backgroundrecently based on interest in learning the next HTTPS-related knowledge, in this record learning experience. in the process of accessing information on the Internet, we have access to the most information encrypted transmission way is also HTTPS. Whenever a site is visited, a green icon appears in the address bar of the browser, which means that the site supports the HTTPS message transfer method. We know that HTTPS is a hybrid of our common HTTP protocol with a cryptographic protocol, which is http+s. This S can be either TLS (Secure Transport Layer protocol) or SSL (Secure Sockets Layer), but I would agree with another abstract generalization, http+security. But to talk about why HTTPS is safe, you have to start with HTTP for security reasons. Suppose you are sitting in the classroom now, and now you very much want to talk to the charming TA beside the aisle, generally this time you will use "pass the note" way to communicate. This approach is similar to the basic operating mode of the TCP/IP protocol:
- Draw attention to each other through petty gestures;
- The other person responds to you in a variety of possible ways (gaze, body language, etc.);
- You confirm that the other person perceives you and pass the note on to each other;
- The other reads the note;
- The other person gives you a response after reading;
How is this process familiar? if you want to pass the note TA distance you very far what to do? HTTP protocol refers to the note that you want to pass to the TA is who, or TA's seat, and then only the way to the students to get the note after the note according to the instructions in turn the note passed on the OK. this time the problem comes: the way the students can fully watch and know what you wrote on the note. This is one of the problems that the HTTP transport faces: A man-in-the-middle attack, in which an attacker on a delivery path can sniff or eavesdrop on the contents of the transmitted data. EncryptHTTPS addresses this issue by using the "encryption" approach. The most famous original encryption method is symmetric encryption algorithm, is the two sides agreed to a code, with what letter to replace what letter. A symmetric algorithm called AES (Advanced Encryption algorithm) is now generally used. symmetric encryption algorithms both encrypt and decrypt keys that need to be used are the same. AES Mathematically guarantees that if you use a key long enough, the hack is almost impossible (unless the photon computer is created)Let's assume that without the key key , the cipher can not be cracked, and then go back to the classroom. You will use the content of the AES encrypted miso to write on the note, is about to spread out when you suddenly thought, TA no key How to decrypt the content ah, or, how should I give ta? If the key is also written on the note, then the middleman can still crack the content of the eavesdropping note. Perhaps in the real world you have other ways to put key through some kind of safe channel to TA's hand, but the Internet is more difficult to achieve, after all, the data must go through those routes. so the intelligent man invented another encryption algorithm--Asymmetric encryption algorithm. This encryption algorithm generates two keys (Key1 and Key2). Generally key1 encrypted data, key1 itself can not be decrypted, need to key2 to decrypt; everything key2 encrypted data, Key2 itself can not be decrypted, only key1 can decrypt.
At present, this algorithm has many, the most commonly used is RSA. The mathematical principle is that the product of two large primes is easy to calculate, but it is complex to use this product to figure out which two primes are multiplied. Fortunately, with the current technology, it is difficult to decompose large numbers, especially when the large number is large enough (usually 2 of the 10 bits), even if it is a supercomputer, decryption takes a very long time.
This asymmetric encryption method is now used in our classroom to pass the note in the scene.
- You use RSA technology to generate a pair of keys K1 and K2 before you write the note content.
- You put the K1 with the Ming Interfax out, the road may be intercepted, but no use, K1 encrypted data need K2 to be able to crack, and K2 in your own hands.
- K1 to the target, the target person will prepare a transfer key to be used for symmetric encryption (AES) key, and then use the received K1 to encrypt the key, pass it to you.
- You use the K2 of the hand to solve key, the whole classroom only you and your target people have this symmetric encryption key, you two can chat not afraid of eavesdropping ~
you might have a problem here, why not encrypt the information directly with asymmetric encryption, but encrypt the AES key?
Because the average time spent on asymmetric encryption and decryption is longer, in order to save time and improve efficiency, we usually just use it to exchange keys instead of transmitting data directly. but is it really possible to use asymmetric encryption to protect against man-in-the-middle attacks?
It looks safe, but in fact it's not in the way of a nasty man-in-the-middle attack. Suppose you are a, your destination is B, and now you want to approach a malicious classmate M. The bad thing about a middleman is that it pretends to be your goal.
- When you want to complete the first key exchange with B, M buckles the note, pretends to be B and forges a key, and then encrypts the key back to you with the K1 you sent.
- You thought you and B completed the key exchange, and actually you were and M completed the key exchange.
- Colleague M and B complete a key exchange, let B think and A you complete the key exchange.
- Now that the overall encryption process becomes a (encrypted link 1)->m (plaintext)->b (encrypted link 2), then M can still know all the messages of a and B transmissions.
this time is to reflect the difference between HTTPS and the note. In the classroom, you communicate with an object that is almost equal to you, and when you visit a website, the other person is often a large (or well-known) service person who has plenty of resources, and perhaps they can prove their legitimacy to you. at this point we need to introduce a very authoritative third party, an organization dedicated to authenticating the legality of the website, which can be called CA (Certificate Authority). Each website provider can request a certificate from a CA that allows them to bring a CA signature when establishing a secure connection. CA security is verified by the operating system or browser. your Windows, Mac, Linux, Chrome, Safari, etc. will be installed with a list of CA certificates that they consider safe, and only the websites with which you establish a secure connection have the signatures of those CAs, and the operating system and browser will consider the link to be secure. Otherwise, there may be a man-in-the-middle attack. once a CA-issued certificate is used in an illegal way, all certificates previously issued by the CA are considered unsafe, which allows all CAs to be very careful when issuing certificates, so CA certificates are generally trustworthy.
SummaryThe addition of an S (Security) technology behind HTTP is a hybrid of three technologies, symmetric encryption + Asymmetric encryption + CA authentication. Of course, this is basically the basic principle of HTTPS, the actual HTTPS protocol is more complicated than the above description, and any one of the steps, the entire process will not be safe. This is why the HTTPS protocol upgrade from SSL 1.0 to SSL 3.0, and then TLS 1.0 is now replaced by TLS 1.3, which is behind the details of the optimization, in case there are any mistakes. The TLS protocol increases the security of the transport layer over the SSL protocol. Transfer from http://bugly.qq.com/bbs/forum.php?mod=viewthread&tid=1074 |
