HTTPS highlights (example: https://www.baidu.com)
- Differences between HTTP and HTTPS
1. To use HTTPS, the server must obtain a certificate from a CA (certificate authority).
2. HTTP is the Hypertext Transfer Protocol and transmits information in plaintext; HTTPS wraps HTTP in the SSL encrypted transport, so the transmission is encrypted.
3. HTTP and HTTPS use completely different connection methods and different ports: the default HTTP port is 80 and the default HTTPS port is 443.
4. An HTTP connection is simple and stateless. HTTPS is a network protocol built from SSL + HTTP that supports encrypted transmission and identity authentication, so it is safer than HTTP.
1. The SSL protocol sits between TCP/IP and the various application-layer protocols and provides security support for data communication.
2. The SSL protocol has two layers: the SSL record protocol and the SSL handshake protocol.
The SSL record protocol is built on a reliable transport protocol (such as TCP) and provides higher-level protocols with basic functions such as data encapsulation, compression, and encryption.
The SSL handshake protocol is built on top of the SSL record protocol. Before actual data transmission begins, it is used for identity authentication, negotiation of the encryption algorithm, and exchange of encryption keys.
3. The services provided by the SSL protocol mainly include:
1) Authentication of users and servers, ensuring that data is sent to the correct client and server.
2) Data encryption, preventing data from being stolen in transit.
3) Data integrity, ensuring that data is not altered during transmission.
4. SSL protocol workflow
Server authentication phase:
1) The client sends a start message ("hello") to the server to begin a new session.
2) Based on the client's information, the server decides whether a new master key needs to be generated. If so, its response to the client's "hello" includes the information needed to generate the master key.
3) The client generates a master key from the server's response, encrypts it with the server's public key, and transmits it to the server.
4) The server decrypts the master key and returns a message that lets the client authenticate the server using the master key.
User authentication phase:
The authenticated server sends a challenge to the client. The client returns the challenge with its digital signature and its public key, which gives the server proof of the client's identity.
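The checks a client performs when it authenticates the server (CA trust, validity period, domain name match, and refusing the insecure protocol versions), as an added example using Python's standard-library ssl module; this is not code from the original page or from baidu.com, and the insecure context is included only as the negative case to compare against.

```python
import ssl

# Added example (not from the original page): a client context that enforces the
# server-authentication checks, beside the anti-pattern that disables them.

def hardened_client_context() -> ssl.SSLContext:
    """Client context that refuses any server failing the authentication checks."""
    ctx = ssl.create_default_context()            # loads the system CA store
    ctx.check_hostname = True                     # certificate name must match the target host
    ctx.verify_mode = ssl.CERT_REQUIRED           # chain to a trusted CA, within validity period
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # no SSL 3.0 / TLS 1.0 / TLS 1.1
    return ctx

def insecure_client_context() -> ssl.SSLContext:
    """The anti-pattern: verification disabled, so any certificate is accepted.
    Present only so describe_checks() has a negative case to report on."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # check_hostname must be switched off before verify_mode, or ssl raises ValueError.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx

def describe_checks(ctx: ssl.SSLContext) -> dict:
    """Map the context settings onto the checks the handshake text lists."""
    verifies_chain = ctx.verify_mode == ssl.CERT_REQUIRED
    return {
        "ca_trust_and_expiry": verifies_chain,   # chain building also enforces notBefore/notAfter
        "hostname_match": verifies_chain and bool(ctx.check_hostname),
        "modern_tls_only": ctx.minimum_version >= ssl.TLSVersion.TLSv1_2,
    }

if __name__ == "__main__":
    for name, ctx in (("hardened", hardened_client_context()),
                      ("insecure", insecure_client_context())):
        print(name, describe_checks(ctx))
```

A connection made with the hardened context fails with an SSLError when any of these checks fails, which is the "communication is disconnected" outcome the handshake description gives.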
To better understand the SSL protocol, we introduce its handshake protocol. SSL uses both public-key encryption and symmetric encryption. Symmetric encryption is faster than public-key encryption, but public-key encryption provides better identity authentication. The SSL handshake protocol is very effective at letting the client and server complete identity authentication. The main process is as follows:
1) The client browser sends to the server the version number of its SSL protocol, the types of encryption algorithms it supports, a generated random number, and the other information needed for communication between server and client.
2) The server sends the client its SSL protocol version number, the selected encryption algorithm type, a random number, and other related information. At the same time, the server also sends its own certificate to the client.
3) The client uses the information sent by the server to verify the server's legitimacy. This includes: whether the certificate has expired, whether the CA that issued the server certificate is trusted, whether the issuer's public key correctly verifies the issuer's digital signature on the server certificate, and whether the domain name on the server certificate matches the server's actual domain name. If the legitimacy check fails, the communication is disconnected; if it passes, the process continues with step 4.
4) The client generates a random "symmetric password" for the subsequent communication, encrypts it with the server's public key (obtained from the server certificate in step 2), and sends this encrypted "pre-master password" to the server.
5) If the server requires client identity authentication (optional in the handshake), the client creates a random number, signs it, and sends the signed random number together with the client's own certificate and the encrypted "pre-master password" to the server.
6) If the server requires client identity authentication, the server must check the validity of the client's certificate and the signed random number. The validity check covers: whether the client certificate is within its validity period, whether the CA that issued it is trusted, whether the CA's public key correctly verifies the CA's digital signature on the client certificate, and whether the client certificate appears on the certificate revocation list (CRL). If the check fails, the communication is interrupted immediately. If it passes, the server decrypts the encrypted "pre-master password" with its own private key, then executes a series of steps to generate the master communication password (the client generates the same master communication password in the same way).
7) The server and client now hold the same master password, the "session password": a symmetric key used for encrypting and decrypting secure data communication over the SSL protocol. At the same time, the integrity of the data communication must be ensured during SSL communication to prevent any alteration of the data.
8) The client sends a message to the server indicating that the master password from step 7 will be used as the symmetric key for subsequent data communication, and notifies the server that the client's part of the handshake has ended.
9) The server sends a message to the client indicating that the master password from step 7 will be used as the symmetric key for subsequent data communication, and notifies the client that the server's part of the handshake has ended.
10) The SSL handshake is complete and data communication over the SSL secure channel begins. The client and server use the same symmetric key for data communication and verify the integrity of the communication.