HTTP network protocol (IV) and http network protocol

Source: Internet
Author: User
Tags ssl connection

HTTP network protocol (IV) and http network protocol
Secure Web HTTPS

HTTP has three obvious disadvantages:

  • Communication uses plain text (not encrypted), and the content may be eavesdropped.
  • If you do not verify the identity of the contact, you may experience disguise.
  • Unable to prove the integrity of the message, so it may have been tampered.
    Although there is no encryption mechanism in the HTTP protocol, you can use the encrypted HTTP Communication content in combination with SSL or TLS.
    The HTTP protocol has the following risks during communication:
  • It cannot be determined whether the Web server sent the request to the target is the server that returns the response based on the actual intention. It may be a disguised Web server.
  • It cannot be determined whether the client returned by the response is the client that receives the response based on the actual intention. It may be a disguised client.
  • You cannot determine whether the target user has the access permission. Because important information is stored on some Web servers, you only want to grant permissions to specific users.
  • You cannot determine where the request comes from.
  • Even meaningless requests are fully received according to the order and cannot prevent Dos attacks (Dos attacks) under massive requests ).
  • The request or response content may be intercepted and tampered with by attackers during transmission.

Even if encryption and authentication are added to HTTP and packet Integrity Protection (integrity refers to information accuracy), the communication layer is different.

SSL adopts an encryption method called public key encryption. Its encryption algorithm is public, but the key is kept confidential. The key is used during encryption and decryption.
Encryption and decryption are also called shared key encryption and symmetric key encryption.
Public key encryption uses an asymmetric key. One is called a private key, and the other is called a public key. A private key cannot be known to anyone else, and a public key can be released at will, any one can obtain the public key. the sender of the ciphertext uses the public key of the other party for encryption. After receiving the encrypted information, the other party uses its own private key for decryption, in this way, you do not need to send private keys for decryption, and do not have to worry that keys are stolen by attackers.

HTTPS adopts the hybrid encryption mechanism in combination with the preceding two encryption methods, because the public encryption makes encryption processing more complex and less efficient than the shared key encryption method, HTTPS uses the public key encryption method in the key exchange process, and the shared key encryption method is used for the subsequent establishment of the communication exchange message segment.

To authenticate that the server you access is the one you originally expected, you need a third-party organization that both clients and servers can trust-a digital certificate authority, the server sends the Public Key Certificate (also known as the digital certificate) issued by the digital certification authority to the client for public key encrypted communication, the client that receives the certificate can use the public key of the digital certificate authority to verify the digital signature on the certificate, it means that the public key of the server is trustworthy and the server is the service you expected to access. The whole process

The HTTPS communication procedure is as follows:

  • The Client starts SSL communication by sending the Client Hello message. The message contains the specified SSL version supported by the Client and the list of encrypted components.
  • When the server can perform SSL communication, the server uses the Sever Hello message as the response. Like the client, the message contains the SSL version and the encryption component, the content of the server's encryption component is chosen from the received client's encryption component.
  • The server then sends the Certificate message, which contains the Public Key Certificate.
  • Finally, the Server sends the Hello Done message to the client, and the SSL handshake negotiation in the initial phase ends.
  • After the first handshake of SSL, the Client uses the Client Key Exchange message as a response. The message contains a random password string called Pre-master secret in communication encryption, the process uses the public key from the server for encryption.
  • Then, the customer continues to send the Change Cipher Spec packet, and the message will prompt the server. The communication after the packet will adopt Pre-master secret encryption.
  • The client sends the Finished message. The message contains the overall verification value of all packets connected to the current time. Whether the handshake negotiation succeeds depends on whether the server can correctly encrypt the message.
  • The server also sends the Change Cipher Spec packet.
  • The server also sends Finished packets.
  • After the Finished Packet Exchange between the server and the client is complete, even if the SSL connection is established, of course, the communication will be protected by SSL. From then on, the application layer protocol communication will begin, that is, sending HTTP requests.
  • The Application Layer sends an HTTP response.
  • The client is disconnected.

    Overall HTTPS communication process

    HTTPS uses the SSL independent protocol. According to the above process, we know that this protocol requires a lot of CPU and memory resources, so the communication is slow and the network load is large.

Confirm access user Identity Authentication

The HTTP Communication Process uses various authentication methods to determine its identity. The verification information usually involves the following:

  • Password: only the string information that the current user will know.
  • Dynamic token: Only one-time password displayed on the device.
  • Digital authentication: only personal information is supported.
  • Biological authentication: Personal physiological information such as fingerprints and Iris.
  • IC Card: only information held by me.

Common HTTPS authentication methods: BASIC Authentication (BASIC Authentication), DIGEST authentication (DIGEST authentication), SSL client authentication, and FormBase authentication (form-based authentication ).
BASIC Authentication steps:

  • When the requested resource requires BASIC authentication, the server returns a response with the WWW-Authenticate header field along with the Status Code 401. This field contains the authentication method (BASIC) and Request-URI security domain string (realm ).
  • To pass BASIC authentication, the client receiving Status Code 401 sends the user ID and password to the server. The sent string consists of the user ID and password, the two are connected by a colon (:) And then Base64 encoded. For example, if the user ID is guest and the password is guest, the connection is guest: guest, Which is base64-encoded by the browser, send a request.
  • The server that receives the Authorization Request containing the header field verifies the correctness of the authentication information. If the verification succeeds, a response containing the Request-URI resource is returned.

