HTTPS is introduced
HTTPS is a transport protocol for secure communication over the computer network. It uses SSL/TLS to establish secure channels and encrypt data packets. The main purpose of HTTPS is to provide identity authentication for web servers and protect the security and integrity of exchanged data.
SSL/TLS
TLS encrypts network connections at the transport layer. The predecessor of THE SSL protocol, TLS was released by Netscape in 1995 to secure data transmission over the Internet. Encryption technology is used to ensure that data cannot be intercepted or eavesdropped during network transmission.
Data encryption uses symmetric encryption and asymmetric encryption. When TCP establishes a transmission connection, SSL encrypts the symmetric encrypted key using the asymmetric encrypted public key. After the connection is established, SSL encrypts the transmitted content using symmetric encryption.
Symmetric encryption, with high speed and large encrypted content, is used to encrypt messages during sessions.
Asymmetric encryption: the encryption speed is slow, but it provides better identity authentication technology to encrypt symmetric encryption keys.
1. One-way authentication
In one-way authentication, the client authenticates the server.Https
The establishment ofSocket
Before connection, you need to shake hands as follows:
- The client sends information such as the SSL protocol version number, encryption algorithm type, and random number to the server.
- The server returns information such as the SSL protocol version number, encryption algorithm type, and random number to the client. In addition, the server certificate, namely the public key certificate, is also returned.
- The client uses the information returned by the server to verify the validity of the server, including:
- Whether the certificate expires.
- Whether the CA of the issuer certificate is reliable.
- Whether the returned public key can unlock the digital signature in the returned certificate correctly.
- Check whether the domain name in the server certificate matches the actual domain name of the server.
After the authentication passes, the communication continues. Otherwise, the communication is terminated. 4. The client sends the supported symmetric encryption scheme to the server for the server to select. 5. The server selects the encryption mode with the highest encryption degree among the encryption schemes provided by the client. 6. The server returns the selected encryption scheme to the client in plaintext. 7. After receiving the encryption mode returned by the server, the client uses the encryption mode to generate a random code, which is used as the symmetric encryption key during communication. The client uses the public key returned by the server to encrypt the random code, and sends the encrypted random code to the server. 8. After receiving the encryption information returned by the client, the server decrypts the information using its own private key to obtain the symmetric encryption key.
In subsequent sessions, the server and client use this password for symmetric encryption to ensure information security during communication.
2. Two-way authentication
The principles of bidirectional authentication and unidirectional authentication are similar except that the client needs to authenticate the server and the server needs to authenticate the client. The process is as follows:
- The client sends information such as the SSL protocol version number, encryption algorithm type, and random number to the server.
- The server returns information such as the SSL protocol version number, encryption algorithm type, and random number to the client. In addition, the server certificate, namely the public key certificate, is also returned.
- The client uses the information returned by the server to verify the validity of the server, including:
- Whether the certificate expires.
- Whether the CA of the issuer certificate is reliable.
- Whether the returned public key can unlock the digital signature in the returned certificate correctly.
- Check whether the domain name in the server certificate matches the actual domain name of the server.
After the authentication passes, the communication continues. Otherwise, the communication is terminated. 4. The server asks the client to send its certificate, and the client sends its certificate to the server. 5. Verify the certificate of the client. After the certificate is verified, the public key of the client is obtained. 6. The client sends the supported symmetric encryption scheme to the server for the server to select. 7. The server selects the encryption mode with the highest encryption degree among the encryption schemes provided by the client. 8. The server encrypts the encryption scheme using the public key obtained from the client and returns the encryption scheme to the client. 9. After receiving the encryption scheme ciphertext from the server, the client uses its private key to decrypt it and obtain the encryption mode. Then, the client generates the random code of the encryption mode, uses the public key obtained from the server certificate for encryption, and sends it to the server. 10. After receiving the message from the client, the server uses its own private key to decrypt the message and obtain the symmetric encryption key.
In subsequent sessions, the server and client use this password for symmetric encryption to ensure information security during communication.
Refer to the link
- Https unidirectional authentication and bidirectional authentication
Personal website
- Github Pages
- Gitee Pages