Before talking about HTTPS, we must first understand HTTP, because HTTP is the basis of HTTPS communication. HTTP (HyperText Transport Protocol) Hypertext Transfer Protocol, which is used to transmit client-side and server-side data.
HTTP is very simple and convenient to use, but it has the following three fatal problems:
Using clear text communication, the content can be eavesdropped.
If the true identity of the communicating party is not verified, the person may be disguised.
The integrity of the message cannot be proven and it is easily tampered with.
In view of the above problems, the current system will use HTTPS instead of HTTP.
First of all, HTTPS is not a new protocol, but adds an encryption mechanism SSL (Secure Socket Layer) or TLS (Transport) based on the HTTP protocol. Layer Security). HTTPS = HTTP encryption, authentication and integrity protection.
SSL and TLS:
SSL (Secure Socket Layer) was first developed by browser developer Netscape, which developed SSL 3.0 and versions before 3.0, and then SSL was handed over to the Internet Engineering Task Force (IETF). The IETF developed TLS 1.0 based on SSL 3.0, so TLS can be considered a "new version" of SSL.
As for HTTPS, the first thing to solve is the trust problem, that is, the problem of identity verification. If the trust problem is not solved, there will be server camouflage, that is, " Man-in-the-middle attack" problem. The so-called man-in-the-middle attack means that under normal circumstances, the client and server should interact directly, but here a "bad guy" (man-in-the-middle) emerges, which is included between the client and server for Stealing and tampering with the communication content between the two parties,
is shown in the figure below:
HTTPS uses digital certificates to solve the trust problem The solution is that when the server is first created, it will first apply for a reliable digital certificate from a third-party platform recognized by everyone, and then when the client accesses (server), the server will first give the client a number Certificate to prove that you are a reliable server and not a "middleman". At this time, the browser will be responsible for validating and checking the validity of the digital certificate. If there is a problem with the digital certificate, the client will stop communication immediately. If there is no problem, the subsequent process will be executed.
As shown below Shown:
With the digital certificate, you can verify the true identity of the server. This solves the problem of "man-in-the-middle attack" and also solves the problem. The problem of disguise.
Although we have solved the trust problem above, because the two parties communicate in clear text, there is still a risk of the communication content being eavesdropped during communication. , what should we do at this time? So we thought of using encryption to solve the problem of information exposure.
Encryption is mainly divided into two categories: Symmetric encryption and asymmetric encryption.
In symmetric encryption, there is a shared secret key. Through this shared secret key, information encryption and information decryption can be achieved. It is characterized by fast encryption and decryption speeds. , but due to the problem of shared secret keys, once the shared secret keys are intercepted, the so-called encryption and decoding are empty talk.
In asymmetric encryption, there is a pair of secret keys: a public key and a private key. The public key can be used to encrypt information, but it cannot be decrypted. The private key can be used to decrypt information. Its characteristic is that the server saves the private key and does not expose it to the outside world. It only sends the public key to the client. Even if others get the public key, they cannot decrypt the encrypted information. Therefore, this method is more secure, but asymmetric encryption The execution speed is relatively slow.
So should we use symmetric encryption or asymmetric encryption in HTTPS? Use symmetric encryption, which is fast but insecure; use asymmetric encryption, which is secure but slow. Only children make the choice, adults do, so HTTPS uses both asymmetric encryption and symmetric encryption. Its entire interaction process is like this:
The HTTPS execution process is as follows:
The client uses HTTPS to access the server.
The server returns a digital certificate and uses asymmetric encryption to generate a public key to the client (the server keeps the private key itself).
The client verifies whether the digital certificate is valid. If it is invalid, the access is terminated. If valid:
Use symmetric encryption to generate a shared secret key;
Use symmetric encryption shared secret key to encrypt data;
Use asymmetric encryption public key encryption (generated by symmetric encryption) shared secret key.
Send the encrypted secret key and data to the server.
The server uses the private key to decrypt the client's shared secret key (generated using symmetric encryption), and then uses the shared secret key to decrypt the specific content of the data.
After that, the client and server interact using the content encrypted by the shared secret key.
In this way, HTTPS not only ensures security but also ensures efficiency, which can be said to have the best of both worlds.
Using encryption also indirectly ensures the integrity of the data. If there is incomplete data or redundant data, an error will be reported during decryption, thus indirectly ensuring the data. of completeness.
The above is the detailed content of What are the reasons and advantages of using HTTPS in Java?. For more information, please follow other related articles on the PHP Chinese website!