HTTPS

Author: 小丸子啦啦啦呀 | Published: 2022-03-28 15:23

What is HTTPS, and why is it necessary?

HTTPS stands for Hypertext Transfer Protocol Secure.
HTTP + encryption + authentication + integrity protection = HTTPS

SSL (Secure Sockets Layer) has now been replaced by TLS (Transport Layer Security).

Before: HTTP <=> TCP
After: HTTP <=> TLS <=> TCP

HTTP does not guarantee security. It has 3 weak points:

  • Q1. Transmit data in clear text;
  • Q2. No verification of each other's identity;
  • Q3. No way to know if the data is complete and correct.

For Q1: how to encrypt and decrypt?

Let's first get to know two encryption and decryption mechanisms.

Common key crypto system (shared-key encryption / symmetric encryption)

Let's say A is the client and B is the server, and A wants to send private data to B. How can the data be protected?
Both sides use the same key to encrypt and decrypt. A encrypts the data with this key and sends it to B, and B decrypts the ciphertext with the same key. The problem is that the key has to be generated and sent to both the client and the server in advance. If an attacker steals the key in transit, this is very dangerous.
In other words, transferring the key is inherently dangerous. If we can ensure the safety of the key, we can also ensure the safety of the real data.

Public-key cryptography (asymmetric encryption)

Let's reuse the example above. With public-key cryptography, there is a public key available to anyone and a private key held only by the party who receives the private data.
A uses the public key to encrypt the data, and B uses the private key to decrypt it. The important point is that the private key is owned by only one party: it is generated by that party and never needs to be transmitted over the internet. The public key can be distributed to anyone, but it can only be used to encrypt. An attacker can only obtain the public key, and this key is useless to him.

It seems that public-key cryptography is safer than the common key crypto system, so should we drop the common key crypto system and use public-key cryptography everywhere?
The answer is no. For efficiency reasons, HTTPS uses both of them, depending on the conditions.

So, what are these conditions?
Firstly, if you can ensure the safety of the common key, just use the common key crypto system.
Secondly, if you care about efficiency very much and the data you will transfer is not private.

But how can we ensure that the public key we got is real? Here "real" means not changed by an attacker.

Find a third-party agency that we trust to issue a certificate. We call this agency the "CA", the Certificate Authority.

[Figure: Public-key cryptography.png]

What is a certificate?

From the picture above, we can see that the certificate includes 2 parts:

  1. The server's public key, so that the client can trust that the key is real;
  2. A digital signature, so that the client can trust that the key comes from the real server.

As we know from the picture, the client needs the CA's public key to validate the signature. This means the key would have to be transmitted from the CA to the client, which is dangerous, so most browsers ship with the public keys of commonly seen CAs pre-installed.

Can blockchain replace the CA?

What is the detailed communication process?


For Q2: how to identify the party I'm talking to?

As we said above, the certificate contains a signature of the server, so the client can identify it. But how does it work?
Below are the details of the digital signature:

[Figure: image.png]

It turns out that the CA takes the public key of the server and then encrypts it with its own private key. Wait, according to what we said above, the private key is used to decrypt, so why is it used to encrypt here? Actually, it is not so accurate to call it "encrypt" here: the private key is just used as a function, and calling this function produces a cryptographic value. The CA appends this value to the certificate. When the client gets the certificate, it uses the CA's public key to restore the real signature of the server.
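An added example, not from the original post: a toy, unpadded RSA signature over a SHA-256 digest that walks through the CA signing and the client verification described above, and shows that a swapped public key is detected. The key size, the certificate fields (`subject`, `public_key`) and all function names are assumptions chosen for illustration; real certificates are X.509 and use padded RSA or ECDSA with much larger keys.

```python
import hashlib
import json

# Toy CA key pair, constructed for this example from two known Mersenne primes.
# Far too small for real use and with no padding: illustration only.
P, Q = 2**127 - 1, 2**89 - 1
CA_N, CA_E = P * Q, 65537                   # CA public key (pre-installed in the client)
CA_D = pow(CA_E, -1, (P - 1) * (Q - 1))     # CA private key (never leaves the CA)


def digest(body: dict) -> int:
    """SHA-256 of the canonical certificate body, reduced to fit the toy modulus."""
    data = json.dumps(body, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % CA_N


def ca_issue(subject: str, server_public_key: str) -> dict:
    """CA side: sign the hash of (subject, public key) with the CA private key."""
    body = {"subject": subject, "public_key": server_public_key}
    return {"body": body, "signature": pow(digest(body), CA_D, CA_N)}


def client_verify(cert: dict, expected_host: str) -> bool:
    """Client side: only the CA public key (CA_N, CA_E) is needed."""
    recovered = pow(cert["signature"], CA_E, CA_N)   # undo the private-key operation
    signature_ok = recovered == digest(cert["body"])
    return signature_ok and cert["body"]["subject"] == expected_host


def demo() -> dict:
    cert = ca_issue("example.test", "SERVER-PUBLIC-KEY-PLACEHOLDER")
    # Constructed tampering case: the key is replaced in transit, but the
    # signature cannot be recomputed without the CA private key.
    forged = {"body": dict(cert["body"], public_key="ATTACKER-KEY"),
              "signature": cert["signature"]}
    return {
        "genuine": client_verify(cert, "example.test"),
        "swapped_key": client_verify(forged, "example.test"),
        "wrong_host": client_verify(cert, "other.test"),
    }


if __name__ == "__main__":
    print(demo())
```

The private key is applied to a hash of the certificate body, not to the data itself, which is why "signing" is the accurate word here and "encrypting" is not.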

For Q3: how to ensure the integrity of the data?


Is HTTPS a silver bullet?

Obviously not.


