Difference between Http and Https
1. What is?
SSL stands for Secure Socket Layer. It is the predecessor of TLS.
TLS the short form of Transport Layer Security, which is a cryptographic protocol that provides secure communication over a computer network.
2. Why?
- Authentication
- TLS verifies the identity of the communicating parties, which normally be clients and servers.
- Confidentiality
- TLS protects the exchanged data from unauthorized access by encrypting it with symmetric encryption algorithms.
- Integrity
- TLS recognizes any alteration of data during transmission by checking the message authentication code, which we will learn about in a moment.
3. How TLS work? (2 phases or say 2 protocols)
Handshake protocol
- Negotiate the protocol version
- Select cryptographic algorithm (or cipher suites)
- Authenticate each other by asymmetric cryptography
- Establish a shared secret key that will be used for symmetric encryption in the next phase.
- Record protocol
- All outgoing messages will be encrypted with the shared secret key established in the handshake.
- Then the encrypted messages are transmited to the other side.
- They will be verified to see if there’s any modification during transmission or not.
- If not, the messages will be decrypted with the same symmetric secret key.
In this phase, the client and server will:
So the main purpose of the handshake is for authentication and key exchange.
In this phase:
So we will achieve both confidentiality and integrity in this record protocol.
And because the amount of encrypted data in this phase is large, this is often called bulk encryption.
Symmetric cryptography can’t provide authentication. Key is shared can not provide authentication.
Asymmetric cryptography it’s much slower than symmetric cryptography, from 100 times to even 10000 times slower.
4. Symmetric cryptography
If only shared key, simple as you image. Hacker may steal shared key.
4.1 Bit-flipping attack
4.2 Authenticated Encryption (AE)
Shared key, Nounce(Randome factor) as input for Encrption Alogrithm for Text, MAC Algorithm for author. MAC for author identity. With nouce padded into text, MAC tagged with text (also put into the encrpted message).
With only shared key, we can do reverse decryptino easily.
Some sever address, port... called Asscoiated Data may also need encryption, so we have variant encrption AEAD.
No more details about how untag. But that does somehow promise we can compare MAC tag to verify identity.
4.3 Secret key exchange
5. Asymmetric cryptography
5.1 Man-in-middle hack
5.2 Digital certificate
5.3 Certificate Authority - chain of trust
5.4 Digital signature
To sign a certificate:
- The signer first need to hash it.
- Then the hash value is encrypted using the signer’s private key.
- The result will be the digital signature.
- Then this signature will be attached to the original document.
To verify a certifiate:
- First we detach the signature from the document
- Decrypt it with the signer’s public key to get a hash value.
- Then we hash the document with the same hash algorithm used in the signing process.
- The result is another hash value.
- Then we just compare the 2 hash values.
- If they’re the same then the signature is valid.
Details in reference. Won't need this in most cases.
Reference:
A complete overview of SSL/TLS and its cryptographic system
https://dev.to/techschoolguru/a-complete-overview-of-ssl-tls-and-its-cryptographic-system-36pd
评论
发表评论