HTTPS those things (i) HTTPS principle (reprint)

Original address: http://www.guokr.com/post/114121/

Wedge

Rumor Shredder The release of the public Wi-Fi will jeopardize the security of the bank account in the previous days? , the paper introduces some cases of network encrypted transmission using HTTPS, and from the reply, there are some disputes. With the increasing popularity of the network, the application is more and more widespread, some network security issues will increasingly arouse the attention of netizens, here and everyone together to talk about Tls/ssl that is what we often say HTTPS, from the principle to the actual application to see what it really is, And what issues to pay attention to and the relevant security tips for using HTTPS.

Network security is a whole event that involves the security of personal computers, the security of protocols, the security of data transmission, and the security of software development companies and websites, and simply relying on an HTTPS protocol does not solve all problems. It is hoped that by explaining the security-related issues of the next 1.1 points, more people will have a better understanding of network security and thus more secure use of the network.

The article will be long, with a temporary plan divided into three parts:

The first part mainly describes the principle of HTTPS; the second part mainly describes the process of SSL certificate verification and some considerations for use; The third part presents some instances of HTTPS attacks.

First, what is HTTPS

Before talking about HTTPS, say what is Http,http is a protocol that we use when browsing the web. The data transmitted by the HTTP protocol is unencrypted, which is plaintext, so it is very insecure to use the HTTP protocol to transmit private information. To ensure that these private data can be encrypted, Netscape designed the SSL (Secure Sockets Layer) protocol to encrypt the data transmitted by the HTTP protocol, which led to the birth of HTTPS. The current version of SSL is 3.0, defined by the IETF (Internet Engineering Task Force) in RFC 6101, and then the IETF is upgraded to SSL 3.0, so TLS (Transport Layer Security) 1.0, defined in RFC 2246. In fact, we now have HTTPS is the TLS protocol, but because SSL appears earlier, and is still supported by the browser now, so SSL is still synonymous with HTTPS, but whether it is TLS or SSL is the last century thing, The last version of SSL is 3.0, and TLS will inherit the good lineage of SSL and continue to encrypt the service for us. The current version of TLS is 1.2, defined in RFC 5246, and is not widely used for the time being.

Friends who are interested in history can refer to Http://en.wikipedia.org/wiki/Transport_Layer_Security, which has a detailed description of Tls/ssl.

Second, is HTTPS safe?

The answer is yes, it's safe. Google has moved to aggressively promote the use of HTTPS, in the next few weeks, Google will be all the world's local domain name to enable HTTPS, users just log in before the search with Google account, all the search operations will be encrypted using the TLS protocol, see:/http thenextweb.com/google/2012/03/05/google-calls-for-a-more-secure-web-expands-ssl-encryption-to-local-domains/.

Third, the working principle of HTTPS

HTTPS requires a handshake between the client (browser) and the server (Web site) before transmitting the data, which establishes the password information for both parties to encrypt the transmitted data during the handshake. TLS/SSL protocol is not only a set of encrypted transmission protocols, but also an artist-designed artwork, TLS/SSL using asymmetric encryption, symmetric encryption and hash algorithm. A brief description of the handshake process is as follows:

1. The browser sends a set of cryptographic rules that it supports to the Web site.
2. The website selects a set of cryptographic algorithms and hash algorithms, and sends its own identity information back to the browser in the form of a certificate. The certificate contains information such as the website address, the encrypted public key, and the issuing authority of the certificate.
3. After obtaining the website certificate, the browser will do the following work:

• Verify the legality of the certificate (the authority that issued the certificate is legitimate, the certificate contains the address of the website is consistent with the address being accessed, etc.), if the certificate is trusted, the browser bar will display a small lock, otherwise the certificate is not trusted to prompt.
• If the certificate is trusted, or if the user accepts an untrusted certificate, the browser generates a random number of passwords and encrypts them with the public key provided in the certificate.
• Use the agreed hash to calculate the handshake message, encrypt the message with the generated random number, and then send all previously generated information to the Web site.

4. After the Web site receives the data from the browser, do the following:

• Use your private key to decrypt the information, use the password to decrypt the handshake message from the browser, and verify that the hash is consistent with the browser.
• Encrypt a handshake message with a password and send it to the browser.

5. The browser decrypts and calculates the hash of the handshake message, if it is consistent with the hash of the server, at which point the handshake process ends, and all the communication data will be encrypted by the random password generated by the previous browser and using the symmetric encryption algorithm.

Here the browser and the Web site to send encrypted handshake message and verify, the purpose is to ensure that both sides have obtained a consistent password, and can be normal encryption and decryption of data, for the subsequent transmission of real data to do a test. In addition, HTTPS generally uses the encryption and hashing algorithm as follows:

• Asymmetric Encryption algorithm: RSA,DSA/DSS
• Symmetric encryption algorithm: Aes,rc4,3des
• Hash algorithm: md5,sha1,sha256

The asymmetric encryption algorithm is used to encrypt the generated password during the handshake, and the symmetric encryption algorithm is used to encrypt the data that is actually transmitted, while the hash algorithm is used to verify the integrity of the data. Because the password generated by the browser is the key to the entire data encryption, the asymmetric encryption algorithm is used to encrypt it at the time of transmission. Asymmetric encryption algorithms generate public and private keys, the public key can only be used to encrypt data, so can be transferred at will, and the Web site's private key is used to decrypt the data, so the site will be very careful to keep their private keys to prevent leakage.

If there are any errors during the TLS handshake, the encrypted connection will be disconnected, thereby preventing the transfer of private information. It is because HTTPS is very safe, attackers can not find the place to start, so more is the use of fake certificates to deceive clients, so as to obtain clear text information, but these methods can be identified, I will be in the subsequent article to tell. But 2010 years, security experts found a vulnerability in the TLS 1.0 protocol: http://www.theregister.co.uk/2011/09/19/beast_exploits_paypal_ssl/, In fact, this type of attack, known as Beast, has been discovered by security experts since 2002, but not publicly. The vulnerability has now been fixed by Microsoft and Google. See: Http://support.microsoft.com/kb/2643584/en-us https://src.chromium.org/viewvc/chrome?view=rev&revision= 90643

The HTTPS simplified version works as well in symmetric and asymmetric cryptography.

HTTPS those things (i) HTTPS principle (reprint)