The SSL (Secure Sockets Layer) protocol was first developed by the famous Netscape company. It is now widely used for identity authentication on the Internet and secure data communication between web servers and Client browsers.
The purpose of the SSL protocol is to provide secure and reliable communication protocol services for both parties, and establish a Transport Layer Security channel between the two parties. SSL uses symmetric encryption to ensure communication confidentiality.
Information Authentication Code (MAC) to ensure data integrity. SSL uses PKI to authenticate the identities of both parties when establishing a connection. Transport Layer Security (TLS) protocol (RFC) of IETF
1999) and Wireless Access Protocol (WAP) Forum wireless transmission layer security protocol (wtis) are the follow-up development of SSI. The Protocol has two layers: its lower SSL record layer protocol is located in the Transport Protocol
Above TCP/IP. The SSL record protocol is used to encapsulate the upper-layer protocols. In these encapsulated upper-layer protocols, the handshake protocol allows clients and servers to authenticate each other and
Negotiate encryption before the Protocol is sent or receivedAlgorithmAnd encryption key. The reason for this is to ensure the independence of the application protocol and make the low-level protocol transparent to the advanced protocol.
Currently, encryption protocols have been proposed for each layer of the layer-7 network model on the Internet. Among all these protocols, SSL at the Session Layer and set at the application layer are most closely related to e-commerce applications.
Therefore, SSL has become a de facto standard for secure communication between users and the Internet, and supporting SSL has become a built-in function of each browser. SSL includes two sub-protocols: handshake and record. Both sub-protocols can provide connections with applications, especially HTTP. This connection is authenticated and kept confidential to prevent tampering.
SSL can be embedded in the Processing Stack of the Internet, which is located at the upper and lower layers of TCP/IP and does not affect other protocol layers. SSL can also be used with other
Internet applications are used together, such as Intranet and exclusive access, application security, wireless applications, and Web services. By encrypting the data that leaves the browser
The data center is decrypted, and SSL protects Internet data communication.
SSL dialogs are composed of connections and applications. During the connection dialog, the client and server Exchange Certificates and negotiate security parameters. If the client accepts the server certificate, a CMK is created, which is used to encrypt subsequent communications.
During the application conversation, the client and server can transmit information securely, such as credit card numbers, stock transaction data, personal medical data, and other sensitive data. SSL provides the following three mechanisms to ensure
Security: authentication, which can authenticate the clients and servers on the server or connected terminals. It is confidential and can encrypt the information. Only the Parties that exchange the information can access and understand the encrypted information. Integrity, prevents
The information content is modified without detection, and the recipient can be sure that they receive information that cannot be modified.
A key step in the process of secure communication is to authenticate the identities of both parties. The SSL handshake sub-protocol has one function. The following actions between the server and the client can make the authentication process faster:
The client authenticates the server, allows the client and server to select the required password algorithm and security level, the server selectively authenticates the client, and uses the public key password to generate a shared key.
Use these keys to transmit truly confidential data and establish an SSL connection.
The SSL record sub-protocol is used to encrypt data transmission. The following actions can make data transmission faster: data is broken down into small usable blocks, called fragments, and data is not modified through an integrated "wrapping paper; after the data is encrypted, You can paste "wrapping paper.
In the past, many e-commerce applications did not undergo client authentication. However, companies currently use SSL as a protocol for new applications in data centers. For SSL-based VPNs and applications that require additional authentication for end users, client authentication is becoming a trend.
Client Authentication allows the server to use the same technology as allowing the client to authenticate the server and confirm the user identity within the Protocol. Although the two authentication processes have extremely different information flows
The process is the same as that of server authentication. This process will also be performed within the SSL handshake sub-protocol. In this case, the client must provide a valid certificate to the server. By enabling
Use standard public key cryptography technology to authenticate the validity of end users.
The flexibility and vitality of SSL make it ubiquitous. It is predicted that SSL applications will continue to grow significantly while SSL becomes a key protocol for enterprise applications, wireless access devices, Web Services, and secure access management. The following describes the principle and working process of SSL.
1 SSL protocol Overview
1. Functions of the SSL protocol
SSL is a security protocol that provides private communication over the Internet. This protocol allows clients/server applications to communicate securely against eavesdropping, message tampering, and message forgery.
It is the most basic control protocol used for data transmission and communication over the Internet.
