HTTPS (full name: Hyper Text Transfer Protocol over Secure Socket Layer maybe Hypertext Transfer Protocol Secure, Hypertext Transfer Security Protocol (HTTP), a secure HTTP channel for security purposes, is simply a secure version of HTTP. That is, SSL layer is added under HTTP, and the security base of HTTPS is SSL, so SSL is required for encryption details.
Because the HTTP protocol is plaintext, there are three major risks:
- The Risk of Eavesdropping: Third Parties Can Intercept and View Your Content
- Danger of tampering: Third parties can intercept and modify your content
- The Risk of Being Faked: A third party can communicate with you disguised as a party of communication
The emergence of HTTPS is the result of the above three security risks.
The difference between HTTPS and HTTP
The Hypertext Transfer Protocol (HTTP) protocol is used to pass information between a Web browser and a Web server. The HTTP protocol sends content in clear text and does not provide any form of data encryption, If an attacker intercepts a message between a Web browser and a Web server, the message can be read directly, so the HTTP protocol is not suitable for transmitting sensitive information, such as credit card numbers, passwords, and so on.
To address this flaw in the HTTP protocol, you need to use another protocol: the hypertext transport security protocol HTTPS. For the security of data transmission, HTTPS adds the SSL protocol to the HTTP, which relies on certificates to verify the identity of the server and encrypts the communication between the browser and the server.
The main differences between HTTPS and HTTP are the following four points:
- the https agreement requires a certificate to be applied for by CA. generally free certificate or for a very small fee.
- http is a hypertext transfer protocol, the information is plaintext transfer, and https is a secure ssl encryption transport protocol.
- http and https use a completely different way of connecting, as do the ports used, 80 and 443, respectively, for the former and for the latter.
- The http connection is simple and stateless; The HTTPS protocol is a network protocol built by SSL+HTTP protocol that can encrypt and authenticate data, and is more secure than the HTTP protocol.
SSL (Secure Sockets Layer Security) and its successor Transport Layer Security (TLS) is a Security protocol that provides Security and data integrity for network communication. The TLS and SSL encrypt network connections in the transport layer.
Symmetric encryption is also called private key encryption, in which the sender and the receiver of a message use the same key to encrypt and decrypt data. The characteristic of symmetric encryption is that the algorithm is open, encrypted and decrypted, and is suitable for encryption of large amounts of data, The most common symmetric encryption algorithms are DES, 3DES, TDEA, Blowfish, RC5, and IDEA.
The encryption process is as follows: plaintext + encryption algorithm + private key => ciphertext
The decryption process is as follows: ciphertext + decryption algorithm + private key => plaintext
The private key in the encryption process is the same as the private key used in the decryption process, which is why the encryption is called “symmetry”. Because the symmetric encryption algorithm is public, once the private key is disclosed, the ciphertext can be easily cracked, so the disadvantage of symmetric encryption is the difficulty of key security management.
Asymmetric encryption is also known as public key encryption. Asymmetric encryption is more secure than symmetric encryption. Symmetricly encrypted communication uses the same key, and if one party’s key is compromised, the whole communication is cracked. Asymmetric encryption uses a pair of keys, public key and private key, and they appear in pairs. The private key is kept by itself and cannot be disclosed to the public. The public key is the public key that anyone can get. Encrypt with either the public key or the private key, and decrypt with the other.
Ciphertext encrypted by the public key can only be decrypted by the private key, as follows:
Plaintext + Encryption + Public key => Ciphertext, Ciphertext + Decryption Algorithm + Private key => Plaintext
Ciphertext encrypted by the private key can only be decrypted by the public key, as follows:
Plaintext + Encryption Algorithm + Private Key => Ciphertext, Ciphertext + Decryption Algorithm + Public Key => Plaintext
The disadvantage of asymmetric encryption is that encryption and decryption take a long time and are slow, and are only suitable for encryption of a small amount of data.
The main algorithms used in asymmetric encryption are: RSA, Elgamal, Rabin, D-H, ECC ( elliptic curve encryption algorithm), and so on.
Workflow of SSL protocol
Server authentication stage:
1) the client sends a start message “Hello” to the server to start a new session connection;
2) The server determines whether a new master key needs to be generated based on the client’s information, and if required, the server will include the information required to generate the master key in response to the client’s “Hello” information;
3) the client generates a master key based on the response information received from the server and encrypts it with the public key of the server to the server;
4) The server restores the master key and returns to the customer a message authenticated with the master key to allow the client to authenticate the server.
User authentication phase
Prior to this, the server had passed the customer authentication, this stage mainly completes the customer authentication. The authenticated server sends a question to the client, who returns the (digital) signature question and its public key, thereby providing authentication to the server.
For more articles you can follow us on: