Dongdong wants to visit the xx website, and the underlying network is already set up. The link layer physically connects the networks. The network layer routes traffic from Dongdong's host to the xx server's host according to IP routing rules. The transport layer carries data from Dongdong's browser process to the xx service process on the server. The application layer then parses the HTTP content and handles processing and display. With this network infrastructure in place, Dongdong can visit the xx website he likes.

But if Dongdong wants to store some of his own data on the xx website, he has to add his own identification, that is, a user name, and a password to prove that it is him. The process of creating this identity is registration, and the process of proving that this identity is your own is logging in.

But after a while, Dongdong found something wrong. How did Xiao Wang next door know that he had visited the xx website? He must have intercepted my traffic halfway and seen either my username and password or the content I visited. What to do? Encryption! I put the contents in a box, lock it and pass it over, and the other side opens it with the corresponding key. Others cannot read the contents without the key. This kind of key is called a symmetric key.

But how can I pass the key on without others knowing? Dongdong fell into deep thought. At this time, Guangguang introduced him to a magical lock. This lock needs different keys to lock and unlock, called an asymmetric key, which is said to solve the problem. Dongdong thought for a while and said, yes, if different keys are used to lock and unlock, then the xx server only needs to give me one key. I put the content in the box and lock it, and only the server can unlock it. This solves the problem of symmetric key transfer, and the other party can then conduct encrypted communication after obtaining the key.

Later, Dongdong learned that this encryption technology is called RSA, which can generate two keys.
Keep one key private and make one key public. The key you keep for yourself is called the private key. The key available to everyone is called the public key. Public key encryption can only be decrypted by the private key, and private key encryption can only be decrypted by the public key. Because the public key is public, anyone can encrypt with it, but only I can decrypt what others have encrypted. This is called encryption. Only I have the private key. After I encrypt something with it, anyone can decrypt it, but they all know that it was encrypted by me, which proves my identity. This is called a signature. Encryption and signing are used to solve different problems.

Back to Dongdong's question: there are so many locked boxes and public keys in the world, so how do I know that this box and public key are the ones given to me by the xx server? It would be nice if there was an authoritative organization that could verify the authenticity of a public key. This organization is called a CA, and its job is to vouch for the authenticity of public keys. A public key certified as authentic by this organization is called a digital certificate.

Now Dongdong's computer stores the list of CAs he trusts, and when he visits the xx website, he gets its digital certificate. After checking, it turns out to be issued by a CA I trust. Then I pass the symmetric key to the server, and after that we use the symmetric key to encrypt the messages. From then on, Dongdong can happily visit the xx website without worrying about the snooping of Xiao Wang next door.

Let's take a look at the technology involved. The core is the RSA algorithm used for asymmetric encryption, which can generate two keys, one public and one private, for encryption and signing. In this way, the symmetric key is transmitted, and then the information is encrypted and transmitted. The public key also needs to be authenticated. This is done by the CA, which is a trusted organization stored in the computer.
The public key they authenticate is called a digital certificate.

So at which layer of the network is this technology located? The encrypted transmission from process to process is obviously the transport layer, and this protocol is called SSL. After the release of versions 1.0, 2.0, and 3.0, a bug was found, which was later fixed. The change was considered relatively large, so the protocol was renamed TLS. The next layer is HTTP, used to access website content. So this kind of secure communication is SSL + HTTP or TLS + HTTP, together called HTTPS. CA-certified certificates can also be called HTTPS digital certificates, SSL digital certificates, TLS digital certificates, etc.

Later, Dongdong became a programmer. He no longer only browsed the pages of the xx website on the web, but also connected to the server to execute scripts, which was a lot more professional. Just like visiting the xx website, this also requires logging in. Can you still use HTTPS? No, not every website needs to be certified by a CA. Otherwise, with so many internal servers, would we need to certify them all before we can access them? So to simplify it, the xx server gives me the public key directly and lets me choose whether to trust it. In this way, as long as I trust the public key, I can be sure that it is the xx server, and then pass the username and password to it, and after verification, I can log in to the server. This is called the SSH protocol. It looks not much different from HTTPS, except that the public key does not need CA certification.

As if that weren't enough, it's so troublesome to have to enter my username and password every time. How can I prove my identity without entering a password? Dongdong remembered that an RSA private key can be used for signing. Then I give the public key to the xx server and encrypt some random content with the private key. If the server can decrypt it, doesn't that prove that I am me? So Dongdong improved the SSH protocol.
Instead of trusting the server's public key and then sending the username and password, the server returns a random number. I use my private key to encrypt the random number (that is, sign it), and if the other side can decrypt it, it proves that I am me. A private key signature can prove identity, so why use a username and password? It is also more secure. In this way, Dongdong can log in to the xx server without a password and execute various commands. It's just that at the beginning you need to generate the public and private keys locally and tell the xx website the public key.

Looking back at the HTTPS and SSH we have used along the way, although both are based on public and private keys, there are indeed some differences.
In fact, there are only two differences: one is whether the public key is CA certified, and the other is whether identity is authenticated with a username and password or with a public/private key pair. Of course, they are used for different purposes: one is for secure browsing of web pages, and the other is for remote command execution. Because of their different orientations, HTTPS and SSH have developed into different protocols based on the public and private key mechanism of RSA. Dongdong has also grown from an ordinary computer user to a professional programmer.
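The SSH step above, where the server hands over its public key and the user chooses whether to trust it, can be made concrete as a small trust-on-first-use store. This is an added Go example, not code from the original article or from OpenSSH; `KnownHosts`, `Check`, `Fingerprint`, `NewHostKey` and the fingerprint encoding are hypothetical names and assumptions made for illustration.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"errors"
	"fmt"
)

// ErrChanged: the server presents a different key than the one trusted earlier.
var ErrChanged = errors.New("host key changed since it was first trusted")

// KnownHosts remembers, per host, the fingerprint the user accepted (constructed store).
type KnownHosts map[string]string

// NewHostKey generates a server key pair for the demonstration.
func NewHostKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// Fingerprint hashes the DER-encoded key; OpenSSH hashes its own wire encoding instead.
func Fingerprint(pub *rsa.PublicKey) string {
	sum := sha256.Sum256(x509.MarshalPKCS1PublicKey(pub))
	return "SHA256:" + base64.RawStdEncoding.EncodeToString(sum[:])
}

// Check trusts a key on first use if accept agrees; later only the same key passes.
func (k KnownHosts) Check(host string, pub *rsa.PublicKey, accept func(fp string) bool) error {
	fp := Fingerprint(pub)
	saved, seen := k[host]
	switch {
	case seen && saved == fp:
		return nil
	case seen:
		return ErrChanged // never re-prompt silently: this is the interception signal
	case accept(fp):
		k[host] = fp
		return nil
	}
	return errors.New("host key not accepted")
}

func main() {
	genuine, _ := NewHostKey() // errors ignored only to keep this demo main short
	other, _ := NewHostKey()
	hosts, yes := KnownHosts{}, func(string) bool { return true }
	fmt.Println(hosts.Check("xx", &genuine.PublicKey, yes), hosts.Check("xx", &other.PublicKey, yes))
}
```

Without a CA, the only protection is that the key seen later matches the key accepted the first time, so a changed key has to stop the connection rather than prompt again.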
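The password-less login described above, as an added Go example that is not part of the original article: the server issues a random number, the client signs it with its private key, and the server verifies the signature with the registered public key. `Server`, `NewServer`, `Challenge`, `Login`, `NewKey` and `Sign` are hypothetical names, and the exchange is simplified to the article's description (real SSH signs data tied to the session rather than a bare random number).

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Server holds each user's registered public key and the challenge awaiting a signature.
type Server struct {
	keys    map[string]*rsa.PublicKey
	pending map[string][]byte
}
func NewServer(u string, pub *rsa.PublicKey) *Server { return &Server{map[string]*rsa.PublicKey{u: pub}, map[string][]byte{}} }

// Challenge issues a fresh random number for the user to sign.
func (s *Server) Challenge(user string) ([]byte, error) {
	n := make([]byte, 32)
	if _, err := rand.Read(n); err != nil {
		return nil, err
	}
	s.pending[user] = n
	return n, nil
}

// Login checks the signature with the registered key; each challenge works once.
func (s *Server) Login(user string, sig []byte) bool {
	n, asked := s.pending[user]
	delete(s.pending, user) // consumed, so a captured signature cannot be replayed
	d, pub := sha256.Sum256(n), s.keys[user]
	return asked && pub != nil && rsa.VerifyPSS(pub, crypto.SHA256, d[:], sig, nil) == nil
}

// Client side: generate a key pair, and sign a challenge with the private key.
func NewKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }
func Sign(k *rsa.PrivateKey, challenge []byte) ([]byte, error) {
	d := sha256.Sum256(challenge)
	return rsa.SignPSS(rand.Reader, k, crypto.SHA256, d[:], nil)
}

func main() {
	k, _ := NewKey() // errors ignored only to keep this demo main short
	s := NewServer("dongdong", &k.PublicKey)
	n, _ := s.Challenge("dongdong")
	sig, _ := Sign(k, n)
	fmt.Println("login:", s.Login("dongdong", sig), "replay:", s.Login("dongdong", sig))
}
```

The private key never leaves the client, and because every login uses a new random number, a signature captured on the wire is useless for a later login.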