Data communication and network notes-SSL/TLS

Data communication and network note-SSL/TLS describes the two most important security protocols at the transport layer: Secure Sockets Layer (SSL) protocol and Transport Layer Security (TLS) protocol. TLS is actually the IETF version of SSL. 1. secure socket layer (SSL) is designed to provide secure compression services for data from the application layer. SSL can accept data from any protocol on the application layer, typically, HTTP is used. Data from the application layer is compressed (optional), tagged, and encrypted, and then transmitted to reliable transport layer protocols such as TCP. Netscape developed SSL in 1994 and released version 1995 and version 2nd in 3rd. This chapter discusses SSLv3. segment SSL first divides data into blocks equal to or less than 2 ^ 14 bytes. This service is optional when the customer and the server negotiate a lossless compression method to compress each segment. Message integrity must be ensured. SSL uses the hash function to create a MAC (Message Authentication Code ). Confidentiality in order to provide confidentiality, raw data and MAC are encrypted using symmetric key encryption methods. Add a header to the encrypted payload and transmit it to a reliable transport layer protocol. 2. during the last discussion of IPSec, either party of the two parties to improve the exchange of data requires a set of parameters for each association (SA). SSL has a similar purpose, but the methods are different, there is no security association, but there is a security association between the password group and the encrypted password. The password group defines the password group (cipher suite) for each SSL session, key exchange, hash, and encryption algorithm ). Each password group starts with ssl and is followed by the key exchange algorithm. Use WITH to separate the key algorithm from the encryption algorithm and the hash algorithm. For example, a SSL-DHE-RSA-WITH-DES-CBC-SHA defines a DHE-RSA (temporary DIffie-Hellman RSA Digital Signature) using a DES-CBC as an encryption algorithm for key exchange and SHA is called a hash algorithm. Note: DH is the corresponding Diffie-Hellman, and DHE is the temporary Diffie-Hellman. The second part of the encrypted password security parameter is the encrypted password. For the integrity and confidentiality of packets. SSL requires six encrypted passwords, four keys, and two Initialization vectors. Shows the process of generating passwords and encryption. 1. Two random numbers are exchanged between the customer and the server. One is generated by the customer and the other is generated by the server. 2. A key exchange algorithm previously discussed in customer and server exchange pre-master password (premaster secret) 3. apply two hash functions (SHA-1 and MD5) to the pre-master password to generate a 48-digit master password (master secret) 4. apply a predefined constant to the master password and the same group of hash functions to generate a variable-length password. 3. sessions have different characteristics from connection IP addresses and TCP Protocols. IP addresses are connectionless, while TCP is connection-oriented, IPSec connections convert connectionless IP addresses to connection-oriented security protocols, while TCP is connection-oriented. However, SSL designers use the second-level connectivity method: session and connection ). A session between two systems is an association that can last for a long time. During a session, the connection can be established and the terminal can be established several times. Some security parameters are generated during session creation and remain valid until the session ends (for example, encryption group and CMK ), some security parameters must be re-generated for each connection (or occasionally recoverable) (for example, 6 passwords) 4. the following describes how to implement SSL under the four Protocols. SSL defines four protocols on two layers: Record protocol is the carrier and carries packets from the other three protocols, it also carries data from the application layer. For the transport layer, usually TCP, the message from the record protocol is its payload. Handshake protocol provides security parameters for the record protocol. It establishes a password group and provides keys and security parameters. It also implements user authentication on the server, as well as server authentication on the user if necessary. Change cipher spec protocol is used to send a notification that the encrypted password is ready. The alert protocol user reports exceptions.