Original address: http://blog.csdn.net/clh604/article/details/22179907
Very well written; this is exactly the content I had always been looking for. After reading it I immediately understood HTTPS much better.
http://www.cnblogs.com/zhuqil/archive/2012/07/23/2604572.html
HTTPS encrypts traffic so that sensitive information is not exposed to third parties, which is why banks, webmail and other services with high security requirements use it.
About HTTPS
HTTPS is essentially two parts, HTTP plus SSL/TLS: a layer of encryption placed underneath the HTTP module. Everything the server and the client exchange passes through TLS, so the data on the wire is encrypted. How the encryption, decryption and verification actually work is described below.
1. The client initiates an HTTPS request
There is not much to say here: the user types an HTTPS URL into the browser, which opens a connection to port 443 on the server.
2. Server-side configuration
A server that speaks HTTPS must have a digital certificate, which it can either generate itself or obtain from a certificate authority (CA). The difference is that a self-signed certificate makes the browser show a warning that the user has to click through before access continues, while a certificate issued by a trusted CA produces no such prompt. (StartSSL, which the original recommended for a year of free service, has since been distrusted by the major browsers.) What the server holds is a key pair: the public key goes into the certificate, the private key stays on the server. If public and private keys are unfamiliar, think of a lock and its key. Only you hold the key, but you can hand out copies of the lock; anyone can use one to lock something important and send it to you, and because only you hold the key, only you can open it.
3. Sending the certificate
The certificate is essentially the server's public key packaged with additional information: which authority issued it, which hostname it was issued for, when it expires, and the issuer's signature over all of it.
4. The client parses the certificate
This work is done by the client's TLS implementation. It first checks that the certificate is valid: that it was issued by a trusted authority, that it has not expired, that it matches the site being visited, and so on. If anything is wrong, the browser pops up a warning that there is a problem with the certificate. If the certificate checks out, the client generates a random value and encrypts it with the public key from the certificate. In the analogy above, it locks the random value with the server's lock, so that nobody without the key can see it.
5. Sending the encrypted value
The client sends the random value encrypted under the certificate's public key. The purpose is to get this random value to the server; from then on the client and the server can use it to encrypt and decrypt their communication.
6. The server decrypts the value
The server decrypts the message with its private key and recovers the random value the client generated. This value becomes the session key, and the content is now protected with symmetric encryption under it. Symmetric encryption means the data and the key are mixed together by an algorithm so that nobody who does not know the key can recover the data. Only the client and the server know this key, so as long as the algorithm is strong and the key is long and unpredictable enough, the data is safe.
7. Sending encrypted content
The server encrypts its response with the session key and sends it; the client can reverse the process.
8. The client decrypts the content
The client decrypts the server's message with the session key it generated earlier and obtains the plaintext. A third party who intercepts the traffic at any point in this process learns nothing from it.
Location of SSL
SSL sits between the application layer and the TCP layer. Application-layer data is no longer handed directly to the transport layer; it goes to the SSL layer, which encrypts the data it receives from the application layer and prepends its own SSL record header.
RSA is expensive: generating a key pair means searching for large primes, every encryption or decryption is a modular exponentiation on numbers hundreds of digits long, and a large payload would have to be split into blocks no bigger than the modulus, all of which burns CPU cycles. An HTTPS connection therefore uses asymmetric cryptography only during the initial handshake, to agree on a symmetric key, and symmetric encryption for all the traffic that follows. (This page describes the RSA key-exchange form of that handshake. Modern TLS, and TLS 1.3 in particular, agrees on the key with an ephemeral Diffie-Hellman exchange and uses the certificate's key only to sign the handshake, so that a recorded session cannot be decrypted later by stealing the server's private key; the division of labour between asymmetric and symmetric cryptography is the same.)
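To put numbers on that cost, an added Go example (not from the original post) that times one RSA-2048 private-key operation against one AES-256-GCM encryption of a record the size of the RSA ciphertext; MeasureCosts and its iteration count are this example's own:

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"time"
)

// Costs is the measured time per operation for the two kinds of work a
// connection does: one RSA private-key operation (once, at the handshake) and
// one AES-GCM encryption of a record (for every record afterwards).
type Costs struct {
	RSADecrypt time.Duration
	AESSeal    time.Duration
}

// MeasureCosts times iters RSA-OAEP decryptions with a 2048-bit key against
// iters AES-256-GCM encryptions of a 256-byte record (the size of one RSA
// ciphertext), so the two figures are comparable per operation.
func MeasureCosts(iters int) (Costs, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return Costs{}, err
	}
	record := make([]byte, 256)
	if _, err := rand.Read(record); err != nil {
		return Costs{}, err
	}
	// One RSA ciphertext, decrypted iters times: the cost of the private-key
	// operation in a handshake, not of generating the key (done once above).
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, &priv.PublicKey, record[:32], nil)
	if err != nil {
		return Costs{}, err
	}
	start := time.Now()
	for i := 0; i < iters; i++ {
		if _, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ct, nil); err != nil {
			return Costs{}, err
		}
	}
	rsaPer := time.Since(start) / time.Duration(iters)

	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return Costs{}, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return Costs{}, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return Costs{}, err
	}
	nonce := make([]byte, aead.NonceSize())
	out := make([]byte, 0, len(record)+aead.Overhead())
	start = time.Now()
	for i := 0; i < iters; i++ {
		// A distinct nonce per record, as real traffic requires; reuse would break GCM.
		binary.BigEndian.PutUint64(nonce[4:], uint64(i))
		out = aead.Seal(out[:0], nonce, record, nil)
	}
	aesPer := time.Since(start) / time.Duration(iters)
	return Costs{RSADecrypt: rsaPer, AESSeal: aesPer}, nil
}

func main() {
	c, err := MeasureCosts(200)
	if err != nil {
		panic(err)
	}
	fmt.Printf("RSA-2048 decrypt: %v per op; AES-256-GCM seal of 256 B: %v per op; ratio %.0fx\n",
		c.RSADecrypt, c.AESSeal, float64(c.RSADecrypt)/float64(c.AESSeal))
}
```

On typical hardware the RSA operation costs on the order of a millisecond and the AES-GCM seal a microsecond or less. The absolute figures depend on the machine and on hardware AES support, but the gap is roughly three orders of magnitude either way, which is why doing the asymmetric step once per connection and the symmetric step per record is the only arrangement that scales.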
http://www.cnblogs.com/ttltry-air/archive/2012/08/20/2647898.html
Before any data is transferred, HTTPS requires a handshake between the client (the browser) and the server (the website); the handshake establishes the keying material both sides use to encrypt the data that follows. TLS/SSL is not just an encrypted transport protocol but a carefully engineered combination of asymmetric encryption, symmetric encryption and hash algorithms. The handshake proceeds as follows:
1. The browser sends the website the set of cipher suites it supports.
2. The website picks an encryption algorithm and a hash algorithm from that set and sends its identity back to the browser in the form of a certificate. The certificate contains the website's address, its public key, the issuing authority and related information.
3. After receiving the certificate, the browser does the following:
a) Validates the certificate: the issuing authority is trusted, the address in the certificate matches the address being visited, and so on. If the certificate is trusted, the address bar shows a padlock; otherwise the browser warns that the certificate is not trusted.
b) If the certificate is trusted, or the user chooses to accept an untrusted one, the browser generates a random secret and encrypts it with the public key from the certificate.
c) Computes a hash of the handshake messages so far with the agreed hash algorithm, encrypts that hash with the random secret, and sends everything it has generated to the website.
4. After receiving the browser's data, the website does the following:
a) Decrypts the random secret with its private key, uses the secret to decrypt the browser's handshake message, and checks that the hash matches its own.
b) Encrypts a handshake message with the secret and sends it to the browser.
5. The browser decrypts the website's handshake message and computes its hash; if it matches the hash the server sent, the handshake is complete. All subsequent traffic is encrypted with the random secret the browser generated, using the symmetric algorithm chosen in step 2.
The encrypted handshake messages exchanged here, and the checks on them, confirm that both sides hold the same key and can encrypt and decrypt correctly: a test run before any real data is transmitted. The encryption and hash algorithms HTTPS has commonly used are:
Asymmetric encryption algorithms: RSA, DSA/DSS
Symmetric encryption algorithms: AES, RC4, 3DES
Hash algorithms: MD5, SHA-1, SHA-256
Of these, RC4, 3DES, MD5 and SHA-1 are no longer considered secure and have been removed from current TLS configurations; a deployment today should negotiate AES with SHA-256 or stronger.
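The handshake above, run end to end, as an added example in Go using the standard crypto/tls and crypto/x509 packages (example code written for this page, not the original post's): MakeSelfSignedCert plays both the certificate authority and the website, VerifyCert performs the browser's step 3a checks in isolation, and Handshake runs a real client and server over an in-memory pipe, so the message exchange of steps 1 to 5 happens inside one process with no network. The hostname bank.example, the function names and the echoed request are this example's own assumptions.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// MakeSelfSignedCert builds a self-signed certificate for dnsName, standing in for
// the one a CA would issue to the site (step 2). Only the DER bytes go on the wire.
func MakeSelfSignedCert(dnsName string) (tls.Certificate, *x509.Certificate, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: dnsName},
		DNSNames:              []string{dnsName}, // the "website address" the browser compares
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true, // self-signed: it is its own issuing authority
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv, Leaf: leaf}, leaf, nil
}

// VerifyCert is step 3a on its own: is the issuer in the trust store, is the
// certificate inside its validity period, and does it name the host we asked for?
func VerifyCert(leaf *x509.Certificate, roots *x509.CertPool, host string, now time.Time) error {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host, CurrentTime: now})
	return err
}

// Handshake runs a TLS client and server over an in-memory pipe. The client trusts
// only roots and checks the certificate against serverName; after the handshake it
// sends msg and returns the server's echo plus the negotiated cipher suite.
func Handshake(cert tls.Certificate, roots *x509.CertPool, serverName, msg string) (echo, suite string, err error) {
	c, s := net.Pipe()
	defer func() { c.Close(); s.Close() }()
	deadline := time.Now().Add(10 * time.Second) // net.Pipe is unbuffered: a failed handshake errors out instead of hanging
	c.SetDeadline(deadline)
	s.SetDeadline(deadline)
	srv := tls.Server(s, &tls.Config{
		Certificates:           []tls.Certificate{cert},
		SessionTicketsDisabled: true, // a post-handshake ticket would block the unbuffered pipe
	})
	cli := tls.Client(c, &tls.Config{RootCAs: roots, ServerName: serverName, MinVersion: tls.VersionTLS12})
	done := make(chan error, 1)
	go func() { // server side: finish the handshake, then echo one record
		buf := make([]byte, 512)
		n, err := 0, srv.Handshake()
		if err == nil {
			n, err = srv.Read(buf)
		}
		if err == nil {
			_, err = srv.Write(buf[:n])
		}
		done <- err
	}()
	if err = cli.Handshake(); err != nil {
		return "", "", err // untrusted issuer, expiry or name mismatch: step 3a failed
	}
	if _, err = cli.Write([]byte(msg)); err != nil {
		return "", "", err
	}
	buf := make([]byte, 512)
	n, err := cli.Read(buf)
	if err != nil {
		return "", "", err
	}
	if err = <-done; err != nil {
		return "", "", err
	}
	return string(buf[:n]), tls.CipherSuiteName(cli.ConnectionState().CipherSuite), nil
}

func main() {
	cert, leaf, err := MakeSelfSignedCert("bank.example")
	if err != nil {
		panic(err)
	}
	roots := x509.NewCertPool()
	roots.AddCert(leaf)
	fmt.Println("wrong host:", VerifyCert(leaf, roots, "evil.example", time.Now()))
	fmt.Println(Handshake(cert, roots, "bank.example", "GET / HTTP/1.1"))
}
```

VerifyCert with a different hostname, a later CurrentTime, or an empty root pool fails with a name-mismatch, expiry or unknown-authority error respectively: the three conditions behind the browser's warning page, and the same checks the client applies inside Handshake. The cipher suite Handshake returns (one of the TLS 1.3 AEAD suites under current Go defaults) is the symmetric algorithm and hash of step 2. Step 3b's RSA-encrypted secret does not appear on the wire in this run, because Go negotiates TLS 1.3, which derives the key from an ephemeral Diffie-Hellman exchange and uses the certificate's key only to sign the handshake.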
Summary:
The server generates an RSA key pair.
It puts the public key in a certificate and sends that to the client; the private key stays on the server.
The client first checks the certificate's validity against a trusted authority. If the certificate is valid, the client generates a random number that will serve as the key for the rest of the communication (the symmetric key), encrypts it with the public key and sends it to the server.
The server decrypts the symmetric key with its private key, and from then on both sides use the symmetric key to encrypt and decrypt their traffic.
HTTPS principles: certificate delivery, validation, and the data encryption and decryption process