Writing in the front

HTTPS for most client developers, if not more in-depth research, for the development and use of HTTP level of the use of no obvious difference, or the same to the server to initiate interface requests, access to returned data; In the interview, often will find a lot of front-end development of the students understanding of the working process of the HTTPS is very fuzzy, member itself is also a front-end developer, at the beginning in the process of learning about HTTPS, also refer to a lot of Internet related technical articles, found some articles is not too good understanding, especially for the small white. It’s the end of 2021, and to complete my plan for this month’s article, I want to introduce HTTPS in an easy-to-understand way.

1. A quick word about HTTP

HTTP is short for Hyper Text Transfer Protocol, which belongs to the uppermost application layer Protocol in the OSI reference model.

Disadvantages of the HTTP protocol:

  • The communication process uses plaintext transmission,Information is easy to steal
  • Unable to verify the identities of communication parties,Identities are easy to disguise
  • The integrity of communication packets is not verified.Information is vulnerable to tampering

2. What is HTTPS?

HTTPS stands for Hyper Text Transfer Protocol over SecureSocket Layer. It is a secure HTTP channel. Based on HTTP, the security of the transmission process is guaranteed by transmission encryption and identity authentication. Therefore, HTTPS is mainly used to make up for the shortcomings of HTTP communication:

  • Transmission encryption
  • Identity authentication of communication parties

To understand the HTTPS workflow, you need to understand the following concepts:

2. 1 TLS/SSL

SSL (Secure Socket Layer), a protocol between reliable connection-oriented network Layer protocols and application-layer protocols;

TLS :(Transport Layer Security), used to provide confidentiality and data integrity between two applications;

When HTTP is used, HTTP communicates directly with TCP. Default port: 80

When USING HTTPS, you need to communicate with SSL first, and then with SSL and TCP. Default port: 443

HTTPS = HTTP + TLS/SSL

2. 2 Symmetric encryption

What is symmetric encryption? The encryption/decryption parties use the same set of keys, which can be used to encrypt a piece of content or decrypt a set of content.

Symmetric encryption features:

  • High encryption efficiency;
  • There are certain security problems, the key stored in the client may be stolen;
2. 3 Asymmetric encryption

Asymmetric encryption means that there are two types of keys: public key and private key. The public key is usually stored on the client, and the private key is usually stored on the server. Data encrypted with a public key can be decrypted only with the private key, and data encrypted with the private key can be decrypted only with the public key.

Asymmetric encryption features:

  • High security, because the data encrypted by the public key stored on the client can be decrypted only by the private key, there is no need to worry about the public key being stolen.
  • Low encryption efficiency;
2. 4 Understand Hash algorithms

The Hash algorithm, also known as the Hash algorithm, is to change the input of arbitrary length into the output of fixed length through the Hash function. The output is the Hash value. Can be used to indicate the uniqueness of input information with a short message. Common Hash algorithms include MD5 and SHA1.

Features of the Hash algorithm:

  • Forward fast: Given the specified plaintext and Hash algorithm, the output Hash value can be computed in limited resources and time.
  • Reverse difficulty: in finite time, it is almost impossible to infer plaintext.
  • Input sensitivity: small changes in the plaintext, resulting in very large differences in hash values.

3. HTTPS encryption mechanism

In interviews, a lot of people ask, what is HTTPS encrypted with? The answer is that HTTPS uses a hybrid encryption mechanism, namely asymmetric encryption and symmetric encryption to achieve secure channels.

Symmetric encryption has high encryption efficiency. However, it is difficult to exchange keys securely between the communication parties using symmetric encryption. When the client initiates the first request, plaintext communication must be adopted.

Asymmetric encryption provides high security. However, because SSL communication is required first, both the client and the server need to encrypt and decrypt each request and response. Therefore, the communication efficiency is low and the client cannot quickly respond to the request.

Therefore, HTTPS combines the features of symmetric encryption and asymmetric encryption. When the client and server communicate with each other for the first time, the random key is transmitted in asymmetric encryption. In subsequent requests, the key generated for the first time is used for symmetric encryption.

4. The CA

After knowing the HTTPS encryption mechanism, we know that the first communication between the client and the server is in the form of asymmetric encryption. Then, we now face the biggest problem: how to negotiate the shared public key between the client and the server?

