
What is HTTPS? Why is HTTPS Safe?

By Philip Perez, 2012-07-23 12:59

What is HTTPS?

Whether you're using your phone or computer, you can't live without data.

Today the Internet runs on HTTP (HyperText Transfer Protocol).

That is why, when surfing the Internet, we find that URLs begin with http://

Simply put, the HTTP protocol defines a set of rules that allow a client or browser to communicate with a server and complete a data transfer.

However, HTTP sends everything in clear text, for example when you enter an account and password and submit a login:

Figure: clear text transmission. The Client/Browser sends "Username=ceelog & password=123456" to the Server, and an intermediary on the path can read it as-is.

There is a chance that the intermediary wiretaps the connection and the data leaks, so it is fair to say that HTTP is not secure, and modern browsers show a "not secure" indication in the address bar.

Figure: Google Chrome address-bar warning that the connection is not secure.

To solve the problem of secure transmission, people invented HTTPS, which is HTTP + Secure.

Why is HTTPS safe?

As long as the data is encrypted, and no third party can decrypt it, the communication is secure.

Figure: encrypted transfer. The Client/Browser sends the encrypted form "khen!@#FSD@#$" of "ceelog&password=123456" to the Server; the intermediary sees only the ciphertext.

In the example above, the communication data was encrypted, so even if the intermediary tapped the line it could not learn the content of the data.

Figure: Google Chrome security indicator for the encrypted connection.

How does HTTPS achieve secure communication?

Encrypted transmission is secure, but how can the server decrypt data that the client has encrypted? And how do you make sure that a middleman who eavesdrops cannot read the secret?

The answer is: use symmetric encryption.

What is symmetric encryption?

Simply put, both communicating parties hold the same key (hence "symmetric"): the client encrypts the data with the key and sends it to the server, and the server decrypts it with the same key. Likewise, when the server encrypts data and sends it to the client, the client decrypts it with the key.

Then a new question arises: how do you give both parties the same key before they communicate?

If only two people want to communicate, it can be as simple as meeting in private, agreeing on a key, and using it from then on. However, real communication is usually between one server and thousands of clients, and it is not possible for everyone to meet the server in private.

In addition, even with symmetric encryption, if one party keeps the key carelessly it may be stolen or copied, so there are many potential security problems; it is best for each client to use a different key for every communication with the server.

A simple solution: before each request, the client negotiates with the server, by some method, a symmetric key that only the two sides know.

This process is called the Key Exchange.

There are many key exchange algorithms; familiar ones include the Diffie-Hellman key exchange algorithm and the RSA key exchange algorithm.

This article uses a simpler RSA key exchange as an example.

In short, the RSA key exchange algorithm requires the client to provide the server with a Pre-Master-Key; both sides then derive a Master-Key from it, and from the Master-Key a series of further keys, including the symmetric key used for data transmission.

So, how does the client tell the server the pre-master-key? Is it transmitted in plain text?

As we said earlier, no communication that is not encrypted is secure.

It seems to be a loop: to encrypt the communication you need to pass the Pre-Master-Key to the server, but that transfer itself must be encrypted.

So we introduce a new encryption technique: asymmetric encryption.

What is asymmetric encryption?

In simple terms, the server can generate a pair of different keys (hence "asymmetric"): one is kept secret, called the private key; the other is open to everyone, called the public key.

The key pair has this property: data encrypted with the public key can only be decrypted with the private key, and data encrypted with the private key can only be decrypted with the public key.

A classic realization of asymmetric encryption is the RSA algorithm, published in 1977 by Ron Rivest, Adi Shamir and Leonard Adleman; RSA is the initials of the three surnames.

With asymmetric encryption, the problem can be solved.

The client encrypts the Pre-Master-Key with the server's public key and sends it to the server.

Because only the server has the private key, only the server can decrypt the data and obtain the Pre-Master-Key sent by the client.

Interaction process:

1. The client asks the server for its public key;

2. The server sends the public key to the client (no confidentiality is needed, because the public key is public to all);

3. The client uses the server's public key to encrypt the Pre-Master-Key into a secret message and sends it to the server;

4. The server uses its private key to decrypt the secret message and retrieve the Pre-Master-Key sent by the client.
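Steps 1 to 4 carried through end to end, together with the symmetric-key derivation described above, as an added example that is not part of the original article: it uses toy RSA with tiny constructed primes (real keys are about 2048 bits), a hash chain as a simplified stand-in for the TLS Pre-Master-Key to Master-Key derivation, and a SHA-256 XOR keystream in place of a real symmetric cipher; all function names are assumptions.

```python
import hashlib
import os

# Toy RSA key pair from tiny constructed primes; illustration only.
def rsa_keygen():
    p, q = 61, 53                      # constructed primes
    n = p * q                          # modulus 3233
    phi = (p - 1) * (q - 1)            # 3120
    e = 17                             # public exponent
    d = pow(e, -1, phi)                # private exponent 2753
    return (e, n), (d, n)              # (public key, private key)

# Textbook RSA applied byte by byte (every byte < n); no padding, toy only.
def rsa_encrypt(pub, data):
    e, n = pub
    return [pow(b, e, n) for b in data]

def rsa_decrypt(priv, cipher):
    d, n = priv
    return bytes(pow(c, d, n) for c in cipher)

# Pre-Master-Key -> Master-Key -> symmetric data key, each step a hash with a
# distinct label (assumption: simplified stand-in for the TLS derivation).
def derive_data_key(pre_master):
    master = hashlib.sha256(b"master" + pre_master).digest()
    return hashlib.sha256(b"data" + master).digest()

# Toy stream cipher: XOR with a SHA-256 keystream; stands in for AES.
def sym_xor(key, data):
    out = bytearray()
    for i, b in enumerate(data):
        block = hashlib.sha256(key + (i // 32).to_bytes(4, "big")).digest()
        out.append(b ^ block[i % 32])
    return bytes(out)

def rsa_key_exchange(request):
    pub, priv = rsa_keygen()                    # steps 1-2: server hands out pub
    pre_master = os.urandom(16)                 # step 3: client picks Pre-Master-Key
    sealed = rsa_encrypt(pub, pre_master)       #         and seals it with pub
    server_pms = rsa_decrypt(priv, sealed)      # step 4: only priv can open it
    client_key = derive_data_key(pre_master)    # both sides derive the same key
    server_key = derive_data_key(server_pms)
    ciphertext = sym_xor(client_key, request)   # what the intermediary sees
    plaintext = sym_xor(server_key, ciphertext) # what the server reads
    return sealed, ciphertext, plaintext

if __name__ == "__main__":
    sealed, ct, pt = rsa_key_exchange(b"username=ceelog&password=123456")
    print("on the wire:", sealed[:4], ct.hex()[:16], "...")
    print("server reads:", pt)
```

The intermediary sees only the sealed Pre-Master-Key and the ciphertext; without the private key it cannot recover the data key, which is the whole point of step 4.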

It looks perfect, but the second step raises a new question.

Because the Internet is open, the public key that the server sends to the client may be intercepted and tampered with in transit (a Man-in-the-Middle attack, abbreviated MITM).