How does the HTTP protocol achieve “secret interaction”?


Do you know the interactive process of HTTP access?

As the title suggests, there may be many people who don’t understand it. This article will briefly introduce the data interaction process between your computer and the website when you visit a website.

Everyone knows that to visit a website, you use a browser. Enter the link you want to visit in the address bar and press Enter to open the corresponding website. Then you can browse the web content to your heart's content.

Do you know how WEB pages are presented?

Web page content does not appear out of thin air. When you enter the URL (link) in the browser address bar, the web browser sends the corresponding request to the target website (server). When the target website's server receives the request, it responds with the corresponding content to your browser (client), so that you can see the web page.

However, this is just the basic access process. This is also the data interaction process of HTTP or HTTPS protocol, but this seemingly very simple interaction process hides many small interaction processes. Let's study them one by one.

Difference between HTTP and HTTPS

First of all, let's do some research. When we browse the web, we rarely pay attention to which protocol the website uses to interact. There are two ways to exchange web data: one is called HTTP and the other is called HTTPS. Both are commonly referred to as the HTTP protocol, but they differ technically.

Generally speaking, if the webpage you visit does not require you to log in or does not have a login entrance, such a website usually uses HTTP, but this is not absolute, and some websites may not be like this. So what does a website that uses the HTTP protocol look like? See the figure below:

This is a typical HTTP protocol interactive website. Look at the position of the mark in the picture. There is an "unsafe" prompt at the very beginning of the address bar, and there is no mark at the very beginning of the URL. In addition to this kind of HTTP protocol interactive website, there are HTTPS interactive websites. This kind of website is relatively common.

Generally speaking, when a website needs to be logged in or has a login entrance, or when the website provides user data, it is usually HTTPS. There are many such websites, such as online banking, mailboxes, etc., and the official website of Pinke Academy:

Looking at the address bar, it is obviously different from the website that interacts with the HTTP protocol. There is no unsafe mark in the address bar, and the HTTPS:// protocol is marked at the beginning of the URL, which is a typical HTTPS. I just said that as long as there is a login entrance or a website needs to be logged in, it basically uses HTTPS. Please note that this is not absolute. If you look at the 4399 game website above, you can also log in, but this website does not use the HTTPS protocol.

The above introduces two protocols. Are these two protocols just different in URL? The answer is definitely not. I just mentioned login. If there is login, it is usually HTTPS, and if there is no login, it is usually HTTP. Since it is related to login, it must be related to user data, so it needs to be secure. From the URL of the HTTP protocol in the above picture, we can see the unsafe prompt, which means that there is no security guarantee and user data may be stolen. Therefore, HTTPS is safe, while HTTP is not.

The security difference lies in the connection between your computer (client) and the target website's server. When you visit a website over HTTPS, your login information and personal information are encrypted in transit. If a hacker obtains your data during the data transmission, don't worry: hackers generally cannot crack your information, so this process is safe. HTTP is different. Hackers can get your information without any effort. See the figure below:

From the above picture, we can see that the hacker stole the data of the user's interaction with the Web server on the network, but the information obtained is just garbled, which cannot be displayed normally and cannot be cracked. Therefore, even if the user sends important information such as username and password, there is no need to worry about it being stolen.

From the above picture, we can see that the HTTP protocol is used to transmit the username and password. Hackers obtain the interactive information in the network and can easily view the username information sent by the user. This is a very dangerous action. If you send a bank card account and password, the consequences will be very serious...

From the comparison of the two pictures above, it is not difficult to conclude that HTTPS is encrypted, while HTTP is not encrypted, so hackers can directly view the username and password. In real life, the websites we often use are basically based on the HTTPS protocol, so there is no need to panic, and daily use is actually very safe.

A question about encryption

01 Asymmetric Key Algorithm

The RSA encryption algorithm is used in the HTTPS protocol. This encryption algorithm is an asymmetric encryption algorithm and is widely used in web page encryption.

Asymmetric key algorithms generate two keys, a public key and a private key. One is used for encryption and the other for decryption; the two keys are completely different and cannot be deduced from each other. The public key is sent to everyone, while the private key is kept by its owner.

Its working process is: if the user wants to encrypt something important, he will use the recipient's public key to encrypt the data, and then send the encrypted file to the receiving end. After the receiver receives the encrypted file, he can decrypt it with his own private key to get the plain text. As shown in the following figure:

The plain text is encrypted with the public key of the recipient to obtain the ciphertext. This process is the encryption process. There is no need to worry about the ciphertext being stolen when it is transmitted on the Internet. When the ciphertext is transmitted to the receiving end, the recipient uses his own private key to decrypt it. This process is the decryption process.

This method seems very useful, but in practice it is limited, because asymmetric key algorithms like this can only encrypt very small data. Files larger than a few hundred KB cannot be encrypted or require a very long time to encrypt. In actual applications, data transmission is more than a few hundred KB. Therefore, asymmetric key algorithms are used only to encrypt very small data such as keys. Yes, you read that right: they encrypt keys. So how is such large data encrypted in actual applications? Let's talk about symmetric key algorithms.

02 Symmetric Key Algorithm

Common symmetric key algorithms include AES, DES, 3DES, etc. The difference between symmetric key algorithms and asymmetric key algorithms is that the same key (password) is used for both encryption and decryption of data, and this key is randomly generated by the computer. Symmetric key algorithms are very fast, and the size of the encrypted ciphertext is not much different from the original plaintext. For example, if 1K of data is encrypted, the encrypted ciphertext may only be 1.1K. Therefore, this kind of algorithm is more suitable for encrypting larger files.

When the client sends data to the server, it uses a symmetric key algorithm such as AES to encrypt the data. This encryption uses a randomly generated symmetric key (password), and that key is then itself encrypted with the RSA asymmetric key algorithm.

Why do we use RSA to encrypt keys? Obviously, I encrypt the data with a key. If the other party wants to open the data, they must use my key. So how can I send this key to the other party safely? By transmitting it encrypted with RSA.

How HTTPS delivers user data completely and securely

Let's take a look at its encryption and decryption process:

1. The user sends a request to the server, and the server responds with the corresponding response information (the server includes a certificate and the server's public key in this response).

2. After receiving the certificate, the client will first determine the validity of the certificate (in fact, the role of the certificate is for the server to identify itself to you, so that you know that the server that responds to your WEB information is the one you want to access).

3. The client encrypts the data to be sent using a symmetric key algorithm and puts the generated ciphertext aside.

4. Use the public key sent by the server to encrypt the symmetric key (password) used in step 3, generating the encrypted password.

5. Package this encrypted password together with the ciphertext encrypted using the symmetric key algorithm and send it to the server.

6. After receiving these things, the server first takes out the encrypted password and decrypts it with its own private key to obtain the symmetric key, and then uses that key to decrypt the ciphertext with the symmetric key algorithm. In this way, the server receives the data sent by the client.

The process is as follows:

The above encryption process can ensure the security of data. This is a classic data encryption communication process. This solution is used in many places. The only difference is the encryption algorithm.
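The six steps above, written out with Node's built-in crypto module. This is an example added here, not code from the original article, and it follows the article's steps rather than a real TLS handshake. The function names and the choice of AES-256-GCM and RSA-2048 with OAEP/SHA-256 are assumptions of this example; it also shows RSA refusing data larger than a key, which is why only the key is sent through RSA.

```javascript
const nodeCrypto = require('crypto');

// RSA-OAEP options shared by both sides (padding choice is an assumption of this example).
const oaep = (key) => ({
  key,
  padding: nodeCrypto.constants.RSA_PKCS1_OAEP_PADDING,
  oaepHash: 'sha256',
});

// Step 1: the server owns an RSA key pair and hands out only the public key.
function makeServerKeys() {
  return nodeCrypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
}

// Steps 3-5 (client): encrypt the data with a fresh AES key, wrap that key
// with the server's public key, and package everything for sending.
function clientSeal(serverPublicKey, plaintext) {
  const aesKey = nodeCrypto.randomBytes(32); // random symmetric key
  const iv = nodeCrypto.randomBytes(12);     // fresh nonce for every message
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', aesKey, iv);
  const ciphertext = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  const wrappedKey = nodeCrypto.publicEncrypt(oaep(serverPublicKey), aesKey);
  return { wrappedKey, iv, ciphertext, tag: cipher.getAuthTag() };
}

// Step 6 (server): unwrap the AES key with the private key, then decrypt.
// decipher.final() throws if the ciphertext or tag was modified in transit.
function serverOpen(serverPrivateKey, msg) {
  const aesKey = nodeCrypto.privateDecrypt(oaep(serverPrivateKey), msg.wrappedKey);
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', aesKey, msg.iv);
  decipher.setAuthTag(msg.tag);
  return Buffer.concat([decipher.update(msg.ciphertext), decipher.final()]);
}

// Why RSA only carries the key: it rejects input larger than the modulus allows.
function rsaAccepts(serverPublicKey, data) {
  try {
    nodeCrypto.publicEncrypt(oaep(serverPublicKey), data);
    return true;
  } catch (err) {
    return false;
  }
}

// Constructed sample input, not real credentials.
const demoKeys = makeServerKeys();
const demoMsg = clientSeal(demoKeys.publicKey, Buffer.from('user=alice&password=sample'));
console.log(serverOpen(demoKeys.privateKey, demoMsg).toString());
console.log('RSA accepts 1 KiB of data:', rsaAccepts(demoKeys.publicKey, Buffer.alloc(1024)));
```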
