Https and SSL learning notes (1) and httpsssl learning notes

Https and SSL learning notes (1) and httpsssl learning notes

1. What is HTTPS?

Before talking about HTTPS, you must first talk about HTTP. We usually use the HTTP protocol to browse Web pages, and the data transmitted between HTTP protocols is in plain text. In this way, transmission of sensitive information is not secure and can be easily stolen. In response to this demand, Netscape designed the SSL protocol to encrypt the data transmitted over HTTP, so HTTPS was born. The last SSL version is 3.0. Later, IETF upgraded SSL3.0, so TLS was available. In fact, the current HTTPS protocol is TLS, but SSL is still supported by browsers.

2. How HTTPS works

HTTPS requires a handshake between the client and the server before data transmission. In this process, determine the password information required for data transmission. During the handshake process, asymmetric encryption algorithms, symmetric encryption algorithms, and HASH algorithms are mainly used.

The handshaking process is described as follows:

(1) The client (browser) sends a set of encryption algorithms supported by the client to the server;

(2) The server selects an encryption algorithm and a HASH algorithm, and sends its identity information to the browser in the form of a certificate, the certificate contains Domain Name Information, Certificate Authority, and encrypted public key.

(3) After obtaining the certificate, the browser needs to do the following:

(A) verify the validity of the certificate, such as whether the certificate authority can trust the certificate, and whether the domain name in the certificate is consistent with the domain name being accessed. If the certificate is trusted, a lock (1) appears next to the website. Otherwise, a message indicating that the certificate is untrusted is displayed.

(B) If the browser deems the certificate to be trusted or the user accepts an untrusted certificate, the browser randomly generates a random number and encrypts it with the public key returned in step (2;

(C) Use the agreed HASH to calculate the handshake message, encrypt it with the random number generated above, and finally send all the generated information to the server together.

(4) The server needs to do the following after receiving the information:

(A) Use your own private key to decrypt the information and retrieve the password. Then, use the password to decrypt the handshake information and check whether the HASH is consistent.

(B) Use a password to encrypt a handshake and send it to the browser.

(5) the browser decrypts and computes the HASH of the handshake message. If it is consistent with the HASH sent by the server, the handshake ends. In the future, the communication between the browser and the client will be encrypted using the random password generated by the browser.

Why the above operations?

The main purpose is to confirm that both parties have obtained the same password and can successfully encrypt and decrypt it, and perform a test for subsequent data transmission.

3. asymmetric encryption algorithms, symmetric encryption algorithms, and HASH Algorithms

The asymmetric encryption algorithm is used to encrypt the random password generated by the browser. Because this password is the key to HTTPS data transmission, this encryption algorithm is used. Asymmetric encryption algorithms generate public and private keys. The public keys are used to encrypt data and therefore can be transmitted at will. The private key is used to decrypt data. It is kept by the server and cannot be leaked.
Symmetric encryption algorithms are used to encrypt the actually transmitted data.
The HASH encryption algorithm is used to verify data integrity.

Content reference http://www.guokr.com/post/114121/