This article walks through the problems of HTTP and explains how HTTPS ensures security. I hope it serves as a useful reference.

How does HTTPS ensure security? (detailed explanation)

Problems with HTTP

1. Eavesdropping risk: communication uses plain text (not encrypted), so the content may be eavesdropped (a third party may learn what is being communicated).

2. Impersonation risk: the identity of the communicating party is not verified, so you may be talking to an impostor.

3. Tampering risk: the integrity of a message cannot be proven, so it may have been tampered with.

HTTPS

When you visit an HTTPS website, a lock icon appears in the browser's address bar.

HTTPS is not a new application-layer protocol. Usually HTTP communicates directly with TCP; with HTTPS, HTTP first communicates with a security layer (SSL/TLS), and the security layer then communicates with the TCP layer.

The SSL/TLS protocol was created to solve the problems of HTTP mentioned above. Let's take a look at how it solves them:

1. All information is transmitted encrypted, so third parties cannot eavesdrop.

2. It provides identity verification to prevent impersonation.

3. It has an integrity check: once a message is tampered with, both communicating parties discover it immediately.

Encryption

Symmetric encryption

Using the same secret key for both encryption and decryption is called shared key encryption, also called symmetric key encryption.

  • The browser sends client_random and a list of encryption methods to the server.

  • The server sends server_random and the encryption method to the browser.

The browser and server now hold three identical values: client_random, server_random and the encryption method. They use the encryption method to mix the two random numbers client_random and server_random into a secret key. This key is the password for communication between the browser and the server.

Existing problem: a third party in the middle can also obtain client_random, server_random and the encryption method. With the same inputs and the same method, the middleman can produce the same key, decrypt the data, and easily break this scheme.

Asymmetric encryption

  • The browser sends a list of encryption methods to the server.
  • The server sends the encryption method and its public key to the browser.
  • The browser then encrypts data with the public key and transmits it to the server, and the server decrypts the received data with its private key. When the server sends data to the browser, it encrypts it with the private key; the browser receives the data and decrypts it with the public key.

Existing problems:

  • The efficiency of asymmetric encryption is too low, which seriously affects the speed of encryption and decryption and, in turn, how quickly the user can open the page.

  • The security of the data sent by the server to the browser cannot be guaranteed. The server's data can only be encrypted with the private key (because if it used the public key, the browser could not decrypt it). Once the middleman gets the public key, he can decrypt the data sent from the server, and the scheme is broken again.

HTTPS uses a combination of symmetric encryption and asymmetric encryption

The data transmission phase still uses symmetric encryption, but the symmetric key itself is transmitted using asymmetric encryption.

  • The browser sends client_random and a list of encryption methods to the server.
  • The server receives them and returns server_random, the encryption method and its public key.
  • The browser receives them, then generates another random number, pre_master, encrypts it with the public key, and transmits it to the server. (Key operation!)
  • The server uses its private key to decrypt the encrypted pre_master.

At this point the server and the browser hold the same client_random, server_random and pre_master. Both then use these three random numbers to generate a symmetric secret key, and with that key both parties can use symmetric encryption to transmit data.
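The following added example (not code from the original article) contrasts the symmetric-only scheme with the hybrid one by deriving the session key from the three values. It goes beyond the article by using the TLS 1.2 PRF from RFC 5246 as the concrete derivation; the SHA-256 "mixing" step in `naive_key`, the sample random values and the all-zero observer guess are assumptions, and the RSA encryption of pre_master is not modelled.

```python
import hashlib
import hmac
import os


def p_sha256(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_SHA256 expansion function from RFC 5246, section 5."""
    out, a = b"", seed  # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()  # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]


def master_secret(pre_master: bytes, client_random: bytes, server_random: bytes) -> bytes:
    """48-byte TLS 1.2 master secret: PRF(pre_master, "master secret", randoms)."""
    return p_sha256(pre_master, b"master secret" + client_random + server_random, 48)


def naive_key(client_random: bytes, server_random: bytes) -> bytes:
    """Symmetric-only scheme: the key depends on public values alone.
    SHA-256 is an assumed stand-in for the article's unspecified mixing step."""
    return hashlib.sha256(client_random + server_random).digest()


def simulate() -> dict:
    # Constructed sample values. Both randoms travel in plaintext.
    client_random, server_random = os.urandom(32), os.urandom(32)
    # RSA-style pre_master: 2-byte protocol version + 46 random bytes.
    # It only crosses the wire encrypted under the server's public key
    # (that RSA step is not modelled here).
    pre_master = b"\x03\x03" + os.urandom(46)

    observed = (client_random, server_random)  # all a passive observer has

    browser = master_secret(pre_master, client_random, server_random)
    server = master_secret(pre_master, client_random, server_random)
    # Without pre_master the observer can only guess the PRF secret.
    observer = master_secret(bytes(48), *observed)

    return {
        "naive_key_recoverable": naive_key(*observed) == naive_key(client_random, server_random),
        "hybrid_endpoints_agree": hmac.compare_digest(browser, server),
        "hybrid_key_recoverable": hmac.compare_digest(browser, observer),
    }


if __name__ == "__main__":
    print(simulate())
```
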

CA (digital certificate)

The hybrid of symmetric and asymmetric encryption achieves encrypted transmission of data. But there is still a problem: the server may be impersonated by a hacker. In that case the browser connects to the hacker's server, and the hacker can set up his own public and private keys on that server. The browser, however, has no way of knowing that it is visiting the hacker's site.

The server needs to prove its identity and needs to use a certificate issued by an authoritative organization. This authoritative organization is the CA (Certificate Authority). The issued certificate is called a digital certificate (Digital Certificate).

For the browser, the digital certificate has two functions:

  • Prove the identity of the server to the browser through the digital certificate

  • The digital certificate contains the server public key

Let’s take a look at the HTTPS request process containing the digital certificate

Compared to the HTTPS request process without digital certificates, the following two main changes have been made

  • The server does not return the public key to the browser directly; it returns the digital certificate, and the public key is contained in the digital certificate.

  • There is an additional certificate verification operation on the browser side. After the certificate is verified, the subsequent process continues.
