?

The [Business process of digital Certificate Authority] section below gives the answer; please continue reading.

Solve the problem that the identity of the communication party may be disguised — Digital Certificate (third-party authentication)

The client cannot tell whether the public key returned comes from the middleman or from the server, that is, the client may get a fake public key. This is the root of the problem. We can use a specification that makes the client and the server follow a certain convention, namely the “third-party authentication mode”.

The digital Certificate Authority stands as a third-party authority that both the client and the server can trust.

Business process of digital Certificate Authority

  1. The server operator submits the public key, organization information, and personal information (domain name) to the third-party organization (CA) and applies for authentication.
  2. The CA verifies the authenticity of the information provided by the applicant through various online and offline means, such as whether the organization exists, whether the enterprise is legal, whether the applicant owns the domain name, etc.
  3. If the information is approved, CA will issue a certificate to the applicant. A certificate contains the following information: the public key of the applicant, the organization and personal information of the applicant, the information of the issuing authority (CA), the validity period, the serial number of the certificate, and a signature. The signature generation algorithm is as follows: firstly, the hash function is used to calculate the information digest of the open plaintext information, then the CA private key is used to encrypt the information digest, and the ciphertext is the signature. [Digital Signature generation process]
  4. When the Client sends a request to the Server, the Server returns a certificate file.
  5. The Client reads the plaintext information in the certificate, uses the same hash function to calculate the information digest, decrypts the signature data with the public key of the corresponding CA, and compares the result with the digest it calculated from the certificate. If the two digests are consistent, the Client has verified the validity of the certificate, that is, the public key of the server is trustworthy. [Verification process of digital signature]
  6. The client also verifies the domain name and validity period related to the certificate. The client has built-in information about the trusted CA certificate (including the public key). If the CA is not trusted, the CA certificate cannot be found and the certificate is determined to be invalid.
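
The signature generation and verification steps described earlier and the CA business process above, as an added example that is not code from the original article: a toy CA issues a certificate and the client runs the checks from steps 5 and 6. It assumes textbook RSA without padding over constructed keys built from Mersenne primes; the function names, `shop.example` and the CA names are hypothetical, and real certificates are X.509 with padded signatures.

```python
import hashlib
import json
from datetime import date

E = 65537  # common RSA public exponent

def make_keypair(p, q):
    """Textbook RSA (no padding): returns (public, private) as (n, e), (n, d)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))

def digest(body):
    """Message digest: SHA-256 over a canonical encoding of the plaintext fields."""
    blob = json.dumps(body, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(blob).digest(), "big")

def issue_certificate(info, ca_name, ca_private):
    """CA side: hash the fields, then apply the CA private key to the digest."""
    n, d = ca_private
    body = dict(info, issuer=ca_name)
    return {"body": body, "signature": pow(digest(body), d, n)}

def verify_certificate(cert, hostname, today, trust_store):
    """Client side: returns (ok, reason)."""
    body = cert["body"]
    ca_public = trust_store.get(body["issuer"])
    if ca_public is None:
        return False, "issuer not in trust store"
    n, e = ca_public
    # digest 1 (recovered from the signature) must equal digest 2 (recomputed)
    if pow(cert["signature"], e, n) != digest(body):
        return False, "signature mismatch"
    if body["domain"] != hostname:
        return False, "domain mismatch"
    if not body["not_before"] <= today.isoformat() <= body["not_after"]:
        return False, "outside validity period"
    return True, "ok"

# Constructed toy keys from known Mersenne primes: trivially factorable, demo only.
CA_PUB, CA_PRIV = make_keypair(2**521 - 1, 2**607 - 1)
_, ROGUE_PRIV = make_keypair(2**521 - 1, 2**1279 - 1)
SERVER_PUB, _ = make_keypair(2**127 - 1, 2**107 - 1)
ATTACKER_PUB, _ = make_keypair(2**89 - 1, 2**61 - 1)
TRUST_STORE = {"Example Root CA": CA_PUB}  # CA public keys built into the client

def demo():
    info = {"domain": "shop.example", "public_key": list(SERVER_PUB), "serial": 1001,
            "not_before": "2024-01-01", "not_after": "2025-01-01"}
    good = issue_certificate(info, "Example Root CA", CA_PRIV)
    # Middleman swaps in his own public key but cannot redo the CA's signature.
    swapped = {"body": dict(good["body"], public_key=list(ATTACKER_PUB)),
               "signature": good["signature"]}
    # Middleman signs his own certificate with a CA the client does not trust.
    rogue = issue_certificate(dict(info, public_key=list(ATTACKER_PUB)),
                              "Rogue CA", ROGUE_PRIV)
    host, day = "shop.example", date(2024, 6, 1)
    return {
        "genuine": verify_certificate(good, host, day, TRUST_STORE),
        "swapped_key": verify_certificate(swapped, host, day, TRUST_STORE),
        "rogue_ca": verify_certificate(rogue, host, day, TRUST_STORE),
        "wrong_host": verify_certificate(good, "bank.example", day, TRUST_STORE),
        "expired": verify_certificate(good, host, date(2025, 6, 1), TRUST_STORE),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(case, result)
```

Each rejected case fails at a different check, which is why the client needs all of them: the trust-store lookup, the digest comparison, the domain name and the validity period.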

If there is only third-party authentication and no digital signature (the website information is only encrypted with the private key of the third-party organization)

Third-party certification bodies are open platforms that middlemen can access too.

Digital signature: hashes the website information using a specific algorithm, such as MD5, and then encrypts the result using the private key of the server to form an encrypted digital signature.

The following could happen:

As we know from the above, because there is no comparison process, the middleman can also apply to the third-party certification authority, then intercept all the information and substitute its own. The client can still decrypt the information and cannot judge whether it belongs to the server or to the middleman, which finally results in data leakage.

Functions of digital signatures

  1. You can be sure that the message was actually signed and sent by the sender, because no one else can fake the sender’s signature.
  2. A digital signature can establish the integrity of the message and prove whether the data has been tampered with.

How does Client compare the two digital signatures?

  1. Browsers install the public keys of some of the more authoritative third-party certification bodies, such as VeriSign, Symantec, GlobalSign, etc.

  2. When verifying a digital signature, the system directly obtains the public key of the third party from the local device and decrypts the digital signature encrypted by the private key to obtain the real signature.

  3. Then the client uses the signature generation rule to generate a signature itself and checks whether the two signatures match. If they match, authentication succeeds; otherwise, obtaining the certificate fails.

Summary

  • CA is short for Certificate Authority
  • The client has built-in trusted CA certificate information (including the public key), and the certificate returned by the server contains the public key of the applicant.
  • The validity of the certificate is determined by comparing the information digests
  • Whether the CA can be trusted depends on the CAs that the client has built in as trusted
  • The public key is requested from the server
  • Generation of a digital signature: the website information is hashed by a specific algorithm, such as MD5, and the result is then encrypted with the private key of a third party (the Server's private key)
  • A digital certificate contains two particularly important pieces of information: the web site's public key and a digital signature
  • The identity of the communicating party may be disguised: this is solved by a third-party certificate
  • Data cannot be decrypted, but may be tampered with. To solve this problem, verify the digital signature
  • If only third-party authentication is used and the digital signature is not (only the private key of the third-party organization is used to encrypt the website information), data can leak. Therefore, HTTPS relies on [Certificate + Digital Signature] to be safe

III. HTTPS workflow (TLS 1.2 handshake process)

  1. The Client initiates an HTTPS request to port 443. This process can be understood as the process of requesting a public key.

  2. After receiving the request, the Server returns the obtained digital certificate (or public key certificate) to the Client.

  3. Once installed, the browser carries the public keys of some authoritative third-party institutions and uses the matching public key to decrypt the digital signature. It generates a local signature for the website information according to the signature generation rules, and then the two signatures are compared (that is, the decrypted signature is compared with the hash computed over the website information; this is in fact the digital signature verification process, and the digital signature verification example above does not go through the CA). If the two signatures match, the authentication succeeds (in other words, the certificate is valid and the CA is one the client has built in as trusted). If the two signatures do not match, obtaining the certificate fails.

  4. After securing the public key of the Server, the Client uses a pseudorandom number generator to randomly generate a symmetric key, encrypts the symmetric key using the [Server public key] (the public key of the certificate), and sends it to the Server.

  5. The Server uses its own private key to decrypt the information, thus obtaining the symmetric key. At this point, both sides have the same symmetric key, which can then be used to encrypt and decrypt the transmitted information.

  6. The Server encrypts plaintext A using the symmetric key and sends it to the Client.

  7. The Client uses the symmetric key to decrypt the ciphertext of the response and obtain plaintext A.

  8. The Client sends another HTTPS request and encrypts plaintext B using the symmetric key. The Server then decrypts the ciphertext using the symmetric key to obtain plaintext B.
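
The key exchange and the symmetric phase of the workflow above, as an added example that is not code from the original article: the client encrypts a random symmetric key with the server's public key, the server recovers it with its private key, and both sides then exchange records under that key with a hash-based integrity tag. Assumptions: textbook RSA over a constructed toy key, and an HMAC-SHA256 keystream standing in for the real cipher; all function names are hypothetical.

```python
import hashlib
import hmac
import secrets

# Constructed toy server key: textbook RSA from two Mersenne primes, demo only.
P, Q, E = 2**127 - 1, 2**107 - 1, 65537
N = P * Q                          # public modulus; (N, E) is in the certificate
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, never leaves the server

def subkeys(key):
    """Derive separate encryption and integrity keys from the negotiated key."""
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())

def keystream(enc_key, nonce, length):
    """Stand-in cipher: HMAC-SHA256 in counter mode."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def seal(key, plaintext):
    """Encrypt with the symmetric key, then append a hash-based integrity tag."""
    enc_key, mac_key = subkeys(key)
    nonce = secrets.token_bytes(12)
    ct = bytes(a ^ b for a, b in zip(plaintext, keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def unseal(key, record):
    """Check the tag first, then decrypt; raises ValueError on a modified record."""
    enc_key, mac_key = subkeys(key)
    nonce, ct, tag = record[:12], record[12:-32], record[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("record was modified in transit")
    return bytes(a ^ b for a, b in zip(ct, keystream(enc_key, nonce, len(ct))))

def client_key_exchange(server_public):
    """Client: pick a random symmetric key and encrypt it with the server public key."""
    n, e = server_public
    sym_key = secrets.token_bytes(16)
    return sym_key, pow(int.from_bytes(sym_key, "big"), e, n)

def server_key_exchange(encrypted_key):
    """Server: recover the symmetric key with the private key."""
    return pow(encrypted_key, D, N).to_bytes(16, "big")

def demo():
    client_key, on_the_wire = client_key_exchange((N, E))
    server_key = server_key_exchange(on_the_wire)
    got_a = unseal(client_key, seal(server_key, b"plaintext A"))  # server -> client
    got_b = unseal(server_key, seal(client_key, b"plaintext B"))  # client -> server
    record = bytearray(seal(server_key, b"plaintext A"))
    record[12] ^= 0x01                   # middleman flips one ciphertext bit
    try:
        unseal(client_key, bytes(record))
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    return client_key == server_key, got_a, got_b, tamper_detected

if __name__ == "__main__":
    print(demo())
```

Only the RSA-encrypted key and the sealed records cross the wire; the symmetric key itself is never sent in the clear.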

Functions of the requested public key:

  1. Decrypt the digital signature (the matching public key is the third-party organization's public key built into the browser that matches the one for the certificate obtained from the server).
  2. Encrypt the symmetric secret key that the Client randomly generates with a pseudorandom number generator (this is where symmetric encryption starts: the symmetric secret key is sent to the Server, and asymmetric encryption makes this step secure).

When does HTTPS work with asymmetric encryption and when is it symmetric encryption?

Once the Server has securely obtained the symmetric secret key, that is, once Client and Server hold the same [symmetric secret key], everything after that point is symmetric encryption; everything before it is asymmetric encryption. In other words, asymmetric encryption is used in the key exchange phase, and then symmetric encryption is used in the phase where messages are exchanged.

IV. Differences between HTTP and HTTPS

  • HTTP is a plaintext transmission protocol. HTTPS is a network protocol built from SSL and HTTP that can be used for encrypted transmission and identity authentication. It is more secure than HTTP.
  • HTTPS is more secure than HTTP, friendlier to search engines and good for SEO; Google and Baidu give priority to indexing HTTPS pages.
  • HTTPS requires an SSL certificate, whereas HTTP does not.
  • The standard HTTPS port is 443, and the standard HTTP port is 80.
  • HTTPS is based on the transport layer and HTTP is based on the application layer.
  • HTTPS shows a green security lock in the browser; HTTP does not.

If HTTPS is so secure and reliable, why don't all Web sites use HTTPS?

  1. First, many people still feel that there is a threshold for HTTPS implementation, which is the need for an SSL certificate issued by an authoritative CA. Selecting, purchasing, and deploying certificates is time-consuming in the traditional mode.

  2. Second, HTTPS is generally considered to have a higher performance cost than HTTP, because encrypted communication consumes more CPU and memory resources than plaintext communication. If every communication is encrypted, it consumes a considerable amount of resources, and the number of requests that a single computer can process is bound to decrease. However, this is not the case, and users can solve this problem by performance tuning and by deploying certificates in SLB or CDN. To take a practical example, during “Double Eleven”, Taobao and Tmall, which serve their sites over HTTPS, still ensured smooth access, browsing and transactions on the website and on mobile terminals. Tests have shown that many of the optimized pages perform as well as or slightly better than HTTP, so HTTPS isn't really slow after being optimized.

  3. In addition, the desire to save on the cost of purchasing certificates is also a factor. A certificate is essential for HTTPS communication. The certificate to be used must be purchased from the Certification Authority (CA).

  4. Finally, safety awareness. Compared with China, the security awareness and technology application of the Internet industry in foreign countries are relatively mature. The trend of HTTPS deployment is jointly promoted by the society, enterprises, and the government.

Conclusion

HTTPS uses the SSL/TLS protocol for encrypted transmission.

The client obtains the server's public key (the correct one), then randomly generates a symmetric secret key, encrypts it with the public key, and transmits it to the server. The server decrypts it to get the symmetric secret key, and all subsequent information is encrypted with the symmetric secret key, which completes the whole HTTPS process. “Third-party authentication”, and most importantly the “digital signature”, prevent the client from obtaining the public key from a middleman.
