HTTPS encryption algorithm process
1. HTTP (Hypertext Transfer Protocol): an application-layer communication protocol between a client (a browser or other program) and a web server.

2. HTTPS (Hypertext Transfer Protocol over Secure Socket Layer): can be understood as HTTP + SSL/TLS, that is, HTTP with an SSL layer added beneath it. The security of HTTPS rests on SSL, so the details of encryption are handled by SSL in order to transmit HTTP data securely.

3. SSL (Secure Sockets Layer): developed by Netscape in 1994. The SSL protocol sits between TCP/IP and the various application-layer protocols and provides security support for data communication.

4. TLS (Transport Layer Security): its predecessor is SSL, whose earlier versions were SSL 1.0, SSL 2.0 and SSL 3.0.

As shown in the figure above, HTTPS differs from HTTP by the additional SSL/TLS layer.

1. Symmetric encryption

There are two kinds, stream ciphers and block ciphers; encryption and decryption use the same key.

For example: DES, AES-GCM, ChaCha20-Poly1305, etc.

2. Asymmetric encryption

The keys used for encryption and decryption are different and are called the public key and the private key respectively. The public key and the algorithm are public; the private key is kept secret. Asymmetric algorithms are slow but very secure, and because of the way they encrypt, the length of data they can encrypt is also limited.

For example: RSA, DSA, ECDSA, DH, ECDHE.

3. Hash algorithm

Converts information of any length into a shorter, fixed-length value, usually much shorter than the original information; the algorithm is irreversible.

For example: MD5, SHA-1, SHA-2, SHA-256, etc.

4. Digital signature

A signature is a piece of content appended to the information (the hash value of the information) that can prove the information has not been modified. The hash value is usually encrypted (that is, signed) and then sent together with the information, so that the hash value itself cannot be modified.


Data transmitted between browser and server over HTTP is plaintext, without any encryption, or "streaking" as it is commonly called. What problems does this cause? Let's look at an example:


We simulated the interaction between server and client with two characters. The data exchanged between Xiao Ming and Xiao Hua travels in clear text, so a middleman could very well obtain the information and tamper with the data. This behaviour is called a man-in-the-middle attack.

So the risks of HTTP transmission are:

(1) Eavesdropping risk: Hackers can learn the communication content.

(2) Tampering risk: Hackers can modify communication content.

(3) Impersonation risk: Hackers can impersonate others to take part in the communication.

Haha, so you can't surf the Internet happily now? Don't worry, at this point we can encrypt the plaintext:

Is this much safer than before? But is it safe enough? Obviously not. If the middleman intercepts the information when Xiao Ming and Xiao Hua chat for the first time, doesn't the middleman also have the key, so that he too can encrypt, decrypt and modify the data?

So what can be done? Is encrypted data still not secure? Don't worry. Above we used symmetric encryption (in other words, the key we send can both encrypt and decrypt, so as soon as the middleman gets hold of the key, the messages are transparent to him). We can also use asymmetric encryption (which consists of a private key and a public key: you can encrypt with the public key and decrypt with the private key, or encrypt with the private key and decrypt with the public key) so that the transmission of the key gets extra protection. When Xiao Ming and Xiao Hua establish communication, Xiao Hua sends the public key to Xiao Ming. After Xiao Ming receives the public key, he generates a key KEY2 and encrypts it with the public key.

During communication, even if the middleman obtained the public key from the very start, he cannot decrypt the data without knowing the private key, so he still cannot get KEY2. With this encryption, is the data much safer? Can you now chat happily with the girl? Don't worry: as the saying goes, however high virtue rises, the devil rises higher; and as another saying goes, a hooligan is not scary, an educated hooligan is. In this state our data is relatively safe, but what happens if the middleman obtains the public key and sends his own fake public key to Xiao Ming?

Well, do you hate this middleman by now? Haha ~~ and as the saying goes, don't forget, however high virtue rises one foot, the devil rises ten. In this case we can use a third-party certificate platform. The certificate platform can generate certificates: the server (Xiao Hua) applies to a certificate authority for a certificate. The authority generates a public key and a private key from the information Xiao Hua provides, encrypts the data asymmetrically with its private key, generates the certificate and issues it to Xiao Hua. Xiao Hua can then present the certificate when exchanging data.

Xiao Ming only needs to know the certificate's issuing authority; he can easily obtain that authority's public key, use it to check the certificate and extract the server's public key, and then carry on with the subsequent steps.

Then, at this point, our friend is suspicious again: if the middleman obtains the certificate and forges one for Xiao Ming, how do we get around that?

Yes, if you had this thought it means everyone is thinking seriously. So suppose the middleman has obtained the certificate. The middleman can also obtain the certification authority's public key, and with it he can extract the public key the server sent. At this point the middleman can also generate his own public key, apply for a certificate from the issuing authority, and send the fake certificate to Xiao Ming. However, because the certificate is authenticated by a signature and includes information such as the website, the organisation and the legal representative, Xiao Ming can easily discover through the certificate's public key (URL) that the certificate is not legitimate.
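The following Python is an added illustration, not code from the original article: it models the "hash, then sign" step from the digital-signature section and Xiao Ming's certificate check from the step above. It uses textbook RSA with constructed keys built from Mersenne primes and a 64-bit truncated digest purely so that it runs self-contained; the hostnames and the `cert_body` layout are assumptions, and the whole thing is a model of the idea, not of real TLS certificates.

```python
import hashlib
E = 65537  # public exponent shared by every toy key below

def make_key(p, q):
    """Textbook RSA pair from two primes: returns (public, private)."""
    n = p * q
    return (n, E), (n, pow(E, -1, (p - 1) * (q - 1)))

def digest(msg):
    """Hash to a fixed-length value; truncated to 64 bits so it fits the toy
    moduli (real RSA signs the full digest under PSS or PKCS#1 padding)."""
    return int.from_bytes(hashlib.sha256(msg).digest()[:8], "big")

def sign(priv, msg):
    """Signature = the digest 'encrypted' with the private key, as the text says."""
    n, d = priv
    return pow(digest(msg), d, n)

def verify(pub, msg, sig):
    """Anyone holding the public key recovers the digest and compares it."""
    n, e = pub
    return pow(sig, e, n) == digest(msg)

def cert_body(subject, pub):
    return f"{subject}|{pub[0]}|{pub[1]}".encode()

def issue_cert(ca_priv, subject, subject_pub):
    """The CA binds a name to a public key by signing both together."""
    return {"subject": subject, "pub": subject_pub,
            "sig": sign(ca_priv, cert_body(subject, subject_pub))}

def client_accepts(cert, expected_host, trusted_ca_pubs):
    """Xiao Ming's check: the name must match and a CA he trusts must have signed it."""
    if cert["subject"] != expected_host:
        return False
    body = cert_body(cert["subject"], cert["pub"])
    return any(verify(ca, body, cert["sig"]) for ca in trusted_ca_pubs)

# Constructed keys from Mersenne primes, so no prime generator is needed.
CA_PUB, CA_PRIV = make_key((1 << 127) - 1, (1 << 13) - 1)
HUA_PUB, HUA_PRIV = make_key((1 << 61) - 1, (1 << 31) - 1)
MITM_PUB, MITM_PRIV = make_key((1 << 89) - 1, (1 << 17) - 1)

def demo():
    """(genuine cert accepted, self-signed forgery accepted, misnamed CA cert accepted)."""
    genuine = issue_cert(CA_PRIV, "xiaohua.example", HUA_PUB)
    forged = issue_cert(MITM_PRIV, "xiaohua.example", MITM_PUB)  # middleman signs it himself
    misnamed = issue_cert(CA_PRIV, "mitm.example", MITM_PUB)     # real CA, but not Xiao Hua's name
    return tuple(client_accepts(c, "xiaohua.example", [CA_PUB]) for c in (genuine, forged, misnamed))
```

Only the genuine certificate passes: the forgery carries the right name but no trusted CA signature, and the middleman's real certificate carries a trusted signature but the wrong name.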

What we shared above is the main idea of HTTPS: an added SSL security layer. All the authentication steps described above are verified within the SSL security layer. That is all for today's sharing of the implementation principles of HTTPS.

Disadvantages of HTTPS:

(1) SSL certificates are expensive, and deploying, updating and maintaining them on the server is very complicated.

(2) HTTPS slows down user access (multiple handshakes).

(3) After a website switches to HTTPS, the redirect from HTTP to HTTPS adds to the user's access time (most websites use a 302 redirect).

(4) The security algorithms used by HTTPS consume CPU resources, so a large number of extra machines are needed (HTTPS access requires encryption and decryption).