Telling the story of HTTPS

Starring in the story:

Xiaohua is a freshman this year. This is the first time she has left her parents, going to Beijing to study on her own. Today is her mother's birthday, and she wanted to send her a birthday wish, so she sent her a message:

The mother was very happy to receive the message: her daughter was so busy, yet she still remembered her birthday. The two began to chat. Knowing that her daughter had always been frugal, the mother decided to send her some money.

Xiao Hei is a hacker who specializes in "stealing" things. He had been monitoring the conversation between mother and daughter, watching them chat until they were almost asleep.

When he saw the mother and daughter mention money, he immediately perked up and decided to make a fortune. He intercepted Xiaohua's message, replaced it with content he had carefully prepared, and sent it on to Xiaohua's mother.

Xiaohua's mother then transferred the money to Xiaohua, never suspecting that Xiaohei had full control over the content of their conversation. Xiaohei ran off with the money.

"Note: HTTP is built directly on top of TCP, so HTTP is only as secure as the TCP connection beneath it. HTTP message content is not encrypted, so it is easy to eavesdrop on and tamper with. Xiao Hei monitored the chat between mother and daughter, tampered with the content, and chatted with the mother while pretending to be the daughter. HTTP therefore has the following three problems:

  • The content is transmitted in plain text, so it is not encrypted and can easily be eavesdropped on;
  • The integrity of the content cannot be verified, so it can easily be tampered with: the receiver cannot tell whether the message has been modified;
  • The other party's identity cannot be verified: who is the person I'm chatting with now, and can they be trusted?"

After being cheated, Xiaohua felt very sad and told her computer teacher, Wang Daqiang, about it. Teacher Wang was very surprised to hear how she had been cheated: why could the message be tampered with? He immediately checked the chat software they used and found that it used the TCP protocol directly, without any security measures.

After studying the software, Daqiang said to Xiaohua: "There is a problem with this software. Don't use it in the future. Use software with security measures, such as software that uses the TLS/SSL protocol."

Xiaohua asked, "What is TLS/SSL?" Seeing Xiaohua's sincere expression, Daqiang decided to explain the principle of HTTPS to her, but thought she might not understand it directly, so he decided to analyze the scene in which she and her mother had been deceived.

Since the chat content between Xiaohua and her mother is transmitted in plain text, why not simply encrypt the content? Xiaohua and her mother agree on a secret key (a "password"), and all content is encrypted and decrypted with this key.

"Note: This encryption method is called symmetric encryption. Encryption and decryption are both performed with the same key, so the key must be kept secret. Once it leaks, the consequences are serious."

Xiaohua immediately realized that something was wrong. How could she pass the key to her mother? The two parties could only agree on a key when they met in person. Then she thought of her father, who was far away in the United States. If she asked him for money, she would need to fly to the United States to tell him the key. That was far too troublesome.

Teacher Wang Daqiang said: "Don't worry, there is a better way." Use two keys instead: one is kept only by you (called the private key) and the other can be given to others (called the public key). Content encrypted with one of the two keys can only be decrypted with the other; for a confidential message, the sender encrypts with the receiver's public key, so that only the holder of the matching private key can decrypt it.

Xiaohua and her mother then only need to give each other their public keys. When Xiaohua sends a message to her mother, she encrypts it with her mother's public key. Only her mother has the matching private key, so only her mother can decrypt it.

"Note: This encryption method is called asymmetric encryption. There are two keys, and content encrypted with one key can only be decrypted with the other. Both keys can technically be used for encryption and decryption; we say 'public key encryption, private key decryption' simply because it is the easier way to understand the scheme: the public key is known to everyone, while only you know the private key."

Xiaohua thought about it and still felt a little unsafe: what if Xiaohei was monitoring her and her mother while they exchanged public keys?

Xiaohua sent her public key xiaohua_pub to her mother, but Xiaohei replaced it and sent his own public key xiaohei_pub to Xiaohua's mother instead. Now when Xiaohua's mother sent a message, she encrypted it with Xiaohei's public key, and Xiaohei could decrypt it with his own private key once he obtained the message.

When the mother sent her public key to Xiaohua, Xiaohei swapped it in the same way. At this point Xiaohei held the public keys of both parties.

Xiao Hei overheard Xiaohua asking her mother to send money and tampered with the message.

After listening to Xiaohua's doubts, Teacher Wang Daqiang gave her a thumbs up and said, "Don't be anxious, let me explain slowly."

The problem now is that Xiao Hei swapped the public keys while they were being exchanged, so the next step is to solve that: how can we send a public key to the other party safely?

This seems like a problem that can never be solved: after all, the public key must be transmitted somehow. It looks like a chicken-and-egg problem. Then Xiaohua thought about her usual online shopping. She used to worry that a merchant would run off without delivering the goods after she paid. Since Taobao was established as a third party (after all, Alibaba is a large and trustworthy company), that worry is gone: even if the merchant runs away, she can still go to Taobao.

Later, public key certification agencies emerged. There are only a few of these agencies, but they are very authoritative. They establish trust relationships with computer, browser and other manufacturers, who install the certification agency's public key into the system in advance, so the agency's own key never has to be sent over the network and cannot be swapped in transit.

During the chat, Xiaohua found that sending and receiving messages was very slow, and later found out that the encryption algorithm was taking a long time. Thinking it over, Xiaohua realized that the only drawback of symmetric encryption is the trouble of exchanging keys, while it is very fast. So asymmetric encryption can be used to transmit the symmetric key, and once the key has been delivered, symmetric encryption is used to encrypt the messages.

At this point, do you understand how to ensure communication security?

"Note: HTTP is an application layer protocol, and HTTPS is not a new protocol: it simply has one more layer (TLS/SSL) than HTTP to ensure data transmission security. TLS/SSL is itself a protocol whose main function is to secure data transmission. Most implementations are based on OpenSSL; TLS in Node, for example, is implemented on top of OpenSSL."

Summary

This article uses a story to introduce the insecurity of HTTP and the foundations behind the security of HTTPS, including the concepts of digital certificates, digital signatures, symmetric encryption, and asymmetric encryption. Of course, theory alone is not enough; practice is needed to understand it properly. Keep at it, everyone.
