First, security features
In the article "What is HTTP", we learned that HTTP has the following problems in the communication process:
- Communication uses clear text (not encrypted) and the content can be monitored
- The identity of the communicating party is not verified, so impersonation is possible
HTTPS emerged to solve these problems. HTTPS is built on SSL, and its security is guaranteed by SSL
With SSL, HTTP gains the encryption, certificate, and integrity protection features of HTTPS
Secure Sockets Layer (SSL) and its successor Transport Layer Security (TLS) are security protocols that provide security and data integrity for network communication
Second, how it is achieved
SSL relies on three main means to achieve these functions:
- Symmetric encryption: Encrypts data with negotiated keys
- Asymmetric encryption: Implements identity authentication and key negotiation
- Digest algorithm: verifies the integrity of information
- Digital signature: authentication
Symmetric encryption
Symmetric encryption means that encryption and decryption use the same key, which is symmetric. As long as the security of the key is ensured, the whole communication process can be said to be confidential
Asymmetric encryption
In asymmetric encryption there are two keys: one is called the public key and the other the private key. The two keys are different. The public key can be used by anyone, but the private key must be kept secret
Hybrid encryption
HTTPS communication uses both symmetric encryption and asymmetric encryption, that is, hybrid encryption
In symmetric encryption, if the security of the key can be guaranteed, the whole communication process can be said to have confidentiality
HTTPS uses asymmetric encryption to solve the problem of key exchange
The sender uses the other party's public key to encrypt the "symmetric key", and the other party uses its own private key to decrypt the "symmetric key".
In this way, symmetric encryption can be used to communicate with each other on the premise that the exchanged keys are secure
For example
The website keeps the private key secret and distributes the public key freely on the Internet. To log in to the website you only need to encrypt with the public key, and the ciphertext can only be decrypted by the holder of the private key. Hackers cannot decrypt the ciphertext because they do not have the private key
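The hybrid scheme described above, as an added Python example (not part of the original article): the client wraps a fresh symmetric key with the server's public key, and the payload travels under the symmetric key. The RSA key built from publicly known Mersenne primes and the keystream cipher are assumptions chosen so the code runs with the standard library only.

```python
import hashlib
import secrets

# Toy RSA key from two publicly known Mersenne primes (constructed for the
# demo; real keys use secret random primes and padded encryption such as OAEP).
E = 65537
P, Q = 2**521 - 1, 2**607 - 1
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, never leaves the server


def keystream_xor(key, data):
    """Stand-in symmetric cipher: XOR with a SHA-256 counter keystream.
    The same call encrypts and decrypts (TLS itself uses AES-GCM or ChaCha20)."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def client_send(message, public_key):
    """Client: pick a fresh symmetric key, wrap it with the public key,
    then encrypt the payload with the symmetric key."""
    n, e = public_key
    session_key = secrets.token_bytes(32)
    wrapped = pow(int.from_bytes(session_key, "big"), e, n)
    return wrapped, keystream_xor(session_key, message)


def server_receive(wrapped, ciphertext):
    """Server: unwrap the symmetric key with the private key, then decrypt."""
    session_key = pow(wrapped, D, N).to_bytes(32, "big")
    return keystream_xor(session_key, ciphertext)


def demo():
    """Round trip of a constructed login payload."""
    wrapped, ciphertext = client_send(b"user=alice&password=constructed", (N, E))
    return server_receive(wrapped, ciphertext)
```

Only the 32-byte session key goes through the slow asymmetric operation; the payload, whatever its size, is handled by the symmetric cipher.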
During network transmission the data may be tampered with, and a hacker can assume a false identity and publish a public key. If you obtain a fake public key, hybrid encryption is of little use, because your data can still be decrypted by the hacker
Therefore, integrity and authentication must be added on top of the encryption above to achieve real security. The means of achieving this is the digest algorithm
Digest algorithm
The main means of achieving integrity is the digest algorithm, commonly known as a hash function
It can be understood as a special compression algorithm that compresses data of arbitrary length into a fixed-length, unique digest string, creating a digital fingerprint for the data.
The algorithm ensures that the digest is equivalent to the original text. Therefore, as long as we attach a digest to the original text, we can ensure the integrity of the data
For example, you send a message saying "Transfer 100 yuan" and attach its SHA-2 digest. The site also calculates a digest of the message and compares the two "fingerprints". If they match, the message is complete and reliable and has not been modified
Digital signature
A digital signature can confirm that a message is actually signed and sent by the sender, because no one can impersonate the sender’s signature
The principle is actually very simple: encrypt with the private key and decrypt with the public key
A signature, like a public key, is fully public and can be obtained by anyone. But the signature can only be unlocked using the public key that corresponds to the private key. Once you recover the digest and verify the integrity of the original text, you have proof that the message was really sent by the signer, just like a signature on a document
As with the message itself, since anyone can publish a public key, we still lack a means to prevent hackers from forging a public key. That is, how do you know that a public key really belongs to its claimed owner?
This requires a third party, a certificate verification authority
Certificate authority (CA)
A digital certificate authority is a third-party organization that can be trusted by both client and server
The CA's signature over a public key covers required fields such as the serial number, purpose, issuer and validity period. These are bundled together and then signed, fully certifying the information associated with the public key and forming a "digital certificate".
The process is as follows:
- The server operator submits an application for its public key to a digital certificate authority
- After identifying the applicant, the digital certificate authority digitally signs the submitted public key
- The signed public key is then issued, bound into a public key certificate
- The server sends the digital certificate issued by the digital certificate authority to the client so that asymmetric encryption can be used
The client receiving the certificate can use the public key of the digital certificate authority to verify the digital signature on the certificate. Once the verification succeeds, it proves that:
- The authority that certified the server's public key is a real and valid digital certificate authority
- The server’s public key is trusted
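The digital signature and certificate steps described above, as an added Python example (not part of the original article): the CA signs the server's public key together with its metadata, and the client verifies that signature before trusting the key. The key values, the names `Example CA` and `shop.example`, and the JSON certificate layout are assumptions for illustration; real certificates are X.509 and use padded signatures.

```python
import hashlib
import json

E = 65537

def make_key(p, q):
    """Toy RSA key pair from two primes: returns (public, private)."""
    n = p * q
    return (n, E), (n, pow(E, -1, (p - 1) * (q - 1)))

def digest_int(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(data, private):
    """Signature: the SHA-256 digest processed with the private key."""
    n, d = private
    return pow(digest_int(data), d, n)

def verify(data, signature, public):
    """Recover the digest with the public key and compare with a fresh one."""
    n, e = public
    return pow(signature, e, n) == digest_int(data)

# Constructed keys from publicly known Mersenne primes: demo only, not secure.
CA_PUB, CA_PRIV = make_key(2**1279 - 1, 2**2203 - 1)
SRV_PUB, SRV_PRIV = make_key(2**521 - 1, 2**607 - 1)

def issue_certificate(subject, public_key, ca_private):
    """CA: bundle the public key with its metadata and sign the bundle."""
    body = {"serial": 1, "subject": subject, "issuer": "Example CA",
            "not_after": "2030-01-01", "public_key": list(public_key)}
    tbs = json.dumps(body, sort_keys=True).encode()
    return {"body": body, "signature": sign(tbs, ca_private)}

def client_check(cert, message, msg_signature, hostname):
    """Client: verify the CA signature over the certificate, check the name,
    then verify the server's signature with the key taken from the certificate."""
    tbs = json.dumps(cert["body"], sort_keys=True).encode()
    if not verify(tbs, cert["signature"], CA_PUB):
        return "certificate rejected"
    if cert["body"]["subject"] != hostname:
        return "wrong subject"
    if not verify(message, msg_signature, tuple(cert["body"]["public_key"])):
        return "message rejected"
    return "ok"

def demo():
    cert = issue_certificate("shop.example", SRV_PUB, CA_PRIV)
    msg = b"Transfer 100 yuan"
    return client_check(cert, msg, sign(msg, SRV_PRIV), "shop.example")
```

A certificate whose body was altered, or one signed by any key other than the CA's, comes back from `client_check` as `certificate rejected`.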
Third, summary
It can be seen that although HTTPS differs from HTTP only by SSL, communication security is greatly improved. The four properties of secure communication are provided as follows:
- Confidentiality: hybrid encryption
- Integrity: digest algorithm
- Authentication: digital signature
- Non-repudiation: digital signature
In addition, a third-party certificate authority is introduced to ensure the security of public keys
Easy to understand
HTTP is an open letter that anyone can read and maliciously modify
Sending a secret letter requires an escort. SSL is the escort company that escorts HTTPS. To prevent the server from being impersonated, or another company from posing as the server, there is a "split roller" (symmetric encryption). To show that the escort company did not secretly open the letter, a puzzle piece is put inside the letter, and the server checks whether the piece fits (asymmetric encryption). To keep the puzzle piece invisible to others, the piece is encrypted (digest algorithm). The server also has an intermediate post office (CA verification agency) to ensure that the letter was sent by someone it knows. The customer needs to get the post office's special postmark and compare it with the server's.