Handshake protocol for Public key and SSL (RPM)

Source: Internet
Author: User
Tags ssl connection asymmetric encryption

One, public key and private key
1. Public and private keys come in pairs.
2. The public key is the one made public; the private key is known only to you.
3. Data encrypted with the public key can only be decrypted by the corresponding private key.
4. Data encrypted with the private key can only be decrypted by the corresponding public key.
5. If data can be decrypted with the public key, it must have been encrypted with the corresponding private key.
6. If data can be decrypted with the private key, it must have been encrypted with the corresponding public key.
Got it?

Let's say I pick two numbers: one is 1, the other is 2. I like the number 2, so I keep it and don't tell you; then I tell everyone that 1 is my public key.

I have a file that I can't let anyone else see, so I encrypt it with 1. Someone else finds the file, but he does not know that 2 is the private key for decryption, so he cannot decrypt it. Only I can decrypt it, using the number 2, my private key. This way I can protect the data.

My good friend X encrypts the character A with my public key 1, producing B, and puts it on the Internet. Someone steals the file but cannot open it, because he does not know that 2 is my private key. Only I can decrypt it, and after decryption I get A. In this way, we can transfer encrypted data.

Now we know that encrypting with the public key and decrypting with the private key solves the problem of secure transmission. But if I encrypt a piece of data with the private key (only I can do that, because only I know that 2 is my private key), everyone can read the content because they all know my public key is 1. So what is the use of this encryption?

But my good friend X says someone is impersonating me and sending him letters. What do we do? I take my letter, whose content is C, encrypt it with my private key 2 to get D, send D to X, and tell him to decrypt it and see whether it is C. He decrypts it with my public key 1 and finds that it is C. At this point he reasons that data which can be decrypted with my public key must have been encrypted with my private key. Only I have the private key, so he can confirm that the letter really was sent by me. In this way we can confirm the sender's identity. This process is called a digital signature. Of course, the actual process is slightly more complicated. Encrypting data with the private key is what produces a digital signature.

OK, let's review:
1. Public and private keys come in pairs.
2. Only I know the private key.
3. Anyone can use my public key to send me an encrypted letter.
4. Anyone can use my public key to decrypt the contents of a letter and see whether it decrypts. If it does, it was encrypted with my private key, which confirms that I sent it.

To summarize:
1. Encrypt data with the public key; decrypt it with the private key.
2. Encrypt data with the private key (digital signature); verify the digital signature with the public key.
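
The two operations summarized above, as an added example that is not part of the original article: textbook RSA with a small constructed key pair takes the place of the stand-in numbers 1 and 2. The primes, the function names and the sample messages are assumptions chosen for illustration, and the signature is applied to a hash of the letter, which is the "slightly more complicated" part of the real process.

```python
# Added example, not from the original article: textbook RSA without padding.
import hashlib

# Constructed toy key pair from two small Mersenne primes. Real keys use far
# larger random primes plus padding (OAEP for encryption, PSS for signatures).
P, Q = 2**61 - 1, 2**31 - 1
N = P * Q                          # modulus, shared by both halves of the pair
E = 65537                          # public exponent:  public key  = (N, E)
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent: private key = (N, D)

def encrypt(m: int, pub=(N, E)) -> int:
    """Anyone can do this: it needs only the public key."""
    n, e = pub
    if not 0 <= m < n:
        raise ValueError("message must be smaller than the modulus")
    return pow(m, e, n)

def decrypt(c: int, priv=(N, D)) -> int:
    """Only the key owner can do this: it needs the private key."""
    n, d = priv
    return pow(c, d, n)

def digest(message: bytes, n: int = N) -> int:
    """SHA-256 of the message, reduced into the range of the toy modulus."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def sign(message: bytes, priv=(N, D)) -> int:
    """Apply the private key to the hash of the message, not to the message."""
    n, d = priv
    return pow(digest(message, n), d, n)

def verify(message: bytes, signature: int, pub=(N, E)) -> bool:
    """Undo the signature with the public key and compare with a fresh hash."""
    n, e = pub
    return pow(signature, e, n) == digest(message, n)

if __name__ == "__main__":
    c = encrypt(65)                          # friend X encrypts "A" (65) for me
    print("decrypted:", decrypt(c))
    sig = sign(b"letter C")                  # I sign my letter
    print("genuine letter verifies:", verify(b"letter C", sig))
    print("altered letter verifies:", verify(b"letter C, altered", sig))
```

Changing a single byte of the letter or of the signature makes `verify` return False, which is how X can tell a genuine letter from an impersonator's.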

In actual use, a public key does not appear on its own; it always appears inside a digital certificate, which ensures the security and validity of the public key.

Two, SSL
My good friend X and I want to communicate securely. This kind of communication might be QQ chat, which is very frequent. Encrypting the data with my public key is not going to work because:
1. My good friend X does not have a public/private key pair, so how could I send him encrypted messages? (Note: in practice, both parties can have a public/private key pair.)
2. Public/private key operations are time-consuming and very slow, which would degrade the QQ experience.

So my good friend X picks a number, 3, encrypts it with my public key 1, sends it to me and says: let's use this number to encrypt our messages. After I decrypt it, I have the number 3. Now only the two of us know the secret number 3. Nobody else knows it: they don't know which number X picked, and they cannot decrypt the encrypted copy. We call this secret number the session key.

Then we choose a symmetric-key algorithm, such as DES, to encrypt the communication between us. (In a symmetric algorithm the encryption and decryption processes are symmetric: data encrypted with a key is decrypted with the same key. An algorithm that uses a public/private key pair is an asymmetric encryption algorithm.) Others are unable to decrypt it because they do not know that 3 is our session key.

OK, let's review:
1. SSL is for secure communication.
2. The two communicating parties use the public key of one or both parties to transmit and agree on the session key (this process is called the handshake).
3. Both parties use the session key to encrypt the content of their communication.

That is the principle. You may think it would be complicated to use in practice. Fortunately, the pioneers before us implemented this layer in the operating system or related software and gave it an unpleasant-sounding name: SSL, the Secure Sockets Layer.

Handshake protocol for SSL

1. The user's browser sends its SSL version number, encryption settings, session-related data, and other necessary information to the server.
2. The server sends its SSL version number, encryption settings, session-related data, and other necessary information to the browser, along with the server's certificate. If the server's SSL is configured to authenticate the user, it also requests that the browser provide a user certificate.
3. The client checks the server certificate. If the check fails, it reports that an SSL connection cannot be established. If the check succeeds, it continues.
4. The client browser generates the pre-master secret for this session, encrypts it with the server's public key, and sends it to the server.
5. If the server requires client authentication, the client also signs some additional data and sends it to the server along with the client certificate.
6. If the server requires client authentication, it checks that the CA that signed the client certificate is trusted. If the CA is not in the trust list, the session ends. If the check passes, the server decrypts the received pre-master secret with its own private key and uses it to generate the master secret for this session through certain algorithms.
7. Both the client and the server use this master secret to generate the session key (a symmetric key) for this session. This session key is used for every message passed after the SSL handshake ends. The main reason for this is that the computational cost of symmetric encryption is more than an order of magnitude lower than that of asymmetric encryption, which significantly increases the computation speed for both parties to the session.
8. The client notifies the server that the messages it sends from now on are encrypted with this session key, and notifies the server that the client has completed this SSL handshake.
9. The server notifies the client that the messages it sends from now on are encrypted with this session key, and notifies the client that the server has completed this SSL handshake.
10. The handshake process is complete and the session has been established. Both parties use the same session key to encrypt and decrypt the information they send and receive.

1 SSL Communication

SSL communication is shown in Figure 1.

2 SSL Communication Instructions

This section describes the exchange shown in Figure 1. For convenience, in this article the client is called B and the server is called S.

STEP 1: B-->S (initiate the dialogue, negotiate the encryption algorithms)
Hello, S! I want to have a secure conversation with you. My symmetric encryption algorithms are DES and RC5, my key exchange algorithms are RSA and DH, and my digest algorithms are MD5 and SHA.

STEP 2: S-->B (send the server's digital certificate)
Hello, B! Then let's communicate using the DES-RSA-SHA combination. To prove that I am really S, I am now sending you my digital certificate so that you can verify my identity.

STEP 3: B-->S (send the key for this conversation)
(B checks that the digital certificate of S is correct. After verifying the authenticity and validity of S's certificate through the certificate issued by the CA authority, B generates the key for this conversation, encrypts it with the public key of S, and sends it to S.)
S, I have confirmed your identity and am now sending you the key of the symmetric encryption algorithm we will use in this communication.

STEP 4: S-->B (get the key)
(S decrypts the key for this communication with its own private key.)
B, I have received the key. We can start the communication.

STEP 5: S<-->B (communicate)

Description: In general, when B is the party transmitting confidential information, B does not need a digital certificate to prove the authenticity of its identity. In e-banking applications, for example, customers need to send their account number and password to the bank, so the bank's server needs to install a digital certificate to prove the validity of its identity. In some business-to-business applications, the server also needs to authenticate the identity of the client, so the client also needs to install a digital certificate to ensure that the server can identify it; the verification process is similar to the authentication of the server's identity. Note also that some e-commerce applications may use electronic signatures as well, or add both electronic signatures and message authentication codes (MACs) for more secure exchange of information.

To make SSL easier to understand, the following is a brief introduction to the relevant background on information encryption. Classified by the type of key they use, the algorithms for encrypting information fall into the following categories: hash coding, symmetric encryption, and asymmetric encryption.

Hash coding is the process of computing a hash value from a message of any length using a hash algorithm. The hash value can be regarded as the fingerprint of the message, because different messages almost always have different hash values. So in SSL communication, the hash value of a message can be encrypted to ensure that the message is not modified during transmission.

Asymmetric encryption, or public-key cryptography, uses two mathematically related values to encode (encrypt) information; one is called the public key and the other the private key. Information encrypted with the public key can be decrypted with the private key, and information encrypted with the private key can be decrypted with the public key. Because public keys can be distributed widely, public-key cryptography is used in SSL-encrypted communication to encrypt or digitally sign the key.

Symmetric encryption differs from asymmetric encryption in that the same key is used to encrypt and to decrypt the information, so the key must not be exposed, but encryption and decryption are fast. In SSL communication, asymmetric encryption is used for the exchange that lets the server obtain the symmetric encryption key provided by the browser; that key is then used to encrypt and decrypt the information during communication. To ensure that messages are not tampered with during delivery, the hash value can be encrypted to guarantee the integrity of the information.
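
Steps 6 to 9 of the handshake, as an added example that is not part of the original article: it uses the TLS 1.2 PRF from RFC 5246 as one concrete instance of the "certain algorithms" that turn the pre-master secret into the master secret and the session keys (SSL 3.0 itself used a different MD5/SHA-1 construction), and it shows how the handshake-completion check detects a hello message that was altered in transit. The message contents, function names and the simplified key block are constructed for illustration, and the public-key transport of the pre-master secret is left out.

```python
# Added example, not from the original article. PRF and labels follow RFC 5246.
import hashlib
import hmac
import os

def p_sha256(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_hash from RFC 5246 section 5: chained HMAC-SHA256 expansion."""
    out, a = b"", seed                                    # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()  # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]

def prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    return p_sha256(secret, label + seed, length)

def derive(pre_master: bytes, client_random: bytes, server_random: bytes):
    """Steps 6-7: pre-master secret -> master secret -> symmetric session keys."""
    master = prf(pre_master, b"master secret", client_random + server_random, 48)
    block = prf(master, b"key expansion", server_random + client_random, 64)
    # Simplified key block: two 32-byte write keys (AEAD suite, IVs omitted).
    return master, {"client_write_key": block[:32], "server_write_key": block[32:]}

def finished(master: bytes, label: bytes, transcript: bytes) -> bytes:
    """Steps 8-9: a 12-byte proof over the handshake messages each side saw."""
    return prf(master, label, hashlib.sha256(transcript).digest(), 12)

def simulate(tamper: bool = False):
    """Constructed exchange between B and S; returns (keys_equal, finished_ok)."""
    c_rand, s_rand = os.urandom(32), os.urandom(32)
    hello_sent = b"ClientHello suites=AES256-GCM,DES-CBC random=" + c_rand
    # What S receives: with tamper=True the strong suite was stripped in transit.
    hello_seen = hello_sent.replace(b"AES256-GCM,", b"") if tamper else hello_sent
    server_hello = b"ServerHello random=" + s_rand
    pre_master = os.urandom(48)  # step 4; its public-key transport is not shown
    master_b, keys_b = derive(pre_master, c_rand, s_rand)
    master_s, keys_s = derive(pre_master, c_rand, s_rand)
    fin_b = finished(master_b, b"client finished", hello_sent + server_hello)
    expected = finished(master_s, b"client finished", hello_seen + server_hello)
    return keys_b == keys_s, hmac.compare_digest(fin_b, expected)

if __name__ == "__main__":
    print("untampered handshake:", simulate())             # keys match, Finished ok
    print("ClientHello altered :", simulate(tamper=True))  # Finished check fails
```

Both sides derive identical keys in either run, but when the hello that S saw differs from the one B sent, the Finished value does not match and the handshake is aborted instead of continuing with the weaker algorithm.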