Secret: use SSL in the Web

Source: Internet
Author: User
In a typical application such as the Web, data is encapsulated layer by layer as it passes down the protocol stack on the host before it enters the network. If these packets are intercepted, the data they carry, including login user names and passwords, can easily be recovered by decoding the network protocols. A monitoring tool such as a sniffer makes this easy. SSL can be used as a countermeasure to improve the security of web systems.

I. Overview of How SSL Works

SSL (Secure Sockets Layer) is a standard used mainly for secure Web communication. It can be understood as a layer in the protocol stack that sits between the network layer and the application layer. Outgoing data is encrypted in this layer and then handed to TCP/IP, and incoming data is decrypted in this layer before it reaches the application. SSL can also verify the identity of both ends of the network connection. It can encrypt data for various applications, such as HTTP, POP, FTP, and LDAP. The security mechanism provided by SSL ensures that application-layer data is not monitored, forged, or tampered with during transmission.

SSL uses three cryptographic techniques: asymmetric keys (public/private key pairs), symmetric keys, and digital signatures. A public/private key pair is used for encryption and decryption when an SSL connection is initialized. The Web server holds the private key and transmits the public key to the client in a certificate. The specific process is as follows:

1. The client sends a request to the Web server over https for a page.

2. The web server will send a certificate containing the server's public key to the client.

3. The client performs a series of checks, including:

1) whether the certificate has expired;

2) whether the CA that issued the certificate is in the browser's list of trusted CAs;

3) whether the FQDN (fully qualified domain name) of the Web server matches the CN (common name) in the certificate.

If all the checks pass, the SSL connection is successfully initialized. For the second check, a connection can still be established when the CA is not in the trusted list, but the browser will warn that the certificate comes from an untrusted organization and ask whether to continue; selecting "Yes" proceeds. This is the case for certificates issued by a self-built CA.

Any data encrypted with the private key can be decrypted only with the public key, and vice versa. Either key can be used to encrypt and the other to decrypt, but the two directions serve different purposes. Public-key encryption with private-key decryption is what is usually called encryption; it ensures that only the intended receiver (the private key owner) can read the data. Private-key encryption with public-key decryption is used for digital signatures. A signature ensures that the original text has not been tampered with and that only the signer could have produced it, that is, the signer cannot repudiate it. The following example shows the specific process.

Condition: Alice's public key K(UA) and private key K(RA); Bob's public key K(UB) and private key K(RB).

Alice wants to send the plaintext m to Bob, using both a digital signature and encryption. Let's look at the encryption and decryption process first:

The premise is that Alice has K(UB) and K(RA), and Bob has K(UA) and K(RB).

First, Alice uses Bob's public key K(UB) to encrypt m, obtaining m(K), and sends it to Bob. Bob uses his private key K(RB) to decrypt the encrypted message m(K) and obtain m. Even if other people get the message m(K), they cannot decrypt it to recover m because they do not have K(RB). In short, encryption uses the public key of the intended recipient.

Now let's look at the digital signature process:

Alice uses a one-way hash (MD4/MD5) to generate a digest of the plaintext m and encrypts the digest with her own private key K(RA). Bob uses Alice's public key K(UA) to decrypt the signed digest. He then generates a new digest from the plaintext m (obtained in the previous step) and compares it with the decrypted digest. If they match, the original text is considered not to have been tampered with (this is guaranteed by the irreversibility of the one-way hash function), and the integrity of the plaintext is ensured. If Alice's public key is trusted or issued by a CA, Alice's identity is authentic and the non-repudiation of Alice's signature is ensured.

Once an SSL connection is established, a symmetric key is used for the actual data transmission, because encrypting and decrypting with the same key saves system resources. This key is negotiated between the client and the server using public-key encryption and private-key decryption during the SSL connection initialization process.
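The Alice-to-Bob exchange above, run with the `openssl` command line, as an added example that is not part of the original article. File names follow the article's key symbols; SHA-256 and OAEP padding are choices made here (the text names MD4/MD5, which are no longer collision-resistant), and the `swap` mode and sample messages are constructed.

```sh
#!/bin/sh
# Added example (not from the original article): Alice -> Bob with the openssl CLI.
# File names mirror the article's symbols: K_UA/K_RA (Alice), K_UB/K_RB (Bob).
set -eu

alice_to_bob() {   # $1 = plaintext m; $2 = "swap" simulates a replaced ciphertext
    m=$1; mode=${2:-}; d=$(mktemp -d)
    for who in A B; do   # throwaway 2048-bit RSA key pairs, constructed for the demo
        openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
            -out "$d/K_R$who.pem" 2>/dev/null
        openssl pkey -in "$d/K_R$who.pem" -pubout -out "$d/K_U$who.pem"
    done
    printf '%s' "$m" > "$d/m.txt"

    # Alice: encrypt m with Bob's public key K(UB) -> m(K)
    openssl pkeyutl -encrypt -pubin -inkey "$d/K_UB.pem" \
        -pkeyopt rsa_padding_mode:oaep -in "$d/m.txt" -out "$d/m_K.bin"
    # Alice: hash m and sign the digest with her private key K(RA)
    openssl dgst -sha256 -sign "$d/K_RA.pem" -out "$d/sig.bin" "$d/m.txt"

    if [ "$mode" = swap ]; then
        # K(UB) is public, so anyone can produce a valid ciphertext for Bob;
        # here a different message replaces m(K) while Alice's signature is kept.
        printf '%s' "forged text" > "$d/other.txt"
        openssl pkeyutl -encrypt -pubin -inkey "$d/K_UB.pem" \
            -pkeyopt rsa_padding_mode:oaep -in "$d/other.txt" -out "$d/m_K.bin"
    fi

    # Bob: decrypt m(K) with his private key K(RB)
    openssl pkeyutl -decrypt -inkey "$d/K_RB.pem" \
        -pkeyopt rsa_padding_mode:oaep -in "$d/m_K.bin" -out "$d/recv.txt"
    # Bob: recompute the digest and check it against the signature using K(UA)
    if openssl dgst -sha256 -verify "$d/K_UA.pem" -signature "$d/sig.bin" \
            "$d/recv.txt" >/dev/null 2>&1; then
        result="accepted: $(cat "$d/recv.txt")"
    else
        result="rejected: signature does not match decrypted text"
    fi
    rm -rf "$d"
    echo "$result"
}

alice_to_bob "pay 100 to Carol"
alice_to_bob "pay 100 to Carol" swap
```

The `swap` run decrypts without error and is rejected only by the signature check, which is why the article pairs encryption with a signature.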

II. Certificate Application and Issuance

From the SSL working process above, we can see that encryption for a web system depends on generating key pairs and issuing certificates. The certificate is issued by a CA (certificate authority).

There are two ways to generate public/private key pairs:

1) The user generates a key pair on his/her own machine.

In this way, when a user applies for a certificate from a CA, only the public key is transferred, and the private key is kept by the user. Therefore, the security is high.

2) A "trusted third party", that is, the CA organization, generates a key pair for the customer.

In the first method, after the key pair is generated, the user can pay a CA to sign the certificate. To do so, the user generates a certificate request, which contains the public key of the key pair, uploads it to the CA, and waits for the CA to issue the certificate. For testing purposes, you can create your own CA and issue the certificate yourself.

To evaluate the performance of web servers when SSL is enabled, we tested in two environments: Windows 2000 Server CA + IIS, and Linux + OpenSSL + Apache. The operation steps on the two platforms are basically the same, although they look a little different on the surface. Taking the server certificate as an example, the process is as follows:

1) Create a CA. On Windows, use the Windows 2000 CA component. With OpenSSL on Linux, you must use commands to generate the CA's own public key and private key. This step is required; otherwise the CA cannot generate a digital signature, and an error is reported when the `openssl verify` command is used to verify a certificate issued to a user.

2) Generate a key pair. In the Windows combination it is generated by IIS 5.0 and can be exported and saved. In the Linux combination it is generated by OpenSSL. For this step, I feel that the OpenSSL command line is clearer: first generate the key pair file, and then use the key file (its public key part) to generate a CSR certificate request. In Windows, the key pair is generated implicitly and saved to the default location.

3) Send the certificate request to the CA. The Windows CA supports Web-based submission: you can paste the request text into a specified location. In Linux, you only need to copy the certificate request file to the corresponding OpenSSL directory.

4) Issue the certificate. In Windows, use Control Panel - Administrative Tools - Certificate Authority to issue the certificate. In Linux, use the OpenSSL command.

5) Install the certificate. You can obtain the certificate from the CA by downloading it online, or by using a disk copy or an IC card. IIS 5.0 processes the pending request and is pointed to the obtained certificate. In the Linux combination, configure Apache's httpd.conf to specify the location of the private key and certificate files.

If you want to compare the performance of web servers with SSL on the Linux and Windows platforms, you had better use the same key pair on both platforms. This requirement also comes up in practice. For example, if an enterprise's Web site needs to migrate to another platform, it may need to export the key and certificate from IIS to Apache, or vice versa. IIS and OpenSSL have corresponding commands to support these operations. (For detailed command descriptions, refer to the IIS and OpenSSL documentation.)
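Steps 1) to 4) above for the Linux + OpenSSL case, followed by the three client checks listed in section I, as an added example that is not from the original article. The CA name, the host names and the `issue_and_check` function are assumptions made here, and the CA lives in a temporary directory rather than in an OpenSSL CA directory.

```sh
#!/bin/sh
# Added example, not from the original article. CA name and host names are constructed.
set -eu

issue_and_check() {   # $1 = FQDN placed in the certificate CN, $2 = FQDN the client visits
    fqdn=$1; visited=$2; d=$(mktemp -d)
    # Step 1: create the CA (its own key pair plus a self-signed CA certificate)
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo Test CA" \
        -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
    # Step 2: server key pair, then a CSR built from it (the CSR carries only the public key)
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$d/server.key" 2>/dev/null
    openssl req -new -key "$d/server.key" -subj "/CN=$fqdn" -out "$d/server.csr"
    # Steps 3-4: the CA receives the CSR and signs it with the CA private key
    openssl x509 -req -in "$d/server.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -days 7 -out "$d/server.crt" 2>/dev/null
    # A second CA stands in for a client whose trust list lacks "Demo Test CA"
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Unrelated CA" \
        -keyout "$d/other.key" -out "$d/other.crt" 2>/dev/null

    # Client check 1: the certificate has not expired
    openssl x509 -in "$d/server.crt" -noout -checkend 0 >/dev/null \
        && expiry=ok || expiry=FAIL
    # Client check 2: the issuing CA is in the trust list (first ours, then the other one)
    openssl verify -CAfile "$d/ca.crt" "$d/server.crt" >/dev/null 2>&1 \
        && known=ok || known=FAIL
    openssl verify -CAfile "$d/other.crt" "$d/server.crt" >/dev/null 2>&1 \
        && unknown=ok || unknown=FAIL
    # Client check 3: the visited FQDN matches the name in the certificate
    if openssl x509 -in "$d/server.crt" -noout -checkhost "$visited" \
            | grep -q "does match"; then name=ok; else name=FAIL; fi
    rm -rf "$d"
    echo "expiry=$expiry trusted_ca=$known other_ca=$unknown name=$name"
}

issue_and_check www.example.test www.example.test
issue_and_check www.example.test shop.example.test
```

`other_ca=FAIL` is the situation in which a browser shows the untrusted-issuer prompt described in section I.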

If you are interested, you can try to add SSL to your web system, or the email system or other applications. Of course, the increase in security is at the cost of performance degradation.
