HTTPS protocol Workflow

Source: Internet
Author: User
Tags: ssl, connection, asymmetric encryption

I was asked to review the HTTPS workflow.

Any discussion of HTTPS has to mention SSL.

SSL

1. Secure Sockets Layer (SSL) is a protocol that securely exchanges information between a Web browser and a Web server.

2. Three features of the SSL protocol

• Confidentiality: After the session key is defined in the handshake protocol, all messages are encrypted.

• Authentication: Optional client authentication, and mandatory server-side authentication.

• Integrity: Messages delivered include message integrity checks (using a MAC).

3. Location of SSL

The client goes through the following steps to communicate with the Web server over HTTPS.

1) The client requests an SSL connection and sends the website the set of encryption rules that it supports.

2) The website chooses an encryption algorithm and a hash algorithm from that set, and sends its identity information back to the browser in the form of a certificate. The certificate contains the website address, the public key used for encryption, the issuing certificate authority, and other information.

3) After obtaining the website certificate, the browser does the following:

• Verifies that the certificate is legitimate.

• If the certificate is trusted, generates a password made of random numbers and encrypts it with the public key provided in the certificate.

• Uses the agreed hash algorithm to compute the hash of the handshake message.

• Encrypts the message using the generated random number, and finally sends all of the previously generated information to the website.

4) After the website receives the data from the browser, it does the following:

• Uses its own private key to decrypt the information and extract the password.

• Uses the password to decrypt the handshake message from the browser and verifies that the hash is consistent with the one the browser sent.

• Encrypts a handshake message with the password and sends it to the browser.

5) The browser decrypts the handshake message and calculates its hash; if it is consistent with the hash sent by the server, the handshake ends at this point.

6) All data transmitted afterwards is encrypted with the random password and the symmetric encryption algorithm.
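The six steps above, run in memory as an added example (not code from the original page). It is a simplified model: the RSA key is a constructed toy with no padding, a SHA-256 keystream stands in for the symmetric cipher, the certificate check is reduced to a host name comparison, and every function and host name is hypothetical.

```python
import hashlib, hmac, secrets

# Toy RSA server key (constructed from two Mersenne primes, no padding; not secure).
P, Q, E = 2**127 - 1, 2**107 - 1, 65537
N, D = P * Q, pow(E, -1, (P - 1) * (Q - 1))

def xor_stream(key: bytes, label: bytes, data: bytes) -> bytes:
    """Stand-in for the symmetric cipher: XOR with a SHA-256 counter keystream."""
    blocks = (hashlib.sha256(key + label + i.to_bytes(4, "big")).digest()
              for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, b"".join(blocks)))

def client_key_exchange(cert: dict, host: str, transcript: bytes):
    """Step 3: check the certificate, wrap a random password, protect the hash."""
    if cert["host"] != host:
        raise ValueError("certificate does not match the requested host")
    password = secrets.token_bytes(16)
    wrapped = pow(int.from_bytes(password, "big"), cert["e"], cert["n"])
    finished = xor_stream(password, b"c", hashlib.sha256(transcript).digest())
    return password, wrapped, finished

def server_finish(wrapped: int, finished: bytes, transcript: bytes):
    """Step 4: unwrap the password with the private key, verify the client hash."""
    password = pow(wrapped, D, N).to_bytes(16, "big")
    expected = hashlib.sha256(transcript).digest()
    if not hmac.compare_digest(xor_stream(password, b"c", finished), expected):
        raise ValueError("handshake hash mismatch")
    reply = xor_stream(password, b"s", hashlib.sha256(transcript + b"server").digest())
    return password, reply

def handshake(host: str = "shop.example", tamper: bool = False):
    """Run steps 1-5 and return the password held by the client and the server."""
    hello = b"client-hello:AES,SHA256"                # step 1: offered rules
    cert = {"host": "shop.example", "n": N, "e": E}   # step 2: server identity
    transcript = hello + b"server-hello:AES,SHA256"
    c_pw, wrapped, finished = client_key_exchange(cert, host, transcript)
    seen = transcript + (b"!" if tamper else b"")     # messages as the server saw them
    s_pw, reply = server_finish(wrapped, finished, seen)
    # Step 5: the client checks the server's hash before trusting the channel.
    expected = hashlib.sha256(transcript + b"server").digest()
    if not hmac.compare_digest(xor_stream(c_pw, b"s", reply), expected):
        raise ValueError("server hash mismatch")
    return c_pw, s_pw
```

Step 6 is then `xor_stream(password, b"data", payload)` on either side; a modified handshake message or a certificate issued for a different host makes `handshake` raise before any application data is sent.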

4. The encryption and hash algorithms are as follows:

1) Asymmetric encryption algorithms: RSA, DSA/DSS, used to encrypt the generated password during the handshake.

2) Symmetric encryption algorithms: AES, RC4, 3DES, used to encrypt the data that is actually transmitted.

3) Hash algorithms: MD5, SHA1, SHA256, used to verify the integrity of the data.

5. The differences between HTTP and HTTPS:

1) The HTTPS protocol requires applying for a certificate.

2) HTTP is the Hypertext Transfer Protocol and transmits in plaintext; HTTPS is a secure transport protocol encrypted with SSL.

3) HTTP uses port 80; HTTPS uses port 443.

4) The HTTP connection is simple and stateless; HTTPS is a network protocol built from SSL + HTTP that provides encrypted transmission and identity authentication.