Protocol), LDAP (Lightweight Directory Access protoco1), IMAP (Internet
Protocol. SSL is a data security protocol (as shown in 1l-8) between TCP/IP and various application layer protocols ). SSL protocol can effectively avoid
This prevents eavesdropping, tampering, and forgery of information on the Internet.
|Figure 11-8 location of the SSL protocol
The key to the SSL standard is to solve the following problems.
(1) Customer authentication on the server: the SSL server allows the customer's browser to use standard public key encryption technology and some reliable certificate from the authentication center (CA, to check the validity of the server (verify the validity of the server certificate and ID ). It is very important to confirm the user's server identity, because the customer may send his/her credit card password to the server.
(2) server-to-customer identity confirmation: allow the SSL server to confirm the customer's identity, the SSL protocol allows the software on the client server to confirm the customer's identity (the customer's certificate) through Public Key Technology and trusted certificates ). It is very important to confirm the identity of a server customer because online banking may send confidential financial information to the customer.
(3) establish a secure data channel between the server and the customer: SSL requires that all sent data between the customer and the server be encrypted by the sending end, and all received data is decrypted by the receiving end, in this way, a high level of security can be provided. At the same time, the SSL protocol checks whether the data is modified midway through the transmission process.
2. Objectives of the SSL protocol
According to their priorities, the goals of the SSL protocol are as follows.
(1) Establish a secure connection between the communication parties using encrypted SSL Messages.
(2) interoperability. Communication partiesProgramIs independent, that is, one party can use SSL to successfully exchange encryption parameters without knowing the program code of the other party.
Note: not all SSL instances (even in the same application) can be connected successfully. For example, if the server supports a specific hardware token and the client cannot access this token, the connection will not succeed.
(3) scalability. SSL seeks to provide a framework structure in which a new Public Key algorithm and a single key algorithm can be added when necessary without making major changes to the Protocol. In this way, two sub-goals can be achieved:
Avoid the need for new protocols, and further avoid the possibility of new deficiencies;
This avoids the need to implement a complete security protocol.
Compared with effective encryption operations, especially public key encryption, this is a time-consuming task for the CPU. Therefore, the SSL Protocol introduces an optional dialog cache) to reduce the number of connections from the beginning. At the same time, it also pays attention to reducing network activity.
3. Main Components of SSL
The SSL protocol consists of two layers: the handshake protocol layer and the record protocol layer. The handshake protocol is based on the record Protocol. In addition, there are also sub-protocols that support conversation protocols and management, such as the warning protocol, password change protocol, and application data protocol. The composition of the SSL protocol and its TCP/IP location 11-9 are shown.
|Figure 11-9 Composition of the SSL protocol and its location in TCP/IP
Each layer in Figure 11-9 can contain length, description, and content fields. SSL Messages are the results of dividing data into manageable blocks, compression, Mac, and encryption. To receive messages, you need to decrypt, verify, decompress, and reorganize the messages, and then send the results to customers at a higher level.
(1) record Protocol
Perform security-related operations such as compression/decompression, encryption/decryption, and computer Mac. In addition:
Change Password Description Protocol: This Protocol consists of a message, which can be sent by a client or server. The record after the notification recipient will be the password description and key protection negotiated by the new user; after receiving the message, the Receiver immediately instructs the record layer to change the read status to the current read status. After sending the message, the sender immediately instructs the record layer to change the write status to the current write status.
Warning protocol: warn a message to convey the message's severity and describe the warning. A fatal warning will immediately terminate the connection. Like other messages, warning messages are encrypted and compressed in the current status. There are the following types of warning messages:
Disable notification message, unexpected message, error record MAC message, decompress failed message, handshake failed message, no certificate message, error certificate message, unsupported certificate message, certificate recall message, certificate expiration messages, unknown certificates, and invalid parameters.
Application Data Protocol: Transfers application data directly to the record protocol.
(2) handshake protocol
The SSL handshake protocol is a secure communication mechanism established to transmit application data between the client and the server.
Algorithm negotiation: During the first communication, both parties negotiate the key encryption algorithm, data encryption algorithm, and digest algorithm through the handshake protocol.
Authentication: After the key negotiation is complete, the client and the server Verify the identity of each other through the certificate.
Determine the key: Finally, use the negotiated Key Exchange Algorithm to generate a secret information that only the two parties know. the client and the server determine the parameters of the Data Encryption Algorithm Based on the secret information (generally the key ). It can be seen that the SSL protocol is an end-to-end communication security protocol.