Some might say, isn’t a public key available to everyone? Isn’t the public key safe from theft?

If the public key obtained by the client is tampered with by a third party, and the client uses the tampered public key to encrypt content transmission, at this time, can the third party steal the client request information and decrypt it with its own fake private key to obtain the client request information? Is this a terrible bug? What to do?

It’s time to show how important it is. Yes, it’s the CA certificate Authority.

4.1 A website (server) applies for a certificate from a CA

As a website builder, it can also be understood as a server. If you want to deploy your own service using HTTPS protocol for secure communication, you must first apply for your own digital certificate from the CA certificate authority.

How to apply?

  • The website administrator generates the public key, website domain name, validity period, and public key of the server using the Hash algorithmThe information in this paper,Submit to the CA certificate authority.
  • CA uses its own private key to encrypt the applicant’s information summary and generateA digital signature.
  • The CA uses its own private key and willA digital signature, public key, domain name and other information encryption, generationThe digital certificate.
  • CA will generate the digital certificate back to the applicant, the applicant will obtainThe digital certificateConfigure it on its own server.
4. The client obtains the public key of the CA

Now that we know that a digital certificate is a piece of content encrypted by a CA certificate authority using its own private key, how does a client get the CA certificate authority’s public key? Because the private key encrypts the content, we need to decrypt it with the corresponding public key to obtain the public key of the server.

The answer is that browser manufacturers embed the public key of the common certification authority in the browser before releasing the browser version.

5. HTTPS workflow

To establish an HTTPS secure communication channel, the client must send a request to the specified server (with a digital certificate configured). The general process is as follows:

5. 1 The client initiates a request

The client initiates a request and sends the SSL/TLS version supported by the client, the encryption algorithm supported by the client, and the randomly generated client random number client_random_1 to the server.

5. 2 The server responds to the request and returns the request

The server is configured with a digital certificate. Upon receiving the first request from the client, the server digital certificate and a random number server_random_1 generated by the server are sent to the client according to the SSL/TSL version supported by the client and the encryption algorithm supported by the client.

5. 3 The client verifies the validity of the digital certificate

After obtaining the digital certificate returned by the server, the client iterates through the CA institutions one by one according to the list of CA institutions implanted in the browser and decrypts the digital certificate using the public key of the CA institution.

  • First of all,, if the digital certificate cannot be decrypted according to the internal CA list, it indicates that the digital certificate is faulty and the authentication fails. A message is displayed indicating that the client user is not trusted.
  • The secondIf the digital certificate can be decrypted properly, the client will obtain information such as the public key of the server, the digital signature of the server, and the domain name bound to the public key. In this case, the client will Hash the obtained public key of the serverInformation Summary AdecryptedA digital signatureThen use the CA public key to decrypt itInformation Summary BIn this case, you can verify whether the public key has been tampered with by comparing two information summaries.
  • The lastIf the public key is authenticated successfully, a random number is generated againsecret_random
5. 4 The client negotiates the communication key with the server

After the certificate is verified successfully, the client sends the secret_random number generated randomly to the server using the server’s public key encryption. The server decrypts the secret_random number using its own private key. At this time, the server generates the session_key using the three random numbers shared by both parties according to the encryption methods agreed on at both ends, encrypts the transmission content with the session_key, and sends the secret_random number to the client.

The clients use the same algorithm to generate the client’s session key (session_key) using the three random numbers shared by the two sides as the symmetric encryption key to transmit encrypted/decrypted data to each other.

6. Write at the end

As you can see, HTTPS uses a hybrid encryption mechanism. Asymmetric encryption is used to negotiate a key. In the subsequent communication, symmetric encryption algorithms are used to encrypt and decrypt data using the negotiated key.

Why do we need three random numbers in the previous key negotiation? This is probably because not all hosts can generate completely random numbers. The randomness of a single random number is relatively weak, so using three random numbers together to generate a key can make the generated key more unpredictable.

Why are there still so many HTTP services? Because compared with the simple HTTP service, HTTPS needs to pay some costs, such as the application to buy a digital certificate; HTTP does not perform certificate verification, negotiate keys, and encrypt/decrypt communication data, making HTTP services more responsive than HTTPS.