Preface
Hello everyone, I am Lin Sanxin. Explaining the hardest knowledge points in the easiest-to-understand way is my motto, and the belief that the basics are the prerequisite for advanced work is my founding idea.
I am sure you deal with HTTPS all the time, for example when requesting APIs or visiting websites. So we often wonder:
- What is HTTPS?
- What does HTTPS have to do with HTTP?
- Why are all websites now HTTPS rather than HTTP?
What is HTTPS?
HTTPS is simply HTTP + SSL/TLS. What HTTP is lies beyond the scope of today's discussion. SSL is the predecessor of TLS; most browsers no longer support SSL, so TLS is what is actually used today. However, because the name SSL is so well known, it is still commonly written as SSL/TLS. HTTP + SSL/TLS is more secure, so HTTPS is more secure than HTTP.
Symmetric encryption
What is it?
What is symmetric encryption? Let me give you an example. When you are chatting with your girlfriend, you do not want others to know what you are talking about, so you make a pact with her that both of you will send your messages in reverse order.
This is called symmetric encryption, because both sides use the same key:
Weaknesses?
At the start, both parties have to negotiate what this key (the secret key) will be, and that negotiation may be eavesdropped on by a hacker. Once a third person knows the key, the messages between the two of you can be decrypted by the hacker, and it becomes easy to intercept them and forge fake ones. In that case the other party may never receive your message at all and instead receives the hacker's forgery. For example, in the picture below you send "hahahahahahahahaha" and the other person actually receives "hee hee hee":
Asymmetric encryption
Public and private keys
Now the server generates two keys, key A and key B, and the two keys are related: what is encrypted with key A can only be decrypted with key B. The server then sends key A to the client. Each time the client sends a message, it encrypts it with key A and sends it to the server, and the server decrypts it with key B to recover the client's message:
In fact, key A is the public key, because both the client and the server know it, and key B is the private key, because key B stays safely on the server from beginning to end.
Asymmetric encryption
Asymmetric encryption is encryption based on a public key and a private key. It is stronger than symmetric encryption because a hacker can only learn the public key and has no way to learn the private key, and data encrypted with the public key can only be decrypted with the private key. So even after a hacker steals the public key, he cannot decrypt the information the client sends to the server.
Disadvantages
We just said asymmetric encryption is more secure than symmetric encryption, but it also has a disadvantage. As we said, the server first generates the public key and the private key, then sends the public key to the client while the private key stays on the server. During the transfer to the client, the public key may be intercepted by a hacker, who thereby obtains it. The hacker then forges a "hacker's edition" public key and private key of his own and sends the hacker's edition public key to the client. The client, unaware of this, encrypts its data with the hacker's edition public key and sends it, and the hacker only needs to decrypt with the hacker's edition private key to obtain what the client sent. In addition, the hacker forges his own message, encrypts it with the original public key, and sends it to the server, which decrypts it with the original private key and obtains the hacker's message.
What kind of encryption is HTTPS?
In fact, HTTPS uses symmetric encryption + asymmetric encryption. Let's read on!
Certificate
We just said asymmetric encryption has its drawbacks, so how can we prevent this? At this point we need to apply for a certificate from a Certificate Authority (CA).
Composition of certificate
Steps
1. The server sends its public key to the CA and applies for a certificate.
2. The Certification Authority has its own pair of keys, a public key and a private key. It uses its public key to encrypt KEY1 (the server's public key), generates a certificate signature based on the server's URL, encrypts that certificate signature with its private key, and packages everything into a certificate, which it sends to the server.
3. When the client communicates with the server, the server transmits the certificate to the client instead of handing the client its public key directly.
4. After receiving the certificate, the client checks whether it is genuine. A word of caution: today's browsers store the names of the major certification authorities and their corresponding public keys. So after receiving the certificate, the client only needs to look up the corresponding public key in the browser and decrypt the certificate signature with it. The client then generates a certificate signature itself following the same signing rule, and if the two signatures match, the certificate passes. Once it passes, the client uses the agency's public key again to decrypt the server public key KEY1.
5. The client generates a symmetric key KEY2, encrypts it with the server public key KEY1 it now holds, and sends it to the server. The server decrypts it with its private key. At this point both the client and the server hold the symmetric key KEY2.
6. From then on, the client and the server communicate using symmetric encryption with KEY2. This brings us back to the first scene, where you chat with your girlfriend on the phone using the reverse algorithm, except that now the reverse algorithm is guaranteed by the certificate and will not be learned by a third-party hacker; only you, your girlfriend, and the certificate authority know it:
Will certificates be intercepted?
It does not matter if the certificate is intercepted, because the signature in the certificate is generated from the server's web address and encrypted with the certificate authority's private key, so it cannot be tampered with. Alternatively, the hacker could create a fake certificate and send it to the client, but that is useless, since browsers already maintain a collection of legitimate certification authorities, and the hacker is not in that collection, oh ~~~~~
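The certificate steps above and the interception question, as an added toy model that is not the page's code: a CA signs the server's URL and public key with its private key, the browser verifies with its pinned CA public key, and the client sends KEY2 under the server public key. It uses textbook RSA with tiny primes (insecure, for illustration only); the CA name, URLs and primes are constructed, and the page's step of encrypting KEY1 with the CA public key is left out.

```python
import hashlib
import secrets

def make_keypair(p: int, q: int, e: int):
    """Textbook RSA from two tiny primes; toy only, real keys are 2048+ bits."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (e, n), (pow(e, -1, phi), n)            # (public, private)

def _hash_mod(n: int, *parts: str) -> int:
    """SHA-256 over the signed fields, reduced to fit the toy modulus."""
    return int(hashlib.sha256("|".join(parts).encode()).hexdigest(), 16) % n

def ca_issue(issuer: str, ca_priv, url: str, server_pub) -> dict:
    """Step 2: the CA signs (url, server public key) with its private key."""
    d, n = ca_priv
    sig = pow(_hash_mod(n, url, str(server_pub)), d, n)
    return {"issuer": issuer, "url": url, "server_pub": server_pub, "sig": sig}

def client_verify(cert: dict, trusted_cas: dict, expected_url: str) -> bool:
    """Step 4: find the issuer in the browser's CA store, recompute the hash
    and compare it with the signature decrypted under the CA public key."""
    if cert["issuer"] not in trusted_cas:          # unknown CA: reject outright
        return False
    e, n = trusted_cas[cert["issuer"]]
    expected = _hash_mod(n, cert["url"], str(cert["server_pub"]))
    return pow(cert["sig"], e, n) == expected and cert["url"] == expected_url

def handshake(cert: dict, trusted_cas: dict, url: str, server_priv):
    """Steps 4-5: verify, then send KEY2 under the server public key.
    Returns (client's KEY2, server's recovered KEY2), or None if rejected."""
    if not client_verify(cert, trusted_cas, url):
        return None
    e, n = cert["server_pub"]
    key2 = secrets.randbelow(n - 2) + 2            # symmetric key, must be < n
    ciphertext = pow(key2, e, n)                   # textbook RSA, no padding: toy only
    d, _ = server_priv
    return key2, pow(ciphertext, d, n)

# Constructed demo keys; the primes are tiny so the arithmetic stays readable.
CA_PUB, CA_PRIV = make_keypair(101, 113, 3)        # the CA's pair
SRV_PUB, SRV_PRIV = make_keypair(61, 53, 17)       # the server's pair (KEY1 is SRV_PUB)
EVIL_PUB, EVIL_PRIV = make_keypair(89, 97, 5)      # a hacker's own pair
TRUSTED = {"ToyCA": CA_PUB}                        # what the browser ships with
GOOD_CERT = ca_issue("ToyCA", CA_PRIV, "example.test", SRV_PUB)
# The hacker's edition: claims to come from ToyCA but is signed with the hacker's key.
FAKE_CERT = ca_issue("ToyCA", EVIL_PRIV, "example.test", EVIL_PUB)

if __name__ == "__main__":
    print("genuine cert accepted:", client_verify(GOOD_CERT, TRUSTED, "example.test"))
    print("hacker's cert accepted:", client_verify(FAKE_CERT, TRUSTED, "example.test"))
    print("client KEY2, server KEY2:", handshake(GOOD_CERT, TRUSTED, "example.test", SRV_PRIV))
```

The forged certificate fails because the pinned ToyCA public key does not undo a signature made with the hacker's private key, which is the check the browser performs before any KEY2 is sent.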
SSL/TLS
We said HTTPS = HTTP + SSL/TLS, and all of the operations above take place at the SSL layer.
Note: the TLS protocol is an upgraded version of SSL 3.0 and follows the same general principles as SSL.
Conclusion
I am Lin Sanxin, an enthusiastic front-end novice programmer. If you are motivated, like the front end, and want to learn the front end, then we can make friends and slack off together, haha. To slack off, click here –> slacking-off Boiling Point