HTTPS and SSL learning notes (i)

Source: Internet
Author: User
Tags: asymmetric encryption

1. What is HTTPS

Before talking about HTTPS we have to talk about HTTP. We usually browse the Web over the HTTP protocol, and HTTP transmits its data in clear text, so sending sensitive information over it is not safe: anyone on the network path can read or modify it. To meet this need, Netscape designed the SSL protocol to encrypt the data carried by HTTP, and HTTPS was born. The last version of SSL was 3.0; the IETF then took over the protocol and its successor was named TLS (TLS 1.0 is a modest revision of SSL 3.0). What HTTPS actually uses today is TLS. SSL 2.0 and 3.0 have since been deprecated (RFC 6176 and RFC 7568) and modern browsers no longer negotiate them, although the name SSL is still widely used to mean TLS.

2. How HTTPS works

HTTPS requires a handshake between the client and the server before any application data is transmitted; the handshake negotiates the key material that protects the subsequent data transfer. Three kinds of algorithm are used during the handshake: asymmetric encryption, symmetric encryption and hashing.

The handshake process is described below:

(1) The client (browser) sends the server the set of encryption and hash algorithms it supports;

(2) The server chooses one encryption algorithm and one hash algorithm from that set, and sends its identity to the browser in the form of a certificate. The certificate contains the server's domain name, the issuing certificate authority (CA), the server's public key, the CA's signature over these fields, and so on.

(3) After receiving the certificate, the browser must do the following:

(a) Verify the certificate: is it signed by a certificate authority the browser trusts, is it still within its validity period, does the domain name in the certificate match the domain being accessed, and so on. If the certificate checks out, the browser shows a lock icon next to the URL; otherwise it warns that the certificate is not trusted.

(b) If the browser trusts the certificate (or the user chooses to accept an untrusted one), the browser generates a random secret and encrypts it with the server's public key received in step (2);

(c) Hash the handshake messages exchanged so far with the agreed hash algorithm, protect that hash with the key derived from the secret, and send the encrypted secret together with this handshake verification message to the server.

(4) When the server receives this, it does the following:

(a) Decrypt the message with its own private key to recover the secret, derive the same key from it, and use that key to check the browser's handshake verification message: the hash of the handshake must match the one the server computes itself.

(b) Compute its own hash of the handshake messages, protect it with the same key, and send it to the browser.

(5) The browser decrypts the server's message and checks the hash; if it matches the server's, the handshake is complete. All later communication between the browser and the server is encrypted with the symmetric key derived from the random secret the browser generated.

Why go through all of these steps?

The main purpose is to confirm, before any real data is sent, that both parties hold the same key and can encrypt and decrypt with it successfully: the hash check in steps (3)(c) to (5) is a test run of the negotiated key over the handshake itself. It also proves to the browser that the server really holds the private key matching the certificate, because only that key can recover the secret. Note that this describes the RSA key exchange of TLS 1.2 and earlier. Because the secret is encrypted to the server's long-term public key, anyone who later obtains the private key can decrypt recorded traffic; TLS 1.3 therefore removed RSA key exchange and always uses ephemeral (elliptic-curve) Diffie-Hellman, in which the certificate's key only signs the handshake.

3. Asymmetric encryption algorithm, symmetric encryption algorithm and hash algorithm

Asymmetric encryption is used to encrypt the random secret generated by the browser. That secret is the key to all HTTPS data transfer, so it must not travel in the clear, and only asymmetric encryption can protect it before the two sides share any key. An asymmetric algorithm produces a key pair: the public key encrypts data and can be distributed freely (it is what the certificate carries), while the private key decrypts, is kept by the server and must never be disclosed.

Symmetric encryption is used to encrypt the application data that is actually transferred, because it is far faster than asymmetric encryption.

The hash algorithm is used to verify the integrity of the data. A hash is not an encryption algorithm: on its own anyone can recompute it, so TLS uses it inside a keyed MAC (HMAC in TLS 1.2 and earlier) or inside an AEAD cipher mode, which ties the integrity check to the shared key.
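The five handshake steps in section 2 and the three algorithm roles in section 3, as one added worked example that is not code from the original notes or from the guokr post they draw on: a toy simulation in Python with the browser and the server running in one process. Assumptions: textbook RSA with small fixed primes and no padding, a stream cipher keyed by HMAC-SHA256 in place of a real block cipher, a cut-down key derivation, a Finished message implemented as a MAC over the handshake transcript rather than the notes' "encrypt the hash", and the hypothetical names TOY-RSA-HMACSHA256, TOY-RSA-HMACSHA1, ToyCA and example.com. None of it is secure; it exists to show who holds which key, what each message carries, and why the handshake check fails when the other side lacks the private key.

```python
"""Toy simulation of the RSA key-exchange handshake from the notes. Textbook RSA with small
primes, HMAC-SHA256 keystream, cut-down key derivation: NOT secure, illustration only."""
import hashlib
import hmac
import os

def rsa_keygen(p=999983, q=1000003):
    """Textbook RSA from two primes (defaults: 999983 and 1000003). Real keys are 2048-bit."""
    n, phi, e = p * q, (p - 1) * (q - 1), 65537
    return (n, e), (n, pow(e, -1, phi))          # (public key, private key)

def rsa_encrypt(pub, m):
    return pow(m, pub[1], pub[0])

def rsa_decrypt(priv, c):
    return pow(c, priv[1], priv[0])

def h(*parts):
    """SHA-256 over the repr of some fields (stand-in for hashing DER-encoded structures)."""
    return hashlib.sha256(repr(parts).encode()).digest()

def issue_certificate(ca_name, ca_priv, subject, subject_pub):
    """The CA signs (subject, public key) with its private key: sig = digest^d mod n_ca."""
    digest = int.from_bytes(h(subject, subject_pub), "big") % ca_priv[0]
    return {"subject": subject, "issuer": ca_name, "pubkey": subject_pub,
            "signature": pow(digest, ca_priv[1], ca_priv[0])}

def verify_certificate(cert, trusted_cas, hostname):
    """Step 3(a): trusted issuer, name matches the host being accessed, signature valid."""
    ca_pub = trusted_cas.get(cert["issuer"])
    if ca_pub is None or cert["subject"] != hostname:
        return False
    digest = int.from_bytes(h(cert["subject"], cert["pubkey"]), "big") % ca_pub[0]
    return pow(cert["signature"], ca_pub[1], ca_pub[0]) == digest

def derive_keys(premaster, client_random, server_random):
    """Stand-in for the TLS PRF: shared secret + both nonces -> (encryption key, MAC key)."""
    seed = premaster.to_bytes(8, "big") + client_random + server_random
    return hashlib.sha256(b"enc" + seed).digest(), hashlib.sha256(b"mac" + seed).digest()

def _keystream(enc_key, nonce, length):
    blocks = (hmac.new(enc_key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]

def seal(enc_key, mac_key, plaintext):
    """Record layer, encrypt-then-MAC: nonce || ciphertext || HMAC(nonce || ciphertext)."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def open_record(enc_key, mac_key, record):
    """Check the MAC before touching the ciphertext; a wrong key or a flipped bit is rejected."""
    nonce, ct, tag = record[:16], record[16:-32], record[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("record MAC check failed: tampered data or wrong key")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))

def finished(mac_key, transcript):
    """Finished message: MAC over the handshake so far under the freshly derived key."""
    return hmac.new(mac_key, h(transcript), hashlib.sha256).digest()

def handshake(hostname, server_cert, server_priv, trusted_cas):
    """Steps (1)-(5) of the notes with both roles in one process. Returns each side's keys."""
    transcript = []
    client_random = os.urandom(32)                                          # (1) ClientHello
    transcript.append(("ClientHello", ["TOY-RSA-HMACSHA256", "TOY-RSA-HMACSHA1"], client_random))
    suite = next(s for s in transcript[0][1] if s == "TOY-RSA-HMACSHA256")  # (2) server picks
    server_random = os.urandom(32)
    transcript.append(("ServerHello", suite, server_random, server_cert))
    if not verify_certificate(server_cert, trusted_cas, hostname):          # (3a)
        raise ValueError("certificate not trusted for " + hostname)
    premaster = int.from_bytes(os.urandom(4), "big")                        # (3b) 32-bit: below toy n
    transcript.append(("ClientKeyExchange", rsa_encrypt(server_cert["pubkey"], premaster)))
    c_enc, c_mac = derive_keys(premaster, client_random, server_random)
    client_finished = finished(c_mac, transcript)                           # (3c)
    s_premaster = rsa_decrypt(server_priv, transcript[2][1])                # (4a) needs private key
    s_enc, s_mac = derive_keys(s_premaster, client_random, server_random)
    if not hmac.compare_digest(client_finished, finished(s_mac, transcript)):
        raise ValueError("client Finished does not verify: the two sides hold different keys")
    transcript.append(("ClientFinished", client_finished))
    server_finished = finished(s_mac, transcript)                           # (4b)
    if not hmac.compare_digest(server_finished, finished(c_mac, transcript)):  # (5)
        raise ValueError("server Finished does not verify")
    return {"suite": suite, "client_keys": (c_enc, c_mac), "server_keys": (s_enc, s_mac)}

def demo(hostname="example.com"):
    """Toy CA issues a cert for the server, client and server handshake, one request is sent."""
    ca_pub, ca_priv = rsa_keygen(p=65521, q=65537)     # both prime; CA key for illustration
    srv_pub, srv_priv = rsa_keygen()
    cert = issue_certificate("ToyCA", ca_priv, hostname, srv_pub)
    trusted = {"ToyCA": ca_pub}                         # the browser's trust store
    session = handshake(hostname, cert, srv_priv, trusted)
    request = b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"
    record = seal(*session["client_keys"], request)     # symmetric keys protect the data
    return {"session": session, "cert": cert, "trusted": trusted, "server_priv": srv_priv,
            "record": record, "received": open_record(*session["server_keys"], record)}

if __name__ == "__main__":
    result = demo()
    print("negotiated", result["session"]["suite"], "; server read:", result["received"])
```

Running demo() walks through every step: the certificate check rejects a name that does not match or an issuer that is not in the trust store, and handshake() raises at step (4)(a)/(3)(c) when whoever presents the certificate cannot decrypt the secret with the matching private key, which is exactly what the Finished comparison is for. The record layer shows the symmetric and hash roles from section 3: the derived key encrypts the request, and the HMAC tag is verified before anything is decrypted.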

The contents of this article draw on http://www.guokr.com/post/114121/


The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.
