HTTPS
What is HTTPS,Why it is neccessary?
HTTPS is Hyper text transport protocol secure.
HTTP + encryption + certification + integration protection = HTTPS
SSL Secure Socket Layer (安全套接层)is replaced by TLS Transport Security Layer (安全层传输协议) now.
Before: HTTP <=> TCP
After: HTTP <=> TLS<=> TCP
HTTP does not guarantee security. It has 3 there 3 weak points:
- Q1. Transmit data in clear text;
- Q2. No verification of each other's identity;
- Q3. No way to know if the data is complete and correct.
For Q1, How to encrypt & decrypt?
Let's get to konw 2 Encryption and decryption mechanisms first.
Common key crypto system (共享密钥加密 / 对称加密)
Let's say, A is client, B is Server, A want to send private data to B, How to protect them by Public-key cryptography?
Using same key to encrypt and decrypt . A using this key to encrypt data then send it to B, B using the same key to decrypt the ciphertext(密文). The question is, the key should be generated and send to both client and server in advance, If hacker steal the key on the road, this will be very dangerous.
In other word, the transfer of keys is inherently dangerous. If we can ensure the safety of the key, we can also ensure the safety of real data.
Public-key cryptography 公开密钥加密方法,非对称加密
Let's reuse the eaxmple above. Using Public-key cryptography, there is a public key for anyone, and a private key just for the one who recieve private data.
A using public key to encrypt data, B using private key to decrypt data. The important point is the private key is owned by only one person, it's generated by themselves and no need to transform in internet, while the public key are allowed to distribute to anyone but it's only used to decrypt. For a hacker, he can only get the public key and this key is useless to him.
It seems that Public-key cryptography is safer than Common key crypto system, so should we deprecate Common key crypto system for Public-key cryptography everywhere?
The answer is no. For efficeincy consideration, HTTPs uses both of them according to detail conditions.
so, What are these conditions?
Firstly, if you can ensure the safety of common key, just using Common key crypto system.
Secondly, if you care abount the efficiency very much, and the data you will transform are not private.
But, How to ensure that the public key we got is real. the "real" means not changed by hackers?
Find a third-party agency that we are trust to issue the certification. the agency we call it as "CA",the Certificate Authority.
Public-key cryptography.png
What is certification?
From the picture above, we can see that the certification includes 2 parts:
- Public key of server, it makes client to trust the key is real;
- Digital signature, it makes client to trust the key is from real server.
As we konw from the picture, Client need the CA's public key to validate the signature, it means this key should transmit from CA to client, this is dangerous, so Usually most of browser will pre-install the public key of common seen CA.
Can block chain replace CA?
What is the detailed communication process?
image.png
image.png
For Q2, how to identify the object I'm talking to?
As we said above, certification contains a signature of server, so client can identify them. But How it works?
Blow is the detail of digital signature:
image.png
It turns out that CA got the public key of server then encypt it with it's own private key. wait wait, according to what we say above, private key is used to decrypt,why it is used to encrypt here? OK, actually, It's not so accurate to call it "encrypt" here, because we just use private key as a function, we call this function then get a crypto. CA put the crypto behind the certification, when client get the certification, it will using CA's publick key to restore the real signature of server.
For Q3, how to ensure the completement of data?
image.png
is the HTTPs a silver bullet?
Obviously not.
image.png
References
- 《图解HTTP》
- 《计算机网络第五版》
