http://blog.csdn.net/wangjun5159/article/details/51510594
http://blog.csdn.net/aqiangsz/article/details/53611665
We all know that HTTPS encrypts traffic so that sensitive information cannot be read by a third party. That is why banking websites, webmail and other services with security requirements use the HTTPS protocol.
Introduction to HTTPS
HTTPS is really two parts combined: HTTP plus SSL/TLS, where TLS is the module that adds a layer of encryption on top of HTTP. Everything the server and the client send to each other is encrypted by TLS, so the data in transit is protected. How the encryption, decryption and verification work in detail is shown in the figure below and walked through in the following steps.
1. Client initiates HTTPS request
There is not much to say about this step: the user enters an HTTPS URL in the browser, and the browser connects to port 443 on the server.
2. Server-side configuration
A server that speaks HTTPS must have a digital certificate. You can create one yourself or apply to a certificate authority for one. The difference is that with a self-issued certificate the client shows a warning page that the user must accept before continuing, whereas a certificate issued by a trusted authority does not trigger that warning page (StartSSL is a good choice, with one year of free service). This certificate is really a pair of keys, one public and one private. If you are not familiar with public and private keys, think of them as a lock and a key: you are the only person in the world who holds the key, but you can hand the lock to anyone. Other people use the lock to lock up something important and send it to you, and because only you hold the key, only you can see what is inside.
3. Transfer Certificate
The certificate is essentially the public key, packaged together with a lot of other information, such as the issuing certificate authority, the expiry date, and so on.
4. Client parses the certificate
This work is done by the client's TLS implementation. It first checks that the public key is valid: whether the issuing authority is trusted, whether the certificate has expired, and so on. If anything is wrong, a warning box pops up telling the user that the certificate has a problem. If the certificate is fine, the client generates a random value and encrypts it with the certificate's public key. In the terms used above, it locks the random value with the lock, so that nobody without the key can see what is locked inside.
5. Transmission of encrypted information
What is transmitted here is the random value encrypted with the certificate's public key. The purpose is to get this random value to the server, so that from then on the client and the server can encrypt and decrypt their communication with it.
6. Server decrypts the information
The server decrypts the message with its private key and obtains the random value the client sent; this value now serves as the secret key for symmetric encryption of the content. Symmetric encryption means mixing the information and the secret key together with some algorithm, so that nobody can recover the content without the secret key. Since only the client and the server know this key, as long as the encryption algorithm is strong enough and the key is complex enough, the data is safe enough.
7. Transmission of encrypted information
What is transmitted here is information encrypted by the server with the shared secret key, which the client can restore.
8. Client Decryption Information
The client uses the secret key it generated earlier to decrypt the message from the server, and so obtains the decrypted content. Even if a third party captures the data during the whole exchange, it can do nothing with it.
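The exchange in steps 2 to 8, as an added Go example that is not from the original post: the server's key pair stands in for the certificate (issuer and expiry checks are not modelled), the client wraps a random 256-bit value with the server's public key using RSA-OAEP, the server unwraps it, and both sides then protect records with AES-GCM under that value. This is the RSA key-transport model the post describes; TLS 1.3 replaces it with ephemeral Diffie-Hellman so that a later compromise of the server's private key cannot decrypt recorded traffic.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// Step 2: the server's key pair. The certificate carries only the public half.
func NewServerKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// Steps 4-5 (client): generate the random value and "lock" it with the server's public key.
func ClientWrapSessionKey(pub *rsa.PublicKey) (sessionKey, wrapped []byte, err error) {
	sessionKey = make([]byte, 32) // becomes the 256-bit AES key
	if _, err = rand.Read(sessionKey); err != nil {
		return nil, nil, err
	}
	wrapped, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, sessionKey, nil)
	return sessionKey, wrapped, err
}

// Step 6 (server): only the private key can unlock the random value.
func ServerUnwrapSessionKey(priv *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, nil)
}

// Steps 6-8: both ends build the same symmetric record cipher from that value.
func RecordCipher(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt one record; the nonce travels with the ciphertext. GCM also authenticates it.
func Seal(aead cipher.AEAD, plaintext []byte) (nonce, ct []byte, err error) {
	nonce = make([]byte, aead.NonceSize()) // fresh random nonce per record
	if _, err = rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	return nonce, aead.Seal(nil, nonce, plaintext, nil), nil
}

// Decrypt and verify one record; a tampered record fails the tag check and returns an error.
func Open(aead cipher.AEAD, nonce, ct []byte) ([]byte, error) {
	return aead.Open(nil, nonce, ct, nil)
}
```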