SSL protocol, HTTP and HTTPS and differences

Source: Internet
Author: User
Tags: session id, ticket, ssl, connection, asymmetric encryption

SSL protocol

The handshake process of the SSL protocol

Before encrypted communication begins, the client and server must first establish the connection and exchange parameters; this process is called the handshake.

In the first step, the client sends the protocol version number, a random number generated by the client (client random), and the encryption methods supported by the client.

In the second step, the server confirms the encryption method both parties will use and sends its digital certificate, together with a random number generated by the server (server random).

In the third step, the client verifies that the digital certificate is valid, then generates a new random number (the premaster secret), encrypts it with the public key in the digital certificate, and sends it to the server.

In the fourth step, the server uses its own private key to recover the random number (the premaster secret) sent by the client.

In the fifth step, the client and the server, following the agreed encryption method, use the three preceding random numbers to generate a "session key", which is used to encrypt the rest of the conversation.

The role of the private key

(1) A total of three random numbers are required to generate the session key.

(2) The conversation after the handshake is encrypted with the "session key" (symmetric encryption); the server's public and private keys are used only to encrypt and decrypt the "session key" (asymmetric encryption) and play no other role.

(3) The server's public key is carried in the server's digital certificate.

The handshake phase of the DH algorithm

The entire handshake phase is unencrypted (and cannot be encrypted); it is plaintext. So if someone eavesdrops on the communication, he can learn the encryption method chosen by both parties and two of the three random numbers. The security of the entire session therefore rests only on whether the third random number (the premaster secret) can be cracked.

In theory, if the server's public key is long enough (such as 2048-bit), the premaster secret cannot be cracked. But to be safer still, we can change the handshake-phase algorithm from the default RSA algorithm to the Diffie-Hellman algorithm (called the DH algorithm).

With the DH algorithm, the premaster secret does not need to be transmitted at all: as long as the two sides exchange their respective parameters, each of them can calculate this random number locally.
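The following is an added example (not part of the original article) that puts the five handshake steps and the DH variant together in plain Python: both sides exchange only public DH values, each derives the premaster secret locally, and then the three random numbers are expanded into the 48-byte master secret using the TLS 1.2 PRF from RFC 5246 (P_SHA256). The DH group is a constructed toy (the prime 2^255-19 with generator 2); it is not a standardized TLS group and is used only so the block runs offline with the standard library. Real TLS also has the server sign its DH value with its certificate key, which is not modelled here, and the `eavesdropper_view` dictionary is a hypothetical name for what the passage says a listener on the wire can see.

```python
import hashlib
import hmac
import secrets

# Constructed toy DH group: the prime 2^255 - 19 with generator 2.
# Not a standardized TLS group; real deployments use RFC 7919 groups or elliptic curves.
P = (1 << 255) - 19
G = 2


def is_valid_public_value(value):
    """Reject degenerate peer values (0, 1, p-1) that would force a trivial shared secret."""
    return 1 < value < P - 1


def dh_keypair():
    """Ephemeral private exponent x and public value g^x mod p (public value goes on the wire)."""
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)


def dh_shared_secret(my_priv, their_pub):
    """(g^y)^x mod p, computed locally by each side; the result itself is never transmitted."""
    if not is_valid_public_value(their_pub):
        raise ValueError("degenerate DH public value from peer")
    shared = pow(their_pub, my_priv, P)
    return shared.to_bytes((P.bit_length() + 7) // 8, "big")


def p_sha256(secret, seed, length):
    """P_SHA256 data-expansion function from RFC 5246, section 5."""
    out = b""
    a = seed  # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()          # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()  # HMAC(secret, A(i) + seed)
    return out[:length]


def tls12_prf(secret, label, seed, length):
    """PRF(secret, label, seed) = P_SHA256(secret, label + seed) for TLS 1.2 SHA-256 suites."""
    return p_sha256(secret, label + seed, length)


def master_secret(premaster, client_random, server_random):
    """The 'session key' material: PRF(premaster, "master secret", client_random + server_random)[0..47]."""
    return tls12_prf(premaster, b"master secret", client_random + server_random, 48)


def simulate_handshake():
    """Run the handshake steps and return (client master secret, server master secret, wire view)."""
    # Steps 1 and 2: the two nonces are sent in plaintext.
    client_random = secrets.token_bytes(32)
    server_random = secrets.token_bytes(32)
    # DH variant of steps 3 and 4: only the public values g^x and g^y cross the wire.
    c_priv, c_pub = dh_keypair()
    s_priv, s_pub = dh_keypair()
    client_premaster = dh_shared_secret(c_priv, s_pub)
    server_premaster = dh_shared_secret(s_priv, c_pub)
    # Step 5: both sides expand the three random numbers into the same master secret.
    client_ms = master_secret(client_premaster, client_random, server_random)
    server_ms = master_secret(server_premaster, client_random, server_random)
    # Everything a passive listener sees; note the premaster secret is absent.
    eavesdropper_view = {
        "client_random": client_random,
        "server_random": server_random,
        "client_pub": c_pub,
        "server_pub": s_pub,
    }
    return client_ms, server_ms, eavesdropper_view


if __name__ == "__main__":
    c_ms, s_ms, view = simulate_handshake()
    print("master secrets match:", c_ms == s_ms)
    print("on the wire:", sorted(view))
```

The check in `is_valid_public_value` is the one a practitioner should expect on the receiving side of any DH exchange: a peer that sends 0, 1 or p-1 would fix the shared secret to a value the listener can guess, so such values are rejected and the handshake aborted.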

Session resumption

The handshake phase is used to establish an SSL connection. If for some reason the conversation is interrupted, a new handshake is required.

There are two ways to restore the original session: one called Session ID, and the other called session ticket.

The idea of the session ID is simple: every conversation has a number (the session ID). If the conversation is interrupted, then on the next reconnection, as long as the client presents the number and the server still has a record for it, the two sides can reuse the existing "session key" without regenerating it.

The session ID is a method currently supported by all browsers, but its disadvantage is that the session ID is usually kept on only one server. Therefore, if a client's request is sent to another server, the conversation cannot be resumed. The session ticket was created to solve this problem and is currently supported only by the Firefox and Chrome browsers.
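As an added illustration (not code from the original article) of the difference just described, the block below models two servers of a pool. With session IDs, the session state lives in one server's own cache, so a sibling server cannot resume it; with session tickets, the state is handed back to the client inside a ticket protected by a key shared across the pool, so any server holding that key can resume it. The `SessionIdServer`, `TicketServer` and `demo` names are hypothetical, and the ticket protection (an HMAC-SHA256 keystream plus an HMAC tag, encrypt-then-MAC) is a constructed stand-in so the example runs with only the standard library.

```python
import hashlib
import hmac
import secrets


class SessionIdServer:
    """Session ID resumption: state is held in this server's private cache only."""

    def __init__(self):
        self.cache = {}  # session_id -> session key

    def new_session(self, session_key):
        sid = secrets.token_bytes(32)
        self.cache[sid] = session_key
        return sid  # the client stores only this opaque number

    def resume(self, sid):
        return self.cache.get(sid)  # None means: full handshake required


class TicketServer:
    """Session ticket resumption: state travels to the client, sealed with a pool-wide ticket key."""

    def __init__(self, ticket_key):
        # Separate encryption and MAC keys derived from the one pool-wide key.
        self.enc_key = hmac.new(ticket_key, b"ticket-enc", hashlib.sha256).digest()
        self.mac_key = hmac.new(ticket_key, b"ticket-mac", hashlib.sha256).digest()

    def _keystream(self, nonce, length):
        # Constructed stream cipher for the example: HMAC(enc_key, nonce || counter).
        out = b""
        counter = 0
        while len(out) < length:
            out += hmac.new(self.enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
            counter += 1
        return out[:length]

    def new_ticket(self, session_key):
        nonce = secrets.token_bytes(16)
        ciphertext = bytes(a ^ b for a, b in zip(session_key, self._keystream(nonce, len(session_key))))
        tag = hmac.new(self.mac_key, nonce + ciphertext, hashlib.sha256).digest()
        return nonce + ciphertext + tag  # opaque to the client

    def resume(self, ticket):
        if len(ticket) < 16 + 32:
            return None
        nonce, ciphertext, tag = ticket[:16], ticket[16:-32], ticket[-32:]
        expected = hmac.new(self.mac_key, nonce + ciphertext, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None  # forged or corrupted ticket: fall back to a full handshake
        return bytes(a ^ b for a, b in zip(ciphertext, self._keystream(nonce, len(ciphertext))))


def demo():
    """Return (id works on same server, id works on other server, ticket works on other server, tampered ticket rejected)."""
    session_key = secrets.token_bytes(48)

    server_a, server_b = SessionIdServer(), SessionIdServer()
    sid = server_a.new_session(session_key)
    by_id_same = server_a.resume(sid) == session_key
    by_id_other = server_b.resume(sid) == session_key  # sibling has no record

    ticket_key = secrets.token_bytes(32)  # shared by every server in the pool
    ticket_a, ticket_b = TicketServer(ticket_key), TicketServer(ticket_key)
    ticket = ticket_a.new_ticket(session_key)
    by_ticket_other = ticket_b.resume(ticket) == session_key

    tampered = ticket[:20] + bytes([ticket[20] ^ 0x01]) + ticket[21:]
    tampered_rejected = ticket_b.resume(tampered) is None

    return by_id_same, by_id_other, by_ticket_other, tampered_rejected


if __name__ == "__main__":
    print(demo())  # expected: (True, False, True, True)
```

Two operational points follow from this model. The ticket key is now a single secret that unlocks every session it sealed, so it has to be distributed to the whole pool and rotated regularly; RFC 5077 tickets use AES-CBC plus HMAC-SHA256 and carry an expiry, both of which the toy above omits. And a ticket that fails its tag check must simply trigger a full handshake rather than an error that distinguishes "unknown" from "forged".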

The difference between HTTPS and HTTP

The Hypertext Transfer Protocol (HTTP) is used to pass information between a Web browser and a Web server. HTTP sends content in plaintext and provides no data encryption of any kind; if an attacker intercepts a message in transit between a Web browser and a Web server, he can read the information directly. HTTP is therefore unsuitable for transmitting sensitive information such as credit card numbers and passwords. To address this flaw in HTTP, a different protocol is needed: Hypertext Transfer Protocol over Secure Sockets Layer (HTTPS). To secure data transmission, HTTPS adds the SSL protocol on top of HTTP; SSL relies on certificates to verify the identity of the server and to encrypt communication between the browser and the server.

The main differences between HTTPS and HTTP are the following four points:

1. HTTPS requires applying to a CA for a certificate; free certificates are rare, so this generally costs money.
2. HTTP is a hypertext transfer protocol whose information is transmitted in plaintext; HTTPS is a secure, SSL-encrypted transport protocol.
3. HTTP and HTTPS use completely different connection methods and different ports: the former uses 80, the latter 443.
4. An HTTP connection is very simple and stateless; HTTPS is a network protocol built from SSL plus HTTP that encrypts the transmission and authenticates the server, and is therefore more secure than HTTP.
