Introduction to HTTPS encryption methods and their advantages and disadvantages

Symmetric encryption

Symmetric encryption refers to an encryption algorithm that uses the same key for encryption and decryption. It requires the sender and receiver to agree on a key before secure communication. The security of symmetric algorithms depends on the key. Leaking the key means that anyone can decrypt the messages they send or receive, so the confidentiality of the key is crucial to communication.

[[207272]]

Advantages and disadvantages of symmetric encryption algorithms:

Advantages: open algorithm, small amount of calculation, fast encryption speed and high encryption efficiency.

shortcoming:

• Both parties in the transaction use the same key, so security cannot be guaranteed;
• Each time a pair of users uses a symmetric encryption algorithm, they need to use a unique key that is unknown to others. This will cause the number of keys owned by the sender and receiver to grow exponentially, and key management will become a burden on users.
• It can provide confidentiality, but cannot provide authentication and non-repudiation.

Asymmetric encryption

​ This type of encryption may be difficult to understand. This type of encryption refers to the ability to generate public and private keys. Any data encrypted by a public key cannot be decrypted by the public key itself, but requires a private key to decrypt it; any data encrypted by a private key cannot be decrypted by the private key, but requires a public key to decrypt it. In fact, there are many such algorithms. The most commonly used one is RSA. The mathematical principle it is based on is that the product of two large prime numbers is easy to calculate, but it is very complicated to use this product to calculate which two prime numbers are multiplied. If you are interested in the specific principle, you can study it yourself.

Asymmetric encryption is more secure than symmetric encryption, but it also has two obvious disadvantages:

• CPU computing resource consumption is very large. In a complete TLS handshake, the asymmetric decryption calculation during key exchange accounts for more than 90% of the entire handshake process. The calculation amount of symmetric encryption is only equivalent to 0.1% of asymmetric encryption. If asymmetric encryption and decryption are also used for application layer data, the performance overhead is too high to bear.
• Asymmetric encryption algorithms have a limit on the length of the encrypted content, which cannot exceed the length of the public key. For example, the commonly used public key length is 2048 bits, which means that the encrypted content cannot exceed 256 bytes.

Therefore, public key encryption can only be used for key exchange or content signing at present, and is not suitable for encryption and decryption of content transmitted at the application layer.

Detailed encryption process

​ First, the server uses asymmetric encryption (RSA) to generate a public key and a private key. Then the public key is sent to the client. Someone may intercept the path, but it is useless because only the private key can decrypt the file encrypted with the public key, and the private key will never leave the server. When the public key reaches the client, the client will use symmetric encryption to generate a secret key and encrypt it with the public key to send it to the server. This secret key is the key used for communication in the future. In this way, when the server receives the secret key encrypted with the public key, it can use the private key to decrypt the public key to obtain the secret key. In this way, both the client and the server have obtained the secret key, and the information exchange is relatively safe.

It sounds really safe, but in fact, there is a more serious attack that this method cannot prevent, which is the legendary "man-in-the-middle attack". During the identity authentication process, a "middleman" intercepts our information and intends to know your message. We call this middleman M. When the server sends the public key to the client for the first time, it passes through M. M knows that you want to exchange keys, so it deducts the public key, pretends to be the client, forges a pseudo-secret key (generated by symmetric encryption), and then encrypts the pseudo-secret key with the public key sent by the server and sends it back to the server. In this way, the server thinks that it has completed the key exchange with the client, but in fact the server has completed the key exchange with M (obtained the pseudo-secret key). At the same time, M pretends to be a server and generates a pseudo-public key and a pseudo-private key by asymmetric encryption, exchanges keys with the client, and obtains the secret key sent by the client. Now the client has the secret key, M has the secret key and the pseudo-secret key, and the server has the pseudo-secret key.