HTTPS protocol understanding, and resolution of related protocols

HTTPS protocol understanding, and resolution of related protocols

About HTTPS

　　HTTPS(full name: Hyper Text Transfer Protocol over secure Socket Layer) is a security-targeted HTTP channel and is simply a secure version of HTTP . That is, the SSL layer is added under HTTP, the security base of HTTPS is SSL, so the detailed content of encryption needs SSL. It is a URI scheme (abstract identifier system) with syntax similar to http: System. For secure HTTP data transfer. Https:url indicates that it uses HTTP, but HTTPS has a different default port than HTTP and an encryption/authentication layer (between HTTP and TCP). The system was originally developed by Netscape (Netscape) and built into its browser Netscape navigator, providing an authentication and encryption method of communication. It is now widely used for security-sensitive communications on the World Wide Web, such as transaction payments.

The difference between HTTPS and HTTP

The Hypertext Transfer Protocol HTTP protocol is used to pass information between a Web browser and a Web server. The HTTP protocol sends content in plaintext, does not provide data encryption in any way, and if an attacker intercepts a transmission message between a Web browser and a Web server, it can read the information directly, so HTTP protocol is not suitable for transmitting some sensitive information, such as credit card number, password, etc.。 To address this flaw in the HTTP protocol, you need to use a different protocol: Secure Sockets Layer Hypertext Transfer Protocol HTTPS.　　For the security of data transmission, HTTPS joins the SSL protocol on the basis of HTTP, SSL relies on the certificate to verify the identity of the server, and encrypts the communication between the browser and the server. The main differences between HTTPS and HTTP are the following four points: first, HTTPS protocol need to request a certificate to CA, the general free certificate is very small and requires a fee. Two httpis the Hypertext Transfer Protocol, the information is plaintextTransmission HTTPSis SSL with security EncryptTransport protocol. Third, HTTP and HTTPS use a completely different way of connection, using the The port is not the same, the former is 80, the latter is 443. Four, HTTP connection is very simple, is stateless; The HTTPS protocol is a network protocol built by the SSL+HTTP protocol to encrypt the transmission and authentication, which is more secure than the HTTP protocol.

Solve the problem

first, trust the host problemThe server using HTTPS must request a certificate from the CA (Certificate authority) to prove the server's purpose type. The client trusts this host only when the certificate is used for the corresponding server. So all the banking system websites, the key parts of the application are HTTPS. The client trusts the host by trusting the certificate. In fact, this is inefficient, but banks are more focused on security. This does not make any sense to the local area network servers that provide services. A server in a local area network, the use of the certificate, whether it is published by itself or from the public, its clients are one of their own, so the client in the LAN will certainly trust the server. Second, the communication process of data disclosure and tampering1. HTTPS in the general sense is that the server has a certificate. A) The main purpose is to ensure that the server is the server he claims, which is the same as the 1th. b) All communication between the server and the client is encrypted. I. Specifically, it is Client GenerationOne symmetric key， through the serverOf CertificateTo exchanging Keys, that is, the handshake process in the general sense. II. All the information that follows is encrypted. Even if a third party intercepts, it doesn't make any sense, because he doesn't have a key, and of course it doesn't make sense to tamper with it. 2. In the case of a small client requirement, the client must also have a certificate. A) Here the client certificate, in fact, similar to the presentation of personal information, In addition to the username/password, there is also a CA certified identity。 Because personal certificates are generally not emulated by others, all this can be a deeper confirmation of their identity. b) Most of the current professional editions of personal banking are this practice, the specific certificate may be to take a U-Shield as a backup carrier.

Insufficient

It's secure DependentThe correct implementation of the browser and the server software, the actual encryption algorithm support. A common misconception is that "bank users use HTTPS online: they can fully and thoroughly protect their bank card numbers from theft." "In fact, with The portion of the server's encrypted connection that protects the bank card number, only the user-to-server connection and the server itself. Does not absolutely ensure that the server itself is safe, which has even been exploited by attackers, a common example of phishing attacks that mimic bank domain names.　　A few rare attacks occur when a website transmits customer data, and an attacker attempts to eavesdrop on the data in transit. Commercial websites are expected to quickly introduce new special handlers to the financial gateway as soon as possible, preserving only the transmission code (transaction number). But they often store bank card numbers in the same database. 　　Few of those databases and servers can be attacked and compromised by unauthorized users. Before TLS 1.1, this paragraph was only for the condition prior to TLS 1.1. Because SSL is at the next level of HTTP and does not understand higher-level protocols, SSL servers are typically only allowed to be certified to specific ip/port combinations.　　This means that it is often not possible to combine HTTPS with HTTP normally on a virtual host (domain-based). This has been updated by the upcoming TLS 1.1-type full support for domain-based virtual hosts.

