Minutes to make you understand HTTPS

One, HTTP problem 1.1 may be eavesdropping

1. HTTP itself does not have the function of encryption, HTTP messages are sent using plaintext
2. Since the internet is made up of networking facilities in various parts of the world, all data sent and received through certain devices may be intercepted or spied on. (For example, we are familiar with the grab Bag tool: Wireshark)

1.2 Certification issues

1. Unable to confirm that the server you are sending to is the true target server (the server may be spoofed)
2. Unable to determine whether the returned client is a client that is receiving the true intent (possibly a spoofed client)
3. There is no way to determine whether the person communicating is having access, some important information on the WEB server, and only wants to send to a specific user even if a meaningless request is received. Unable to block DoS attacks under massive requests (denial of service, denial of services attacks).

1.3 could have been tampered with

1. Request or response in transit, an attack by an attacker intercepting and tampering with the content is called a man-in-the-middle attack (Man-in-the-middle attack,mitm).

Ii. HTTPS Introduction 2.1 What is HTTPS

Hypertext Transfer Security Protocol (English: hypertext Transfer Protocol Secure, abbreviation: HTTPS, often referred to as HTTP over tls,http over SSL or HTTP Secure) is a transport protocol for secure communication over a computer network. HTTPS communicates over HTTP, but uses SSL/TLS to encrypt packets. The main purpose of HTTPS development is to provide authentication to the Web server and to protect the privacy and integrity of the exchanged data.

2.2 HTTPS How to solve the above problems

HTTPS is used in the Communication Interface section with TLS (Transport Layer Security Transport Layer Secure Protocol), the TLS protocol uses a master-slave architecture model to create secure connections across the network between two applications, preventing eavesdropping and tampering when exchanging data.

2.3 The relationship between SSL and TLS

1. The Transport Layer Security Protocol (English: Transport layer Safety, abbreviated as TLS), and its predecessor Secure Sockets Layer (Secure Sockets layer, abbreviated as SSL) is a security protocol designed to provide security and data integrity assurance for Internet communications.
2. Netscape (Netscape) launched the first version of the Web browser in 1994, Netscape Navigator, the introduction of the HTTPS protocol, SSL encryption, which is the origin of SSL.
3. The IETF standardizes SSL, releasing the first version of the TLS standard file in 1999. RFC 5246 (August 2008) and RFC 6176 (March 2011) were subsequently released. This protocol is widely supported in applications such as browsers, e-mail, instant messaging, VoIP, and network faxing.

2.4 Tls/ssl Protocol

The main functions of the HTTPS protocol are basically dependent on the TLS/SSL protocol, and the function realization of TLS/SSL mainly relies on three basic algorithms: 散列函数 , 对称加密 and 非对称加密 , it realizes the authentication and key negotiation using asymmetric encryption, and the symmetric encryption algorithm uses the negotiated key to encrypt the data. Verifies the integrity of the information based on the hash function.

The operation mechanism of SSL/TLS protocol can see the overview of teacher Ruan's SSL/TLS protocol operating mechanism

The principle of RSA encryption algorithm can see the two articles of teacher Ruan the principle of RSA algorithm (a), the principle of RSA algorithm (ii)

2.5 Using homing pigeons to explain

Cryptography is a hard-to-understand discipline that is also very abstract, and any activity on the Internet can be thought of as sending and receiving information from a server. We can assume that these messages are delivered with homing pigeons.

Let's talk about Alice, Bob and Mallory before we go. They are widely used as a universal role in the field of cryptography and physics. These names are for the purpose of explaining the topic, and if the sentence is similar to "A wants to send a message to B", the more complex the issue becomes, the more difficult it will be to understand and easily confuse. In the typical protocol operation, these characters are not necessarily a "human", but may be a trustworthy automatic agent (such as computer programs). The use of these names helps illustrate the structure and sometimes is used as humor.

2.5.1 Preliminary communication

If Alice wanted to send a message to Bob, she would tie the message to the leg of the carrier pigeon and sent it to Bob. Bob received the information, and read the information, very perfect.

But what if Mallory intercepted Alice's pigeons and tampered with the information? Bob had no way of knowing that Alice's message had been altered during the transmission.

That's how HTTP works. It looks awful, doesn't it? I will not send my bank credit certificate via HTTP, and neither should you.

