理解 HTTPS 协议 已翻译 100%

oschina 投递于 2015/05/29 14:27 (共 8 段, 翻译完成于 05-30)
阅读 11663
收藏 209
4
加载中

These days we see most of the sites using the HTTPS protocol for serving the webpages.More commonly we can see the HTTPS protocol on the sites which contains confidential information such as the websites of the banks.

If we go to google and check the address in the address bar we will see something as the following address

HTTPS protocol

As we can see above  “https” is highlighted in green and lock symbol is displayed before it to indicate that the web page is being requested over the https protocol.

HTTPS is a version of the HTTP protocol used for securely transmitting the data between the browser and server.

The communication between the browser and server happens over the HTTP protocol.Client submits information to the server which is sent in an unencrypted form over the network when we use the HTTP protocol.

已有 1 人翻译此段
我来翻译

So if some intruder has access to the physical network through which the browser and the server are communicating then he will be able to access the information which is being transmitted between the web browser and the web server

HTTPS
HTTP is fine in many scenarios in which we don’t need much security to encrypt the data.But for applications such as the banking applications which sends data such as the credit card details and other confidential information this may be a security threat.If there is an intruder watching over the communications channel he may easily get access of the confidential information provided by the end user.

已有 1 人翻译此段
我来翻译

HTTPS ensures secure communication

To prevent such a security threat HTTPS is used.HTTPS is a protocol for securing the data which is transmitted between the web browser and the web server.

HTTP is HTTP protocol+SSL protocol.SSL is a protocol which provides safe communication over network by encrypting the information. It uses asymmetric cryptography which means that the public key is distributed freely while the private key is available only to the recipient of the message.

HTTPS protocol provides two advantages over the normal HTTP protocol:

  • It ensures that the user is communicating with the correct website ,the one he intends to communicate and not some intruder.

  • It ensures that the contents of the communication between the web browser and the web server are encrypted and hence are not accessible to the intruder.

So in HTTPS ,SSL takes care of securing the data being transmitted between the client and the web server.

已有 1 人翻译此段
我来翻译

HTTPS Process

To understand how the HTTPS protocol works we should understand how the encryption and decryption process works.
Encryption means we transform the text into some other form so that it is non readable by others.
Decryption means that we transform the encrypted text back to the original form.

Encryption and decryption process may also use keys to encrypt and decrypt the information.So if some information is encrypted using a key then it can be decrypted using the same key.This is called Symetric key as the same key is used for both encryption and decryption.

If we use one key to encrypt the string and a different key to decrypt the string then this key is called asymmetric key.The key which we use for encrypting the string is called public key while the key  which we use for decrypting the string is called the private key.

ENCRYPTION IN HTTPS

已有 1 人翻译此段
我来翻译

So now we understand that HTTPS is used to securely transmit the information between the web server and web browser.There is a well defined process which happens while transmitting the information using the HTTPS protocol.

Following process happens when the browser requests a page using the HTTPS protocol

1.Browser makes a https request to the server ,server listens on the port 443 which is the port which web servers uses to listen for the requests made using the HTTPS protocol

2.Once the connection between the web browser and the web server succeeds the SSL handshake process happens.

已有 1 人翻译此段
我来翻译

In the handshake process brwoser and server agree on things such as which encryption algorithm to use for encrypting the data.So handshake process is agreement between the web browser and web server about how to encrypt the data.Following happens in the handshake process:

  • Browser sends a hello message to the server with some details about itself to the web server such as the SSL version it supports.

  • Server responds with a similar server hello message which contains details such as the SSL version which will be used for the communication.

  • Web Server sends a certificate to the browser which contains the public key which is used to encrypt the data.Certificate also contains other details such as the issuer of the certificate,validity of the certificate and the server identity.So the browser is ensured that the server is the one it intended to connect.

  • Browser verifies the server certificate and sends a certificate verify message to inform the server that the certificate is verified.

  • Browser sends a “Change cipher spec command” telling the server that the data which it will send now to the server will be encrypted.

  • Server responds with a similar “Change cipher spec command” telling the browser that the data which it will now send to the browser will be encrypted

已有 1 人翻译此段
我来翻译

If we click the lock symbol in chrome we can see the digital certificate sent by the server.

Digital Certificate HTTPS

 

3.Browser generates a symmetric key and encrypts it using the public key it got from the server in the certificate.Browser sends this encrypted symmetric key to the server.This symmetric key is used for encryption and decryption for the entire session.

As we know that digital certificate is used to provide the public key.There are two important terms to understand in relation to the digital certificates .

已有 1 人翻译此段
我来翻译

X.509 is a standard used to define the format of the digital certificate such as what information the digital certificate will contain.X.509 certificates includes some of the following information:

  • Version   Specifies the X.509 version

  • Serial number   The unique number assigned to the certificate for distinguishing the certificate

  • Issuer name  This is usually Certification Authority

  • Public key  The public key of the certificate.

Certification authority or CA is an entity which issues digital certificates.We need to get the digital certificate from the CA.Digital Certificates are signed by the CA which ensures the validity of the certificate.

已有 1 人翻译此段
我来翻译
本文中的所有译文仅用于学习和交流目的,转载请务必注明文章译者、出处、和本文链接。
我们的翻译工作遵照 CC 协议,如果我们的工作有侵犯到您的权益,请及时联系我们。
加载中

评论(21)

baozhuni
baozhuni
最近恰好在写 爬虫,此文有用。
灵魂架构师
灵魂架构师

引用来自“China首席吹牛官”的评论

浏览器公钥加密,服务器私钥解密。服务器用什么加密,浏览器怎么解密?
他们先用非对称加密算法交换密钥,握手成功后的通讯都是基于对称加密的,密钥就是刚开始交换的。
山下狮子
山下狮子
https 为啥安全需要了解tcp/ip那四层,在哪一层加了密,公钥私钥的问题,还有证书的认定。https 首先了解ssl吧,网上能搜到的。
首席吹牛官
首席吹牛官

引用来自“China首席吹牛官”的评论

浏览器公钥加密,服务器私钥解密。服务器用什么加密,浏览器怎么解密?

引用来自“xiaohui_hubei”的评论

浏览器和服务器用会话过程中协商好的对称密钥加密

引用来自“-卓然-”的评论

也可以服务器私钥加密,浏览器公钥解密

引用来自“China首席吹牛官”的评论

请问一下,大家的公钥都是一样的吗?

引用来自“-卓然-”的评论

一般公钥是不同的,可以了解下RSA加解密原理http://blog.csdn.net/q376420785/article/details/8557266
那我拿到你的密钥,是否可以解密?
-卓然-
-卓然-

引用来自“China首席吹牛官”的评论

浏览器公钥加密,服务器私钥解密。服务器用什么加密,浏览器怎么解密?

引用来自“xiaohui_hubei”的评论

浏览器和服务器用会话过程中协商好的对称密钥加密

引用来自“-卓然-”的评论

也可以服务器私钥加密,浏览器公钥解密

引用来自“xiaohui_hubei”的评论

使用非对称加密也可以,但是很慢,一般只用来加密关键数据
是的
-卓然-
-卓然-

引用来自“China首席吹牛官”的评论

浏览器公钥加密,服务器私钥解密。服务器用什么加密,浏览器怎么解密?

引用来自“xiaohui_hubei”的评论

浏览器和服务器用会话过程中协商好的对称密钥加密

引用来自“-卓然-”的评论

也可以服务器私钥加密,浏览器公钥解密

引用来自“China首席吹牛官”的评论

请问一下,大家的公钥都是一样的吗?
一般公钥是不同的,可以了解下RSA加解密原理http://blog.csdn.net/q376420785/article/details/8557266
右耳朵猫whinc
右耳朵猫whinc

引用来自“xiaohui_hubei”的评论

能在文章开始贴出原文出处吗?

引用来自“叶秀兰”的评论

web 页面有
嗯,之前是在 APP 上浏览的没有显示原文出处,现在在 Web 页面上浏览有
Feng_Yu
Feng_Yu
我朝cnnic还会给GFW颁发伪造的中间人攻击证书
blu10ph
blu10ph
好歹说下报文结构啊~
叶秀兰
叶秀兰

引用来自“xiaohui_hubei”的评论

能在文章开始贴出原文出处吗?
web 页面有
返回顶部
顶部