Difference between HTTP and HTTPS

1. What is it?

SSL stands for Secure Socket Layer. It is the predecessor of TLS.

TLS is the short form of Transport Layer Security, a cryptographic protocol that provides secure communication over a computer network.

2. Why?

  • Authentication
    • TLS verifies the identity of the communicating parties, which are normally clients and servers.
  • Confidentiality
    • TLS protects the exchanged data from unauthorized access by encrypting it with symmetric encryption algorithms.
  • Integrity
    • TLS recognizes any alteration of data during transmission by checking the message authentication code, which we will learn about in a moment.

3. How does TLS work? (2 phases, or say 2 protocols)

Handshake protocol

In this phase, the client and server will:

  1. Negotiate the protocol version
  2. Select cryptographic algorithm (or cipher suites)
  3. Authenticate each other by asymmetric cryptography
  4. Establish a shared secret key that will be used for symmetric encryption in the next phase.

So the main purpose of the handshake is authentication and key exchange.

Record protocol

In this phase:

  1. All outgoing messages will be encrypted with the shared secret key established in the handshake.
  2. Then the encrypted messages are transmitted to the other side.
  3. They will be verified to see if there's any modification during transmission or not.
  4. If not, the messages will be decrypted with the same symmetric secret key.

So we will achieve both confidentiality and integrity in this record protocol.

And because the amount of encrypted data in this phase is large, this is often called bulk encryption.

Why not just asymmetric?

Symmetric cryptography can't provide authentication: a key that is shared cannot provide authentication.

Asymmetric cryptography is much slower than symmetric cryptography, from 100 times to even 10000 times slower.

4. Symmetric cryptography

With only a shared key, it is as simple as you imagine. A hacker may steal the shared key.

4.1 Bit-flipping attack

Without decrypting the data, a hacker can just flip bits and so alter the message.

4.2 Authenticated Encryption (AE)

The shared key and a nonce (a random factor) are the inputs to the encryption algorithm for the text and to the MAC algorithm. The MAC is for the author's identity. The nonce is padded into the text, and the MAC tag is attached to the text (it is also put into the encrypted message).
With only the shared key, we can do the reverse decryption easily.
Some data such as the server address and port, called Associated Data, may also need encryption, so we have a variant of this encryption, AEAD.
No more details here about how to untag, but it does ensure that we can compare the MAC tag to verify identity.
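
An added example (not from the original post or the referenced article) for 4.1 and 4.2: flipping ciphertext bits changes the decrypted message when only encryption is used, while a MAC tag computed over the nonce and ciphertext rejects the same change. The SHA-256 keystream is a toy stand-in for a real cipher, and the helper names, the sub-key derivation and the sample message are assumptions made for this sketch.

```python
import hashlib, hmac, os

def subkey(shared: bytes, label: bytes) -> bytes:
    # Assumption: separate encryption and MAC keys derived from the one shared key.
    return hmac.new(shared, label, hashlib.sha256).digest()

def xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Toy SHA-256 counter keystream, not a real cipher; XOR encrypts and decrypts.
    stream = b""
    for counter in range(len(data) // 32 + 1):
        stream += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
    return bytes(d ^ s for d, s in zip(data, stream))

def mac_tag(shared: bytes, nonce: bytes, ciphertext: bytes) -> bytes:
    return hmac.new(subkey(shared, b"mac"), nonce + ciphertext, hashlib.sha256).digest()

def seal(shared: bytes, plaintext: bytes):
    nonce = os.urandom(12)  # fresh random nonce per message
    ciphertext = xor_stream(subkey(shared, b"enc"), nonce, plaintext)
    return nonce, ciphertext, mac_tag(shared, nonce, ciphertext)

def open_sealed(shared: bytes, nonce: bytes, ciphertext: bytes, tag: bytes) -> bytes:
    # Recompute the tag and compare in constant time before decrypting anything.
    if not hmac.compare_digest(mac_tag(shared, nonce, ciphertext), tag):
        raise ValueError("MAC tag mismatch: message was modified")
    return xor_stream(subkey(shared, b"enc"), nonce, ciphertext)

def flip(ciphertext: bytes, offset: int, old: bytes, new: bytes) -> bytes:
    # Bit-flipping: XOR (old ^ new) into the ciphertext; no key is involved.
    patched = bytearray(ciphertext)
    for i, (a, b) in enumerate(zip(old, new)):
        patched[offset + i] ^= a ^ b
    return bytes(patched)

def demo():
    shared = os.urandom(32)
    message = b"PAY 0100 USD TO ALICE"  # constructed sample message
    nonce, ct, tag = seal(shared, message)
    tampered = flip(ct, 4, b"0100", b"9100")
    # Encryption only: the altered ciphertext decrypts to a different message.
    unauthenticated = xor_stream(subkey(shared, b"enc"), nonce, tampered)
    try:  # Authenticated encryption: the same alteration is rejected.
        open_sealed(shared, nonce, tampered, tag)
        detected = False
    except ValueError:
        detected = True
    return unauthenticated, detected, open_sealed(shared, nonce, ct, tag)

if __name__ == "__main__":
    print(demo())
```
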

4.3 Secret key exchange

Some mathematical methods share the key in a secure way. Details are in the article.

5. Asymmetric cryptography

5.1 Man-in-the-middle hack

The hacker replaces the public key with their own and poses as the client, so the message can be decrypted.

5.2 Digital certificate

Have the public key verified by a trusted third party. The third party uses its own private key to sign the certificate and sends it back.
The client can verify the certificate with the third party, the Certificate Authority (CA).

5.3 Certificate Authority - chain of trust

A CA can sign directly or sign another intermediate CA.
Your operating systems and browsers store a list of certificates of trusted root certificate authorities. That way they can easily verify the authenticity of all certificates.

5.4 Digital signature

To sign a certificate:

  • The signer first needs to hash it.
  • Then the hash value is encrypted using the signer's private key.
  • The result will be the digital signature.
  • Then this signature will be attached to the original document.

To verify a certificate:

  • First we detach the signature from the document.
  • Decrypt it with the signer's public key to get a hash value.
  • Then we hash the document with the same hash algorithm used in the signing process.
  • The result is another hash value.
  • Then we just compare the 2 hash values.
  • If they're the same then the signature is valid.

6. Handshake protocol

Details are in the reference. You won't need this in most cases.

Reference:

A complete overview of SSL/TLS and its cryptographic system

https://dev.to/techschoolguru/a-complete-overview-of-ssl-tls-and-its-cryptographic-system-36pd
