HTTPS one-way authentication and two-way authentication

Source: Internet
Author: User
Tags: decrypt, asymmetric encryption

1. First, understand asymmetric and symmetric encryption
(1) An asymmetric encryption algorithm uses two keys: a public key (PublicKey) and a private key (PrivateKey). The two keys form a pair: data encrypted with the public key can only be decrypted with the corresponding private key, and data encrypted with the private key can only be decrypted with the corresponding public key. Because encryption and decryption use two different keys, the algorithm is called an asymmetric encryption algorithm. The basic process for exchanging secret information with an asymmetric algorithm is:
party A generates a key pair and publishes one of the two keys as its public key; party B, having obtained that public key, encrypts the secret information with it and sends the result to party A;
party A then decrypts the encrypted information with the private key it kept to itself.
Asymmetric encryption principle:
1. A wants to send information to B, so A creates a pair of public and private keys for encryption and decryption.
2. A's private key is kept secret and A's public key is given to B; B's private key is kept secret and B's public key is given to A.
3. When A sends a message to B, A encrypts the information with B's public key, which A knows.
4. A sends this message to B (the message has been encrypted with B's public key).
5. After receiving the message, B decrypts it with its own private key. Anyone else who receives the message cannot decrypt it, because only B has B's private key.
(2) Symmetric encryption algorithms were the earliest encryption algorithms to be applied, and the technology is mature. In a symmetric encryption algorithm, the sender processes the plaintext (the original data) together with the encryption key through a special encryption algorithm,
turning it into a complex ciphertext before sending it. After receiving the ciphertext, the receiver must decrypt it with the same encryption key and the inverse of the same algorithm
in order to restore the readable plaintext. A symmetric encryption algorithm uses only one key: both parties use this key to encrypt and decrypt the data.
This requires the decrypting party to know the encryption key in advance. Symmetric encryption algorithms are characterised by openness, a small amount of computation, fast encryption and high encryption efficiency.
The disadvantage is that both sides of the transaction use the same key, so its security is not guaranteed. In addition, every pair of users that uses a symmetric encryption algorithm needs a unique key that nobody else knows.
This makes the number of keys held by senders and receivers grow exponentially, and key management becomes a burden on the users.
Symmetric encryption algorithms are difficult to use in distributed network systems, mainly because of the difficulty of key management and the high cost of use.
The symmetric encryption algorithms widely used in computer networks are DES, IDEA and AES.

2. One-way authentication:
HTTPS requires a handshake before the socket connection is established.
(1) The client sends the SSL protocol version number, the kinds of encryption algorithm it supports, a random number and other information to the server.
(2) The server returns the SSL protocol version number, the encryption algorithm type, a random number and other information to the client, together with the server certificate, i.e. its public key certificate.
(3) The client uses the information returned by the server to verify the legitimacy of the server, including whether the certificate has expired, whether the CA that issued the server certificate is trusted, whether the returned public key correctly unlocks the digital signature in the returned certificate,
and whether the domain name on the server certificate matches the actual domain name of the server. If validation passes, communication continues; otherwise, communication is terminated.
(4) The client sends the symmetric encryption schemes it supports to the server to choose from.
(5) The server chooses the strongest encryption method among the schemes provided by the client.
(6) The server returns the selected encryption scheme to the client in clear text.
(7) After receiving the encryption method returned by the server, the client uses that method to generate a random code, which serves as the symmetric encryption key for the rest of the communication.
The client encrypts the random code with the public key returned by the server and sends it to the server.
(8) After receiving the encrypted information returned by the client, the server decrypts it with its own private key and obtains the symmetric encryption key.
In the subsequent session, the server and client use this key for symmetric encryption to protect the information exchanged during the communication.
3. Two-way authentication
The principle of two-way authentication is almost the same as that of one-way authentication, except that in addition to the client authenticating the server, the server also authenticates the client.
(1) The client sends the SSL protocol version number, the kinds of encryption algorithm it supports, a random number and other information to the server.
(2) The server returns the SSL protocol version number, the encryption algorithm type, a random number and other information to the client, together with the server certificate, i.e. its public key certificate.
(3) The client uses the information returned by the server to verify the legitimacy of the server, including:
Whether the certificate has expired
Whether the CA that issued the server certificate is trusted
Whether the returned public key correctly unlocks the digital signature in the returned certificate
Whether the domain name on the server certificate matches the actual domain name of the server
If validation passes, communication continues; otherwise, communication is terminated
(4) The server asks the client to send the client's certificate, and the client sends its own certificate to the server
(5) The server verifies the client's certificate; once it passes, the server obtains the client's public key
(6) The client sends the symmetric encryption schemes it supports to the server to choose from.
(7) The server chooses the strongest encryption method among the schemes provided by the client
(8) The server encrypts the chosen encryption scheme with the client's public key obtained earlier and returns it to the client
(9) After receiving the encrypted scheme returned by the server, the client decrypts it with its own private key, obtains the specific encryption method, and then generates the random code for that method, which serves as the key for the encrypted communication.
The client encrypts this code with the public key obtained earlier from the server certificate and sends it to the server
(10) After receiving the message sent by the client, the server decrypts it with its own private key and obtains the symmetric encryption key. In the subsequent session,
the server and client use this key for symmetric encryption to protect the information exchanged during the communication.
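The two flavours of handshake described in sections 2 and 3, as an added example written for this page in Go's standard library (not code from the original article). It builds a constructed throwaway PKI with made-up names (ca.example.test, server.example.test, client-1.example.test), then runs a real TLS handshake over an in-memory pipe: with mutual=false only the server is authenticated (the client's RootCAs and ServerName settings perform the expiry, issuer, signature and domain-name checks of step (3)); with mutual=true the server additionally demands and verifies a client certificate, as in steps (4) and (5) of section 3. The cipher negotiation of steps (4) to (6) of section 2 is done inside the tls package.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)
// issue makes an Ed25519 key and a certificate for cn signed by parent/pkey (constructed throwaway PKI; nil parent = self-signed root CA).
func issue(cn string, parent *x509.Certificate, pkey ed25519.PrivateKey) (tls.Certificate, *x509.Certificate, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn}, DNSNames: []string{cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), IsCA: parent == nil, BasicConstraintsValid: true,
		KeyUsage:    x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	if parent == nil { // root CA: the template signs itself
		parent, pkey = tmpl, priv
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, pkey)
	cert, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv}, cert, priv
}
// handshake runs one TLS handshake over an in-memory pipe and returns the client certificates the server authenticated
// (none in the one-way case). The client trusts roots and expects host; mutual=true makes the server demand a client cert.
func handshake(roots *x509.CertPool, host string, server, client tls.Certificate, mutual bool) ([]*x509.Certificate, error) {
	sc := &tls.Config{Certificates: []tls.Certificate{server}, SessionTicketsDisabled: true}
	cc := &tls.Config{RootCAs: roots, ServerName: host} // RootCAs + ServerName = expiry, chain/signature and name checks
	if mutual {
		sc.ClientAuth, sc.ClientCAs = tls.RequireAndVerifyClientCert, roots
		cc.Certificates = []tls.Certificate{client}
	}
	cs, ss := net.Pipe()
	ss.SetDeadline(time.Now().Add(5 * time.Second)) // a synchronous pipe must never hang on a failed handshake
	srv, cl := tls.Server(ss, sc), tls.Client(cs, cc)
	done := make(chan error, 1)
	go func() { done <- srv.Handshake(); ss.Close() }() // closing ss frees a client blocked on a failed server
	cerr := cl.Handshake()
	cs.Close() // nothing is pending after success; after a client-side failure this frees the server
	if serr := <-done; cerr != nil || serr != nil {
		return nil, fmt.Errorf("client: %v; server: %v", cerr, serr)
	}
	return srv.ConnectionState().PeerCertificates, nil
}
```

Both sides' errors are combined because in TLS 1.3 a rejected client certificate is reported by the server while the client's own Handshake call can still return success; the server's error is where a failed two-way authentication shows up.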