2.5.2 Secret code.

So if Alice and Bob are very witty. They agreed to use a concealed password to write their message. They will move each letter in the message forward by three digits in the order of the alphabet. For example, D→a,e→b,f→c. As a result, the message "secret message" becomes "PBZOBQ jbppxdb".

Now if Mallory intercepts the homing pigeon again, she can neither make meaningful changes nor know the contents of the message, because she doesn't know what the secret code is. However, Bob can easily reverse the password, relying on a→d, b→e, c→f and other rules to decipher the content of the message. The encrypted message "PBZOBQ jbppxdb" will be cracked and reverted to "secret message".

That's 对称密匙加密 because if you know how to encrypt a piece of information, you can also decrypt the message. The above password is usually called Caesar code. In real life, we use more exotic and complex passwords, but the same principle.

2.5.3 How do we determine the key?

Symmetric key encryption is very secure if no one knows what key is used except the sender and the recipient. In Caesar encryption, the secret key is the offset of how many bits each letter changes to the encrypted letter. In my previous distance, I used an offset of 3, but I can also use 4 or 12.

The problem is that if Alice and Bob don't overdo it before they start using carrier pigeons, they don't have a safe way to establish the key. If they were to pass the key in their letters, Mallory intercepted the message and found the key. This makes it possible for Mallory to read the contents of their messages and tamper with the information as she wishes before or after Alice and Bob begin to encrypt their messages.

This is a 中间人攻击 typical example, the only way to avoid this problem is to send and receive the two parties together to modify their coding system.

2.5.4 passing the box through a homing pigeon

So Alice and Bob came up with a better system. When Bob wants to send Alice a message, he will follow the steps below:

鲍勃向爱丽丝送一只没有携带任何信息的鸽子。爱丽丝给鲍勃送回鸽子，并且这只鸽子带有一个有开着的锁的盒子，爱丽丝保管着锁的钥匙。鲍勃把信放进盒子中，把锁锁上然后把盒子送给爱丽丝。爱丽丝收到盒子，用钥匙打开然后阅读信息。

Thus Mallory could not tamper with the information by intercepting the pigeons because she did not open the key to the box. When Alice wants to send a message to Bob, the same process follows.

The process used by Alice and Bob is often called 非对称密钥加密 . The reason for this asymmetry is that even if you encode the information (Lock the box) it is not possible to decipher the message (Open the Locked box).

In terminology, the box is called 公匙 and the key used to open the box is called 私匙 .

2.5.5 How to trust the box

But you will find that there are still problems. When Bob received the box, how could he be sure that the box came from Alice instead of Mallory intercepting the pigeon and swapping a box where she had the key to open it?

Alice decided to sign the box, so that when Bob received the box, he could check the signature to make sure it was the box that Alice had sent out.

So how did Bob start to recognize Alice's signature? That's a good question. Alice and Bob did have the problem, so they decided to let Ted mark the box instead of Alice.

So who's Ted? Ted is famous for being a trustworthy guy. He's going to sign anyone and everyone trusts him. Only sign the box to the legal person.

If Ted could confirm that the person requesting the signature was Alice, he would sign the box on Alice. So Mallory could not have had a box with Ted on his name, because Bob knew that Ted would only sign the person he had confirmed, thus detecting Mallory's deception.

Ted's role is called in the terminology 认证机构 . The browser package you use to read this article contains signatures from many certification authorities.

So when you first access a website you can trust the box from this site because you trust Ted and Ted will tell you that the box is legal.

2.5.6 a heavy box

Now that Alice and Bob have a reliable system to communicate, they also realize that it is slower for pigeons to carry a box than to carry a letter.

So they decided to encode the information only in the choice of symmetric encryption (remember the Caesar encryption method?). ), use the method of passing the box (asymmetric encryption).

In this way, the advantages of the two are both, the reliability of asymmetric encryption and the efficiency of symmetric encryption.

In the real world we do not use carrier pigeons such a slow means of delivering, but using asymmetric encryption to encode information is still slower than the use of symmetric encryption technology, so we only exchange the encoded key when the use of asymmetric encryption technology.

So believe that now you have learned how HTTPS works ~

Reference:

1. Use homing pigeon to explain HTTPS
2. Hypertext Transfer Security Protocol
3. Transport Layer Security Protocol

Minutes to make you understand HTTPS