Handshake Process for SSL protocol (excerpt)

Source: Internet
Author: User
Tags: asymmetric encryption


To make the SSL protocol easier to understand, this article focuses on its handshake protocol. SSL combines public-key (asymmetric) cryptography with symmetric cryptography: the transmitted content is encrypted with a symmetric cipher, and the server's public key is used to encrypt the secret from which the symmetric keys are derived. The two techniques complement each other: symmetric encryption is fast and suited to bulk data, while public-key encryption is comparatively slow but provides authentication, so it is used only to protect the key material for the symmetric cipher. The handshake described below is the RSA key exchange of SSL/TLS up to TLS 1.2; it provides no forward secrecy, because anyone who later obtains the server's private key can decrypt recorded sessions, which is why TLS 1.3 dropped it in favour of ephemeral Diffie-Hellman key agreement.
The SSL handshake protocol lets the client and the server authenticate each other and agree on keys; the main steps are as follows:
① The client's browser sends the server the version of the SSL protocol it supports, the cipher suites it supports, a freshly generated random number, and the other information needed to set up communication between server and client.

② The server replies with the SSL protocol version and cipher suite it has chosen, its own random number and other related information, and also sends the client its certificate.

③ The client uses the information sent by the server to verify the server's legitimacy. The checks are: whether the certificate has expired, whether the CA that issued the server certificate is trusted, whether the issuer's public key correctly verifies the digital signature on the server certificate, and whether the domain name in the server certificate matches the domain name the client actually connected to. If any check fails, the connection is dropped; if all of them pass, the handshake continues with step ④.

④ The client randomly generates the "pre-master secret" from which the symmetric keys for the session will be derived, encrypts it with the server's public key (taken from the server certificate received in step ②), and sends the encrypted pre-master secret to the server.

⑤ If the server has requested client authentication (optional in the handshake), the client also sends its own certificate together with a signature, made with the client's private key, over the handshake data exchanged so far; this proves possession of the private key that matches the certificate. The signature accompanies the encrypted pre-master secret.

⑥ If client authentication was requested, the server must verify the client certificate and the signature. The checks are: whether the certificate is within its validity period, whether the CA that issued it is trusted, whether the issuing CA's public key correctly verifies the CA's signature on the client certificate, and whether the certificate is listed in the certificate revocation list (CRL), in which case it is rejected. If any check fails, the connection is terminated immediately. If verification passes, the server uses its own private key to decrypt the encrypted pre-master secret and then combines it with the two random numbers from steps ① and ② to derive the master secret for the session (the client derives the same master secret in the same way).

⑦ The server and the client use the same master secret to derive the session keys: the symmetric keys the SSL record layer uses to encrypt and decrypt the communication, and the keys used to protect the integrity of the data so that any modification in transit is detected.

⑧ The client sends the server a message announcing that subsequent traffic will use the session keys derived in ⑦ (ChangeCipherSpec), followed by a message telling the server that the client's part of the handshake is complete (Finished).

⑨ The server sends the client a message announcing the same switch to the session keys from ⑦, followed by a message telling the client that the server's part of the handshake is complete.
⑩ The handshake is finished and data communication over the SSL secure channel begins: the client and the server exchange data encrypted with the same symmetric keys, with an integrity check on every record.
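The ten steps above, run end to end by one function that plays both sides, as an added example (this is not code from the original article). It assumes a toy unpadded RSA over fixed Mersenne primes in place of real RSA with PKCS#1 padding and X.509 certificates (such keys are trivially factorable and are only a placeholder), certificates represented as dicts signed by a constructed CA, and the TLS 1.2 PRF with HMAC-SHA256 for deriving the master secret, the key block and the Finished messages; the names handshake, build_pki, issue_cert and verify_cert are this example's own. Standard library only, Python 3.8 or later.

```python
# Added example: a simulation of the RSA key exchange handshake in steps 1 to 10.
# Toy unpadded RSA over fixed Mersenne primes stands in for RSA with PKCS#1 padding
# and X.509 (such keys are trivially factorable; demo only). Key derivation and the
# Finished messages use the TLS 1.2 PRF (RFC 5246 section 5) with HMAC-SHA256.
import hashlib, hmac, os

_MERSENNE = [(521, 127), (607, 107), (1279, 89)]   # exponents of known Mersenne primes

def rsa_keygen(i):
    """Deterministic toy key pair number i: returns ((n, e), (n, d)). Needs Python 3.8+."""
    p, q = (1 << _MERSENNE[i][0]) - 1, (1 << _MERSENNE[i][1]) - 1
    return (p * q, 65537), (p * q, pow(65537, -1, (p - 1) * (q - 1)))

def rsa_encrypt(pub, msg):           # textbook RSA, requires int(msg) < n
    return pow(int.from_bytes(msg, "big"), pub[1], pub[0])

def rsa_decrypt(priv, c, length):
    return pow(c, priv[1], priv[0]).to_bytes(length, "big")

def rsa_sign(priv, data):            # private-key operation on the SHA-256 digest
    return pow(int.from_bytes(hashlib.sha256(data).digest(), "big"), priv[1], priv[0])

def rsa_verify(pub, data, sig):      # "unlock" the signature with the issuer's public key
    return pow(sig, pub[1], pub[0]) == int.from_bytes(hashlib.sha256(data).digest(), "big")

def _cert_body(cert):
    return "|".join(str(cert[k]) for k in ("subject", "pub", "serial", "not_after")).encode()

def issue_cert(ca_priv, subject, pub, serial, not_after):
    """Toy certificate: the fields plus the CA's signature over them."""
    cert = {"subject": subject, "pub": pub, "serial": serial, "not_after": not_after}
    cert["sig"] = rsa_sign(ca_priv, _cert_body(cert))
    return cert

def verify_cert(cert, ca_pub, now, crl=frozenset(), expected_host=None):
    """The checks of steps 3 and 6; returns None when the certificate is acceptable."""
    if not rsa_verify(ca_pub, _cert_body(cert), cert["sig"]):
        return "issuer signature does not verify"
    if now > cert["not_after"]:
        return "certificate expired"
    if cert["serial"] in crl:
        return "certificate revoked"
    if expected_host is not None and cert["subject"] != expected_host:
        return "name mismatch"
    return None

def prf(secret, label, seed, length):
    """TLS 1.2 PRF: P_SHA256(secret, label + seed), truncated to length bytes."""
    seed = label + seed
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]

def handshake(server_cert, server_priv, ca_pub, host, now,
              client_cert=None, client_priv=None, crl=frozenset()):
    """Both sides of steps 1 to 10; returns the key blocks the client and the server derived."""
    client_random, server_random = os.urandom(32), os.urandom(32)      # 1 and 2
    msgs = [client_random, server_random, _cert_body(server_cert)]     # shared transcript
    err = verify_cert(server_cert, ca_pub, now, crl, expected_host=host)   # 3
    if err:
        raise ConnectionError("server certificate rejected: " + err)
    pre_master = b"\x03\x03" + os.urandom(46)                          # 4: 48-byte secret
    enc_pms = rsa_encrypt(server_cert["pub"], pre_master)
    msgs.append(enc_pms.to_bytes(256, "big"))
    if client_cert is not None:                                        # 5 and 6 (optional)
        digest = hashlib.sha256(b"".join(msgs)).digest()
        cert_verify = rsa_sign(client_priv, digest)                    # proves key possession
        err = verify_cert(client_cert, ca_pub, now, crl)
        if err or not rsa_verify(client_cert["pub"], digest, cert_verify):
            raise ConnectionError("client certificate rejected: " + (err or "bad signature"))
    server_pms = rsa_decrypt(server_priv, enc_pms, 48)                 # 6: server decrypts
    seed = client_random + server_random
    c_master = prf(pre_master, b"master secret", seed, 48)             # 6/7: both sides derive
    s_master = prf(server_pms, b"master secret", seed, 48)             #      the master secret
    hs_hash = hashlib.sha256(b"".join(msgs)).digest()
    c_fin = prf(c_master, b"client finished", hs_hash, 12)             # 8: client Finished
    if not hmac.compare_digest(c_fin, prf(s_master, b"client finished", hs_hash, 12)):
        raise ConnectionError("client Finished mismatch: keys or transcript differ")
    hs_hash = hashlib.sha256(b"".join(msgs) + c_fin).digest()
    s_fin = prf(s_master, b"server finished", hs_hash, 12)             # 9: server Finished
    if not hmac.compare_digest(s_fin, prf(c_master, b"server finished", hs_hash, 12)):
        raise ConnectionError("server Finished mismatch")
    key_seed = server_random + client_random                           # 10: MAC and cipher keys
    return (prf(c_master, b"key expansion", key_seed, 96),
            prf(s_master, b"key expansion", key_seed, 96))

def build_pki(now):
    """Constructed demo PKI: one CA, a server cert for www.example.com and a client cert."""
    ca_pub, ca_priv = rsa_keygen(0)
    srv_pub, srv_priv = rsa_keygen(1)
    cli_pub, cli_priv = rsa_keygen(2)
    return {"ca_pub": ca_pub, "server_priv": srv_priv, "client_priv": cli_priv,
            "server_cert": issue_cert(ca_priv, "www.example.com", srv_pub, 1, now + 86400),
            "client_cert": issue_cert(ca_priv, "alice", cli_pub, 2, now + 86400)}
```

Because `handshake` plays both sides, the failure modes of the steps are visible in one place: a name mismatch, an expired or forged server certificate (step ③) and a revoked client certificate (step ⑥) all raise ConnectionError before any key is derived, and the Finished comparison of steps ⑧ and ⑨ fails whenever the two sides disagree about the pre-master secret or the transcript. Each run yields a different key block because the random numbers of steps ① and ② are fresh even though the toy keys are fixed.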