Entire authentication process

Disadvantages of BASIC Authentication:

  • This authentication is performed on non-encrypted communication lines such as HTTP, which is easy to intercept and eavesdrop. (Note: Base64 encoding is used for encryption, but for transmitting information through communication)
  • The browser cannot cancel authentication.

DIGEST authentication steps:

  • The server returns a response with the WWW-Authenticate header field along with the Status Code 401. This field contains the temporary question code (random number, nonce ). the header field WWW-Authenticate must contain the realm and nonce fields (nonce is an arbitrary random string generated every time with the returned 401 response ).
  • After receiving the client with Status Code 401, extract the Authorization information of the first field in the returned response, and add usename, uri, response field information (response is also called Request-Digest. It stores the password string after MD5 calculation to form a response code .)
  • The server that receives the Authorization Request containing the header field verifies the correctness of the authentication information. If the verification succeeds, a response containing the Request-URI resource is returned.

Entire authentication process

DIGEST authentication has a higher security level than BASCI authentication. It can provide a protection mechanism to prevent password eavesdropping, but there is no protection mechanism to prevent disguised users.
SSL client authentication steps:

  • When the server receives a Request to authenticate the resource, it sends a Certificate Request message, requesting the client to provide the client Certificate (which must be purchased from the certification authority)
  • The user selects the Client Certificate to be sent, and the Client sends the Client Certificate information to the server in the form of Client Certificate message.
  • The server verifies the client certificate. After the verification is passed, you can obtain the public key of the client in the certificate, and then start HTTPS encrypted communication.

SSL client authentication requires the customer to hold the client certificate to complete the authentication, so the customer needs to pay for the certificate.
Form authentication:

  • The client user ID, password, and other login information are placed in the physical part of the message. The request is usually sent to the server using the POST method, HTTPS communication is used to display HTML form images and send user input data.
  • The server issues the SessionID used to identify the user and authenticates the login information sent from the client, then, bind the user's authentication status to SessionID and record it on the server (when a response is returned to the client, SessionID is written in the first field Set-Cookie ).
  • After the client receives the SessionID sent from the server, it will save it as a Cookie locally. When the next request is sent to the server, the browser will automatically send the Cookie, so the SessionID will also be sent to the server, the server uses this ID to authenticate the user.

Form authentication: Form authentication is the most common authentication method. This authentication method is not defined in HTTP. It is generally provided by Web applications for login information interfaces, to make it more friendly and user interaction, the user enters the information in the form interface according to the prompts and instructions, and then submits the information to the Web application for verification.

HTTP-based bottleneck

HTTP Communication Protocol has the following bottlenecks:

  • A connection can send only one request.
  • The request can only start from the client. The client cannot receive commands other than the response.
  • The request/response header is sent without compression. The more the header information, the higher the latency.
  • Sending lengthy headers causes a lot of waste each time they send the same headers.
  • You can select any data compression format, which is not forcibly compressed and sent.

Introduce Ajax technology to Solve Partial page updates and reduce the data transmitted in the response (Ajax is an asynchronous communication method that effectively utilizes JavaScript and DOM operations to replace and load partial Web pages .)
Comet technology is introduced to solve the problem of real-time update. It simulates the function of pushing the server to the client through delayed response. The general communication is as follows:
Generally, when the server receives a request, it immediately returns a response after processing. To implement the push function, Comet puts the response in the suspended state. When the server updates the content, then, the response is returned. Therefore, the server can immediately report an update to the client. (Because the response needs to be retained, a connection lasts longer, so more resources are consumed ).
The introduction of SPDY technology allows HTTP to obtain the following functions:

  • Multiplexing stream: through a single TCP connection, multiple HTTP requests can be processed without restrictions. All requests are processed on one TCP connection. Therefore, TCP processing efficiency is improved.
  • Request priority: SPDY assigns priority to requests one by one to solve the problem of slow response caused by low bandwidth when sending multiple requests at the same time.
  • Compressing the HTTP header: compresses the HTTP request and response headers to reduce the number of data packets produced by communication and the number of bytes sent.
  • Push function: supports the server to actively push data to the client, so that the server can return data without waiting for the client to send a request.
  • Server prompt: the server can actively notify the client of the amount of resources required for the request, so when the client has cached the requested resources, it can avoid sending unnecessary requests.

Introduce the WebSocket protocol to solve some HTTP bottlenecks. the Protocol has the following main features:

  • * Push function: the server can actively push data to the client.
  • Reduce Traffic: As long as a WebSocket connection is established, you want to maintain the connection state. Compared with HTTP, not only does the total overhead of each connection decrease, but also because the header information of WebSocket is small, the traffic is also reduced.

However, WebSocket communication is based on HTTP. Therefore, you need to use the HTTP Upgrade header field to inform the server of the change in the communication protocol to achieve the handshake. The whole process

Copyright Disclaimer: This article is an original article by the blogger and cannot be reproduced without the permission of the blogger.

Related Article

E-Commerce Solutions

Leverage the same tools powering the Alibaba Ecosystem

Learn more >

Apsara Conference 2019

The Rise of Data Intelligence, September 25th - 27th, Hangzhou, China

Learn more >

Alibaba Cloud Free Trial

Learn and experience the power of Alibaba Cloud with a free trial worth $300-1200 USD

Learn more >

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: and provide relevant evidence. A staff member will contact you within 5 working days.