Whether it’s instant messaging or other applications, HTTPS is definitely the right thing to do in today’s security-conscious world. For IM developers, TLS is fine for long connections, and HTTPS is fine for short connections, but I’d like to ask you a basic visual question: is HTTPS symmetric or asymmetric?

To answer this question, we need to take a look at HTTPS technology. This article will take you to understand whether HTTPS uses symmetric or asymmetric encryption, and how it is used

HTTPS soul torture

As the cost of HTTPS has dropped, most sites are now using HTTPS. Everyone knows that HTTPS is more secure than HTTP, and has heard of concepts related to HTTPS such as SSL, asymmetric encryption, CA certificates, etc.

But it may not answer the following three soul tests:

  • 1) Why is HTTPS secure?
  • 2) How to implement the underlying principle of HTTPS?
  • 3) Is HTTPS safe?

Don’t worry, this article will answer the question “Is HTTPS symmetric or asymmetric?” At the same time, you will understand the above problems by thoroughly explaining HTTPS security in principle.

2. Implementation principle of HTTPS

You’ve probably heard that THE HTTPS protocol is secure because it encrypts the transmitted data using asymmetric encryption. However, IN fact, HTTPS uses symmetric encryption for content transmission. Asymmetric encryption only applies to certificate verification.

The HTTPS process consists of certificate authentication and data transmission. The detailed interaction process is as follows:

① Certificate verification stage:

  • 1) The browser initiates an HTTPS request;
  • 2) The server returns the HTTPS certificate.
  • 3) The client verifies whether the certificate is valid. If the certificate is invalid, an alarm is generated.

② Data transmission stage:

  • When the certificate is valid, a random number is generated locally.
  • Encrypts the random number through the public key and transmits the encrypted random number to the server.
  • The server decrypts the random number through the private key.
  • The server uses the random number from the client to construct a symmetric encryption algorithm, encrypts the returned result and transmits it.

3. Why is symmetric encryption used for data transmission?

** First of all: ** Asymmetric encryption is very inefficient in encryption and decryption, and HTTP application scenarios usually have a large number of end-to-end interactions, asymmetric encryption efficiency is unacceptable.

** In the HTTPS scenario, only the server saves the private key, and a pair of public and private keys can only realize one-way encryption and decryption. Therefore, the content transmission encryption in HTTPS adopts symmetric encryption instead of asymmetric encryption.

4. Why do YOU need a CA certification body to issue a certificate?

HTTP is considered insecure because the transmission process is easy to be tapped by listeners and forged servers, while HTTPS mainly solves the security problem of network transmission.

First, we assume that there is no certification authority and that anyone can create a certificate, which presents a security risk known as the classic “man-in-the-middle” problem.

The detailed process of man-in-the-middle attack is as follows:

As shown in the figure above, the process principle is as follows:

  • 1) Local requests are hijacked (e.g. DNS hijacking, etc.) and all requests are sent to the middleman’s server;
  • 2) The middleman server returns the middleman’s own certificate;
  • 3) The client creates a random number, encrypts the random number through the public key of the middleman certificate, and sends the random number to the middleman. Then the client constructs symmetric encryption based on the random number to encrypt and transmit the transmitted content.
  • 4) Because the middleman has the random number of the client, it can decrypt the content through the symmetric encryption algorithm;
  • 5) The middleman initiates a request to the regular website with the content requested by the client;
  • 6) Because the communication between the middleman and the server is legal, the regular website returns the encrypted data through the established secure channel;
  • 7) Middlemen decrypt the content by means of symmetric encryption algorithms established with regular websites;
  • 8) The middleman encrypts and transmits the data returned by the regular content through the symmetric encryption algorithm established with the client;
  • 9) The client decrypts the returned result data through the symmetric encryption algorithm established with the middleman.

Due to the lack of certificate verification, although the client initiates an HTTPS request, the client is completely unaware that its network has been intercepted and the transmitted content is stolen by a middleman.

5. How does the browser ensure the validity of the CA certificate?

5.1 What Information does a Certificate Contain?

  • 1) Information of the issuing authority;
  • 2) Public key;
  • 3) Company information;
  • 4) Domain name;
  • 5) Term of validity;
  • 6) Fingerprints;
  • 7)…

5.2 What is the Validity basis of the Certificate?

  • 1) First of all: the authority is to have certification, not just any institution is qualified to issue a certificate, or it is not called the authority;
  • 2) In addition: The credibility of the certificate is based on the trust system, and the authority needs to endorse the certificate issued by the authority. As long as the certificate is generated by the authority, we consider it legitimate.

