The principle of SSL protocol and digital certificate

Source: Internet
Author: User

1 SSL (Secure Sockets Layer) is a secure transport protocol originally designed by Netscape Corporation, primarily for the Web. It has since been widely used in Web applications.

SSL establishes an encrypted channel on top of TCP; the data passing through this layer is encrypted, which provides confidentiality.

The SSL protocol is divided into two parts: the Handshake Protocol and the Record Protocol.

The Handshake Protocol is used to negotiate keys; much of the protocol is about how the communicating parties use it to negotiate a key securely.

The Record Protocol defines the format in which data is transferred.

SSL defaults to server-side authentication only, and client authentication is optional.

Key negotiation process

Why negotiate a key?

Because public-key (asymmetric) encryption is slow, it is generally used only for key exchange: the two parties use a public-key algorithm (public key, private key) to negotiate a shared key, and then communicate with symmetric encryption; symmetric encryption is used for the actual data transmission.

To put it simply:

1. After the TCP connection is established, the SSL client (which is also the TCP client) sends a ClientHello containing the list of algorithms it can support and some other required information.

2. The SSL server responds with a ServerHello, which fixes the algorithms to be used for this communication, and then sends its own certificate (which contains its identity and its public key).

3. When the client receives this message, it generates a secret, encrypts it with the SSL server's public key and sends it to the server.

4. After the SSL server decrypts the secret with its own private key, the session key negotiation has succeeded and the two parties can communicate with the same session key.

Question: how does the client know that the certificate is genuine? The certificate is issued by a certificate authority (CA).

The client already holds the CA's public key. The CA encrypts (signs) the certificate with its own private key, and the client decrypts (verifies) it with the CA's public key; if this succeeds, the authenticity of the certificate is proven.

Figurative metaphor

The client communicates with the server, and both sides speak SSL. Encrypted messages are placed in square brackets [] to distinguish them from plaintext messages, and the actions each party takes are described in parentheses ().

CLIENT: I want to talk to you securely. On my side, the symmetric encryption algorithms available are DES and RC5, the key exchange algorithms are RSA and DH, and the digest algorithms are MD5 and SHA.

(Note: three kinds of algorithm are involved:

1 Key exchange algorithm, e.g. RSA, asymmetric - used to exchange the cipher key

2 Digest algorithm - guarantees the integrity of the message

3 Symmetric encryption algorithm - encrypts the data)

SERVER: We will use DES-RSA-SHA.
This is my certificate, which carries my name and my public key; take it and verify my identity (sends the certificate to the client).
There is nothing else to say at the moment.

CLIENT: (checks whether the server name on the certificate is correct, and verifies the authenticity of the server's certificate with the CA certificate it already holds [in one-way authentication the client itself has no certificate]; if either check fails, it issues a warning and disconnects. This step guarantees the authenticity of the server's public key.)
(generates a secret from which the encryption keys, the encryption initialization vectors and the HMAC keys are derived. This secret, called the pre_master_secret in the protocol, is encrypted with the server's public key and wrapped in a message called ClientKeyExchange; because the server's public key is used, a third party cannot eavesdrop on it.)
I have generated a secret and encrypted it with your public key; here it is (sends ClientKeyExchange to the server) [it is useless for anyone else to obtain it, because only the server can decrypt it].
Note that from now on I will send you messages in encrypted form!
(processes the secret and derives the encryption keys, encryption initialization vectors and HMAC keys)

[Anyone who obtains the public key at this point gains nothing, because they do not know the content of the secret.]
[I'm done.]

SERVER: (decrypts the secret in ClientKeyExchange with its own private key, then processes it to derive the encryption keys, encryption initialization vectors and HMAC keys; both parties have now securely negotiated the cryptographic parameters)
Note that I will also start sending you messages in encrypted form!
[I'm done.]

CLIENT: [My secret is ...]

SERVER: [Others won't hear ...]

The detailed process of the two-way authentication SSL protocol

① The browser sends a connection request to the secure server.
② The server sends its own certificate, along with the information associated with the certificate, to the client's browser.
③ The client browser checks whether the certificate sent by the server was issued by a CA that it trusts. If so, the protocol continues; if not, the browser warns the user that the certificate is not trustworthy and asks whether to continue.
④ The client browser then compares the information in the certificate, such as the domain name and the public key, with the information the server has just sent; if it is consistent, the browser accepts the server's identity as legitimate.
⑤ The server asks the client to send its own certificate. Upon receipt, the server verifies the client's certificate; if verification fails it refuses the connection, and if it succeeds the server obtains the user's public key.
⑥ The client browser tells the server which symmetric cipher schemes it can support for the communication.
⑦ From the cipher schemes sent by the client, the server selects the one with the strongest encryption, encrypts the choice with the client's public key and notifies the browser.
⑧ For that cipher scheme the browser selects a session key, encrypts it with the server's public key and sends it to the server.
⑨ The server receives the message sent by the browser, decrypts it with its own private key and obtains the session key.
⑩ From then on the server and the browser communicate using the symmetric cipher scheme, and the symmetric key is encrypted in transit.

The one-way authentication SSL protocol does not require the client to hold a CA certificate. Compared with the steps above, it only removes the server-side validation of the client certificate, and when the symmetric cipher scheme and the symmetric session key are negotiated, the cipher scheme the server sends to the client is unencrypted (this does not affect the security of the SSL process). In this way the actual content of the communication is encrypted data; if a third party attacks, it obtains only encrypted data, and to extract any useful information it must decrypt that data, so at this point security depends on the strength of the cipher scheme. Fortunately, current cipher schemes are secure enough as long as the communication key is long enough. This is why we emphasize the requirement to use 128-bit encrypted communication.

Digital certificates

What is a digital certificate?

It is a certification of the user's public key, issued by a certification authority (CA).

The contents of the certificate

A certificate should include information about the CA, information about the user, the user's public key, and the time of issuance and validity period set by the CA. At present, international certificate formats and authentication methods follow the applicable standards.

A digital certificate is also called a digital ID. It provides a way to perform identity authentication on the Internet: a digital information file that signs and proves the identity of both parties on the network, similar to a driver's licence or an identity card in everyday life. When conducting e-commerce activities online, both sides of a transaction use digital certificates to identify themselves and to carry out the transaction. In layman's terms, a digital certificate is the identity card of an individual or organization on the Internet. A digital certificate mainly contains three things: information about the certificate owner, the certificate owner's public key, and the signature of the certification authority.

What is included in a certificate

A standard digital certificate includes the following:
Certificate version information;
The serial number of the certificate; each certificate has a unique serial number;
The signature algorithm used by the certificate;
The issuer name of the certificate, generally in X.500 naming format;
The validity period of the certificate, now commonly expressed in UTC time format, with a range of 1950-2049;
The name of the certificate owner, generally in X.500 naming format;
The public key of the certificate owner;
The certificate issuer's signature on the certificate.
What problems can a digital certificate solve?

Using digital certificates with public-key encryption technology sets up a rigorous identity authentication system that guarantees:
Confidentiality: encrypting an e-mail message with a digital certificate ensures that only the recipient can read it, so messages delivered over the Internet cannot be stolen by others; even if a message is intercepted, its content cannot be decrypted.
Integrity: digitally signing an e-mail message with the sender's digital certificate before delivery not only establishes the sender's identity but also reveals whether the information was tampered with during delivery.
Identity authentication: the two parties exchanging e-mail over the Internet cannot meet face to face, so there must be a way to determine each other's identity. Digitally signing a message with the sender's digital certificate before delivery establishes that it comes from the sender and not from an impersonator.
Non-repudiation: the sender's digital certificate is unique to the sender, so once the sender has digitally signed an e-mail message with it before delivery, the sender cannot deny having sent it.
What is the principle of digital certificates?

Digital certificates are based on PKI (Public Key Infrastructure) technology, which uses a pair of matching keys for encryption and decryption.

A Encryption and authentication

First we need to differentiate between the two basic concepts of encryption and authentication.

Encryption transforms data so that an unauthorized user who obtains the encrypted data still cannot recover the real content; data encryption therefore protects the data and prevents eavesdropping attacks. Its focus is the security of the data.

Identity authentication determines whether an identity is genuine; once the identity is confirmed, the system can grant different permissions to different identities. Its focus is the authenticity of the user. The two have different focuses.

B Public and private keys

Second, we also need to understand the concept and role of public and private keys.

In modern cryptography, encryption and decryption use different keys (public-key cryptography), that is, an asymmetric key cryptosystem: each party needs two keys, a public key and a private key, and what one of them encrypts the other can decrypt. The public key is made public and need not be kept secret, while the private key is held by its owner and must be kept safe.

The principles of public and private keys:

    1. A public key corresponds to a private key.
    2. Of the key pair, the one everyone may know is the public key; the one that is told to no one and known only to its owner is the private key.
    3. If data is encrypted with one of the keys, only the corresponding key can decrypt it.
    4. If data can be decrypted with one of the keys, it must have been encrypted with the corresponding key.

The main applications of asymmetric key cryptography are public-key encryption and public-key authentication. The two processes are different, and the difference is explained in detail below.

C Encryption process based on public key (encryption)

For example, there are two users, Alice and Bob. Alice wants to send a piece of plaintext to Bob using two-key encryption, and Bob has a pair of public and private keys. The encryption and decryption process is as follows:

    1. Bob sends his public key to Alice.
    2. Alice encrypts her message with Bob's public key and sends it to Bob.
    3. Bob decrypts Alice's message with his private key.

The sender encrypts with the recipient's public key, and the recipient decrypts with its own private key; this achieves confidentiality of the communication.

D Authentication process based on public key (identification)

Identity authentication differs from encryption: it is used mainly to establish whether a user is genuine. Here, as long as we can establish that a user holds the correct private key, we can establish the authenticity of that user.

Again with the two users Alice and Bob: Alice wants Bob to know that she is the real Alice and not an impostor, so Alice simply uses public-key cryptography to sign a file and send it to Bob; Bob uses Alice's public key to decrypt (verify) the file, and if that succeeds it proves that Alice's private key is correct, which completes the identification of Alice. The whole identity authentication process is as follows:

    1. Alice uses her private key to encrypt the file, thereby signing the file.
    2. Alice sends the signed file to Bob.
    3. Bob verifies the signature by decrypting the file with Alice's public key.

The sender uses its own private key for encryption, and the receiver decrypts it with the sender's public key.

E Identification and encryption

The sender encrypts the plaintext with its own private key, and then encrypts it with the public key of the receiver.

The receiver decrypts with its own private key and then decrypts it using the sender's public key.

Two encryptions, two decryptions.

Digital certificates adopt the public key system, which uses a pair of matching keys for encryption and decryption. Each user has a specific private key, known only to that user, which is used for decryption and signing, and a public key, shared with a group of users, which is used for encryption and signature verification. When a confidential file is sent, the sender encrypts the data with the receiver's public key and the receiver decrypts it with its own private key, so that the information reaches its destination safely and intact.

Application of digital certificate

To guarantee the authenticity, integrity and non-repudiation of the transmitted information, suppose holder A transmits digital information to holder B. The transmission process, combining digital encryption and digital signature, is as follows:

(1) A prepares the digital information (plaintext) to be transmitted.
(2) A performs a hash operation on the digital information and obtains a message digest.
(3) A encrypts the message digest with its own private key (SK) to obtain a digital signature, and attaches it to the digital information.
(4) A randomly generates an encryption key (DES key) and uses it to encrypt the information to be sent, forming the ciphertext.
(5) A encrypts the randomly generated encryption key with B's public key (PK), and sends the encrypted DES key together with the ciphertext to B.
(6) B receives the ciphertext and the encrypted DES key sent by A, and first decrypts the encrypted DES key with its own private key (SK) to obtain the DES key.
(7) B then uses the DES key to decrypt the received ciphertext and obtain the plaintext digital information, and then discards the DES key (the DES key is now obsolete).
(8) B decrypts A's digital signature with A's public key (PK) to obtain the message digest (the attachment).
(9) B applies the same hash algorithm to the received plaintext to produce a new message digest.
(10) B compares the received message digest with the newly generated one; if they match, the received information has not been modified.
Where does the PK used in step (5) come from: is it from the digital certificate held by B? If so, where is that digital certificate obtained, and how are the encryption and decryption in this process implemented?
For A to obtain the public key of the communication partner and to trust that this public key is owned by the person with a given identity, an electronic certificate is needed. An e-cert is issued by a third party trusted by everyone, the certification center (Certificate Authority, CA), and carries someone's identity information, their public key and the CA's digital signature. Any communicating party that trusts the CA can establish and trust the other party's public key by verifying the CA's digital signature on the other party's electronic certificate.
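The following Go program is an added example (not code from the original article) that implements steps (1) to (10) above with the Go standard library. The same mechanism, a secret encrypted with the recipient's public key so that only the holder of the matching private key can recover it, is what the handshake dialogue earlier calls the pre_master_secret, and the signature part is the identification of section D. AES-256-GCM stands in for the DES key the text mentions, RSA-OAEP wraps the session key and RSA-PSS signs the digest; the names Envelope, Seal and Open and the sample message are constructed for this example. Obtaining A's public key in a trustworthy way is exactly the certificate question the next sections answer; here the keys are generated fresh in main.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"io"
)

// Envelope is what A sends to B: the symmetric ciphertext with its nonce, the
// one-time symmetric key wrapped with B's public key, and A's signature over
// the SHA-256 digest of the plaintext.
type Envelope struct {
	Nonce, Ciphertext, WrappedKey, Signature []byte
}

// newGCM turns a raw 32-byte key into an AES-256-GCM cipher (used here in place
// of the DES the text mentions).
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal performs steps (1)-(5): digest the plaintext, sign the digest with A's
// private key, draw a random one-time session key, encrypt with it, and wrap
// that key with B's public key.
func Seal(plaintext []byte, aPriv *rsa.PrivateKey, bPub *rsa.PublicKey) (*Envelope, error) {
	digest := sha256.Sum256(plaintext)                                          // (2) message digest
	sig, err := rsa.SignPSS(rand.Reader, aPriv, crypto.SHA256, digest[:], nil) // (3) digital signature
	if err != nil {
		return nil, err
	}
	key := make([]byte, 32) // (4) random session key
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, nil)
	// (5) wrap the session key with B's public key (RSA-OAEP); only B's private key
	// can unwrap it, just like the pre_master_secret in the handshake.
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, bPub, key, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{Nonce: nonce, Ciphertext: ct, WrappedKey: wrapped, Signature: sig}, nil
}

// Open performs steps (6)-(10): unwrap the session key with B's private key,
// decrypt, re-hash the plaintext and check A's signature against that digest.
func Open(env *Envelope, bPriv *rsa.PrivateKey, aPub *rsa.PublicKey) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, bPriv, env.WrappedKey, nil) // (6)
	if err != nil {
		return nil, fmt.Errorf("unwrap session key: %w", err)
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	plaintext, err := gcm.Open(nil, env.Nonce, env.Ciphertext, nil) // (7) the key is not needed afterwards
	if err != nil {
		return nil, fmt.Errorf("decrypt: %w", err)
	}
	digest := sha256.Sum256(plaintext) // (9) fresh digest of the received plaintext
	// (8)+(10): verifying the signature compares the digest A signed with the fresh one.
	if err := rsa.VerifyPSS(aPub, crypto.SHA256, digest[:], env.Signature, nil); err != nil {
		return nil, fmt.Errorf("signature check failed, message altered or not from A: %w", err)
	}
	return plaintext, nil
}

func main() {
	aKey, errA := rsa.GenerateKey(rand.Reader, 2048) // A's key pair (constructed for the example)
	bKey, errB := rsa.GenerateKey(rand.Reader, 2048) // B's key pair
	if errA != nil || errB != nil {
		panic("key generation failed")
	}
	env, err := Seal([]byte("constructed sample message from A to B"), aKey, &bKey.PublicKey)
	if err != nil {
		panic(err)
	}
	got, err := Open(env, bKey, &aKey.PublicKey)
	fmt.Printf("%q %v\n", got, err)
}
```

Open fails both when the signature does not verify against A's public key and when the ciphertext was altered in transit (the AES-GCM tag catches the latter before the signature is even checked); a caller should treat any error as "discard the message" rather than use a partially decrypted result.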

Use of digital certificates

Each user has a different name; a trusted certificate authority (CA) assigns each user a unique name and issues a certificate containing that name and the user's public key.

If A wants to communicate with B, he must first obtain B's certificate from the database and then verify it. If they use the same CA, things are simple: A simply verifies the CA's signature on B's certificate. If they use different CAs, the problem is more complicated: A must start at the bottom of the CA tree structure and query upward from the lower-level CA to the higher-level CA until reaching a CA common to both, that is, find a commonly trusted CA.

Certificates can be stored in a database on the network, and users can exchange certificates with each other over the network. When a certificate is revoked it is removed from the certificate directory, but the CA that issued it keeps a copy for resolving any dispute that may arise later.

If the user's key or the CA's key is compromised, the certificate must be revoked. Each CA must maintain a certificate revocation list (CRL) of certificates that have been revoked but have not yet expired. When you receive a new certificate, you should first check against the CRL whether it has been revoked.
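The client-side checks of steps ③ and ④ (is the certificate issued by a CA I trust, and is it for the host I am talking to), the walk up the chain to a common CA described above, and the CRL lookup this paragraph calls for can all be done with Go's crypto/x509. The following is an added example, not the article's own code: it builds a constructed root CA -> intermediate CA -> server certificate chain with throwaway P-256 keys (the names Example Root CA, Example Intermediate CA and www.example.test are placeholders), verifies the server certificate against the root, and checks a CRL. Note that x509.Certificate.Verify builds and validates the chain and checks the host name but does not consult CRLs; IsRevoked is the separate step the text asks for.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// template builds a CA certificate (may sign certificates and CRLs) or a server
// certificate for the given host name; all are valid for 24 hours from now.
func template(name string, serial int64, ca bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  ca,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if ca {
		t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	} else {
		t.DNSNames = []string{name} // the name a client compares with the host it contacted (step 4)
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// issue generates a P-256 key for tpl and has parentKey sign the certificate;
// a nil parentKey means self-signed (the root CA).
func issue(tpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parentKey == nil {
		parentKey = key
	}
	der, err := x509.CreateCertificate(rand.Reader, tpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// BuildPKI issues the constructed chain for host; the intermediate's key is returned so it can sign a CRL.
func BuildPKI(host string) (root, inter, leaf *x509.Certificate, interKey *ecdsa.PrivateKey, err error) {
	rootTpl := template("Example Root CA", 1, true)
	var rootKey *ecdsa.PrivateKey
	if root, rootKey, err = issue(rootTpl, rootTpl, nil); err != nil {
		return
	}
	if inter, interKey, err = issue(template("Example Intermediate CA", 2, true), root, rootKey); err != nil {
		return
	}
	leaf, _, err = issue(template(host, 3, false), inter, interKey)
	return
}

// VerifyServerCert is the client's check in steps 3 and 4: chain the server certificate
// through the intermediate to a root the client already trusts, and confirm it was
// issued for the host being contacted. Any failure is returned as an error.
func VerifyServerCert(leaf, intermediate, trustedRoot *x509.Certificate, host string) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(trustedRoot)
	inters.AddCert(intermediate)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: host})
	return err
}

// IsRevoked checks that the CRL is signed by the CA that issued cert and then looks
// for cert's serial number in it. Verify above does not consult CRLs by itself.
func IsRevoked(cert, issuer *x509.Certificate, crlDER []byte) (bool, error) {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return false, err
	}
	if err := crl.CheckSignatureFrom(issuer); err != nil {
		return false, fmt.Errorf("CRL not signed by the expected CA: %w", err)
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	root, inter, leaf, _, err := BuildPKI("www.example.test")
	if err != nil {
		panic(err)
	}
	fmt.Println("right host:", VerifyServerCert(leaf, inter, root, "www.example.test"))
	fmt.Println("wrong host:", VerifyServerCert(leaf, inter, root, "other.example.test"))
}
```

A client that accepts a certificate must also make sure the CRL it consulted is current (NextUpdate not yet passed) and came from the issuing CA; that is why IsRevoked checks the CRL signature before looking up the serial number, since a CRL that fails that check says nothing about the certificate.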

Who issues digital certificates, and how are they issued?

Digital certificates are issued by a certification authority.

The certification center is a management agency that issues digital certificates to users to confirm their identities. To prevent forgery of digital certificates, the public key of the certification center must be reliable: the certification center must either publish its public key, or have a higher-level certification center provide an electronic credential proving the validity of its public key. The latter approach led to the emergence of multi-level certification centers.

The digital certificate issuance process is as follows: the user first generates their own key pair and sends the public key and some personally identifying information to the certification center. After verifying the identity, the certification center takes the necessary steps to make sure the request was actually sent by that user, and then sends the user a digital certificate containing the user's personal information and public key, together with the certification center's signature. The user can then use the digital certificate for the various activities that require it.

Message digest

Someone may tamper with or replace the original message. One way to guarantee message integrity is to send a digest of the message along with the message itself; the message is intact if the digest matches.
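Added example (not from the article): a digest on its own only detects accidental corruption, because anyone who can replace the message can also recompute its digest. The handshake dialogue earlier derives HMAC keys for exactly this reason: a keyed digest (HMAC) can only be recomputed by someone holding the shared key. The Go code below, using only the standard library, puts the two side by side on constructed sample messages; the function names are the example's own.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// PlainDigest is the unkeyed digest the text describes: SHA-256 of the message.
func PlainDigest(msg []byte) []byte {
	sum := sha256.Sum256(msg)
	return sum[:]
}

// CheckPlainDigest recomputes the digest of msg and compares it with the one received.
func CheckPlainDigest(msg, digest []byte) bool {
	return hmac.Equal(PlainDigest(msg), digest)
}

// Tag computes HMAC-SHA256 over msg under a key known only to the two parties
// (the role of the HMAC keys derived during the SSL handshake).
func Tag(key, msg []byte) []byte {
	mac := hmac.New(sha256.New, key)
	mac.Write(msg)
	return mac.Sum(nil)
}

// CheckTag recomputes the tag and compares it in constant time, so that the time
// taken does not reveal how many leading bytes of a wrong tag were correct.
func CheckTag(key, msg, tag []byte) bool {
	return hmac.Equal(Tag(key, msg), tag)
}

// Compare shows what happens when a party in the path replaces the message and
// can rewrite the whole packet, checksum included. It returns whether the altered
// message passes the plain-digest check and whether it passes the HMAC check.
func Compare(key, original, altered []byte) (plainAccepts, hmacAccepts bool) {
	// Unkeyed digest: the modifier simply recomputes it for the altered message.
	plainAccepts = CheckPlainDigest(altered, PlainDigest(altered))
	// HMAC: without the key, the best the modifier can do is reuse the original tag.
	hmacAccepts = CheckTag(key, altered, Tag(key, original))
	return
}

func main() {
	key := []byte("constructed shared key, for this example only") // constructed sample
	orig := []byte("transfer 100 to account 42")                  // constructed sample
	alt := []byte("transfer 900 to account 42")                   // constructed sample
	fmt.Println("digest of original:", hex.EncodeToString(PlainDigest(orig)))
	fmt.Println(Compare(key, orig, alt))
}
```

hmac.Equal is used for both comparisons so that the check runs in constant time; comparing tags with == on strings or a byte-by-byte loop would stop at the first differing byte and leak timing information.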

Digital signatures

Non-repudiation and identity verification



The contents of the certificate

Certificate Authority

Certificate chain

Build a top-level CA