About SSL

　　SSL Security Sockets layer Secure Sockets Layer, and its successor Transport Layer Security (Transport layer Security,tls) is a security protocol that provides security and data integrity for network traffic. TLS encrypts the network connection with SSL at the transport layer.

SSL Protocol primary service 1) Authenticate users and servers, ensure data is sent to the correct client and server 2) encrypt data to prevent data from being stolen halfway through 3) maintain data integrity and ensure that data is not changed during transmission. SSL Protocol Workflow Server Certification phase: 1) client to server SendOne Start Information"Hello" to StartA new Session Connection; 2) The server determines whether a new master key needs to be generated based on the customer's information, and, if necessary, the server will contain the information required to generate the master key in response to the customer's "Hello" information; 3) the customer generates a master key based on the received server response information and encrypts the server's public key to the server ; 4) The server recovers the master key and returns it to the client to authenticate the server with a master key.

User Authentication phase:

Prior to this, the server has passed the customer certification, this phase is mainly to complete the customer certification. The certified server sends a question to the customer, and the customer returns a (digital) signature question and its public key, thereby providing authentication to the server.

The role of the SSL handshake Protocol

• Verifying entity Identities
• Negotiated secret key exchange algorithm
• Compression algorithms and encryption algorithms
• Complete key exchange and generate secret keys, etc.

The handshake process for SSL

SSL protocol The use of public key cryptography and the use of symmetric encryption technology, although symmetric encryption technology is faster than public-key cryptography, public-key cryptography provides better authentication technology. SSL Handshake Protocol is very effective for the client and the server to complete mutual authentication, the main process is as follows: ① client's browser to the server to transmit the client SSL protocol version number, the type of encryption algorithm, the resulting random number, and other server and client communication between the various information required. The ② server transmits the version number of the SSL protocol to the client, the type of encryption algorithm, the random number, and other related information, and the server also transmits its own certificate to the client. ③ customers use the information sent by the server to verify the legitimacy of the server, the legitimacy of the server includes: whether the certificate expires, the issuing server certificate of the CA is reliable, the publisher certificate's public key can correctly unlock the server certificate "publisher's digital signature", the server certificate on the domain name and the server's actual domain name match. If the legitimacy verification is not passed, the communication will be disconnected, and if the legitimacy validation passes, the fourth step will continue. The ④ client randomly generates a "symmetric password" for subsequent communication, encrypts it with the server's public key (obtained from the server's certificate in step ②), and then passes the encrypted "pre-master password" to the server. ⑤ If the server requires a customer's authentication (optional during the handshake), the user can create a random number and then sign the data to the server with the random number of signatures, along with the client's own certificate and the encrypted "pre-master password". ⑥ If the server requires customer authentication, the server must verify the legitimacy of the client certificate and the signature random number, the specific legality verification process includes: whether the customer's certificate use date is valid, to provide a certificate to the client CA is reliable, the issuing CA's public key can correctly unlock the client certificate of the issuing CA's digital signature, Check that the client's certificate is in the certificate revocation list (CRL). If the test is not passed, the communication is interrupted immediately; If authenticated, the server will use its own private key to unlock the encrypted "master password" and then perform a series of steps to generate the primary communication password (the client will also generate the same master communication password in the same way). ⑦ server and client use the same master password as the "Call password", a symmetric key for the SSL protocol of Secure data communication encryption and decryption communication. At the same time in the process of SSL communication to complete the integrity of data communication, to prevent any changes in data communication. The ⑧ client sends a message to the server that indicates that subsequent data traffic will use the master password in the ⑦ as the symmetric key, and notifies the server client that the handshake process is complete. The ⑨ server sends a message to the client indicating that the subsequent data traffic will use the master password in the ⑦ as the symmetric key, and notifies the client that the server side of the handshake process is complete. ⑩ssl The handshake part ends, the SSL secure channel data communication begins, and the client and the server begin to use the sameThe key is called the data communication, while the integrity of the communication test.

HTTPS protocol understanding, and resolution of related protocols