First, SSL Overview
The SSL protocol uses digital certificate and digital signature for two-terminal entity authentication, uses asymmetric encryption algorithm for key negotiation, encrypts data with symmetric encryption algorithm and transmits it to ensure the confidentiality of data, and verifies whether the data is tampered and forged in the transmission process by calculating the Digital digest. Thus, it provides a security means for the transmission of sensitive data.
The services provided by the SSL protocol are mainly:
1) Authenticate users and servers to ensure that data is sent to the correct client and server
Authenticate users and servers so that they can be confident that the data will be sent to the correct client and server. Both the client and the server have their own identification number, which is numbered by the public key, to verify that the user is legitimate, andthat the SSL protocol requires digital authentication when the handshake is exchanging data to ensure the user's legitimacy.
2) Encrypt data to prevent the data from being stolen in the middle
The encryption technology used in the SSL protocol has both symmetric key technology and public key technology. Before the data exchange between the client and the server, the SSL initial handshake information is exchanged, encryption is used in the SSL handshake information to ensure its confidentiality and data integrity, and the digital certificate is used to authenticate, so that illegal users can be prevented from deciphering.
3) Maintain the integrity of the data to ensure that the data is not changed during transmission
The SSL protocol uses the hash function and the secret sharing method to provide the information Integrity service, establishes the secure channel between the client and the server, so that all the services that are processed by the SSL protocol can reach the destination completely and accurately in the transmission process.
SSL Architecture:
The SSL protocol is located between the network layer and the application tier of the TCP/IP protocol model and uses TCP to provide a reliable end-to-end security service that communicates between client/server applications without attack eavesdropping and always authenticates the server , you can also choose to certify the customer. SSL Architecture is shown in 1.
In SSL communication, the asymmetric encryption is used to exchange information, so that the server obtains the symmetric encrypted key provided by the browser, and then uses the key to encrypt and decrypt the information during communication. In order to ensure that messages are not tampered with during delivery, hash codes can be encrypted to ensure the integrity of the information. SSL communication process,shown in 2.
In general, when the client is the sender of confidential information, the client does not need a digital certificate to verify the authenticity of their identity, such as the application of electronic banking, customers need to send their own account and password to the bank, so the bank's server needs to install a digital certificate to indicate the validity of their identity. In some applications, the server side also needs to authenticate the identity of the client, the client also needs to install a digital certificate to ensure that the server can identify the identity of the client, the verification process is similar to the authentication process of the server identity.
Third,SSL socket Two-way authentication implementation
SSL socket communication is an extension of socket communication. a layer of security protection is added on top of socket communications, providing greater security, including authentication, data encryption, and integrity verification.
SSL Socket bidirectional authentication Implementation technology: JSSE (Java Security Socket Extension), which implements the SSL and TSL (Transport Layer Security) protocol. The Jsse includes techniques such as data encryption, server authentication, message integrity, and client authentication. By using JSSE, you can securely transfer data between the client and server through the TCP/IP protocol. In order to achieve message authentication:
Server-side needs:
1.KeyStore: Where the private key of the server side is saved
2,Trust KeyStore: Which saves the client's authorization certificate
The client needs:
1.KeyStore: Where the private key of the client is saved
2,Trust KeyStore: Which saves the service side of the authorization certificate
How to generate a key and authorization certificate:
Use the Java keytool command, which is generated from the command line.
1. Generate server-side private key Kserver.keystore file
Keytool-genkey-alias serverkey -validity 1 -keystore kserver.keystore
2, according to the private key, export server-side security certificate
Keytool-export-alias Serverkey-keystore Kserver.keystore-file SERVER.CRT
3. Import the server-side certificate into the Trust KeyStore of the client
Keytool-import-alias serverkey-file Server.crt-keystore Tclient.keystore
4. Generate the client private key Kclient.keystore file
Keytool-genkey-alias clientkey -validity 1 -keystore kclient.keystore
5, according to the private key, export the client security certificate
Keytool-export-alias Clientkey-keystore Kclient.keystore-file CLIENT.CRT
6, the client certificate, import into the server-side Trust KeyStore
Keytool-import-alias clientkey-file Client.crt-keystore Tserver.keystore
The resulting file is divided into two groups, server-side Save:kserver.keystore Tserver.keystore Client Save:Kclient.keystore tclient.kyestore (Typically, We can also import each other's certificate into the KeyStore that holds the private key).
The principle of authentication
The client uses its own private key for data encryption, and sends it to the server, which uses the client's public key (CLIENT.CRT certificate) to decrypt the data, and if the decryption is successful, the message comes from the trusted client and is logically processed;
In the same vein, the server uses the private key in the Kserver.keystore for data encryption, which is sent to the client, and the client uses the Tclient.keystore The SERVER.CRT certificate decrypts the data and, if decrypted successfully, proves that the message is from the trusted server side and is logically processed. If decryption fails, then the source of the message is wrong. No logical processing is performed.
SSL socket Two-way authentication security:
(1) ensures that data is delivered to the correct server side and client.
(2) can prevent the message from being stolen during the transmission.
(3) prevent the message from being modified during delivery .
The following conditions may occur during system operation:
(1) both the server side and the client hold the correct key and security certificate, and the server side and client can communicate normally.
(2) the client's key and security certificate is incorrect, and the server side and client are not able to communicate properly.
(3) the client does not hold a key and security certificate, and neither the server nor the client can communicate properly.
Introduction to SSL/TSL in Java and how to implement SSL socket bidirectional authentication