Dive into the fundamentals of HTTP in this seminar covering structure, protocols, requests, responses, and more. Learn about HTTPS, TLS/SSL, certificates, and key concepts of the Hypertext Transfer Protocol.
Advanced? HTTP Web Seminar #01
The presenter: elaborate (Wheel; "the wheel master"?), SPARCS 07, "king of the night"?, 안병욱. March new release? April new release? Moodle TA, CS101 TA, May new release? June is not out yet… the notorious TA?
Did everyone have a good vacation? Since this is the first seminar, I want to make it fun. Somehow I ended up in charge of the first seminar… I don't really have much to say… I'm not sure how I'm supposed to do this… Ah… should I just throw some water on it? It's a reaction image… What am I even doing… (keyboard mashing) Anyway, let's begin!
Brief Contents
Introduction: abbreviation; what is a protocol?; definition
What is HTTP?
Structure of HTTP: Request HTTP; Response HTTP
Stateless; Session: server side; client side
Further: HTTPS, TLS/SSL?; public and private key; Certificate; Certificate Authority; Self-Signed Certificate; Digital Signature; Message Digest
What is HTTP? Hypertext Transfer Protocol
What is HTTP? Hypertext? Text displayed on an electronic device with references (links) that the reader can follow immediately, usually by a mouse click or key press. It can contain tables, images, and other presentational devices. It is the underlying concept defining the structure of the WWW, giving a flexible format for sharing information over the Internet.
What is HTTP? Hypertext? Compare: "This is Text. It is nothing but just text." with "This is Hypertext. It is text, but it expresses more than just text." (the words can carry links to other resources).
What is HTTP? Protocol? A formal description of message formats and the rules for exchanging those messages. FTP, ICMP, DHCP, LDAP, NFS, NTP, MIME, DNS, SSH, POP, IMAP, SMTP, RPC, NIS, etc. There are so many!
What is HTTP? HTTP? A protocol which defines the standard for transferring hypertext such as text, files, or images. Looks quite easy…?
What is HTTP? Another view: HTTP is an application-layer protocol for distributed, collaborative, hypermedia information systems. The application layer is a layer in the architecture models of computer networking, such as the OSI model or the Internet Protocol Suite; simply put, it is where the protocols that applications use live.
What is HTTP? Another view: HTTP is a request-response standard typical of client-server computing. The client sends a request to the server, and the server sends back a response.
Structure of HTTP? Simply, we can divide HTTP messages into two kinds. Request HTTP: the message sent when the client makes a request to the server. Response HTTP: the message sent when the server responds to the client.
Structure of HTTP? Request HTTP. Formally, we can say:

Request-Line
*(( general-header | request-header | entity-header ) CRLF)
CRLF
[ message-body ]

Notation: "*( … )" means the group appears zero or more times; "[ … ]" marks an optional part. CRLF is carriage return + line feed, written "\r\n" in most programming languages (how it is written depends on the system and language).

Request-Line = Method SP Request-URI SP HTTP-Version CRLF (SP is a single space character; everything else is real text.)

Method = "OPTIONS" | "GET" | "HEAD" | "POST" | "PUT" | "DELETE" | "TRACE" | "CONNECT" | extension-method
The method indicates the desired action to be performed on the identified resource.

Request-URI = "*" | absoluteURI | abs_path | authority
The Request-URI is a Uniform Resource Identifier and identifies the resource upon which to apply the request. "*" is for requests that do not apply to a particular resource (e.g. OPTIONS); absoluteURI is used when talking to a proxy; abs_path is the usual form on an origin server or gateway; authority is only used with CONNECT.

HTTP-Version = HTTP/1.0 | HTTP/1.1 (on the web). It specifies the HTTP version; these days version 1.1 is dominant.

general-header = Cache-Control | Connection | Date | Pragma | Trailer | Transfer-Encoding | Upgrade | Via | Warning
request-header = Accept | Accept-Charset | Accept-Encoding | Accept-Language | Authorization | Expect | From | Host | If-Match | If-Modified-Since | If-None-Match | If-Range | If-Unmodified-Since | Max-Forwards | Proxy-Authorization | Range | Referer | TE | User-Agent
entity-header = Allow | Content-Encoding | Content-Language | Content-Length | Content-Location | Content-MD5 | Content-Range | Content-Type | Expires | Last-Modified | extension-header
extension-header = message-header (for example Cookie; see RFC 4229)

The empty line (a bare CRLF) indicates the end of the headers. It can also be the end of the HTTP message, if there is no message body.

message-body = entity-body | <entity-body encoded as per Transfer-Encoding>
The message-body (if any) of an HTTP message is used to carry the entity-body associated with the request or response.
Structure of HTTP? Request HTTP. Now we know what a request looks like:

POST /login/ HTTP/1.1
Host: sparcs.kaist.ac.kr
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.3)…
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: https://sparcs.kaist.ac.kr/login/?
Cookie: sessionid=39d2089695cab9408868433d6b811eec
Content-Type: application/x-www-form-urlencoded
Content-Length: 41

username=elaborate&password=*******&next=
Structure of HTTP? Response HTTP. Formally, we can say:

Status-Line
*(( general-header | response-header | entity-header ) CRLF)
CRLF
[ message-body ]

Status-Line = HTTP-Version SP Status-Code SP Reason-Phrase CRLF
Reason-Phrase = *<TEXT, excluding CR, LF>
Status-Code (section numbers are those of RFC 2616) =
"100" ; Section 10.1.1: Continue
| "101" ; Section 10.1.2: Switching Protocols
| "200" ; Section 10.2.1: OK
| "201" ; Section 10.2.2: Created
| "202" ; Section 10.2.3: Accepted
| "203" ; Section 10.2.4: Non-Authoritative Information
| "204" ; Section 10.2.5: No Content
| "205" ; Section 10.2.6: Reset Content
| "206" ; Section 10.2.7: Partial Content
| "300" ; Section 10.3.1: Multiple Choices
| "301" ; Section 10.3.2: Moved Permanently
| "302" ; Section 10.3.3: Found
| "303" ; Section 10.3.4: See Other
| "304" ; Section 10.3.5: Not Modified
| "305" ; Section 10.3.6: Use Proxy
| "307" ; Section 10.3.8: Temporary Redirect
| "400" ; Section 10.4.1: Bad Request
| "401" ; Section 10.4.2: Unauthorized
| "402" ; Section 10.4.3: Payment Required
| "403" ; Section 10.4.4: Forbidden
| "404" ; Section 10.4.5: Not Found
| "405" ; Section 10.4.6: Method Not Allowed
| "406" ; Section 10.4.7: Not Acceptable
| "407" ; Section 10.4.8: Proxy Authentication Required
| "408" ; Section 10.4.9: Request Time-out
| "409" ; Section 10.4.10: Conflict
| "410" ; Section 10.4.11: Gone
| "411" ; Section 10.4.12: Length Required
| "412" ; Section 10.4.13: Precondition Failed
| "413" ; Section 10.4.14: Request Entity Too Large
| "414" ; Section 10.4.15: Request-URI Too Large
| "415" ; Section 10.4.16: Unsupported Media Type
| "416" ; Section 10.4.17: Requested range not satisfiable
| "417" ; Section 10.4.18: Expectation Failed
| "500" ; Section 10.5.1: Internal Server Error
| "501" ; Section 10.5.2: Not Implemented
| "502" ; Section 10.5.3: Bad Gateway
| "503" ; Section 10.5.4: Service Unavailable
| "504" ; Section 10.5.5: Gateway Time-out
| "505" ; Section 10.5.6: HTTP Version not supported
| extension-code
extension-code = 3DIGIT

general-header = Cache-Control | Connection | Date | Pragma | Trailer | Transfer-Encoding | Upgrade | Via | Warning
response-header = Accept-Ranges | Age | ETag | Location | Proxy-Authenticate | Retry-After | Server | Vary | WWW-Authenticate
entity-header = Allow | Content-Encoding | Content-Language | Content-Length | Content-Location | Content-MD5 | Content-Range | Content-Type | Expires | Last-Modified | extension-header
extension-header = message-header (for example Set-Cookie; see RFC 4229)

The empty line (a bare CRLF) indicates the end of the headers. It can also be the end of the HTTP message, if there is no message body.

message-body = entity-body | <entity-body encoded as per Transfer-Encoding>
The message-body (if any) of an HTTP message is used to carry the entity-body associated with the request or response.
Structure of HTTP? Response HTTP. Now we know what a response looks like:

HTTP/1.1 200 OK
Date: Tue, 01 Jun 2010 12:20:15 GMT
Server: Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny2 with Suhosin-Patch
Last-Modified: Sat, 17 Apr 2010 11:13:28 GMT
Etag: "7201e2-d23-4846cd133a600"
Accept-Ranges: bytes
Content-Length: 3363
Keep-Alive: timeout=2, max=99
Connection: Keep-Alive
Content-Type: text/css

(a large body of data follows)
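Added example (written for this page; it is not code from the seminar or from SPARCS): a small Go parser for the message shape given above, serving both the request and the response sections. It reads the start line, the headers up to the empty line, and then exactly Content-Length body bytes, and it rejects what the grammar does not allow (a header without ":", a header section with no terminating empty line, a non-numeric Content-Length, a body shorter than Content-Length) instead of guessing. That strictness is what you want at a security boundary: a lenient parser in front of a strict one is where desync bugs between proxies and servers begin. The sample messages are constructed from the slides' examples and shortened; the type and function names are my own.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"strconv"
	"strings"
)

// Message is the shape from the slides: start-line CRLF *(header CRLF) CRLF
// [ message-body ]. Header names are lower-cased because they are case-insensitive.
type Message struct {
	StartLine string
	Headers   map[string]string
	Body      []byte // exactly Content-Length octets, nil when there is no body
}

// readLine returns one line without its terminator; a bare LF is tolerated.
func readLine(r *bufio.Reader) (string, error) {
	line, err := r.ReadString('\n')
	if err != nil {
		return "", err
	}
	return strings.TrimRight(line, "\r\n"), nil
}

// ParseMessage reads one request or response and rejects what the grammar does
// not allow: no start line, header without ":", unterminated headers, bad body.
func ParseMessage(raw string) (*Message, error) {
	r := bufio.NewReader(strings.NewReader(raw))
	start, err := readLine(r)
	if err != nil || start == "" {
		return nil, fmt.Errorf("missing start line")
	}
	m := &Message{StartLine: start, Headers: map[string]string{}}
	for {
		line, err := readLine(r)
		if err != nil {
			return nil, fmt.Errorf("header section not terminated by CRLF CRLF")
		}
		if line == "" { // the empty line that ends the headers
			break
		}
		name, value, ok := strings.Cut(line, ":")
		if !ok || name == "" || strings.ContainsAny(name, " \t") {
			return nil, fmt.Errorf("malformed header %q", line)
		}
		m.Headers[strings.ToLower(name)] = strings.TrimSpace(value)
	}
	if cl, ok := m.Headers["content-length"]; ok {
		n, err := strconv.ParseUint(cl, 10, 31) // 1*DIGIT: no sign, no junk
		if err != nil {
			return nil, fmt.Errorf("bad Content-Length %q", cl)
		}
		m.Body = make([]byte, n)
		if _, err := io.ReadFull(r, m.Body); err != nil {
			return nil, fmt.Errorf("body shorter than Content-Length %d", n)
		}
	}
	return m, nil
}

// ParseRequestLine splits Method SP Request-URI SP HTTP-Version.
func ParseRequestLine(s string) (method, uri, version string, err error) {
	f := strings.Split(s, " ")
	if len(f) != 3 || !strings.HasPrefix(f[2], "HTTP/") {
		return "", "", "", fmt.Errorf("malformed Request-Line %q", s)
	}
	return f[0], f[1], f[2], nil
}

// ParseStatusLine splits HTTP-Version SP Status-Code SP Reason-Phrase. The
// Reason-Phrase may contain spaces, so split at most twice; Status-Code is 3DIGIT.
func ParseStatusLine(s string) (version string, code int, reason string, err error) {
	f := strings.SplitN(s, " ", 3)
	if len(f) != 3 || !strings.HasPrefix(f[0], "HTTP/") || len(f[1]) != 3 {
		return "", 0, "", fmt.Errorf("malformed Status-Line %q", s)
	}
	n, err := strconv.ParseUint(f[1], 10, 16) // digits only, unlike Atoi
	if err != nil {
		return "", 0, "", fmt.Errorf("non-numeric Status-Code %q", f[1])
	}
	return f[0], int(n), f[2], nil
}

// Constructed samples, shortened from the slides' login request and CSS response.
const sampleRequest = "POST /login/ HTTP/1.1\r\nHost: sparcs.kaist.ac.kr\r\n" +
	"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 41\r\n\r\n" +
	"username=elaborate&password=*******&next="
const sampleResponse = "HTTP/1.1 200 OK\r\nContent-Type: text/css\r\nContent-Length: 12\r\n\r\na{color:red}"

func main() {
	req, _ := ParseMessage(sampleRequest) // the constant sample is well-formed
	method, uri, version, _ := ParseRequestLine(req.StartLine)
	fmt.Printf("%s %s %s with %d body byte(s)\n", method, uri, version, len(req.Body))
}
```

The parser deliberately has no fallback for a missing Content-Length (the body is then absent) and no support for Transfer-Encoding: chunked; if both headers were accepted, two parsers could disagree on where one message ends and the next begins, which is exactly the ambiguity a server must refuse.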
Stateless? HTTP is a stateless protocol: the server does not retain information about users between requests. Session: in computer science, in particular networking, a session is a semi-permanent interactive information interchange between two or more communicating devices, or between a computer and a user.
Session? Again, we can simply divide sessions into two kinds. Server-side session: a session stored on the server. Handy and efficient, but a huge load on the server. Client-side session: a session stored on the client, using cookies and cryptographic techniques. Cookies are not only for session management; they can also be used for personalization, tracking, and third-party purposes.
Session? Set-Cookie (response header grammar):
set-cookie = "Set-Cookie:" cookies
cookies = 1#cookie
cookie = NAME "=" VALUE *(";" cookie-av)
NAME = attr
VALUE = value
cookie-av = "Comment" "=" value | "Domain" "=" value | "Max-Age" "=" value | "Path" "=" value | "Secure" | "Version" "=" 1*DIGIT

Example response header:
Set-Cookie: sessionid=39d2089695cab9408868433d6b811eec; expires=Thu, 17-Jun-2010 04:55:45 GMT; Max-Age=1209600; Path=/

Session? Cookie (request header grammar):
cookie = "Cookie:" cookie-version 1*((";" | ",") cookie-value)
cookie-value = NAME "=" VALUE [";" path] [";" domain] [";" port]
cookie-version = "$Version" "=" value
NAME = attr
VALUE = value
path = "$Path" "=" value
domain = "$Domain" "=" value
port = "$Port" [ "=" <"> value <"> ]

Example request header:
Cookie: sessionid=39d2089695cab9408868433d6b811eec
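Added example (mine, not from the slides): the client-side session the slides mention, built from cookies plus a cryptographic technique. The technique is my choice, an HMAC-SHA256 tag over the session data; the slides do not name one. The server seals the session data into the cookie VALUE, sends it with a Set-Cookie header in the grammar shown above, and on the next request parses the Cookie header and refuses any value whose tag does not verify, so the client can read its session but cannot alter it. The secret key, cookie names and data are constructed for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"strconv"
	"strings"
)

// sessionKey is a constructed, example-only secret. A real server loads it
// from configuration, never from source, and rotates it.
var sessionKey = []byte("example-only-32-byte-secret-key!")

// SealSession turns session data into a cookie VALUE the server can hand to the
// client: base64url(data) "." base64url(HMAC-SHA256(key, data)). The client can
// read the data but cannot change it without invalidating the tag.
func SealSession(data string, key []byte) string {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(data))
	enc := base64.RawURLEncoding
	return enc.EncodeToString([]byte(data)) + "." + enc.EncodeToString(mac.Sum(nil))
}

// OpenSession verifies a value made by SealSession and returns the data. Any
// change to data or tag makes hmac.Equal (a constant-time compare) fail, which
// is what lets a client-side session be trusted without server-side storage.
func OpenSession(value string, key []byte) (string, bool) {
	payload, tag, ok := strings.Cut(value, ".")
	if !ok {
		return "", false
	}
	enc := base64.RawURLEncoding
	data, err := enc.DecodeString(payload)
	if err != nil {
		return "", false
	}
	got, err := enc.DecodeString(tag)
	if err != nil {
		return "", false
	}
	mac := hmac.New(sha256.New, key)
	mac.Write(data)
	if !hmac.Equal(got, mac.Sum(nil)) {
		return "", false
	}
	return string(data), true
}

// SetCookieHeader builds the response header in the slides' form
// NAME "=" VALUE *(";" cookie-av) with Max-Age, Path and the Secure flag.
func SetCookieHeader(name, value string, maxAge int, path string, secure bool) string {
	h := "Set-Cookie: " + name + "=" + value + "; Max-Age=" + strconv.Itoa(maxAge) + "; Path=" + path
	if secure {
		h += "; Secure"
	}
	return h
}

// ParseCookieHeader reads the request header "Cookie: NAME=VALUE; NAME=VALUE"
// into a map. Names starting with "$" are attributes from the grammar above
// ($Version, $Path, $Domain, $Port), not cookies, so they are skipped.
func ParseCookieHeader(header string) map[string]string {
	out := map[string]string{}
	body := strings.TrimPrefix(header, "Cookie:")
	sep := func(r rune) bool { return r == ';' || r == ',' }
	for _, part := range strings.FieldsFunc(body, sep) {
		name, value, ok := strings.Cut(strings.TrimSpace(part), "=")
		if !ok || name == "" || strings.HasPrefix(name, "$") {
			continue
		}
		out[name] = value
	}
	return out
}

func main() {
	value := SealSession("user=elaborate", sessionKey)
	fmt.Println(SetCookieHeader("session", value, 1209600, "/", true))
	cookies := ParseCookieHeader("Cookie: $Version=1; session=" + value)
	data, ok := OpenSession(cookies["session"], sessionKey)
	fmt.Println("opened:", data, ok)
	_, ok = OpenSession("A"+value[1:], sessionKey) // first payload character altered
	fmt.Println("tampered value accepted?", ok)
}
```

The tag proves integrity, not secrecy: the data is only base64-encoded, so nothing a user must not see (a password, another user's id) belongs in it, and the Secure attribute from the grammar keeps the cookie off plain HTTP, where the stateless-request problem becomes an eavesdropping problem.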
HTTPS? It is quite hard to understand all at once, so I have tried to explain it in the easiest way. There are some things you need to know first: Certificate Authority (CA); private key and public key; message digest; digital signature; TLS/SSL; encrypt and decrypt.
HTTPS? HTTPS (HTTP Secure) includes all the characteristics of HTTP, and it has more! HTTP has nothing about security; encoding text is all it can do, so somebody on the path can hijack the connection or steal what is sent. HTTPS guarantees that the server or the client is the one we actually want to communicate with, such as a bank or a login page. It requires several steps to authorize the server and the client. This is quite an issue at SPARCS right now.
HTTPS? The parties. SPARCS: I create a private key (SP priv) and a public key (SP pub). CA: they also have a private key (CA priv) and a public key (CA pub), and they have the CA certificate, which is distributed all over the world and includes CA pub.
1. SPARCS gives SP pub to the CA. Now the CA has SP pub.
2. The CA generates the SP certificate, which includes SP pub and the CA digital signature. We write it (SP certificate){CA priv}: the certificate is signed with CA priv.
3. The CA gives the SP certificate to SPARCS. SPARCS now holds SP priv, SP pub and (SP certificate){CA priv}.
HTTPS? The handshake, as a dialogue between the client (a web browser) and SPARCS, which holds SP priv, SP pub and (SP certificate){CA priv}.
Client: Hi.
SPARCS: Hello, here is my SP certificate.
Client: Now I have (SP certificate){CA priv}. I decrypt it with CA pub, which is in the CA certificate. Then I can get the CA digital signature and SP pub. I will match the CA digital signature from the SP certificate against the CA certificate.
Client: It matches! You are authorized! Or: it does not match, or it has expired… F__k you. Disconnect!
Client: I want you to identify yourself. There might be a server impersonating you.
SPARCS: O.K., here is message{SP priv}. Please decrypt it. It will prove who I am.
Client: Now I decrypt message{SP priv} with SP pub. Let me see whether it can be decrypted.
Client: Well, it works! Nice to see you, SPARCS. Or: it is not a valid message… F__k you. Disconnect!
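Added example (mine, not from the slides or from SPARCS): the certificate flow above carried out with Go's standard library, with the slides' "decrypt with CA pub" step done as what it really is, a signature check. NewCA is the CA with its key pair and self-signed certificate (the one a browser ships in its trust store); Issue is steps 1-3 (SP pub goes in, an SP certificate signed with CA priv comes out); VerifyServerCert is the browser matching the SP certificate against its trust store, the expiry dates and the host name it connected to; SignChallenge and CheckChallenge are the "message{SP priv}, decrypt with SP pub" proof that the server really holds SP priv. The function names, the host name sparcs.example and the CA name are assumptions for the example, and real TLS performs that proof of possession inside the handshake rather than as a separate message.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CA holds CA priv and the self-signed CA certificate that carries CA pub.
type CA struct {
	Key  *ecdsa.PrivateKey
	Cert *x509.Certificate
}

// NewKey makes a fresh key pair: the struct is "priv", &key.PublicKey is "pub".
func NewKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// NewCA creates the CA's key pair and its self-signed certificate.
func NewCA() (*CA, error) {
	key, err := NewKey()
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Seminar Example CA"}, // assumed name
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return &CA{Key: key, Cert: cert}, err
}

// Issue is steps 1-3: SP pub comes in, SP certificate (SP pub bound to the host) signed with CA priv goes out.
func (ca *CA) Issue(serverPub *ecdsa.PublicKey, host string) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.Cert, serverPub, ca.Key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// VerifyServerCert is the browser's check: signed by a trusted CA, in its validity period, issued for this host.
func VerifyServerCert(cert, trusted *x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	roots.AddCert(trusted)
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

// SignChallenge is the server proving it holds SP priv by signing a nonce the client chose ("message{SP priv}").
func SignChallenge(priv *ecdsa.PrivateKey, nonce []byte) ([]byte, error) {
	h := sha256.Sum256(nonce)
	return ecdsa.SignASN1(rand.Reader, priv, h[:])
}

// CheckChallenge is the browser checking that signature with SP pub taken from the verified certificate.
func CheckChallenge(cert *x509.Certificate, nonce, sig []byte) error {
	pub, _ := cert.PublicKey.(*ecdsa.PublicKey)
	h := sha256.Sum256(nonce)
	if pub == nil || !ecdsa.VerifyASN1(pub, h[:], sig) {
		return fmt.Errorf("challenge not signed by the certified key: disconnect")
	}
	return nil
}

func main() {
	ca, _ := NewCA()
	serverKey, _ := NewKey()
	cert, _ := ca.Issue(&serverKey.PublicKey, "sparcs.example") // assumed host
	fmt.Println("certificate check:", VerifyServerCert(cert, ca.Cert, "sparcs.example"))
	nonce := []byte("nonce chosen by the client") // fresh per connection in practice
	sig, _ := SignChallenge(serverKey, nonce)
	fmt.Println("challenge check:", CheckChallenge(cert, nonce, sig))
}
```

The two checks fail independently, which is the point of the dialogue: a certificate from a CA the browser does not trust, an expired one, or one issued for a different host is rejected before any challenge is sent, and a party that somehow obtained the genuine certificate but not SP priv still fails the challenge because it cannot produce a signature that SP pub accepts.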