
Https essentials_html/css_WEB-ITnose

WBOY (original)
2016-06-24 11:40:32

  • The difference between HTTP and HTTPS
  • 1. HTTPS requires the server to obtain a certificate from a certificate authority (CA); HTTP does not.

    2. HTTP is the Hypertext Transfer Protocol and carries everything in clear text. HTTPS is the same protocol carried inside an SSL/TLS session, so the traffic is encrypted in transit.

    3. HTTP and HTTPS set up their connections differently and use different ports: the default port for HTTP is 80, for HTTPS it is 443.

    4. An HTTP connection is simple and stateless. HTTPS layers HTTP over SSL/TLS, which adds encrypted transport and authentication of the server (and optionally of the client), so it is more secure than plain HTTP.

  • SSL key points
  • 1. The SSL protocol sits between TCP/IP and the application-layer protocols and provides security services for their data communication.

    2. The SSL protocol is divided into two layers: the SSL record protocol and the SSL handshake protocol.

    The SSL record protocol is built on a reliable transport protocol (such as TCP) and provides the higher-level protocols with basic services: framing the data into records, compression, and encryption plus integrity protection.

    The SSL handshake protocol runs on top of the record protocol. Before any application data is sent, the two parties use it to authenticate each other, negotiate the encryption algorithms, and exchange the key material.

    3. The main services provided by the SSL protocol are:

    1) Authentication of the server and, optionally, the user, so that data is sent to the intended client and server.

    2) Encryption of the data, so that it cannot be read while in transit.

    3) Integrity protection of the data, so that any modification during transmission is detected.

    4. Workflow of the SSL protocol

    Server authentication phase:

    1) The client sends a "hello" message to the server to start a new session.

    2) The server decides from the client's information whether a new master key has to be generated. If so, the server includes the information required to generate it in its reply to the client's "hello".

    3) The client generates a master key from the server's reply, encrypts it with the server's public key, and sends it to the server.

    4) The server decrypts the master key and returns information authenticated with it, which lets the client verify that the server holds the private key and so authenticate the server.

    User authentication phase:

    The server, once authenticated, sends a challenge to the client. The client returns the challenge digitally signed, together with its own certificate (carrying its public key), and thereby authenticates itself to the server.
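The record protocol of item 2 is what a network sensor or a TLS-terminating proxy sees first: every handshake message, alert and chunk of application data is wrapped in a 5-byte record header (content type, legacy version, length). As an added example, not code from the original article, here is a small Go parser for that framing. The input is constructed by SampleClientHello (a TLS 1.2 ClientHello record followed by a ChangeCipherSpec record), not a capture; the constants come from RFC 5246.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// Record-layer content types and the handshake message types that the
// handshake steps correspond to (RFC 5246 sections 6.2.1 and 7.4).
var contentTypes = map[byte]string{20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
var handshakeTypes = map[byte]string{1: "ClientHello", 2: "ServerHello", 11: "Certificate", 12: "ServerKeyExchange",
	13: "CertificateRequest", 14: "ServerHelloDone", 15: "CertificateVerify", 16: "ClientKeyExchange", 20: "Finished"}

const ctHandshake = 22
const maxRecordLen = 16384 + 2048 // TLSCiphertext limit; a larger length field is a protocol violation

// Record is one record-layer unit: a 5-byte header (type, version, length) plus its payload.
type Record struct {
	ContentType   string
	Version       uint16 // legacy record version, e.g. 0x0303 for TLS 1.2
	Length        int
	HandshakeType string // message type of a plaintext handshake record, "" otherwise
}

// ParseRecords splits one direction of a TLS byte stream into records, refusing
// truncated or oversized ones. Handshake payloads are only typed while they are
// still plaintext, i.e. before that direction's ChangeCipherSpec; afterwards the
// payload is opaque ciphertext and only the header is readable.
func ParseRecords(stream []byte) ([]Record, error) {
	var out []Record
	encrypted := false
	for len(stream) > 0 {
		if len(stream) < 5 {
			return out, errors.New("truncated record header")
		}
		ct := stream[0]
		name, ok := contentTypes[ct]
		if !ok {
			return out, fmt.Errorf("unknown content type %d", ct)
		}
		n := int(binary.BigEndian.Uint16(stream[3:5]))
		if n > maxRecordLen {
			return out, fmt.Errorf("record length %d exceeds %d", n, maxRecordLen)
		}
		if len(stream) < 5+n {
			return out, fmt.Errorf("record claims %d payload bytes, only %d present", n, len(stream)-5)
		}
		r := Record{ContentType: name, Version: binary.BigEndian.Uint16(stream[1:3]), Length: n}
		if ct == ctHandshake && n > 0 && !encrypted {
			if r.HandshakeType = handshakeTypes[stream[5]]; r.HandshakeType == "" {
				r.HandshakeType = fmt.Sprintf("type %d", stream[5])
			}
		}
		if name == "change_cipher_spec" {
			encrypted = true
		}
		out = append(out, r)
		stream = stream[5+n:]
	}
	return out, nil
}

// SampleClientHello builds a constructed (not captured) TLS 1.2 ClientHello
// record with one cipher suite, an empty session id and no extensions.
func SampleClientHello() []byte {
	body := []byte{0x03, 0x03}                  // client_version: TLS 1.2
	body = append(body, make([]byte, 32)...)    // random (zeroed here; a real client sends 32 random bytes)
	body = append(body, 0x00)                   // session_id length 0
	body = append(body, 0x00, 0x02, 0xc0, 0x2f) // cipher_suites: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
	body = append(body, 0x01, 0x00)             // compression_methods: null only
	body = append(body, 0x00, 0x00)             // extensions length 0
	hs := append([]byte{0x01, 0x00, 0x00, byte(len(body))}, body...)                // handshake header: ClientHello, 24-bit length
	return append([]byte{ctHandshake, 0x03, 0x01, 0x00, byte(len(hs))}, hs...) // record header: handshake, legacy version TLS 1.0
}

func main() {
	stream := append(SampleClientHello(), 0x14, 0x03, 0x03, 0x00, 0x01, 0x01) // followed by a ChangeCipherSpec record
	recs, err := ParseRecords(stream)
	fmt.Println("err:", err)
	for _, r := range recs {
		fmt.Printf("%-18s version=0x%04x length=%d handshake=%q\n", r.ContentType, r.Version, r.Length, r.HandshakeType)
	}
}
```

The version field in the record header is a legacy value (TLS 1.2 ClientHellos commonly carry 0x0301 there) and says nothing about what will be negotiated; the version that matters is inside the ClientHello and ServerHello bodies.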

  • Handshake process
  • To understand the SSL protocol properly, we focus here on its handshake protocol. SSL uses both public-key and symmetric cryptography: symmetric encryption is much faster, but public-key cryptography is what provides authentication of the parties. The SSL handshake lets the client and server authenticate each other and agree on shared keys. The main steps are as follows:

    1) The client's browser sends the server its SSL protocol version number, the encryption algorithms (cipher suites) it supports, a freshly generated random number, and the other information needed for the communication.

    2) The server replies with the SSL protocol version, the encryption algorithm it has chosen, its own random number and other related information, and sends its certificate to the client at the same time.

    3) The client uses the information sent by the server to verify the server's legitimacy. This includes: whether the certificate has expired, whether the CA that issued the server certificate is trusted, whether the issuer's public key correctly verifies the digital signature on the server certificate, and whether the domain name in the server certificate matches the domain name the client actually connected to (revocation status, as checked via the CRL for client certificates in step 6, belongs in this list as well). If the check fails, the connection is torn down; if it passes, the handshake continues with step 4.

    4) The client randomly generates the secret from which the symmetric keys for the subsequent communication are derived, the "pre-master secret", encrypts it with the server's public key (taken from the server's certificate in step 2) and sends the encrypted pre-master secret to the server. This describes the RSA key exchange; modern TLS instead derives the pre-master secret with an ephemeral Diffie-Hellman exchange, so that the server's long-term private key cannot later decrypt recorded traffic.

    5) If the server requires client authentication (optional in the handshake), the client signs a digest of the handshake messages exchanged so far with its own private key and sends this signature, together with its own certificate, after the encrypted pre-master secret.

    6) If the server requires client authentication, it must verify the client's certificate and the signature. The checks are: whether the client's certificate is within its validity period, whether the CA that issued it is trusted, whether the issuing CA's public key correctly verifies the signature on the client's certificate, and whether the certificate appears on the Certificate Revocation List (CRL). If verification fails, the connection is terminated immediately; if it passes, the server decrypts the pre-master secret with its private key and derives the master secret from it and the two random numbers of steps 1 and 2 (the client derives the same master secret in the same way).

    7) The server and the client now share the same master secret, the session key, a symmetric key used for encrypting and decrypting the data of the SSL session. The integrity of the data is protected during the SSL communication as well (each record carries a message authentication code), so that any modification of the data is detected.

    8) The client sends the server a message announcing that the keys derived from the master secret of step 7 will be used for all subsequent data (ChangeCipherSpec), followed by a message that tells the server the client's part of the handshake is complete (Finished).

    9) The server sends the client the corresponding message that the keys derived from the master secret of step 7 will be used from now on, and notifies the client that the handshake on the server side is complete.

    10) The SSL handshake is finished and data transfer over the SSL secure channel begins. Client and server protect the data with the same symmetric keys and check the integrity of every message.
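The following Go program is an added example, not code from the original article. It builds a constructed certificate hierarchy (a root CA named Example Root CA, a server certificate for example.test and a client certificate for client.example.test, all names chosen for the example), runs the checks of step 3 on the server certificate with the standard library's X.509 verifier, and then performs the complete handshake of steps 1 to 10 in memory between a tls.Client and a tls.Server joined by net.Pipe, with the server demanding a client certificate as in steps 5 and 6. This also exercises both phases of the workflow in item 4 of the previous section. The handshake is pinned to TLS 1.2 with an ECDSA certificate, so the key exchange is ephemeral Diffie-Hellman rather than the RSA-encrypted pre-master secret of step 4; the remaining steps are the same.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

var serial int64

// newCert issues a one-year ECDSA certificate for name, signed by parent, or
// self-signed when parent is nil. Every name in this file is constructed.
func newCert(name string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	serial++
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(365 * 24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, BasicConstraintsValid: true, IsCA: isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign // the CA may sign the leaves below
	} else {
		tmpl.DNSNames = []string{name} // step 3 matches the hostname against this SAN
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// PKI is the constructed hierarchy: one root CA, a server leaf for example.test and a client leaf.
type PKI struct {
	Roots                *x509.CertPool
	ServerCert           *x509.Certificate
	ServerTLS, ClientTLS tls.Certificate
}

func buildPKI() PKI {
	ca, caKey := newCert("Example Root CA", true, nil, nil)
	srv, srvKey := newCert("example.test", false, ca, caKey)
	cli, cliKey := newCert("client.example.test", false, ca, caKey)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	return PKI{roots, srv,
		tls.Certificate{Certificate: [][]byte{srv.Raw}, PrivateKey: srvKey},
		tls.Certificate{Certificate: [][]byte{cli.Raw}, PrivateKey: cliKey}}
}

// checkServerCert is step 3 on its own: chain to a trusted CA (which verifies the
// issuer's signature), validity period at time now, and hostname match.
func checkServerCert(cert *x509.Certificate, roots *x509.CertPool, host string, now time.Time) string {
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: host, CurrentTime: now})
	var hostErr x509.HostnameError
	var caErr x509.UnknownAuthorityError
	var invErr x509.CertificateInvalidError
	switch {
	case err == nil:
		return "ok"
	case errors.As(err, &hostErr):
		return "hostname mismatch"
	case errors.As(err, &caErr):
		return "untrusted issuer"
	case errors.As(err, &invErr) && invErr.Reason == x509.Expired:
		return "expired"
	}
	return "other: " + err.Error()
}

// HandshakeResult is what steps 1-10 negotiated, or why they stopped.
type HandshakeResult struct {
	Version  uint16
	Suite    string
	ClientCN string // subject of the client certificate the server verified in step 6
	Err      error
}

// runHandshake runs the handshake in memory over net.Pipe, pinned to TLS 1.2 so the
// ChangeCipherSpec/Finished exchange of steps 8 and 9 is the one that happens. The
// client verifies the server against roots and serverName; the server requires a
// client certificate, and withClientCert=false shows the handshake refused at step 6.
func runHandshake(p PKI, serverName string, withClientCert bool) HandshakeResult {
	serverCfg := &tls.Config{Certificates: []tls.Certificate{p.ServerTLS},
		ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: p.Roots,
		MinVersion: tls.VersionTLS12, MaxVersion: tls.VersionTLS12}
	clientCfg := &tls.Config{RootCAs: p.Roots, ServerName: serverName, MinVersion: tls.VersionTLS12}
	if withClientCert {
		clientCfg.Certificates = []tls.Certificate{p.ClientTLS}
	}
	sRaw, cRaw := net.Pipe()
	deadline := time.Now().Add(10 * time.Second) // a stalled handshake fails instead of hanging
	sRaw.SetDeadline(deadline)
	cRaw.SetDeadline(deadline)
	defer sRaw.Close()
	defer cRaw.Close()
	server, client := tls.Server(sRaw, serverCfg), tls.Client(cRaw, clientCfg)
	serverErr := make(chan error, 1)
	go func() { serverErr <- server.Handshake() }()
	clientErr := client.Handshake()
	if err := <-serverErr; err != nil {
		return HandshakeResult{Err: err}
	}
	if clientErr != nil {
		return HandshakeResult{Err: clientErr}
	}
	st := server.ConnectionState()
	return HandshakeResult{Version: st.Version, Suite: tls.CipherSuiteName(st.CipherSuite),
		ClientCN: st.PeerCertificates[0].Subject.CommonName}
}

func main() {
	p := buildPKI()
	for _, host := range []string{"example.test", "other.test"} {
		fmt.Printf("verify %-13s -> %s\n", host, checkServerCert(p.ServerCert, p.Roots, host, time.Now()))
	}
	fmt.Println("in 400 days       ->", checkServerCert(p.ServerCert, p.Roots, "example.test", time.Now().Add(400*24*time.Hour)))
	fmt.Printf("mutual TLS: %+v\n", runHandshake(p, "example.test", true))
	fmt.Printf("no client cert: %v\n", runHandshake(p, "example.test", false).Err)
}
```

The three failing verifications map onto the three checks the text lists for step 3, and the refused handshake shows what a server configured with RequireAndVerifyClientCert does at step 6 when the client sends an empty certificate message: it answers with a bad_certificate alert and the connection never reaches step 10.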
