How does HTTPS provide security?
I want to know how HTTPS is implemented. Is the data encrypted, or is the path (through which the data is passed) encrypted? I will be thankful if someone provides me with implementation details.
Comments (5)
Very simply, HTTPS uses Secure Sockets Layer to encrypt data that is transferred between client and server. SSL uses the RSA algorithm https://en.wikipedia.org/wiki/RSA_(cryptosystem), an asymmetric encryption technology. The precise details of how the algorithm works are complex, but basically it leverages the fact that whilst multiplying two large prime numbers together is easy, factoring the result back into the constituent primes is very, very hard. How all SSL/RSA encryption works is:
The server generates two large prime numbers, and multiplies them together. This is called the "public key". This key is made available to any client which wishes to transmit data securely to the server. The client uses this "public key" to encrypt data it wishes to send. Now because this is an asymmetric algorithm, the public key cannot be used to decrypt the transmitted data, only encrypt it. In order to decrypt, you need the original prime numbers, and only the server has these (the "private key"). On receiving the encrypted data, the server uses its private key to decrypt the transmission.
In the case of you browsing the web, your browser gives the server its public key. The server uses this key to encrypt data to be sent to your browser, which then uses its private key to decrypt.
So yes, all data transmitted to/from the server over HTTPS is encrypted - and encrypted well. Typical SSL implementations use 128 or 256 digits for their keys. To break this you need a truly vast amount of computing resources.
As far as I am aware, the request for a server asset is not encrypted - use httpfox https://addons.mozilla.org/en-US/firefox/addon/6647/ or Wireshark http://www.wireshark.org/ or something to confirm.
In two ways.
1. By ensuring that all information transmitted between you and the website is encrypted. It does this via a key-exchange process using RSA (which exchanges a 'session key', which is used for the actual encryption).
2. By (trying to) demonstrate trust in the website you visit. Certificates are provided to domains, and the idea is that on your machine you trust only certificates from various reputable sources. Then, you can (in theory) be assured that when a certificate pops up for "Your Bank", it is really "Your Bank" website, and not some other website. In practice, very few people care/notice this aspect of SSL.
It's transport layer security. It is not application level. You still need to follow secure coding practices and various other techniques to ensure that your site is secure.
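As an added example (not code from any of the answers above), here is the mechanism the first two answers describe, in textbook RSA form: the server's public key (n, e) wraps a client-chosen session key, the private exponent d (computable only from the primes p and q) unwraps it, and the session key then drives a symmetric cipher for the actual data. The 32-bit primes, the HMAC keystream standing in for the real record cipher, and the tiny factoring demo are all constructed for illustration and are far below real TLS key sizes.

```python
import hashlib
import hmac
import math
import secrets


def generate_keypair(p, q, e=65537):
    """Textbook RSA: n = p*q is public; d is private and can only be computed from p and q."""
    n, phi = p * q, (p - 1) * (q - 1)
    if math.gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)  # modular inverse, so e*d == 1 (mod phi)
    return (n, e), (n, d)


def rsa_apply(key, x):
    """Encrypt with the public key or decrypt with the private key: x^exp mod n."""
    n, exp = key
    return pow(x, exp, n)


def stream_xor(session_key, data):
    """Stand-in for the negotiated symmetric cipher (real TLS uses e.g. AES-GCM):
    XOR with an HMAC-SHA256 counter keystream. The same call encrypts and decrypts."""
    out = bytearray()
    for i, start in enumerate(range(0, len(data), 32)):
        ks = hmac.new(session_key, i.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[start:start + 32], ks))
    return bytes(out)


def https_exchange(server_pub, server_priv, request, session_key=None):
    """Client: pick a session key, RSA-encrypt it to the server, encrypt the request with it.
    Server: recover the session key with the private key and decrypt the request."""
    session_key = session_key or secrets.token_bytes(6)  # 48-bit toy key, must be < n
    wrapped = rsa_apply(server_pub, int.from_bytes(session_key, "big"))
    record = stream_xor(session_key, request)
    # On the wire: (wrapped, record). Neither reveals the request without d.
    recovered = rsa_apply(server_priv, wrapped).to_bytes(6, "big")
    return stream_xor(recovered, record)


def factor_by_trial_division(n):
    """Why key size matters: a toy modulus factors instantly, which hands an attacker d."""
    return next(p for p in range(2, math.isqrt(n) + 1) if n % p == 0)


if __name__ == "__main__":
    # Constructed 32-bit primes (2**32 - 5 and 2**32 - 17); real servers use ~1024-bit primes.
    pub, priv = generate_keypair(4294967291, 4294967279)
    print(https_exchange(pub, priv, b"GET /account HTTP/1.1"))
    print(factor_by_trial_division(1009 * 1013))
```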
I thought this was a really concise human readable explanation:
http://robertheaton.com/2014/03/27/how-does-https-actually-work/
Here is my summarised version:
Concepts:
key decryption.
encryption and decryption.
Handshake:
You can read all the details in the TLSv1 RFC-2246.
For security analysis, specifically the following section:
Server and client do not have control over the path that is used to transmit the data. The path used is a matter for the network layer (Internet Protocol - IP), not for Transport Layer Security (TLS).
The data itself is encrypted, and there are also means for checking server authenticity, as mentioned by Noon Silk.
http://en.wikipedia.org/wiki/Transport_Layer_Security