This article will take you through the problems of HTTP and introduce how HTTPS ensures security. It has certain reference value. Friends in need can refer to it. I hope it will be helpful to everyone.
Problems with HTTP
1, Eavesdropping risk: Communication use Plain text (not encrypted), the content may be eavesdropped (a third party may learn the communication content)
2, Risk of impersonation: The identity of the communicating party is not verified, so there is a possibility of encountering disguise
3, Tampering risk: The integrity of the message cannot be proven, so it may have been tampered
HTTPS
You can see HTTPS websites, and a lock mark will appear in the address bar of the browser.
HTTPS is not a new protocol for the application layer. Usually HTTP communicates directly with TCP, while HTTPS first communicates with the security layer (SSL/TLS), and then the security layer communicates with the TCP layer.
The SSL/TLS protocol was born to solve the problems of HTTP mentioned above. Let’s take a look at how it is solved. :
1. All information is encrypted and transmitted, and third parties cannot eavesdrop.
2. Equipped with identity verification to prevent identity impersonation
3. Has a verification mechanism , once tampered with, both communicating parties will immediately discover it
Encryption
##Symmetric encryption
Encryption The method of using the same secret key for decryption is called shared key encryption, also called symmetric key encryption.
client_random and a series of encryption methods
server_randomand encryption method
, server_random
and encryption methodUse the encryption method to mix the two random numbers
client_random
and server_random
to generate a secret key. This key is the password for communication between the browser and the server. Existing problems: The third party can obtain
, server_random
and the encryption method in the middle. Since this encryption method can be decrypted at the same time, the middleman can successfully decipher the password. By decrypting and obtaining the data, it is easy to crack this encryption method.
##The browser sends a series of encryption methods to the server
The data transmission phase still uses symmetric encryption, but we use non-symmetric encryption keys. Symmetrically encrypted transmission.
The browser sends client_random and a list of encryption methods to the server.
So far, the server and browser have the same client_random
, server_random
and pre_master
, and then the server and browser The server will use these three sets of random numbers to generate a symmetric secret key. With the symmetric secret key, both parties can use symmetric encryption to transmit data.
CA (digital certificate)
uses a symmetric and asymmetric hybrid method to achieve encrypted transmission of data. But there is still a problem, the server may be impersonated by hackers. In this way, the browser accesses the hacker's server, and the hacker can implement the public key and private key on his own server. However, the browser does not fully know that the hacker's site is being visited.
The server needs to prove its identity and needs to use a certificate issued by an authoritative organization. This authoritative organization is the CA (Certificate Authority). The issued certificate is called a digital certificate (Digital Certificate).
For the browser, the digital certificate has two functions:
Prove the identity of the server to the browser through the digital certificate
The digital certificate contains the server public key
Let’s take a look at the HTTPS request process containing the digital certificate
Compared to the HTTPS request process without digital certificates, the following two main changes have been made
The server does not directly return the public key to the browser, but returns the number Certificate, and the public key is included in the digital certificate;
There is an additional certificate verification operation on the browser side. After the certificate is verified, the subsequent process continues.
Reference
How to explain asymmetry in easy-to-understand terms Encryption?
(1.6w words) The soul of the browser Ask, how many can you pick up?
Recommended tutorial: Web server security
The above is the detailed content of How does HTTPS ensure security? (detailed explanation). For more information, please follow other related articles on the PHP Chinese website!