jzman

Coding, thinking, self-discipline.
Introduction to HTTPS and Encryption Algorithms

PS: Persistence is the greatest transcendence.

Recently, someone asked about HTTPS-related knowledge. Although I can use it, I only have a partial understanding of it. Today, I will summarize some knowledge points related to HTTPS. This article mainly covers theoretical knowledge, and the next article will provide a practical case. The main content is as follows:

  1. What is HTTPS
  2. Disadvantages of HTTP
  3. Public key encryption technology
  4. HTTPS encrypted transmission
  5. Public key certificate
  6. SSL and TLS
  7. Why not use HTTPS

What is HTTPS

Simply put, HTTPS (HTTP Secure) is HTTP with added encryption and authentication mechanisms.

HTTPS is not a new protocol in its own right. It simply inserts the SSL (Secure Sockets Layer) or TLS (Transport Layer Security) protocol between HTTP and the transport layer: HTTP talks to SSL/TLS, and SSL/TLS talks to TCP, instead of HTTP talking to TCP directly. The relationship between HTTP and HTTPS is shown below:

[Figure: the HTTP and HTTPS protocol stacks]

Disadvantages of HTTP

The disadvantages of HTTP are as follows:

  1. Communication is in plain text, so the transmitted content can be eavesdropped on.
  2. It does not verify the identity of the communicating parties, so either side can be impersonated.
  3. It cannot verify the integrity of messages, so they may have been tampered with in transit.

Public Key Encryption Technology

In both symmetric and asymmetric encryption, the algorithm itself is public and only the key is kept secret. Encryption and decryption both require a key; without the key, decryption is not possible. Conversely, if the key is intercepted, the encrypted content can be decrypted by whoever holds it.

  • Symmetric Key Encryption

This method is also known as shared key encryption: the same key is used for encryption and decryption. During communication the key has to be delivered to the other party so that they can decrypt, but that delivery can itself be intercepted, so the security of this method comes down to distributing the key securely. The diagram below illustrates this:

[Figure: symmetric (shared) key encryption]

  • Asymmetric Key Encryption

This method is also known as public key encryption. It uses a pair of asymmetric keys: a public key and a private key. The public key can be freely sent, while the private key must be kept secret.

The sender encrypts the message with the recipient's public key, and the recipient decrypts it with their own private key. The private key never has to be transmitted, so there is no risk of it being intercepted on the way. The diagram below illustrates this:

[Figure: asymmetric (public key) encryption]

HTTPS Encrypted Transmission

Since plain HTTP talks directly to TCP, the way the TCP/IP protocol family works means that the communication content can be intercepted anywhere along the transmission path. As the name suggests, the Internet is a network of networks spanning the whole world, and the devices along a communication path are not all under the communicating parties' control. This is what makes plain communication insecure, and it is why HTTPS was created. So how does HTTPS encrypt communication?

HTTPS uses a hybrid encryption mechanism. If the key could be exchanged securely, the whole session could use symmetric key encryption. Since that cannot be guaranteed, asymmetric encryption is used for the key exchange, and symmetric encryption is used for the data that follows. The point of this split is that symmetric key encryption is far faster than asymmetric key encryption.

But does encryption by itself make the communication secure? Can it still be intercepted? In fact, even encrypted traffic can still be captured with technical means. Once the content is encrypted, however, the captured bytes cannot easily be read, which is exactly what encryption is for.
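The hybrid mechanism just described, together with the symmetric and asymmetric primitives from the previous section, as an added example that is not code from the original post: RSA-OAEP carries a fresh AES key from client to server, after which AES-256-GCM protects the application data and detects tampering. This is a simplified model of the idea, not the real TLS handshake (which uses ephemeral Diffie-Hellman and a key schedule); the function names and the 2048-bit RSA / 256-bit AES sizes are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// GenServerKey makes the server's RSA key pair; the private half never leaves the server.
func GenServerKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// Asymmetric step: the client seals a fresh 256-bit session key with the server's public key (RSA-OAEP).
func SealSessionKey(serverPub *rsa.PublicKey) (sessionKey, sealed []byte, err error) {
	sessionKey = make([]byte, 32)
	if _, err = rand.Read(sessionKey); err != nil {
		return nil, nil, err
	}
	sealed, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, serverPub, sessionKey, nil)
	return sessionKey, sealed, err
}
// The server recovers the session key with its private key; the private key itself is never sent.
func OpenSessionKey(serverPriv *rsa.PrivateKey, sealed []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, serverPriv, sealed, nil)
}

// Symmetric step: application data travels under AES-256-GCM, which is fast and tamper-evident.
func NewSession(sessionKey []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(sessionKey)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}
// Seal prepends a random nonce to the ciphertext; a nonce must never repeat under one key.
func Seal(s cipher.AEAD, plaintext []byte) ([]byte, error) {
	nonce := make([]byte, s.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return s.Seal(nonce, nonce, plaintext, nil), nil
}
// Open returns an error if the record is truncated or was modified in transit.
func Open(s cipher.AEAD, record []byte) ([]byte, error) {
	n := s.NonceSize()
	if len(record) < n {
		return nil, errors.New("record too short")
	}
	return s.Open(nil, record[:n], record[n:], nil)
}
```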

During HTTPS transmission the server's public key has to be sent to the client. How is its authenticity ensured? By a public key certificate issued by a certificate authority.

Public Key Certificate

Here we need to introduce the certificate authority (CA) and the public key certificates it issues. A certificate authority is a trusted third party that both the client and the server trust. The process works as follows:

  1. The server operator submits an application for its public key to the certificate authority.
  2. After verifying the applicant's identity, the certificate authority digitally signs the submitted public key and binds the key and the signature together in a public key certificate. The server sends this CA-issued certificate to the client.
  3. On receiving the certificate, the client verifies the certificate authority's digital signature on it, confirming that the public key is genuine and trustworthy.
  4. Having confirmed this, the client encrypts its message with the server's public key.
  5. The server decrypts the message with its private key.

The process is shown in the following diagram:

[Figure: certificate issuance and verification between server, certificate authority and client]

In the third step, the client needs the certificate authority's own public key in order to check the signature, and that key must itself reach the client securely. For this reason most browser developers embed the public keys of commonly used certificate authorities in the browser when they release it.

SSL and TLS

HTTPS uses the SSL (Secure Sockets Layer) and TLS (Transport Layer Security) protocols. SSL was originally championed by the browser vendor Netscape Communications Corporation, which developed the versions up to SSL 3.0. Responsibility for the protocol has since passed to the Internet Engineering Task Force (IETF).

Taking SSL 3.0 as its basis, the IETF went on to develop TLS 1.0, TLS 1.1 and TLS 1.2. TLS is thus a protocol built on SSL, and it is sometimes still referred to as SSL. The current mainstream versions are SSL 3.0 and TLS 1.0.

Put simply, TLS is the upgraded successor of SSL and is based on the SSL design. The detailed differences between the two are left to specialists; this is only a brief background on SSL and TLS.

Why Not Use HTTPS

HTTPS is secure and reliable because it uses SSL (including TLS). However, SSL encryption slows down the entire communication process, and the constant encryption and decryption consume hardware resources on both the server and the client.

SSL not only slows communication but also consumes CPU and memory, which reduces processing speed. Compared with HTTP, the network load may be 2 to 100 times slower, as the following diagram shows:

[Figure: HTTP versus HTTPS communication overhead]

Using HTTPS therefore means higher hardware costs. In addition, purchasing certificates from certificate authorities costs money.

These are the reasons why, despite the security and reliability of HTTPS, most websites still use HTTP.
