My understanding of SSL

SSL is called the "Secure Sockets Layer" (Secure Sockets Layer). It is a protocol (or technology) used for Secure website connection ).
The so-called secure connection has two functions:
First, SSL can provide mutual authentication between the communication parties. Obviously, it is very important to know the identity of the other party before you begin to exchange information with the other party. SSL is implemented by digital certificate technology to meet this requirement.
The other is that it enables data to be transmitted encrypted, making unreadable by unauthorized users.
 
I.
Before introducing other SSL knowledge, follow the Convention to introduce several terms:
1. Certificate
A digital certificate is a trusted carrier of public key data. It contains the identity information of the holder and is issued and managed by an authoritative third-party CA. That is to say, the certificate is trusted, is built on trust in authoritative third parties
 
2. Certificate Chain
The certificate chain is a series of certificates. Specifically, the certificate chain is composed of two certificates: The Root CA certificate of the CA and the secondary CA certificate. with the CA certificate chain, your browser will automatically trust all certificates issued by the same CA. If you select this option, the system will ask if you want to accept the CA certificate for your browser. By choosing to accept the certificate, your browser will receive the certificate directly.
 
3. CA
CA is an authoritative third party and serves as the starting point of trust relationship. its functions include receiving and processing certificate application requests, generating certificates, generating a certificate abolition list, and publishing certificates to the Directory Server. all certificates must be signed by the CA before they take effect.
 
Ii. Digital Certificate verification process
Step 1: Verify the signature of the CA.
Step 2: verify the validity of the certificate. Each certificate has a validity period. If the certificate is valid, you can see that the digital certificate is still in use.
Step 3: verify the validity of the certificate status. All the certificates that are reported to be lost or voided are published to the CRL blacklist by the CA center. Check whether the certificate of the other Party is in the CRL. If yes, the status of the digital certificate is normal.
 
Iii. SSL handshake
 
Client server
Hello
----------------->
Hello
<-----------------
---------------- Minute-gauge-line -------------------------------------------------
Server Certificate
<-----------------
Certificate Request (two-way authentication)
<-----------------
------------------------- Separation-line ------------------------------------
Client certificate
------------------>
Verify Certificate
------------------>
----------------------------- Separation-line -------------------------------------
Grip hand knot
 
Explanation:
The client sends the www.2cto.com client_hello message to the server. The server responds to the server_hello message to establish the following security attributes: Protocol version, session ID, compression method, and generate and exchange random numbers used to prevent replay attacks.
If the server is configured with one-way authentication, the client only needs to verify that the server certificate is valid and does not need to present its own certificate. If the server is configured with two-way authentication, after the client verifies the server certificate, your User Certificate will be presented at the request of the server. The server will verify the legitimacy of the client.
After the handshake ends, the customer and the server can send application-layer data.
 
Iii. data transmission process
1. Sender
 
1) | -------------- | encrypt with Session Key
| Plaintext | ---------------------------> ciphertext
| -------------- |
2) | ------------ use the hash algorithm to send the Private Key
| Plaintext | ---------> abstract ---------> original text Abstract After signature
| -------------- |
3) | ---------------- | use the public key of the receiver to encrypt the data
| Session key | --------------------> encrypted session key
| ----------------- |
The sender sends the three items to the receiver, and the receiver receives the three items;
2. Receiver
1) Use the receiver's private key for decryption
Encrypted session key ----------------------------------> session key
2) decrypt data with a session key
Original Abstract After signature ---------------------------------> Abstract
3) use the hash algorithm for Session Key decryption
Ciphertext ------------------> plaintext --------------------> Abstract
Then, take the two summaries of 2), 3). If they are consistent, the data is complete. Otherwise, the data may be tampered.


Author Lin Zhong Road