HTTPS principle: certificate delivery, validation, and the data encryption and decryption process explained

Source: Internet
Author: User
Tags: decrypt, asymmetric encryption

Very well written; this is the content I have always wanted to find. After reading this, I immediately understand HTTPS much better.

Http://www.cnblogs.com/zhuqil/archive/2012/07/23/2604572.html

We all know that HTTPS encrypts information so that sensitive information cannot be obtained by third parties. That is why many bank websites, webmail services and other services with high security requirements use the HTTPS protocol.

About HTTPS

HTTPS is actually made up of two parts, HTTP + SSL/TLS: a layer of encryption is added on top of HTTP. Information transferred between the server and the client is encrypted by TLS, so the data on the wire is encrypted. How exactly it encrypts, decrypts and verifies is described below.

1. Client initiates HTTPS request

There is not much to say here: the user types an HTTPS URL into the browser, and the browser connects to port 443 of the server.

2. Server-side configuration

A server that uses the HTTPS protocol must have a digital certificate, which it can either issue itself or request from an organization. The difference is that a self-issued certificate requires the client to confirm it before access can continue, whereas a certificate obtained from a trusted company does not trigger a warning page (StartSSL is a good choice, with 1 year of free service). This certificate is really a pair of public and private keys. If you do not understand public and private keys, imagine a key and a lock: only you in the whole world have the key, and you can hand the lock to others. Others can use the lock to lock up something important and send it to you; because only you have the key, only you can see what has been locked up by this lock.

3. Transmitting the certificate

The certificate is essentially the public key, but it also contains a lot of other information, such as the issuing authority and the expiration time.

4. Client parses the certificate

This work is done by the client's TLS implementation. First it verifies that the public key is valid, checking the issuing authority, the expiration time and so on; if an anomaly is found, a warning box pops up telling the user there is a problem with the certificate. If there is no problem with the certificate, a random value is generated and then encrypted with the certificate. In the terms used above, the random value is locked with the lock, so the locked content cannot be seen by anyone who does not have the key.

5. Transmitting encrypted information

This step transmits the random value encrypted with the certificate. The purpose is to let the server obtain this random value; from then on, communication between the client and the server can be encrypted and decrypted with it.

6. Server decrypts the information

The server decrypts with its private key and obtains the random value sent by the client (this becomes the shared key), and from then on the content is symmetrically encrypted with that value. Symmetric encryption means that the information and the key are mixed together by an algorithm, so that without knowing the key the content cannot be recovered. Only the client and the server know this key, so as long as the encryption algorithm is strong enough and the key is complex enough, the data is safe enough.

7. Transmitting the encrypted information

This is the information encrypted by the server with that key; it can be restored on the client.

8. Client decrypts the information

The client decrypts the information sent by the server with the previously generated key and obtains the decrypted content. Even if a third party intercepts the data during this process, it can do nothing with it.

Zhu Qilin
Source: http://zhuqil.cnblogs.com
This article is copyright of the author and Blog Park (cnblogs). Reprinting is welcome, but without the author's consent this paragraph must be retained, with a link to the original in a prominent place on the article page; otherwise the author reserves the right to pursue legal responsibility.



Location of SSL

SSL sits between the application layer and the TCP layer. Application-layer data is no longer passed directly to the transport layer but to the SSL layer; the SSL layer encrypts the data received from the application layer and adds its own SSL header.


RSA performance is very low, because searching for large primes, big-number arithmetic and splitting the data into blocks take a lot of CPU cycles. So an HTTPS connection generally uses asymmetric encryption only in the initial handshake, exchanges a symmetric encryption key through the handshake, and then switches to symmetric encryption for the rest of the communication.


Http://www.cnblogs.com/ttltry-air/archive/2012/08/20/2647898.html


Before transmitting data, HTTPS requires a handshake between the client (browser) and the server (website); the handshake establishes the secret that both parties use to encrypt the transmitted data. The TLS/SSL protocol is not just a set of encrypted transport protocols but a work of art designed by artists: TLS/SSL combines asymmetric encryption, symmetric encryption and hash algorithms. The handshake process in detail:


1. The browser sends the set of cryptographic rules it supports to the website.
2. The website selects a set of encryption and hash algorithms from them and sends its own identity information back to the browser in the form of a certificate. The certificate contains information such as the website address, the public key used for encryption, and the certificate's issuing authority.
3. After the browser obtains the website's certificate, it does the following:
a) Verifies the legality of the certificate (whether the issuing authority is legitimate, whether the web address contained in the certificate matches the address being accessed, and so on). If the certificate is trusted, a small padlock is shown in the browser's address bar; otherwise the browser prompts that the certificate is not trusted.
b) If the certificate is trusted, or the user accepts an untrusted certificate, the browser generates a string of random numbers as a password and encrypts it with the public key supplied in the certificate.
c) Computes a hash of the handshake messages using the agreed hash algorithm, encrypts the message with the generated random password, and finally sends all the information generated so far to the website.
4. After the website receives the data from the browser, it does the following:
a) Decrypts the information with its private key to obtain the password, uses the password to decrypt the browser's handshake message, and verifies that the hash matches the browser's.
b) Encrypts a handshake message with the password and sends it to the browser.
5. The browser decrypts and computes the hash of the handshake message; if it matches the server's hash, the handshake ends, and the subsequent data is transmitted with the symmetric encryption algorithm.

The browser and the website exchange encrypted handshake messages and verify them in order to make sure both sides have obtained the same secret and can encrypt and decrypt data normally; it is a test run before the real data is transmitted. The encryption and hash algorithms HTTPS generally uses are as follows:
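What the handshake-message check in steps 3c, 4a and 5 actually achieves, as an added Go illustration that is not part of the original article: each side hashes its own record of the handshake and binds that hash to the newly exchanged key, so a peer that holds a different key or saw a different sequence of handshake messages fails the check. The session key, message strings and cipher-suite lists below are constructed sample values, and HMAC-SHA256 is assumed as the keyed hash construction.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"fmt"
)

// transcript holds every handshake message one side has sent or received, in order.
type transcript [][]byte

// finished builds the verification value each side sends at the end of the handshake:
// the hash of the whole transcript (SHA-256, assumed here to be the agreed hash algorithm),
// bound to the freshly exchanged session key with HMAC so that only a peer holding the same
// key can produce or check it. The label keeps the client's and server's values distinct.
func finished(key []byte, tr transcript, label string) []byte {
	h := sha256.New()
	for _, m := range tr {
		h.Write(m)
	}
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(label))
	mac.Write(h.Sum(nil))
	return mac.Sum(nil)
}

// verifyFinished is the receiver's check: recompute the value over its own view of the
// transcript and compare in constant time. It fails if the two sides hold different keys
// or saw different handshake messages, such as an altered list of cipher suites.
func verifyFinished(key []byte, tr transcript, label string, got []byte) bool {
	return hmac.Equal(finished(key, tr, label), got)
}

func main() {
	key := []byte("constructed 32-byte session key!") // stands in for the exchanged random value
	client := transcript{
		[]byte("ClientHello: TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_RC4_128_SHA"),
		[]byte("ServerHello: TLS_RSA_WITH_AES_128_CBC_SHA"),
		[]byte("Certificate: <constructed placeholder for the server certificate>"),
	}
	// Constructed failure case: the ClientHello the server received differs from the one the client sent.
	server := transcript{[]byte("ClientHello: TLS_RSA_WITH_RC4_128_SHA"), client[1], client[2]}
	fromClient := finished(key, client, "client finished")
	fmt.Println("matching transcripts verify:", verifyFinished(key, client, "client finished", fromClient))
	fmt.Println("altered transcript verifies:", verifyFinished(key, server, "client finished", fromClient))
}
```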


Asymmetric encryption algorithms: RSA, DSA/DSS
Symmetric encryption algorithms: AES, RC4, 3DES
Hash algorithms: MD5, SHA1, SHA256



Summary:

The server generates a public/private key pair with RSA.

It puts the public key into the certificate sent to the client and keeps the private key itself.

The client first checks the validity of the certificate with an authoritative server. If the certificate is valid, the client generates a random number that acts as the key for the communication (call it the symmetric key), encrypts the random number with the public key, and sends it to the server.

The server uses its private key to decrypt the symmetric key, and from then on both sides encrypt and decrypt their communication with the symmetric key.
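The eight steps walked through above and this summary, as a worked example in Go; this is added illustration, not code from the original article. It assumes a self-signed certificate that is also its own trust root (standing in for a CA-issued one), RSA-OAEP to wrap a 32-byte random session key, and AES-256-GCM as the symmetric cipher; the host name is a constructed value supplied by the caller.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"math/big"
	"time"
)
// Step 2: the server's RSA key pair plus a self-signed certificate carrying its public key (assumed setup: the server is its own trust root).
func makeServerCert(host string) (*rsa.PrivateKey, *x509.Certificate) {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{host}, IsCA: true,
		BasicConstraintsValid: true, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	cert, _ := x509.ParseCertificate(der)
	return priv, cert
}
// Step 4: accept the certificate only if it chains to a trusted root, is within its validity period and names the visited host.
func clientVerify(cert *x509.Certificate, roots *x509.CertPool, host string) error {
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}
// Steps 4-5: a fresh random session key, "locked" with the public key taken from the certificate.
func clientWrapKey(cert *x509.Certificate) (key, wrapped []byte) {
	key = make([]byte, 32)
	rand.Read(key)
	wrapped, _ = rsa.EncryptOAEP(sha256.New(), rand.Reader, cert.PublicKey.(*rsa.PublicKey), key, nil)
	return key, wrapped
}
// Step 6: only the holder of the matching private key can unlock the session key.
func serverUnwrapKey(priv *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, nil)
}
// Steps 6-8: data now travels under the shared key with AES-256-GCM; Seal prefixes a random 12-byte nonce, Open strips it and rejects tampering.
func gcm(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(block)
	return g
}
func Seal(key, msg []byte) []byte {
	nonce := make([]byte, 12)
	rand.Read(nonce)
	return gcm(key).Seal(nonce, nonce, msg, nil)
}
func Open(key, box []byte) ([]byte, error) {
	return gcm(key).Open(nil, box[:12], box[12:], nil)
}
```

clientVerify returning an error for an unknown issuer, an expired certificate or a host-name mismatch is the programmatic form of the warning box in step 4.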