Therefore, the authority will review the information of the applicant, and the requirements of the authority of different levels are not the same, so the certificate is also divided into free, cheap and expensive.

5.3 How do Browsers Verify the Validity of Certificates?

When the browser initiates an HTTPS request, the server returns the website’s SSL certificate. The browser needs to verify the certificate as follows:

  • 1) Verify whether the domain name, validity period and other information are correct: the certificate contains these information, which is easier to complete the verification;
  • 2) Check whether the source of the certificate is legitimate: Each issued certificate can be found according to the authentication chain. The operating system and browser will store the root certificate of the authority locally and use the local root certificate to authenticate the source of the certificate issued by the corresponding authority (as shown in the following figure) :

  • 3) Check whether the certificate is tampered: Verify the certificate with the CA server.
  • 4) Determine whether the certificate has been revoked: Through Certificate Revocation List (CRL) and Online Certificate Status Protocol (OCSP), OCSP can be used in step 3 to reduce interaction with the CA server and improve verification efficiency.

The browser considers the certificate to be valid only if the preceding steps are fulfilled.

Here’s a question I’ve been thinking about for a long time with a simple answer:

Since the certificate is public, if I want to launch a man-in-the-middle attack, I download a certificate from the official website as my server certificate, and the client will definitely agree that the certificate is legitimate. How can I avoid the situation of fake certificate? In fact, this is the use of public and private keys in unencrypted symmetry. Although the middleman can get the certificate, the private key cannot be obtained. It is impossible to calculate the corresponding private key of a public key.

5.4 Can Only Certification Authorities Generate Certificates?

If you want the browser to avoid security risks, you can only use the certificate issued by the certification authority. However, browsers usually just warn of security risks and do not restrict access to websites, so technically anyone can generate a certificate that can complete HTTPS transfer of a website.

For example, early 12306 uses the form of manually installed private certificate to achieve HTTPS access:

6, local random number is stolen how to do?

Asymmetric encryption is used for certificate authentication, but symmetric encryption is used for transmission. Important random numbers in the symmetric encryption algorithm are generated and stored locally. How does HTTPS prevent random numbers from being stolen?

In fact, HTTPS does not guarantee the security of random numbers. HTTPS only guarantees the security of transmission, and random numbers are stored locally. Local security belongs to another security category.

7. Will HTTPS be used to catch packets?

HTTPS data is encrypted. Generally, packets captured by the packet capture tool are in the encrypted state and cannot be viewed.

However, as mentioned above, the browser will only alert you to security risks if the user is authorized to continue accessing the site and complete the request. Therefore, as long as the client is our own terminal, we can set up the middleman network under the condition of authorization, and the packet capture tool is the agent acting as the middleman. The use of the HTTPS caught tool is usually generates a certificate, the user needs to manually install the certificate to the client, then the terminal by all the request through the certificate completed and caught tools of interaction, and then caught tools forward requests to the server, finally, the server returns the results in the console output and then returned to the terminal, Thus completing the loop of the entire request.

If HTTPS can’t prevent packet capture, what’s the point of HTTPS?

HTTPS prevents communication links from being monitored without users’ knowledge. However, HTTPS does not provide protection against packet capture with active credit, because users are already aware of risks in this scenario. To prevent packet capture, application-level security protection is required, such as proprietary symmetric encryption, and anti-decompilation hardening on mobile terminals to prevent local algorithms from being cracked.

8. Summary of this paper

The following is a summary of the whole paper in the form of short Q&A.

Q: Why is HTTPS secure?

**A: ** HTTPS ensures the transmission security, prevents the transmission process from being monitored and data from being stolen, and can confirm the authenticity of the website.

Q: How does HTTPS transfer work?

**A: ** The client initiates an HTTPS request, the server returns a certificate, and the client authenticates the certificate. After the certificate passes the verification, the client locally generates a random number used to transform the symmetric encryption algorithm. The public key encrypts the random number and sends it to the server. The subsequent data interaction is encrypted and decrypted using symmetric encryption algorithms.

Q: Why do YOU need a certificate?

**A: ** protects against “man-in-the-middle” attacks and provides proof of identity for websites.

Q: Can PACKETS be captured if HTTPS is used?

**A: ** will be captured. HTTPS only prevents the user from being monitored without his/her knowledge. If the user takes the initiative to grant credit, it is possible to build A “man in the middle” network, and the agent software can decrypt the transmitted content.

Ok, back to the subject matter of this article, let’s summarize and review.

Q: Does HTTPS use symmetric or asymmetric encryption?

A: HTTPS uses symmetric encryption for content transmission. Asymmetric encryption only applies to certificate verification.

9. Post a learning process map