A few previous blogs talked about HTTP Something about , Let's talk today HTTPS Things that are . because HTTP There is plaintext transmission in the protocol itself 、 Can't verify the identity of the communication party and the integrity of the message and other security aspects , That's why HTTPS The defects of .HTTPS It's not exactly an agreement , It is HTTP + SSL (TSL) The combination of .HTTP The message went through SSL The layer is encrypted and delivered to TCP Layer to transmit .SSL( Condom layer ) The main measures are RSA（ Asymmetric encryption ） And AES（ Symmetric encryption ） Combined encryption . Through the first RSA Interaction AES The key of , And then through AES Encrypt and decrypt messages . This blog is mainly about HTTPS The specific working process .
In the first part of this blog , Let's talk first RAS And AES These two encryption strategies , If you've done something about payment in the company , The security requirements for data transmission are relatively high , At this time, it is necessary to take some encryption measures to encrypt the transmitted message , Do it when necessary MD5 attestation . Of course, this part talks about RAS And AES It's simpler , About the specific content of these two , Please help yourself. Google Well . because HTTPS In the process of transmission RSA And AES encryption algorithm , So I'm talking about HTTP+SSL Before that , Let's have a brief talk AES And RSA.
AES, Full name ：Advanced Encryption Standard---- Advanced encryption standard . The encryption algorithm has a key , The key can be used to encrypt , It can also be used to decrypt , therefore AES It's symmetric encryption . This is below AES The process of encryption and decryption .Client End and Server There is a common Key, This Key It's for encryption and decryption . If a message is stolen in transit , Without this key, It is very difficult to crack the encrypted content , Of course, if the thief has key Words , It's easy to decrypt . So in AES in ,key Is the key . This is equivalent to the door key of your house , Whoever gets the key can open your door . Even if the door lock is strong , Safe again , Not in front of the key .
So for AES Encryption strategy for this Key We need to do a lot of secrecy , If you have time later, you can share some specific AES Encryption strategy . For example, every time you encrypt Key They are generated dynamically from a codebook , And this password book server and client have the same , Every time we transmit some parameters . These parameters are mapped by some algorithms , Take out the corresponding password from this key To decrypt . thus , It's equivalent to giving AES Added a layer of security door , It's harder to crack . The advantage of this is that it's encrypted every time key It's all different , And it needs the support of codebook and mapping algorithm .
RAS The name , It's the combination of the initials of the three inventors of the algorithm .RAS It's asymmetric encryption , In the process of encryption and decryption , You need two Key, A public key （public key）, One is the private key （private key）. The public key is responsible for encryption , And the private key is responsible for decryption . You can tell by the name , Public keys can be opened up , Anyone can hold a public key to encrypt . And the private key has to be protected , Because it's for decryption .
thus , Encryption and decryption can be handled with different keys . For encrypted playback , Even if you can encrypt messages , If there is no private words, you can not encrypt the content of the decryption . It's like a box , There is a lock on the box . You can put things in , And then lock the box . But if you don't have a key , I can't open the lock .
The diagram below is the one-way verification of the server RAS Asymmetric encryption algorithm ,Client Built in a public key , The public key is similar to Server The private key of the end is paired , therefore Client The client can use this built-in Public key encryption , And the server can use this private key To decrypt . At present, the most commonly used one-way authentication mechanism on the server side .
If you go through RAS The algorithm generates a private key and a public key , In the process of sending the public key to the client, it may be tampered with other public keys , The client does not know whether the public key is the public key corresponding to the private key of the server without other measures . This kind of self-made RAS The public key and private key may be tampered with in the process of public key distribution . Below is the Client from Server When the client gets the public key, it is tampered with by the middle , take public Instead of your own fake public key, Again, the middleman holds the fake public key The corresponding pseudo private key. If the client uses the fake public key For encrypted transmission , So the middleman can use his own private key To decrypt .
Let me give you an example of this problem .
Suppose you were in ancient times , You're out there , The wife has a son at home . You have a box in your house , There is a lock on the box , This is the tool you and your wife use to communicate . Your daughter-in-law is responsible for putting things in the box , Then lock it . You have a unique key , You're responsible for unlocking , Take things . But in the process of sending the box to the escort agency , By the escort agency “ Little black ” It's switched , The appearance of the box is the same , Locks look the same , But it's not your case anymore . Because it's a long way , There was nothing in ancient times iPhone What? , Your daughter-in-law can't tell if the box is original . Then I put some things in the box , Then the lock was handed over to the escort agency “ Little black ”.
because “ Little black ” The box that was replaced , So Xiaohei has the key to the box , And then you can open the box , Got something . The original box is in Xiaohei again , Xiaohei can put some worthless things into the original box for you . When you find that the contents of the box are not what you want , Finished , Xiao Hei resigned from the escort agency , We can't find anyone . Find someone from the escort agency to talk about it , But the escort agency said “ Little black ” It's a temporary worker in the escort agency , The responsible escort agency said , We can't afford to . Since you are powerless , That's it .（ The story is pure fiction , It's a coincidence ）
For more stories about cheaters, please move to the online drama 《 A hairtrick 》 Season 123 .
In order to prevent “ Little black ” Again , So issue an impartial agency to prove that the box your daughter-in-law receives is the one you sent out . stay RAS There is also a third party agency in encryption to play this role , Responsible for proving that the certificate received by the client is the certificate you sent , There is no tampering in the middle . This intermediate certification authority , It's array certification authority , The certificate it issues is what we often say CA certificate （CA , Certificate Authority）.
Let's describe the certificate signature in detail , The whole process of certificate distribution and certificate verification .
The screenshot below is some information about Apple's root certificate , As can be seen from below ,CA The content of the certificate includes encryption algorithm , Public key and digital signature .
Below is the details of public key and digital signature , When verifying the public key below , You need to use the built-in CA The public key decrypts the digital signature . And then the decrypted content , Generated with the public key Hash Value comparison , If the match is successful , So the certificate is CA A legal certificate issued by an organization .
We finished talking about it AES And RSA Encryption strategy , Then we talked about public keys with digital signatures . The above two parts are for HTTPS Make bedding , Let's take a look at HTTP+SSL How data is transmitted .
It was also said at the beginning ,HTTPS It's not a new communication protocol , It is HTTP And SSL（ or TSL） The combination of .SSL– Condom layer (Secure Socket Layer), TSL（Transport Layer Security Secure transport layer ） In order to SSL Protocols developed for prototypes ,IETF With SSL3.0 After setting the benchmark, we formulated TLS1.0、TLS1.1 and TLS1.2, The current mainstream version is SSL3.0 And TLS1.0.
HTTPS Is in the HTTP And TCP Add a... In the middle of the layer SSL layer . because HTTPS By HTTP With this layer of encryption process , therefore HTTPS It's faster than HTTP It's much slower .
SSL The encryption process of is RSA And AES Mixed in . In a nutshell , It is through RSA Encrypted way to exchange AES Encryption and decryption key , And then use AES Encrypted way to transmit messages . Below is the SSL Diagram of establishing connections and transferring data . In the figure below, it can be roughly divided into four steps ：
Code scanning, attention, surprise
（ Please indicate the author and source of this article Fang Zhipeng's blog ）