Transport Layer Security
Internet application programs are generally built on interprocess communication (IPC) mechanisms, and security protocols can be attached to these mechanisms at different levels. Two popular IPC programming interfaces are BSD Sockets and the Transport Layer Interface (TLI) found in Unix System V.
The first idea for providing security services on the Internet was to strengthen such an IPC interface, for example BSD Sockets. Following this idea, Netscape Communications developed the Secure Sockets Layer (SSL) protocol, which establishes a secure connection on top of a reliable transport service (such as the one provided by TCP/IP). SSL version 3 (SSLv3) was developed in December 1995. It consists mainly of the following two protocols:
· The SSL record protocol handles the fragmentation, compression, data authentication (MAC) and encryption of the data handed down by applications. SSLv3 supports MD5 and SHA for data authentication and RC4 and DES for data encryption. The keys used for data authentication and encryption are negotiated through the SSL handshake protocol.
· The SSL handshake protocol is used to exchange version numbers and cipher choices, to (mutually) authenticate the communicating parties, and to exchange keys. SSLv3 supports the Diffie-Hellman key exchange algorithm, an RSA-based key exchange mechanism, and a key exchange mechanism based on the Fortezza chip.
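The record protocol step described above (fragment, compress, authenticate, encrypt, prepend a type/version/length header) is shown below as an added example written for this page; it is not code from SSLref, SSLeay or any other SSL implementation. It follows the SSL 3.0 record layout and the SSL 3.0 MAC construction (an inner and an outer hash keyed with the MAC secret and the 0x36/0x5c pad bytes, covering an implicit 64-bit sequence number, the content type, the length and the fragment). Choosing SHA for the MAC and RC4 for encryption, using null compression, and all keys and sample data are assumptions of the example; in a real connection the keys come from the handshake.

```python
# Added example: a minimal SSLv3-style record layer. Not code from SSLref or SSLeay.
# Cipher (RC4), MAC hash (SHA), null compression, keys and sample data are assumptions.
import hashlib
import hmac
import struct

MAX_FRAGMENT = 2 ** 14      # SSLv3 fragments application data into blocks of at most 2^14 bytes
APPLICATION_DATA = 23       # SSLv3 ContentType value for application data
SSL3_VERSION = (3, 0)       # version field carried in every record header
SHA_PAD_LEN = 40            # SSLv3 uses 40 pad bytes with SHA (48 with MD5)


def rc4_keystream(key: bytes):
    """RC4 key scheduling followed by the pseudo-random generation loop."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    while True:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        yield s[(s[i] + s[j]) & 0xFF]


class RC4:
    """Stream cipher state for one direction; encryption and decryption are the same XOR."""
    def __init__(self, key: bytes):
        self._ks = rc4_keystream(key)

    def crypt(self, data: bytes) -> bytes:
        return bytes(b ^ next(self._ks) for b in data)


def sslv3_mac(mac_secret: bytes, seq_num: int, content_type: int, fragment: bytes) -> bytes:
    """SSL 3.0 MAC: hash(secret + pad2 + hash(secret + pad1 + seq + type + length + fragment))."""
    header = struct.pack("!QBH", seq_num, content_type, len(fragment))
    inner = hashlib.sha1(mac_secret + b"\x36" * SHA_PAD_LEN + header + fragment).digest()
    return hashlib.sha1(mac_secret + b"\x5c" * SHA_PAD_LEN + inner).digest()


def seal(data: bytes, mac_secret: bytes, cipher: RC4, seq_start: int = 0) -> list:
    """Sender side: fragment, (null-)compress, authenticate, encrypt, prepend the record header."""
    records = []
    seq = seq_start
    for off in range(0, len(data), MAX_FRAGMENT):
        fragment = data[off:off + MAX_FRAGMENT]     # null compression leaves the fragment unchanged
        mac = sslv3_mac(mac_secret, seq, APPLICATION_DATA, fragment)
        body = cipher.crypt(fragment + mac)          # stream cipher, so no block padding is needed
        header = struct.pack("!BBBH", APPLICATION_DATA, *SSL3_VERSION, len(body))
        records.append(header + body)
        seq += 1                                     # sequence number is implicit, never sent
    return records


def open_records(records: list, mac_secret: bytes, cipher: RC4, seq_start: int = 0) -> bytes:
    """Receiver side: parse the header, decrypt, verify the MAC, reassemble the data."""
    out = bytearray()
    seq = seq_start
    for rec in records:
        if len(rec) < 5:
            raise ValueError("malformed record %d" % seq)
        ctype, major, minor, length = struct.unpack("!BBBH", rec[:5])
        if (major, minor) != SSL3_VERSION or len(rec) != 5 + length:
            raise ValueError("malformed record %d" % seq)
        plain = cipher.crypt(rec[5:])
        fragment, mac = plain[:-20], plain[-20:]
        if not hmac.compare_digest(mac, sslv3_mac(mac_secret, seq, ctype, fragment)):
            # Fails on modification as well as on replayed or reordered records (wrong seq).
            raise ValueError("MAC check failed on record %d" % seq)
        out += fragment
        seq += 1
    return bytes(out)


def demo() -> dict:
    """Round trip of a constructed 38000-byte request, then one tampered record."""
    # Constructed sample keys; in SSL they are derived from the handshake's master secret.
    write_key, mac_secret = b"constructed-rc4-write-key", b"constructed-mac-write-secret"
    data = b"GET / HTTP/1.0\r\nHost: example.test\r\n\r\n" * 1000   # constructed sample input
    records = seal(data, mac_secret, RC4(write_key))
    roundtrip = open_records(records, mac_secret, RC4(write_key)) == data
    tampered = list(records)
    tampered[1] = tampered[1][:5] + bytes([tampered[1][5] ^ 0x01]) + tampered[1][6:]
    try:
        open_records(tampered, mac_secret, RC4(write_key))
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    return {"records": len(records), "roundtrip": roundtrip, "tamper_detected": tamper_detected}
```

The sender and receiver each hold their own RC4 state and their own sequence counter, which is why a second RC4 object with the same key is created for the receiving side. Note that the nested-hash MAC above is the SSL 3.0 construction; TLS replaced it with HMAC, and SSLv3 as a whole has long been deprecated, so this is a model of the record layer described on this page rather than something to deploy.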
Netscape released an SSL reference implementation (SSLref) to the public. Another free SSL implementation is called SSLeay. SSLref and SSLeay can add SSL functionality to any TCP/IP application. The Internet Assigned Numbers Authority (IANA) has assigned fixed port numbers to applications running over SSL: HTTP over SSL (https) is assigned port 443, SMTP over SSL (ssmtp) port 465, and NNTP over SSL (snntp) port 563.
Microsoft released an improved version of SSL version 2 called PCT (Private Communication Technology). At least in terms of the record format they use, SSL and PCT are very similar. The main difference between them is the value of the most significant bit of the version number field: SSL sets it to 0 and PCT sets it to 1. This distinction lets a single implementation support both protocols.
In April 1996, the IETF chartered a Transport Layer Security (TLS) working group to develop a Transport Layer Security Protocol (TLSP), to be formally submitted to the IESG as a proposed standard. TLSP will resemble SSL in many respects.
We have seen that the main advantage of Internet-layer security mechanisms is their transparency: security services are provided without any change to the applications. This is not possible at the transport layer. In principle, any TCP/IP application that wants to use a transport layer security protocol such as SSL or PCT must be modified to add the corresponding functionality and to use a (slightly) different IPC interface. The main disadvantage of transport layer security mechanisms is therefore that both the transport layer IPC interface and the applications have to be modified; compared with security at the Internet layer and the application layer, however, the modifications are quite small. Another disadvantage is that it is hard to build security mechanisms for UDP-based communication at the transport layer. Compared with network layer security mechanisms, transport layer security mechanisms provide process-to-process (rather than host-to-host) security services. Combined with application-level security services, this can be a huge step forward.