HTTPS requires a handshake between the client (browser) and the server (Web site) before transmitting the data, which establishes the password information for both parties to encrypt the transmitted data during the handshake. TLS/SSL protocol is not only a set of encrypted transmission protocols, but also an artist-designed artwork, TLS/SSL using asymmetric encryption, symmetric encryption and hash algorithm. A brief description of the handshake process is as follows:
1. The browser sends a set of encryption rules that it supports to the Web site.
2. The website selects a set of cryptographic algorithms and hash algorithms, and sends its own identity information back to the browser in the form of a certificate. The certificate contains information such as the website address, the encrypted public key, and the issuing authority of the certificate.
3. After obtaining the website certificate, the browser will do the following tasks:
A) Verify the legality of the certificate (the issuing authority is legal, the certificate contains the address of the website is consistent with the address being accessed, etc.), if the certificate is trusted, the browser bar will display a small lock, otherwise the certificate is not trusted to prompt.
b) If the certificate is trusted, or if the user accepts an untrusted certificate, the browser generates a random number of passwords and encrypts them with the public key provided in the certificate.
c) Use the agreed hash to calculate the handshake message, encrypt the message with the generated random number, and then send all previously generated information to the Web site.
4. After the Web site receives the data from the browser, do the following:
A) Use your own private key to decrypt the information to remove the password, use the password to decrypt the browser's handshake message, and verify that the hash is consistent with the browser.
b) Encrypt a handshake message with a password and send it to the browser.
5. The browser decrypts and calculates the hash of the handshake message, if it is consistent with the hash of the server, at which point the handshake process ends, and all the communication data will be encrypted by the random password generated by the previous browser and using the symmetric encryption algorithm.
Here the browser and the Web site to send encrypted handshake message and verify, the purpose is to ensure that both sides have obtained a consistent password, and can be normal encryption and decryption of data, for the subsequent transmission of real data to do a test. In addition, HTTPS generally uses the encryption and hashing algorithm as follows:
Asymmetric Encryption algorithm: RSA,DSA/DSS
Symmetric encryption algorithm: Aes,rc4,3des
Hash algorithm: md5,sha1,sha256
The asymmetric encryption algorithm is used to encrypt the generated password during the handshake, and the symmetric encryption algorithm is used to encrypt the data that is actually transmitted, while the hash algorithm is used to verify the integrity of the data. Because the password generated by the browser is the key to the entire data encryption, the asymmetric encryption algorithm is used to encrypt it at the time of transmission. Asymmetric encryption algorithms generate public and private keys, the public key can only be used to encrypt data, so can be transferred at will, and the Web site's private key is used to decrypt the data, so the site will be very careful to keep their private keys to prevent leakage.
Reproduced How HTTPS works