HTTPS Protocol (4)

Schema hierarchy

HTTPS (full name: Hypertext Transfer Protocol over secure Socket Layer) is a security-targeted HTTP channel and is simply a secure version of HTTP. That is, the SSL layer is added under HTTP, and the security base of HTTPS is SSL.

SSL (secure Sockets layer Secure socket), and its successor Transport Layer Security (Transport layer Security,tls) is a security protocol that provides security and data integrity for network traffic. TLS encrypts the network connection with SSL at the transport layer.

The port used for HTTPS is 443

Encryption algorithm

There are two basic types of encryption and decryption algorithms:
1) Symmetric encryption: The key is only one, encryption and decryption for the same key, and the decryption speed is fast, the typical symmetric encryption algorithm has DES, AES and so on;
2) Asymmetric encryption: The key in pairs appear (and according to the public key can not infer the private key, according to the private key can not infer the public key), encryption and decryption using different keys (public key encryption requires private key decryption, private key encryption requires public key decryption), relatively symmetric encryption speed is slow, the typical asymmetric encryption algorithm has RSA, DSA, etc.

Communication process for HTTPS

How HTTPS works

HTTPS requires a handshake between the client (browser) and the server (Web site) before transmitting the data, which establishes the password information for both parties to encrypt the transmitted data during the handshake. TLS/SSL protocol is not only a set of encrypted transmission protocols, but also an artist-designed artwork, TLS/SSL using asymmetric encryption, symmetric encryption and hash algorithm. A brief description of the handshake process is as follows:

1) The browser sends a set of encryption rules that it supports to the Web site.
2) The website chooses a set of encryption algorithm and hash algorithm, and sends its identity information back to the browser in the form of a certificate. The certificate contains information such as the website address, the encrypted public key, and the issuing authority of the certificate.

3) After obtaining the website certificate, the browser will do the following tasks:
A) Verify the legality of the certificate (the issuing authority is legal, the certificate contains the address of the website is consistent with the address being accessed, etc.), if the certificate is trusted, the browser bar will display a small lock, otherwise the certificate is not trusted to prompt.

　　　
b) If the certificate is trusted, or if the user accepts an untrusted certificate, the browser generates a random number of passwords and encrypts them with the public key provided in the certificate.

c) Use the agreed hash to calculate the handshake message, encrypt the message with the generated random number, and then send all previously generated information to the Web site.

4) After the website receives the data from the browser to do the following actions:
A) Use your own private key to decrypt the information to remove the password, use the password to decrypt the browser's handshake message, and verify that the hash is consistent with the browser.
b) Encrypt a handshake message with a password and send it to the browser.
5) The browser decrypts and calculates the hash of the handshake message, if it is consistent with the hash of the server, at which point the handshake process ends, and all the communication data will be encrypted by the random password generated by the previous browser and using the symmetric encryption algorithm.

Here the browser and the Web site to send encrypted handshake message and verify, the purpose is to ensure that both sides have obtained a consistent password, and can be normal encryption and decryption of data, for the subsequent transmission of real data to do a test. In addition, HTTPS generally uses the encryption and hashing algorithm as follows:

• Asymmetric Encryption algorithm: RSA,DSA/DSS
• Symmetric encryption algorithm: Aes,rc4,3des
• Hash algorithm: md5,sha1,sha256
  
  

The asymmetric encryption algorithm is used to encrypt the generated password during the handshake, and the symmetric encryption algorithm is used to encrypt the data that is actually transmitted, while the hash algorithm is used to verify the integrity of the data. Because the password generated by the browser is the key to the entire data encryption, the asymmetric encryption algorithm is used to encrypt it at the time of transmission. Asymmetric encryption algorithms generate public and private keys, the public key can only be used to encrypt data, so can be transferred at will, and the Web site's private key is used to decrypt the data, so the site will be very careful to keep their private keys to prevent leakage.

If there are any errors during the TLS handshake, the encrypted connection will be disconnected, thereby preventing the transfer of private information. It is because HTTPS is very safe, attackers can not find the place to start, so more is the use of fake certificates to deceive the client, so as to obtain clear text information, but these methods can be identified.

HTTPS Protocol (4)