Question
I have searched all this morning, but I've found websites where it is said that data is sent through asymmetric encryption using the TLS protocol. Then I found the contrary. Please can you tell me which is true? Thanks. And does anyone know a guide that explains the handshake of the TLS protocol over HTTP step by step?
Answer 1:
HTTP uses no encryption at all, as defined in https://tools.ietf.org/html/rfc2616
HTTPS, on the other hand, uses TLS, which may choose from a bunch of algorithms to achieve encrypted transfer, and is defined here: https://tools.ietf.org/html/rfc2818
You could read more on TLS: https://www.acunetix.com/blog/articles/establishing-tls-ssl-connection-part-5/
Answer 2:
Both symmetric and asymmetric keys are used in HTTPS (not HTTP). But only the symmetric key is used for encryption. They are much faster than asymmetric algorithms and thus serve better for working with large messages (which web traffic is).
But the symmetric key needs to be shared somehow; you can't just send it as is. Otherwise the man-in-the-middle will know it and thus will be able to decrypt the messages. Hence an additional algorithm (Diffie-Hellman) is used - it's a nice trick to exchange private data on the open channel. This algorithm uses asymmetric keys for data signing (not encryption).
PS: A similar mechanism is used in SSH.
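The split described in Answer 2, as an added example that is not part of either answer: two parties agree on a key with Diffie-Hellman over an open channel, then protect the traffic with that symmetric key only. The group parameters, the SHA-256 counter-mode keystream and all function names are assumptions chosen to keep the code standard-library only; the signature TLS uses to authenticate the server's Diffie-Hellman value is left out.

```python
import hashlib
import hmac
import secrets

# Toy group for readability (assumption): P = 2**255 - 19 is prime, G = 2.
# Real TLS negotiates standardized groups or elliptic curves instead.
P = 2**255 - 19
G = 2


def dh_keypair():
    """Return (private exponent x, public value G^x mod P)."""
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)


def session_key(my_priv, peer_pub):
    """Each side combines its private value with the peer's public value."""
    if not 1 < peer_pub < P - 1:  # reject degenerate values 0, 1, P-1
        raise ValueError("invalid peer public value")
    shared = pow(peer_pub, my_priv, P)
    return hashlib.sha256(shared.to_bytes(32, "big")).digest()


def keystream(key, nonce, length):
    # Stand-in cipher (SHA-256 in counter mode) to stay stdlib-only;
    # TLS itself uses AES-GCM or ChaCha20-Poly1305 here.
    blocks = (length + 31) // 32
    data = b"".join(hashlib.sha256(key + nonce + i.to_bytes(8, "big")).digest()
                    for i in range(blocks))
    return data[:length]


def seal(key, plaintext):
    """Encrypt and authenticate one record with the shared symmetric key."""
    enc_key, mac_key = (hmac.new(key, label, hashlib.sha256).digest()
                        for label in (b"enc", b"mac"))
    nonce = secrets.token_bytes(12)
    ct = bytes(a ^ b for a, b in zip(plaintext, keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()


def open_record(key, record):
    """Verify the tag, then decrypt; raises ValueError on tampering."""
    enc_key, mac_key = (hmac.new(key, label, hashlib.sha256).digest()
                        for label in (b"enc", b"mac"))
    nonce, ct, tag = record[:12], record[12:-32], record[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("record failed integrity check")
    return bytes(a ^ b for a, b in zip(ct, keystream(enc_key, nonce, len(ct))))
```

Only the two public values cross the wire; the private exponents and the derived key never do.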
Source: https://stackoverflow.com/questions/62754861/does-https-use-asymmetric-or-symmetric-encryption