HTTPS provides secure web communication

Source: Internet
Author: User
Tags: asymmetric encryption


1. Principles

1) Understanding encryption algorithms

Encryption algorithms fall into two classes: symmetric encryption and asymmetric encryption.

a. Symmetric encryption: encryption and decryption use the same key. Its advantage is speed; its disadvantage is that the key is difficult to share securely. Typical symmetric algorithms include DES, AES, RC5 and 3DES.

b. Asymmetric encryption: a key pair (public key and private key) is generated. Data encrypted with the private key is decrypted with the public key, and data encrypted with the public key is decrypted with the private key. In the usual arrangement the server keeps the private key and shares the public key with its clients. Neither half of the key pair can be derived from the other, which is what keeps the key secure. The disadvantage is that asymmetric encryption is very slow and unsuitable for large amounts of data. Typical asymmetric algorithms include RSA and DSA.

How to choose an encryption algorithm? With symmetric encryption alone, the key-sharing (transmission) step is insecure. With asymmetric encryption alone, encryption is slow. The combined solution: a symmetric key encrypts the data, and asymmetric encryption protects that symmetric key. This gives fast and secure data encryption and ensures data privacy.

2) Certificate server: CA

The scheme above still has a problem: how does the client confirm that the public key it received really was shared (transmitted) by the owner of the key pair? The answer is certificate authentication, which a CA (certificate authority) server provides. The certificate authentication process:

a. The server generates a key pair (public and private key) and a certificate request.
b. The CA server issues the root certificate.
c. The server obtains the root certificate and shares it with the client; the client imports the root certificate.
d. During communication, the client verifies the validity of the server's public key against the root certificate.

Certificate servers are either public certificate servers (such as those run by Microsoft and Google) or private certificate servers built by an enterprise (for example with OpenSSL). The certificate authentication service also addresses the problems of data inconsistency and repudiation.

3) Digital signature: HASH

The scheme above still has a problem: it cannot judge whether data was tampered with in transit (its integrity). Typical hash algorithms: MD5, SHA1, SHA256 and SHA512. The server computes the hash of the data to be transmitted and publishes it together with the data. After the data reaches the client, the client computes the hash with the same algorithm; if it matches the digest published by the server, the data has not been tampered with, and otherwise it has. This ensures data integrity.

4) How HTTPS works

HTTPS (Hypertext Transfer Protocol over Secure Socket Layer) is HTTP with SSL added; the default port is 443. SSL (Secure Socket Layer) was designed by Netscape mainly for secure transmission. The HTTPS communication process:

a. The client requests an HTTPS link (a URL beginning with https://). The server returns its certificate to the client; the certificate carries the public key, the certificate authority, and the set of supported encryption and hash algorithms.
b. After receiving the certificate, the client verifies its validity, generates a random password (the key for the negotiated symmetric algorithm) and encrypts it with the public key; it also computes the hash of the handshake messages with the agreed hash algorithm and encrypts that hash with the random password.
c. The client sends the random password encrypted with the public key, and the hash (digital signature) encrypted with the random password, to the server.
d. The server (website) decrypts the random password with its private key, uses the random password to decrypt the digital signature, and verifies the integrity of the handshake messages against it. It then encrypts its own handshake message with the random password and sends it to the client (browser).
e. The browser decrypts the handshake message and computes its hash to confirm integrity. All subsequent communication is encrypted with the random password using the symmetric algorithm.
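An added example for section 1) above, not code from the original page: the combined scheme in Go using only the standard library. The server's RSA key pair (generated on the fly here, which is an assumption for the example) wraps a random AES-256 key with RSA-OAEP, and AES-GCM encrypts the bulk data under that key. Function names, the Envelope type and the sample payload are constructed for this example; GCM is used rather than a bare block mode so that tampering with the ciphertext is detected on decryption.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Envelope is what the client sends: the AES key wrapped under the server's
// RSA public key, plus the AES-GCM nonce and the ciphertext of the bulk data.
type Envelope struct {
	WrappedKey []byte
	Nonce      []byte
	Ciphertext []byte
}

// NewServerKey generates the server's long-lived RSA key pair (assumed here
// to be created on the fly). Only the public half is ever shared with clients.
func NewServerKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// HybridEncrypt is the client side: draw a fresh random 256-bit AES key,
// encrypt the bulk data with AES-GCM (fast, and authenticated), and protect
// only the 32-byte AES key with RSA-OAEP (slow, but the input is tiny).
func HybridEncrypt(serverPub *rsa.PublicKey, plaintext []byte) (*Envelope, error) {
	aesKey := make([]byte, 32)
	if _, err := rand.Read(aesKey); err != nil {
		return nil, err
	}
	gcm, err := newGCM(aesKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // must never repeat under the same key
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, serverPub, aesKey, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{
		WrappedKey: wrapped,
		Nonce:      nonce,
		Ciphertext: gcm.Seal(nil, nonce, plaintext, nil),
	}, nil
}

// HybridDecrypt is the server side: unwrap the AES key with the private key,
// then decrypt the bulk data. GCM also authenticates the ciphertext, so any
// modification in transit is reported as an error instead of returning garbage.
func HybridDecrypt(serverPriv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	aesKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, serverPriv, env.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("unwrap symmetric key: %w", err)
	}
	gcm, err := newGCM(aesKey)
	if err != nil {
		return nil, err
	}
	pt, err := gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
	if err != nil {
		return nil, fmt.Errorf("decrypt data: %w", err)
	}
	return pt, nil
}

// newGCM builds the AES-GCM AEAD for a 16/24/32-byte key.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	serverKey, err := NewServerKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample payload; in HTTPS this would be the application data.
	msg := []byte("order=1234&amount=42.00")
	env, err := HybridEncrypt(&serverKey.PublicKey, msg)
	if err != nil {
		panic(err)
	}
	fmt.Printf("wrapped key: %d bytes, ciphertext: %d bytes\n", len(env.WrappedKey), len(env.Ciphertext))
	pt, err := HybridDecrypt(serverKey, env)
	fmt.Printf("server recovered: %q (err=%v)\n", pt, err)

	env.Ciphertext[0] ^= 0x01 // simulate one flipped bit in transit
	_, err = HybridDecrypt(serverKey, env)
	fmt.Println("after tampering:", err)
}
```

The wrapped key is always 256 bytes (the size of the 2048-bit modulus) regardless of how large the data is, which is the whole point of the split: the expensive RSA operation runs once over 32 bytes, and the cheap AES operation covers the payload.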
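An added example for section 3) above, not code from the original page: the bare hash check the text describes beside an actual digital signature (RSA PKCS#1 v1.5 over SHA-256), both in Go's standard library. The key is generated on the fly, and the function names and the sample strings are constructed for this example. It goes one step beyond the text: it shows why the published hash alone only catches accidental corruption, while the signature also catches a message that was replaced together with its hash.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// NewSigningKey generates the server's RSA key pair (assumed here to be made
// on the fly); the private half signs, the public half verifies.
func NewSigningKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// Digest is the SHA-256 hash the server publishes alongside the data.
func Digest(data []byte) [32]byte {
	return sha256.Sum256(data)
}

// HashMatches is the bare integrity check described in the text: recompute the
// digest over the received data and compare it with the published one.
func HashMatches(data []byte, published [32]byte) bool {
	return Digest(data) == published
}

// Sign turns the digest into a digital signature: the server hashes the data
// and signs the digest with its private key (RSA PKCS#1 v1.5 over SHA-256).
func Sign(priv *rsa.PrivateKey, data []byte) ([]byte, error) {
	digest := Digest(data)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
}

// Verify is the client side: recompute the digest and check the signature
// with the server's public key. Altered data or a forged signature fails here.
func Verify(pub *rsa.PublicKey, data, sig []byte) bool {
	digest := Digest(data)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}

func main() {
	key, err := NewSigningKey()
	if err != nil {
		panic(err)
	}
	original := []byte("transfer 100 to account A") // constructed sample data
	published := Digest(original)
	sig, err := Sign(key, original)
	if err != nil {
		panic(err)
	}
	report := func(label string, data []byte, digest [32]byte) {
		fmt.Printf("%-11s hash matches=%-5v signature valid=%v\n",
			label, HashMatches(data, digest), Verify(&key.PublicKey, data, sig))
	}
	report("untouched:", original, published)

	// A bit flipped in transit: both checks fail, as the text describes.
	flipped := append([]byte(nil), original...)
	flipped[0] ^= 0x01
	report("bit flip:", flipped, published)

	// Data replaced together with a freshly computed digest: the bare hash
	// matches again, but the signature does not, because a valid signature
	// over the new data would need the server's private key.
	replaced := []byte("transfer 100 to account B")
	report("replaced:", replaced, Digest(replaced))
}
```

This is why HTTPS ties the hash to a key: the digest over the handshake is protected with the negotiated random password in the text's scheme, and the certificate itself is a CA signature over the server's public key, so a verifier needs more than the ability to recompute SHA-256.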
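An added example for sections 2) and 4) above, not code from the original page: a private CA (the OpenSSL-style case in the text) is stood up in Go's standard library, it issues a certificate for the server, and a TLS handshake then runs over loopback with the client checking that certificate against the root it imported. The CA name, the host name www.example.test, and the function names are constructed for this example. The same handshake is run once with the root imported and once without, so the two outcomes the text describes can be seen side by side.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newCert issues an X.509 certificate for subject: self-signed when parent is
// nil (the private CA's root), otherwise signed by the parent's key (a server cert).
func newCert(subject string, isCA bool, parent *x509.Certificate, parentKey *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: subject},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{subject} // the host name the client will check
	}
	signer, signerKey := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// BuildPKI stands up a private CA and has it issue a certificate for host.
func BuildPKI(host string) (*x509.Certificate, tls.Certificate, error) {
	caCert, caKey, err := newCert("Example Private Root CA", true, nil, nil)
	if err != nil {
		return nil, tls.Certificate{}, err
	}
	leaf, leafKey, err := newCert(host, false, caCert, caKey)
	if err != nil {
		return nil, tls.Certificate{}, err
	}
	return caCert, tls.Certificate{Certificate: [][]byte{leaf.Raw}, PrivateKey: leafKey}, nil
}

// PoolWith builds the client's trust store from the root certificates it imported.
func PoolWith(roots ...*x509.Certificate) *x509.CertPool {
	pool := x509.NewCertPool()
	for _, c := range roots {
		pool.AddCert(c)
	}
	return pool
}

// Handshake runs one HTTPS-style handshake over loopback: the server presents
// its certificate, the client verifies it against its roots and the host name,
// and the negotiated cipher suite (the symmetric algorithm) is returned.
func Handshake(server tls.Certificate, roots *x509.CertPool, serverName string) (string, error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{server}})
	if err != nil {
		return "", err
	}
	defer ln.Close()
	go func() { // server side of the handshake
		if c, err := ln.Accept(); err == nil {
			c.(*tls.Conn).Handshake()
			c.Close()
		}
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{RootCAs: roots, ServerName: serverName})
	if err != nil {
		return "", err // unknown CA, name mismatch or expiry: the client refuses
	}
	defer conn.Close()
	return tls.CipherSuiteName(conn.ConnectionState().CipherSuite), nil
}

func main() {
	ca, srv, err := BuildPKI("www.example.test")
	if err != nil {
		panic(err)
	}
	fmt.Println(Handshake(srv, PoolWith(ca), "www.example.test")) // root imported
	fmt.Println(Handshake(srv, PoolWith(), "www.example.test"))   // root not imported
}
```

With the root imported the first call returns a suite name such as TLS_AES_128_GCM_SHA256 and a nil error; without it the client refuses before any application data is sent. Passing a ServerName the certificate does not cover fails the same way, which is the check that stops a valid certificate for one site from being presented for another.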