An Analysis of HTTPS Principles and Theoretical Foundations
With the rapid development of the internet, network security has become increasingly important. The traditional HTTP protocol transmits data in plaintext; if an HTTP request is intercepted by a hacker, its content can be read easily, which poses significant security risks. To solve this problem, Netscape developed the HTTPS protocol. HTTPS encrypts data for transmission, meaning only ciphertext is sent. Even if a hacker intercepts the data during transmission, they cannot read it without the key, which keeps network communication secure.

Cryptography Basics
Before understanding the HTTPS protocol, we must first grasp some basic knowledge of cryptography.
- Plaintext: Refers to the original data that has not been encrypted.
- Ciphertext: Data that has been encrypted by an encryption algorithm to ensure the security of the original data. Ciphertext can also be decrypted to retrieve the original plaintext.
- Key: A parameter input into the algorithm when converting plaintext to ciphertext or ciphertext to plaintext. Keys are divided into symmetric keys and asymmetric keys, used in symmetric encryption and asymmetric encryption respectively.

Symmetric Encryption
Symmetric encryption, also known as private key encryption, means that the sender and receiver of information use the same key to encrypt and decrypt data. Its characteristics are that the algorithm is public and that encryption and decryption are fast, which makes it suitable for encrypting large amounts of data. Common symmetric encryption algorithms include DES, 3DES (also known as TDEA), Blowfish, RC5, and IDEA.
- Encryption process: Plaintext + Encryption Algorithm + Private Key => Ciphertext
- Decryption process: Ciphertext + Decryption Algorithm + Private Key => Plaintext
To put it simply, imagine a box with two identical keys. A has one key, and B has the other. A puts a treasure map into the box and mails it to B via courier. Others without the key do not know what is inside. When B receives the box, they can use their key to open it and see the treasure map. This is symmetric encryption.

Asymmetric Encryption
Asymmetric encryption, also known as public key encryption, offers better security compared to symmetric encryption. In symmetric encryption, both communicating parties use the same key; if one party's key is leaked, the entire communication is compromised. Asymmetric encryption uses a pair of keys: a public key and a private key. The private key is kept by the owner and must not be leaked. The public key is public, and anyone can obtain it. Either the public key or the private key can be used for encryption, and the other is used for decryption.
- Ciphertext encrypted with the public key can only be decrypted with the private key: Plaintext + Encryption Algorithm + Public Key => Ciphertext; Ciphertext + Decryption Algorithm + Private Key => Plaintext.
- Ciphertext encrypted with the private key can only be decrypted with the public key: Plaintext + Encryption Algorithm + Private Key => Ciphertext; Ciphertext + Decryption Algorithm + Public Key => Plaintext.
Because encryption and decryption use two different keys, this scheme is called "asymmetric". The disadvantage of asymmetric encryption is that encryption and decryption are slow, making it suitable only for encrypting small amounts of data. The main algorithms used in asymmetric encryption include RSA, Elgamal, Rabin, D-H, and ECC (Elliptic Curve Cryptography).
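
In practice the private-key direction above is a digital signature: the private key produces a value over the data, and anyone with the public key can check it. The Go program below is an added example, not code from the original article, in which an issuer signs a server's public key and a client verifies it, which is the idea behind the certificate check mentioned in the communication steps. The names `Endorse`, `Check` and `newKey` and all keys are constructed for illustration, and a real certificate is an X.509 structure that carries more checks than this.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
)

// Endorse is the private-key direction: the issuer signs the DER-encoded subject key (RSA-PSS).
func Endorse(issuer *rsa.PrivateKey, subject *rsa.PublicKey) (der, sig []byte, err error) {
	if der, err = x509.MarshalPKIXPublicKey(subject); err != nil {
		return nil, nil, err
	}
	digest := sha256.Sum256(der)
	sig, err = rsa.SignPSS(rand.Reader, issuer, crypto.SHA256, digest[:], nil)
	return der, sig, err
}

// Check is the public-key direction: anyone holding the issuer's public key can verify,
// but only the issuer's private key could have produced sig for exactly these bytes.
func Check(issuerPub *rsa.PublicKey, der, sig []byte) bool {
	digest := sha256.Sum256(der)
	return rsa.VerifyPSS(issuerPub, crypto.SHA256, digest[:], sig, nil) == nil
}

func newKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

func main() {
	issuer, server, other := newKey(), newKey(), newKey() // constructed keys for the demo
	der, sig, err := Endorse(issuer, &server.PublicKey)
	if err != nil {
		panic(err)
	}
	swapped, _ := x509.MarshalPKIXPublicKey(&other.PublicKey)
	fmt.Println("genuine key accepted:", Check(&issuer.PublicKey, der, sig))
	fmt.Println("substituted key accepted:", Check(&issuer.PublicKey, swapped, sig))
	fmt.Println("signature from another issuer accepted:", Check(&other.PublicKey, der, sig))
}
```

The signature hides nothing, since the signed bytes travel in the clear; what it provides is proof of origin and integrity.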

HTTPS Communication Process
HTTPS Protocol = HTTP Protocol + SSL/TLS Protocol. During HTTPS data transmission, SSL/TLS is used to encrypt and decrypt data, while HTTP is used to transmit the encrypted data. Thus, HTTPS works through the cooperation of HTTP and SSL/TLS.
To balance security and efficiency, HTTPS uses both symmetric and asymmetric encryption. Before transmitting content, asymmetric encryption is used to exchange the public key and the client key (this data is small). When formally transmitting content, the client key is used for symmetric encryption (considering transmission efficiency).
An HTTPS request actually involves two HTTP transmissions, which can be broken down into 8 steps:
- The client initiates an HTTPS request and connects to the server's port 443.
- The server has a key pair (public key and private key) used for asymmetric encryption. The server keeps the private key secret and must not leak it, while the public key can be sent to anyone.
- The server sends its public key to the client.
- After receiving the server's public key, the client checks its validity. If the public key is found to be problematic, the HTTPS transmission cannot continue. Strictly speaking, this step involves verifying the legitimacy of the digital certificate sent by the server, which will be explained later. If the public key is valid, the client generates a random value, which serves as the key for symmetric encryption. We call this key the "client key" to distinguish it conceptually from the server's key. The client then uses the server's public key to asymmetrically encrypt the client key, turning it into ciphertext. This concludes the first HTTP request in HTTPS.
- The client initiates the second HTTP request in HTTPS, sending the encrypted client key to the server.
- Upon receiving the ciphertext from the client, the server uses its private key to asymmetrically decrypt it. The decrypted plaintext is the client key. The server then uses the client key to symmetrically encrypt the data, turning it into ciphertext.
- The server sends the encrypted ciphertext to the client.
- The client receives the ciphertext sent by the server and symmetrically decrypts it using the client key to obtain the data sent by the server. This concludes the second HTTP request in HTTPS, and the entire HTTPS transmission is complete.
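
The steps above, run end to end in one Go program as an added example (not code from the original article); step numbers in the comments count the bullets in the list. `Seal`, `Open`, `Exchange` and the sample response are constructed for illustration, RSA-OAEP and AES-256-GCM are the algorithms chosen here, and the certificate check from step 4 is not modelled.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// Seal encrypts msg with AES-256-GCM under the client key; the output is nonce || ciphertext.
func Seal(key, msg []byte) []byte {
	aead := must(cipher.NewGCM(must(aes.NewCipher(key))))
	nonce := make([]byte, aead.NonceSize())
	must(rand.Read(nonce))
	return aead.Seal(nonce, nonce, msg, nil)
}

// Open reverses Seal and returns an error for a wrong key or a modified ciphertext.
func Open(key, sealed []byte) ([]byte, error) {
	aead := must(cipher.NewGCM(must(aes.NewCipher(key))))
	if n := aead.NonceSize(); len(sealed) >= n {
		return aead.Open(nil, sealed[:n], sealed[n:], nil)
	}
	return nil, fmt.Errorf("sealed message shorter than nonce")
}

// Exchange walks steps 2-8 and returns both values seen on the wire plus the client's plaintext.
func Exchange(response []byte) (wireKey, wireData, clientView []byte) {
	serverPriv := must(rsa.GenerateKey(rand.Reader, 2048)) // step 2: server key pair
	clientKey := make([]byte, 32)                          // step 4: random "client key"
	must(rand.Read(clientKey))
	wireKey = must(rsa.EncryptOAEP(sha256.New(), rand.Reader, &serverPriv.PublicKey, clientKey, nil)) // steps 3-5
	recovered := must(rsa.DecryptOAEP(sha256.New(), nil, serverPriv, wireKey, nil))                   // step 6
	wireData = Seal(recovered, response)                                                              // steps 6-7
	return wireKey, wireData, must(Open(clientKey, wireData))                                         // step 8
}

func main() {
	wireKey, wireData, got := Exchange([]byte("hello from server")) // constructed sample response
	fmt.Printf("on the wire: %d-byte wrapped key, %d-byte ciphertext; client read %q\n", len(wireKey), len(wireData), got)
}
```

TLS 1.3 dropped this RSA key transport in favour of ephemeral Diffie-Hellman key agreement, so a later leak of the server's private key does not expose recorded sessions.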
The entire process is shown in the figure below:

Summary
- HTTPS = HTTP + TLS/SSL, encrypting the HTTP transmission process to ensure data security.
- HTTPS uses both asymmetric and symmetric encryption.
- Asymmetric encryption: Client initiates HTTPS request -> Server returns public key to client -> Client generates a random value and encrypts it with the public key -> Server receives the encrypted content and decrypts it with the private key to obtain the client's random value.
- Symmetric encryption: Server encrypts the transmission content using the random value -> Client receives the encrypted content and decrypts it using the previously generated random value.