PS: Persistence is the greatest transcendence.
Recently, someone asked about HTTPS-related knowledge. Although I can use it, I only have a partial understanding of it. Today, I will summarize some HTTPS-related knowledge points. This article mainly covers the theoretical knowledge, and the next article will provide a practical case study. The main contents are as follows:
- What is HTTPS?
- Disadvantages of HTTP
- Public key encryption technology
- HTTPS encrypted transmission
- Public key certificates
- SSL and TLS
- Why not use HTTPS?
What is HTTPS?
Simply put, HTTPS (HTTP Secure) is HTTP with added encryption and authentication mechanisms.
HTTPS is not a new protocol alongside HTTP. Instead, the part of HTTP that talks to the network is replaced by the SSL (Secure Socket Layer) and TLS (Transport Layer Security) protocols. In other words, HTTP hands its data to SSL, and SSL hands it to TCP, instead of HTTP communicating with TCP directly. The diagram below illustrates the difference between HTTP and HTTPS:
Disadvantages of HTTP
The disadvantages of HTTP are as follows:
- Communication is in plain text, and the transmitted content may be intercepted.
- It does not verify the identity of the communicating parties, making it easy for impersonation and malicious requests.
- It cannot guarantee the integrity of the messages and may be susceptible to tampering.
Public Key Encryption Technology
In symmetric key encryption and asymmetric key encryption algorithms, the encryption algorithm is public, while the key is kept secret. Encryption and decryption both require the key, and without the key, decryption is not possible. Conversely, if the key is intercepted, the encrypted content may be decrypted.
- Symmetric Key Encryption
This encryption method is also known as shared key encryption. It uses the same key for encryption and decryption. During communication, the key needs to be transmitted to the other party for decryption. However, the key transmission process can also be intercepted, so the security of this encryption method relies on securely transmitting the key. The diagram below illustrates this process:
- Asymmetric Key Encryption
This method is also known as public key encryption. It uses a pair of asymmetric keys: a public key and a private key. The public key can be freely distributed, while the private key must be kept secret.
The sender encrypts the message using the recipient's public key, and the recipient decrypts it using their private key. This method eliminates the need to transmit the private key for decryption, thus avoiding the risk of interception. The diagram below illustrates this process:
HTTPS Encrypted Transmission
Since the original HTTP communicates directly with TCP, the nature of the TCP/IP protocol makes it possible for the communication content to be intercepted during transmission. As the Internet is composed of networks that can be accessed globally, the communication devices on the transmission path are not all private, which compromises communication security. To address this, HTTPS was introduced. But how does HTTPS achieve encryption?
HTTPS uses a hybrid encryption mechanism. If the key could be exchanged securely, the whole communication could be conducted with symmetric key encryption alone. Since the security of the key exchange cannot be guaranteed on its own, asymmetric encryption is used during the key exchange, and the messages that follow are encrypted with symmetric encryption using the exchanged key. The reason for this split is that symmetric key encryption is much faster than asymmetric key encryption.
However, does encryption guarantee security and prevent eavesdropping? In reality, even if communication is encrypted, the content can still be intercepted using technical means. However, encrypted communication makes it difficult to understand the specific message content, achieving the goal of encryption.
During HTTPS encrypted transmission, the public key needs to be transmitted. To ensure the correctness of the public key, it is verified using a public key certificate issued by a Certificate Authority (CA).
Public Key Certificates
This brings us to the topic of public key certificates issued by Certificate Authorities (CAs) and related organizations. CAs are trusted third-party organizations that both the server and client can rely on. The specific process is as follows:
- The server operator submits its public key to a CA and applies for a certificate.
- After verifying the operator's identity, the CA digitally signs the submitted public key and places the key and the signature together in a public key certificate. The server sends this certificate, issued by the CA, to the client.
- The client receives the public key certificate from the CA and verifies it by checking the digital signature. This ensures that the public key is genuine and trustworthy.
- Once verified, the client uses the public key to encrypt the message.
- The server uses its private key to decrypt the message.
The process is illustrated in the diagram below:
The third step depends on the client already holding the CA's public key. Because sending that key over the network would raise the same problem it is meant to solve, most browser developers embed the public keys of commonly used CAs in the browser in advance.
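The following Python script is an added illustration of the two sections above (the hybrid encryption used in HTTPS transmission and the CA-signed public key certificate); it is not part of the original article and is a toy model written for this page. It uses only the standard library and makes these assumptions: the key pairs are small textbook RSA keys, the "symmetric cipher" is a SHA-256 keystream with an HMAC tag, the names `Toy Root CA`, `example.com`, `client_hello` and `server_receive` are constructed, and the CA public key pre-installed in a browser is represented by the `trust_store` dictionary the client holds before the exchange begins.

```python
import hashlib
import hmac
import random

rng = random.Random(2024)  # fixed seed so the demo is reproducible; real keys need a CSPRNG

def is_probable_prime(n, rounds=16):
    # Miller-Rabin probable-prime test
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_prime(bits):
    while True:
        c = rng.getrandbits(bits) | (1 << (bits - 1)) | 1  # force top bit set and odd
        if is_probable_prime(c):
            return c

def rsa_keygen(bits=160):
    # textbook RSA, returns ((n, e), (n, d)); the 320-bit modulus is a toy size for illustration
    e = 65537
    while True:
        p, q = gen_prime(bits), gen_prime(bits)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (p * q, e), (p * q, pow(e, -1, phi))

def sha256_int(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

# Certificate: the CA signs (subject, public key); the client re-checks that signature with the CA
# public key it already holds, which models the CA keys shipped inside a browser.
def cert_body(subject, pubkey):
    return f"{subject}|{pubkey[0]}|{pubkey[1]}".encode()

def issue_certificate(ca_name, ca_priv, subject, subject_pub):
    n, d = ca_priv
    sig = pow(sha256_int(cert_body(subject, subject_pub)), d, n)
    return {"issuer": ca_name, "subject": subject, "pubkey": subject_pub, "sig": sig}

def verify_certificate(cert, trust_store, expected_subject):
    ca_pub = trust_store.get(cert["issuer"])
    if ca_pub is None or cert["subject"] != expected_subject:
        return False  # unknown issuer, or a certificate issued for a different host
    n, e = ca_pub
    return pow(cert["sig"], e, n) == sha256_int(cert_body(cert["subject"], cert["pubkey"]))

# Symmetric part: SHA-256 counter-mode keystream plus an HMAC tag (encrypt-then-MAC); a toy cipher
def derive(key, label):
    return hashlib.sha256(label + key).digest()

def keystream(key, length):
    return b"".join(hashlib.sha256(key + i.to_bytes(8, "big")).digest() for i in range((length + 31) // 32))[:length]

def sym_encrypt(key, plaintext):
    ct = bytes(a ^ b for a, b in zip(plaintext, keystream(derive(key, b"enc"), len(plaintext))))
    return ct + hmac.new(derive(key, b"mac"), ct, hashlib.sha256).digest()

def mac_ok(key, blob):
    return hmac.compare_digest(blob[-32:], hmac.new(derive(key, b"mac"), blob[:-32], hashlib.sha256).digest())

def sym_decrypt(key, blob):
    if not mac_ok(key, blob):
        raise ValueError("integrity check failed: ciphertext was modified in transit")
    ct = blob[:-32]
    return bytes(a ^ b for a, b in zip(ct, keystream(derive(key, b"enc"), len(ct))))

# Hybrid exchange: the session key travels under the server's public key, the data under the session key
def client_hello(cert, trust_store, host, request):
    if not verify_certificate(cert, trust_store, host):
        raise ValueError("untrusted certificate")
    session_key = rng.getrandbits(128).to_bytes(16, "big")
    n, e = cert["pubkey"]
    return pow(int.from_bytes(session_key, "big"), e, n), sym_encrypt(session_key, request)

def server_receive(server_priv, wrapped_key, blob):
    n, d = server_priv
    return sym_decrypt(pow(wrapped_key, d, n).to_bytes(16, "big"), blob)

def run_demo():
    ca_pub, ca_priv = rsa_keygen()
    srv_pub, srv_priv = rsa_keygen()
    cert = issue_certificate("Toy Root CA", ca_priv, "example.com", srv_pub)
    wrapped, blob = client_hello(cert, {"Toy Root CA": ca_pub}, "example.com", b"GET / HTTP/1.1")
    return server_receive(srv_priv, wrapped, blob)
```

Calling `run_demo()` returns the decrypted request: the session key crossed the wire only under the server's public key, and the request only under the session key, which is the hybrid scheme from the previous section. `verify_certificate` returns `False` for a certificate signed by a CA missing from the trust store or issued for a different host, which is the check the client performs in the third step of the list above, and `sym_decrypt` rejects any ciphertext whose tag no longer matches, which covers the tampering problem listed under the disadvantages of HTTP.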
SSL and TLS
HTTPS uses the SSL (Secure Socket Layer) and TLS (Transport Layer Security) protocols. SSL was originally proposed by the browser developer Netscape Communications Corporation, which developed it up to SSL 3.0. Responsibility for the protocol has since been transferred to the Internet Engineering Task Force (IETF).
The IETF used SSL 3.0 as a basis and subsequently developed TLS 1.0, TLS 1.1, and TLS 1.2. TLS is a protocol based on SSL and is sometimes referred to as SSL. The current mainstream versions are SSL 3.0 and TLS 1.0.
SSL and TLS can be understood as TLS being an upgraded version of SSL. TLS is based on SSL. The specific differences between the two are better explained by professionals. Here, we briefly introduce the background of SSL and TLS.
Why Not Use HTTPS?
HTTPS is secure and reliable due to the use of SSL (including TLS). However, SSL encryption slows down the entire communication process and consumes hardware resources on both the server and client sides due to frequent encryption and decryption.
SSL not only slows down communication but also consumes CPU and memory, resulting in slower processing. Compared with HTTP, the network load may be 2 to 100 times higher, as shown in the diagram below:
Using HTTPS means increasing hardware costs, and purchasing certificates from Certificate Authorities also incurs expenses.
These are the reasons why most websites still use HTTP, despite the security and reliability of HTTPS.