ASP. NET Security Model Part.2 (SSL)

ArticleDirectory

• 1. Understand the certificate
• 2. Understand SSL
• 3. Configure SSL in IIS 7.x

SSL (Secure Sockets Layer(Secure Sockets Layer) technology to encrypt the communication over HTTP.SSL is supported by a large number of browsers and ensures that the information exchanged between the client and the Web server is not easily decrypted by the listener. Sensitive data must be encrypted using SSL.. For example, the user name and password submitted by the user. Otherwise, malicious customers can steal user creden。 and use this creden。 to log on to the system.

IIS provides built-in support for SSL. Because SSL is used at the underlying layer of HTTP, using SSL does not change the HTTP request method. All encryption and decryption are performed by the SSL function of the web server software (IIS. The only difference is that the SSL-protected URL address starts with https: // instead of http: //..

SSL communication also uses different ports. The web server usually uses port 443 for SSL requests and port 80 for common requests..

To allow the server to support SSL connections, it must install the X.509 Certificate. You must purchase a certificate, install it, and correctly configure IIS.

 

1. Understand the certificate

Before sending sensitive data, the client must determine whether to trust a website. This is the purpose of the certificate design. It can partially verify the user's identity. Certificates can be installed on any type of computer, but they most often appear on Web servers.

For certificates (Certificate Authority, certificate authorization) Purchase a certificate and install it on your Web server. The client implicitly trusts the CA, so it also trusts the certificate issued by the CA.

This model works well because malicious users are unlikely to buy and install a forged certificate. CA saves the information of each registered user. However, certificates never guarantee that the server can be trusted or applied.ProgramSecurity or business legitimacy. The certificate is valid only for a limited range.

The certificate itself contains some identification information. It uses the CA's private key signature to ensure that it is credible and not tampered. The industry-standard certificate type is x.509v3, which contains the following information:

• Registrant's name, organization, address
• The public key of the registrant. It is used to encrypt the SSL session key in the communication.
• Valid date of Certificate
• Certificate serial number

The two largest certificate authorization centers are:

• Thawte (http://www.thawte.com)
• Verisign (http://www.verisign.com)

If you do not need the CA identity verification function (for example, your certificate is only used for local LAN), you can create and use your own certificate, and then configure all clients to trust it. This requires the active directory and the Certificate Server (they are part of Windows 2003 Server and Windows 2000 Server ).

 

2. Understand SSL

All certificates have a public key.The Public Key is part of a non-symmetric key pair. The basic idea is that the public key can be provided to all users at will. The corresponding private key is carefully kept and only available to the server. Interestingly, all contents encrypted with a public key can be decrypted by a private key.That is to say, the client can obtain the public key and use it to encode the secret message, and the message can only be decrypted by the corresponding private key. In other words, the client can create messages that can only be read by the server.

This process isAsymmetric encryptionIs one of the basic SSL build blocks. An important principle of asymmetric encryption is that you cannot obtain the private key by analyzing the corresponding public key. If you have to do so, the computing cost is very high. However, asymmetric encryption also has its own restrictions, it is far slower than encryption and generates more messages.

Symmetric encryptionMost people will feel familiar with the encryption type. It uses the same security key to encrypt and decrypt messages. The disadvantage of symmetric encryption is that both parties need to know the key content. However, symmetric encryption cannot be used on the Internet. Malicious users intercept and decrypt encrypted sessions.

What's amazing about SSL is that it combines symmetric encryption and asymmetric encryption. Asymmetric encryption manages initial key interaction, and then uses this secret value to symmetric encrypt all subsequent messages, thus ensuring optimal performance..

The process is as follows:

1. The client sends a request to connect to the server.
2. The server signs the certificate and sends it to the client. Here, the handshake part of the switch is included.
3. The client checks whether the certificate is issued by a trusted ca. If yes, it performs the next step. If the client does not recognize the CA, a warning message may be displayed, allowing the user to decide whether to continue.When the certificate is stored in the "Trusted Root Certificate Authority" of the operating system, the client can identify the CA. You can click the "certificate" button on the "content" tab in the IE option to find all the saved certificates..
4. The client compares the information in the certificate with the information obtained from the website (Domain Name and Public Key) to verify the certificate validity.
5. The client tells the server what type of communication encryption key it supports.
6. The server selects the strongest key length and notifies the client
7. Based on the specified key length, the client randomly generates a symmetric encryption key, which guarantees optimal performance and is faster than asymmetric encryption.
8. The client uses the server's public key (from the certificate) to encrypt the session key and sends the encrypted session key to the server.
9. The server receives the encrypted session key and decrypts it with its own private key. Now, both the server and client have a shared key, which will be used to encrypt all the information in the session.

You may notice that,Symmetric keys are randomly generated and used only during sessions.. This reduces security risks. FirstPassword analyticsIt is more difficult to crack the encrypted content because messages from other sessions cannot be used. Second, even if the key is known to malicious users, it is only available during the session.

 

3. Configure SSL in IIS 7.x

First, issue a certificate to the web server. In IIS manager, select the root node of the web server and then select "server certificate ":

After opening the details, the console lists all server certificates installed on the Web server. In IIS 7.x, it is interesting to install multiple server certificates on the same web service provider to configure different websites:

The right side of this view shows the tasks required to install the server certificate. It can automatically create a certificate request, and you can use it to request a new certificate from the CA. If you want to create a new request, click the "Create certificate request" task link to create a base64 encoded request. You can use this base64 encoded request to submit a request to the CA. After receiving the certificate from the CA, you can click the "complete certificate request" task link to complete the running request. In this way, you can request and configure an SSL certificate for an independent web server.

To request a certificate for your ca, click "create domain certificate ..." Continue wizard...

For more information about SSL, see related documents.