Vernacular operation principle


What is HTTPS? How does it work?

HTTPS (full name: Hypertext Transfer Protocol over Secure Socket Layer) is an HTTP channel built for security. In short, it is the secure version of HTTP: an SSL layer is added underneath HTTP.


A long time ago there was no HTTPS, and everyone still observed martial ethics. After Ma Baoguo withdrew from the Wulin, the Wulin grew turbulent and nothing was safe anymore.

At that point, the transmission security of HTTP became an urgent problem.

So, how to solve it?

Being as smart as I am, you will have thought of data encryption. Quite right: this is the first step in the evolution of HTTPS.


This approach is symmetric encryption: both parties hold the same key, and information can be transmitted safely. Its disadvantages are:

(1) The number of clients and servers is huge, so both sides have to maintain a large number of keys, and the maintenance cost is very high.

(2) Clients and servers differ in their security level, so keys are easily leaked.

Step 2: since key maintenance is so cumbersome with symmetric encryption, let's try asymmetric encryption.


As shown in the above figure, the client encrypts the request content with the public key and the server decrypts it with the private key, and vice versa. However, this process also has a disadvantage:

(1) The public key is public (that is, hackers have the public key too), so in step ④, if the information encrypted with the private key is intercepted by hackers, they can decrypt it with the public key and obtain the content.

Step 3: since asymmetric encryption also has defects, we will combine symmetric encryption and asymmetric encryption, take their essence and discard their dross, and give full play to their respective advantages.


As shown in the figure above:

(1) In step ③, the client says: "Let's use symmetric encryption for the rest of the conversation; here are the symmetric encryption algorithm and the symmetric key." This message is encrypted with the public key and then transmitted to the server.

(2) After receiving the message, the server decrypts it with the private key, extracts the symmetric encryption algorithm and the symmetric key, and replies "OK", encrypted with the symmetric key.

(3) All subsequent information exchanged between the two can use symmetric encryption.
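Step 3 as a runnable sketch with the openssl command-line tool. This is an added example, not part of the original article; the file names and the sample message are constructed, and RSA-OAEP plus AES-256-CBC are assumed stand-ins for whatever algorithms a real handshake would negotiate.

```bash
#!/usr/bin/env bash
# Added example: hybrid encryption (step 3) with the openssl CLI.
# File names and messages are constructed for illustration.

# hybrid_roundtrip DIR MESSAGE: prints the plaintext the server recovers.
hybrid_roundtrip() {
  local d="$1" msg="$2"
  # Server: RSA key pair; only srv.pub ever leaves the server.
  openssl genrsa -out "$d/srv.key" 2048 2>/dev/null
  openssl rsa -in "$d/srv.key" -pubout -out "$d/srv.pub" 2>/dev/null
  # Client: random symmetric key, wrapped with the server's public key.
  openssl rand -hex 32 > "$d/sess.key"
  openssl pkeyutl -encrypt -pubin -inkey "$d/srv.pub" \
    -pkeyopt rsa_padding_mode:oaep -in "$d/sess.key" -out "$d/sess.wrapped"
  # Client: the payload is encrypted with the symmetric key only.
  # (openssl enc has no AEAD mode, so CBC is used here for illustration.)
  printf '%s' "$msg" | openssl enc -aes-256-cbc -pbkdf2 \
    -pass "file:$d/sess.key" -out "$d/msg.enc"
  # Server: unwrap the symmetric key with the private key, then decrypt.
  openssl pkeyutl -decrypt -inkey "$d/srv.key" \
    -pkeyopt rsa_padding_mode:oaep -in "$d/sess.wrapped" -out "$d/sess.server"
  openssl enc -d -aes-256-cbc -pbkdf2 -pass "file:$d/sess.server" -in "$d/msg.enc"
}

# eavesdropper_unwrap DIR: someone holding only srv.pub and the captured
# sess.wrapped tries to recover the symmetric key. Exit status 0 = recovered.
eavesdropper_unwrap() {
  openssl pkeyutl -decrypt -pubin -inkey "$1/srv.pub" \
    -pkeyopt rsa_padding_mode:oaep -in "$1/sess.wrapped" -out /dev/null 2>/dev/null
}

d=$(mktemp -d)
hybrid_roundtrip "$d" "hello over a hybrid channel"; echo
eavesdropper_unwrap "$d" || echo "public key alone cannot unwrap the session key"
rm -rf "$d"
```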

Problems encountered:

(1) How does the client get the public key?

(2) How can the client confirm that the server is real and not a hacker?

Step 4: obtain the public key and confirm the server identity


1. Get public key

(1) Provide an address for downloading the public key, and have the client download it before communicating. (Disadvantages: the download address may be fake, and it is troublesome for the client to download the public key before each conversation.)

(2) At the start of the conversation, the server sends the public key to the client. (Disadvantage: hackers can impersonate the server and send a fake public key to the client.)

2. Is there a way to obtain the public key safely and prevent hackers from impersonating the server? For that you need the ultimate weapon: the SSL certificate.


As shown in the above figure, in step ②, the server sends an SSL certificate to the client. The specific contents contained in the SSL certificate include:

(1) Certificate issuing authority CA

(2) Validity of certificate

(3) Public key

(4) Certificate owner

(5) Signature


3. When the client receives the SSL certificate sent by the server, it will verify the authenticity of the certificate. Take the browser as an example, as follows:

(1) First, the browser reads the certificate owner, validity period and other information in the certificate and verifies each item.

(2) The browser looks up the trusted certificate authorities (CAs) built into the operating system and compares them with the issuer CA in the certificate sent by the server, to verify that the certificate was issued by a legitimate authority.

(3) If the issuer cannot be found, the browser reports an error indicating that the certificate sent by the server is untrusted.

(4) If it is found, the browser takes the public key of the issuer CA from the operating system and uses it to decrypt the signature in the certificate sent by the server.

(5) The browser uses the same hash algorithm to calculate the hash value of the certificate sent by the server, and compares the calculated hash value with the value obtained from the signature in the certificate.

(6) If the two match, this proves that the certificate sent by the server is legitimate and has not been forged.

(7) At this point, the browser can read the public key in the certificate and use it for subsequent encryption.

4. Therefore, sending an SSL certificate solves both the problem of obtaining the public key and the problem of hacker impersonation. It kills two birds with one stone, and with it the HTTPS encryption process is complete.

Therefore, HTTPS transmission is more secure than HTTP:

(1) All information is encrypted, and hackers can't eavesdrop.

(2) It has a verification mechanism. Once the data is tampered with, both sides of the communication find out immediately.

(3) It provides identity certificates, which prevent identities from being impersonated.

I also recommend the following two articles:

Question 1: what is SSL / TLS?

SSL (Secure Sockets Layer): developed by Netscape in 1994, the SSL protocol sits between TCP/IP and the various application-layer protocols and provides security support for data communication.

TLS (Transport Layer Security): its predecessor is SSL. The initial versions (SSL 1.0, SSL 2.0 and SSL 3.0) were developed by Netscape; starting with version 3.1 in 1999, it was standardized and renamed by the IETF. So far there are three versions: TLS 1.0, TLS 1.1 and TLS 1.2. SSL 3.0 and TLS 1.0 are rarely used because of security vulnerabilities. TLS 1.3 brings major changes and is currently being promoted. At present, TLS 1.1 and TLS 1.2 are the most widely used.

Question 2: what are the encryption algorithms?

1. Symmetric encryption

There are two types, stream ciphers and block ciphers. Encryption and decryption use the same key.

For example: DES, AES-GCM, ChaCha20-Poly1305, etc.

2. Asymmetric encryption

The keys used for encryption and decryption are different; they are called the public key and the private key. The public key and the algorithm are public, and the private key is kept confidential. Asymmetric encryption algorithms are slow but provide strong security. Because of how they work, the length of data an asymmetric algorithm can encrypt is also limited.

For example: RSA, DSA, ECDSA, DH, ECDHE

3. Hash algorithm

Converts information of any length into a value that is usually much shorter than the information itself; the algorithm is irreversible.

For example: MD5, SHA-1, SHA-2, SHA-256, etc.

4. Digital signature

A signature is a piece of content (the hash value of the information) appended to the information, which can prove that the information has not been modified. The hash value is usually encrypted (that is, signed) and sent together with the information, to ensure that the hash value itself is not modified.

Question 3: can the middleman get the server public key through the third-party public key and then crack the symmetric secret key?

I feel like I can, but I can’t tamper with it. Because the middleman can also get the public key of the certification authority, decrypt the server public key, decrypt the randomly generated symmetric secret key through the server public key, and then view the encrypted data? It seems that some packet capture tools can decrypt the encrypted data after they trust their certificates. But if this happens, eavesdropping cannot be prevented. Did I get it wrong? Please give me some advice!

Question 4: can the middleman tamper with the server certificate?

No. The certificate is encrypted (that is, signed) with the private key of the certificate authority, and someone who wants to tamper with the certificate cannot obtain the certificate authority's private key.


Generating certificates with OpenSSL

In most development and debugging work we need to debug https locally, which requires a local certificate, and openssl is the all-in-one tool for this; with openssl we can serve https requests for local debugging.

  1. A brief introduction to openssl
  2. Self-signed certificate
  3. Local private CA certificate

Introduction to openssl

OpenSSL is an open source project, which mainly includes the following three components:

  1. openssl: a versatile command-line tool
  2. libcrypto: the cryptographic algorithm library
  3. libssl: the library that implements SSL and TLS

OpenSSL provides key and certificate management, symmetric encryption and asymmetric encryption.

Self-signed certificate

To send https requests to a local machine, we need a local https service, so a certificate is unavoidable. In general we do not use the production certificate for this: the local service would then need the production private key and other sensitive material, which can easily lead to disclosure of the private key and is therefore unsafe. So we need to generate a local certificate.

As mentioned earlier, a certificate has to be signed by a CA organization. Do we have to apply for that for a certificate used only in local testing? No: because it is only used locally, we just need a certificate and can add trust manually. A self-signed certificate solves this problem.

More on self-signed certificates: the core idea is to sign your own certificate request [this is how a CA root certificate is generated]. The certificate is obtained by signing your own certificate request (CSR) with your own private key.

With a self-signed certificate we have the certificate the https service needs. It then has to be trusted in a way that depends on the local environment, so that the locally started https service is correctly recognized by the browser. The whole process is as follows:

  1. Generate the private key

    openssl genrsa -des3 -out cwj.key 2048

    The command above generates a local private key. It is used later to create the certificate request (CSR) and to self-sign that CSR.

  2. Generate the certificate request (CSR)

    openssl req -new -key cwj.key -out cwj.csr

    You need to fill in a series of fields, including location, company, domain name, email and so on. At this point the public key matching the server's private key is derived automatically and included in the CSR.

  3. Use the private key to self-sign and produce the complete certificate

    openssl x509 -req -sha256 -days 3650 -in cwj.csr -signkey cwj.key -out cwj.crt

    The private key generated earlier signs the certificate request (CSR), which yields the complete certificate.

This does meet some of the requirements. You only need the certificate and the private key to start the https service, and you trust the certificate locally. The advantages are as follows:

  1. Local self-signing, with no CA root certificate needed;
  2. Simple process.

However, there are some disadvantages:

  1. The certificate cannot be revoked, and the private key has to be kept safe; for local debugging only, this is harmless;
  2. Multiple domain names require multiple certificates, generated per domain name, and the client has to trust each of them separately. [openssl can, however, also generate multi-domain certificates, where one certificate covers several domain names; this is generally done through the openssl.cnf configuration file.]

So there is another way: to simulate a complete, realistic https service, we can generate a CA root certificate locally and sign all other local certificates with the CA's private key. The signed certificates are trusted only if the local CA root certificate is trusted. This is the evolved method described below: the local private CA root certificate.

Local private CA root certificate (pseudo CA root certificate)

The overall process is to generate a CA certificate locally, which acts like a CA organization [called the pseudo CA root certificate for now], and to use this pseudo CA root certificate to sign all other local certificates. We trust the pseudo CA root certificate locally, and then every certificate signed by it is trusted. This avoids generating a self-signed certificate for each domain name and trusting each one separately.

  1. Generate the pseudo CA root certificate and add it to the trust store

    openssl genrsa -des3 -out ca.key 2048
    openssl req -new -key ca.key -out ca.csr
    openssl x509 -req -sha256 -days 3650 -in ca.csr -signkey ca.key -out ca.crt

    As you can see, the CA root certificate is an instance of a self-signed certificate;

  2. Generate the key and the CSR for a local single-domain certificate

    openssl genrsa -des3 -out cwj.key 2048
    openssl req -new -key cwj.key -out cwj.csr

    This generates a certificate request;

  3. Sign the other CSR with the private key of the pseudo CA root certificate

    openssl x509 -req -sha256 -days 3650 -in cwj.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out cwj.crt

In this way the certificate problem is solved; which scheme to use for generating the certificate depends on the situation.

Trusting the certificate requires a few extra steps, and the process differs by system: on macOS, trust it in Keychain; on Windows, import the certificate.
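The private-CA procedure above, together with the client-side checks from the certificate verification steps and Question 4, in a non-interactive form. This is an added example, not the original article's commands: it omits -des3 so that no passphrase prompt appears, adds basicConstraints and subjectAltName through -extfile, and uses constructed names (Example Local CA, dev.example.test).

```bash
#!/usr/bin/env bash
# Added example: private CA -> signed leaf certificate -> client-side checks.
# Names (Example Local CA, dev.example.test) and file names are constructed.

# make_ca DIR: self-signed root, marked as a CA through basicConstraints.
make_ca() {
  local d="$1"
  # Minimal req config so the run does not depend on the system openssl.cnf;
  # the subject itself comes from -subj.
  printf '[req]\ndistinguished_name=req\n' > "$d/req.cnf"
  openssl genrsa -out "$d/ca.key" 2048 2>/dev/null
  openssl req -new -config "$d/req.cnf" -key "$d/ca.key" \
    -subj "/CN=Example Local CA" -out "$d/ca.csr"
  printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
  openssl x509 -req -sha256 -days 30 -in "$d/ca.csr" -signkey "$d/ca.key" \
    -extfile "$d/ca.ext" -out "$d/ca.crt" 2>/dev/null
}

# make_leaf DIR HOST: key and CSR, then a certificate signed by DIR's CA.
# subjectAltName carries the host name that clients match against.
make_leaf() {
  local d="$1" host="$2"
  openssl genrsa -out "$d/leaf.key" 2048 2>/dev/null
  openssl req -new -config "$d/req.cnf" -key "$d/leaf.key" \
    -subj "/CN=$host" -out "$d/leaf.csr"
  printf 'subjectAltName=DNS:%s\n' "$host" > "$d/leaf.ext"
  openssl x509 -req -sha256 -days 30 -in "$d/leaf.csr" \
    -CA "$d/ca.crt" -CAkey "$d/ca.key" -set_serial 01 \
    -extfile "$d/leaf.ext" -out "$d/leaf.crt" 2>/dev/null
}

# check_cert CAFILE CERT HOST: succeeds only if CERT chains to CAFILE,
# its signature and validity period check out, and it is issued for HOST.
check_cert() {
  openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

real=$(mktemp -d); rogue=$(mktemp -d)
make_ca "$real";  make_leaf "$real"  dev.example.test
make_ca "$rogue"; make_leaf "$rogue" dev.example.test  # same names, other CA key
check_cert "$real/ca.crt" "$real/leaf.crt"  dev.example.test   && echo "genuine: trusted"
check_cert "$real/ca.crt" "$rogue/leaf.crt" dev.example.test   || echo "impostor: rejected"
check_cert "$real/ca.crt" "$real/leaf.crt"  other.example.test || echo "wrong host: rejected"
rm -rf "$real" "$rogue"
```

The second check fails even though the impostor CA uses the same subject name, because the leaf's signature does not verify under the trusted CA's public key.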

Deploying HTTPS with nginx in practice

There are many ways to start an https service locally. Here we use nginx; its HTTPS module (see the nginx official website) mainly needs the private key and the certificate, that is, the certificate generated by one of the methods above and the server private key [a local CA root certificate also has to be trusted locally].

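server {
        listen       443 ssl;

        # Certificate and private key generated with openssl above.
        # cwj.key was created with -des3, so nginx needs its passphrase
        # (ssl_password_file) or an unencrypted copy of the key.
        ssl_certificate      /cwjhttps/cwj.crt;
        ssl_certificate_key  /cwjhttps/cwj.key;

        # Reuse TLS sessions to avoid a full handshake on every connection.
        ssl_session_cache    shared:SSL:1m;
        ssl_session_timeout  5m;

        # Exclude unauthenticated (aNULL) and MD5-based cipher suites.
        ssl_ciphers  HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers  on;

        # Caveat: root is the directory that also holds cwj.key, so the key
        # file can be requested by clients; keep keys outside the web root.
        location / {
            root   /cwjhttps;
            index  home.html index.htm test.html;
        }
}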


This work is licensed under a CC license; reprints must credit the author and link to this article.