1. Introduction to HTTPS
HTTPS (full name: Hypertext Transfer Protocol over Secure Socket Layer) is a secure HTTP channel, in short, a secure version of HTTP. HTTPS is HTTP in an SSL shell. HTTPS is not a protocol at the application layer, but the HTTP communication interface is replaced by SSL and TSL protocols.
1.1 HTTP data transfer
The browser first sends an HTTPS operation request, and then the server returns the HTTPS certificate. If the client verifies that the certificate is invalid, an alarm will be prompted. When the certificate is valid, a random number will be generated locally, the random number will be encrypted by the public key , and then the encrypted random number will be transmitted to the server, and the server will decrypt the transmitted random number through the private key. The incoming random number constructs a symmetric encryption algorithm to encrypt and transmit the content of the returned result.
1.2 The role of HTTP
- Content encryption: establish an information security channel to ensure the security of data transmission;
- Authentication: Confirming the authenticity of a website
- Data integrity: prevent content from being impersonated or tampered with by third parties
2. the difference between HTTP and HTTPS
- HTTP URLs start with "http://" and use port 80 by default, while HTTPS URLs start with "https://" and use port 443 by default.
- The HTTP protocol needs to apply for a certificate from the CA
- HTTP is a hypertext transfer protocol, and information is transmitted in clear text; HTTPS is a secure ssl encrypted transfer protocol.
- The HTTP connection is very simple and stateless; the HTTPS protocol is a network protocol constructed by the SSL/TSL+HTTP protocol that can perform encrypted transmission and identity authentication, and is more secure than the HTTP protocol.
- HTTPS encrypts and decrypts data, making it slower than HTTP
- HTTPS requires asymmetric encryption and decryption, and requires a three-way handshake.
3. Symmetric encryption and asymmetric encryption
3.1 Symmetric encryption
There is only one key, encryption and decryption are the same password, and the encryption and decryption speed is fast. Typical symmetric encryption algorithms include DES, AES, etc.;
3.2 Asymmetric encryption
The keys appear in pairs (and the private key cannot be deduced from the public key, and the public key cannot be deduced from the private key), and different keys are used for encryption and decryption (public key encryption requires private key decryption, and private key encryption requires public key decryption). Symmetric encryption is slow, and typical asymmetric encryption algorithms include RSA, DSA, etc.
Encrypted transmission of files using public keys: First, the sender encrypts the message using the receiver's public key and a public encryption algorithm, and transmits the message to the receiver through the network, and then the receiver decrypts the message with the receiver's private key to get its original plaintext.
4. SSL and TSL
All devices connected to the Internet have a common point, and they rely on the Secure Sockets Layer (SSL) and Transport Layer Security (TSL) protocols to protect the information in transit. Both SSL and TSL are cryptographic protocols designed to provide secure communications over insecure infrastructure.
4.1 SSL (Secure Sockets Layer , Secure Sockets Layer)
SSL is a standard security technology used to establish encrypted connections between servers and clients. SSL provides data encryption, server authentication, message integrity, and client-selected client authentication for TCP/IP connections.
The main purpose of SSL is to provide privacy and reliability between two communication applications and it consists of 3 elements.
- The handshake protocol, responsible for negotiating the encryption parameters used for the session between the client and the server. When an SSL client and server first start communicating, they agree on a protocol version, choose an encryption algorithm, choose mutual authentication, and use public key techniques to generate a shared key.
- Record protocol for exchanging application layer data. Application messages are split into manageable chunks, compressed and MAC (message authentication codes) applied, and the result encrypted and transmitted. The receiver receives the data and decrypts it, verifies the MAC, decompresses and reassembles it, and submits the result to the application protocol.
- A warning protocol to indicate when an error has occurred or when a session between two hosts is terminated.
4.2 TLS (Transport Layer Security)
Based on the success of SSL, the IETF defined a new protocol called TSL. It is built on the basis of SSL3.0 Western Medicine Specification, a standard protocol for transport layer security. However, there are significant differences between SSL and TSL, mainly in the encryption algorithms they support,
Advantages of TLS
- Use keyed hashing for message authentication: TLS uses a "keyed hashing of message authentication code" HMAC, which ensures that records cannot be altered when they are transmitted over an open network. SSL v3.0 also provides Keyed message authentication, but HMAC is more secure than the (Message Authentication Code) MAC feature used by SSL v3.0.
- Enhanced Pseudo-Random Function (PRF): PRF generates key data. In TLS, HMAC defines PRF. PRF uses two hashing algorithms to ensure its security. If either algorithm is exposed, the data is still safe as long as the second algorithm is not exposed.
- Improved Completed Message Verification: Both TLS and SSLv3.0 provide Completed messages to both endpoints, which certify that the exchanged messages have not been altered. However, TLS bases this completed message on top of the PRF and HMAC values, which is also more secure than SSLv3.0.
- Consistent certificate handling: Unlike SSLv3.0, TLS attempts to specify the types of certificates that must be exchanged between TLS.
- Specific Alert Messages: TLS provides more specific and additional alerts to indicate problems detected by either session endpoint. TLS also records when certain alerts should be sent.