I. Introduction to Secure Socket Layer SSL
The Secure Sockets Layer Protocol is an encryption system used on the server to ensure that the data transmitted between the client and the server is secure and encrypted. If the server and client use SSL for secure communication, the server must have:
1. The Key pair contains a public Key and a private Key. The Key pair is used to encrypt and decrypt information to ensure the security of data transmission.
2. The Certificate is used for identity verification or confirmation. A certificate can be a self-signed certificate (a certificate created for your private Web network) or a certificate (A certificate provided by the certification center or the certificate signatory ).
Ii. SSL principle of Secure Sockets Layer
Data transmitted between the client and the server is encrypted by Using symmetric algorithms (such as DES or RC4. Public key encryption is a technology that uses an asymmetric key for encryption and decryption. Each pair of keys consists of a public key and a private key. When the public key is widely distributed, it becomes public. Private keys are never distributed; they are always confidential. The Public Key algorithm (generally RSA) is used to obtain the encryption key exchange and digital signature. This algorithm uses the public key in the SSL digital certificate of the server. With the SSL digital certificate of the server, the client can also verify the identity of the server.
The principle of SSL is actually the handshake negotiation between the server and the client. After the negotiation, you can use SSL for data exchange:
1. The client sends client information, including the SSL version supported by the client, the password pair supported by the client, and the data compression method supported by the client. The message also contains a 28-bit random number.
2. The server replies with a Hello message, which includes the password method (password pair) used, the data compression method selected by the server, the session ID, and another random number.
3. If the server sends an SSL Certificate to the client (SSL 3.0 supports client verification), the client also needs to send a digital certificate request message.
4. the server sends the completion message, and so on.
5. After the client receives the complete message from the server, the client checks the validity of the SSL digital certificate on the server. If the server needs to verify the identity of the client, the client sends its digital certificate to the server. If the client does not have the corresponding digital certificate, a warning window is displayed, if the server forces the client's identity authentication, the server will end the session when the client does not have the corresponding certificate.
6. The client sends a "client key exchange" message, which contains a pre-master secret (a random number of 46 bytes used in symmetric encryption key generation) and message authentication code (MAC) key (encrypted with the public key of the server ). The server verifies the message sent by the client. If the message fails, the server ends the session.
7. The client sends the "Change Password specification" message.
8. The server responds to the message with its own "Change Password specification" and "completed.
9. After the handshake ends, the server and client can communicate encrypted.
Iii. Advantages and Disadvantages of Secure Socket Layer SSL
1. authenticated, and all message sources are guaranteed.
2. Reliable. message transmission uses message integrity check to ensure the quality of transmitted data.
3. Confidential: the message is encrypted, and the key is defined after handshaking to ensure that the content of the message cannot be read by a third party.
To use SSL, both parties need to perform additional work, encrypt and decrypt the information, and increase the system overhead so that SSL is slower than to use SSL.
References:
Http://www.wosign.com/Basic/howsslwork.htm
Http://support.microsoft.com/kb/245152/zh-cn
A http://www.hudong.com/wiki/%E5% AE %89%E5%85%A8%E5%A5%97%E6%8E%A5%E5%AD%97%E5%B1%82 (SSL) #1
Http://publib.boulder.ibm.com/tividd/td/ITLM/SC32-1431-01/zh_CN/HTML/tlminmst43.htm