http://www.codeweblog.com/ssl-handshake-process-of-interaction-and/
SSL sends its messages in the following order:
1. Client Hello
The client sends the server information including the cipher suites it supports. A cipher suite specifies cryptographic algorithms and key sizes.
2. Server Hello
The server chooses a cipher suite that both the client and the server support and sends its choice to the client.
3. Certificate
The server sends a certificate or a certificate chain to the client. A certificate chain starts with the server's public key certificate and ends with the certificate of the root certificate authority. This message is optional, but it is used whenever a server certificate is necessary.
4. Certificate Request
When the server needs to authenticate the client, it sends a certificate request to the client. In Web applications this message is rarely sent.
5. Server Key Exchange
The server sends a server key exchange message when the public key it has already sent is not sufficient for the key exchange.
6. Server Hello Done
The server tells the client that it has finished its initial negotiation messages.
7. Certificate
If the server requests a client certificate, the client sends its certificate chain (only when the server requires a client certificate).
8. Client Key Exchange
The client generates a key for the symmetric algorithm. With RSA, the client encrypts this key information with the server's public key and sends it to the server.
9. Certificate Verify
In Web applications this message is rarely sent; it is primarily used to let the server complete the process of authenticating the client. When this message is used, the client sends the server information that it has digitally signed using a cryptographic hash function. When the server decrypts this information with the client's public key, the server can authenticate the client.
10. Change Cipher Spec
The client sends a message telling the server to change to encrypted mode.
11. Finished
The client tells the server that it is ready for secure data communication.
12. Change Cipher Spec
The server sends a message telling the client to change to encrypted mode.
13. Finished
The server tells the client that it is ready for secure data communication. This is the last step of the client-server handshake protocol.
14. Encrypted Data
The client and the server communicate using a symmetric encryption algorithm and a cryptographic hash function, encrypting with the secret key that the client sent to the server.
SSL Handshake Process:
Excerpted from "SSL and TLS".
Objective:
1. The client and server need to agree on a set of algorithms that will be used to protect the data;
2. They need to establish a set of cryptographic keys for use by those algorithms;
3. The handshake can optionally authenticate the client.
Process:
1. The client sends the server a list of the algorithms it supports, together with a random number that is used as input to key generation;
2. The server chooses an encryption algorithm from that list and sends it to the client together with a certificate containing the server's public key. The certificate also contains the server's identity for authentication purposes, and the server also provides a random number that is used for key generation;
3. The client verifies the server's certificate (for certificate verification, refer to digital signatures) and extracts the server's public key. It then generates a random secret string called the pre_master_secret, encrypts it with the server's public key (refer to asymmetric encryption/decryption), and sends the encrypted information to the server;
4. The client and the server independently compute the encryption and MAC keys from the pre_master_secret and the client's and server's random values (see the DH key exchange algorithm);
5. The client sends the server a MAC of all the handshake messages;
6. The server sends the client a MAC of all the handshake messages.
Steps 5 and 6 protect the handshake itself from tampering. Imagine an attacker who wants to control the algorithms that the client and server use. It is quite common for a client to offer a variety of algorithms, some weak and some strong, so that it can still communicate with servers that support only weak algorithms. An attacker could delete all the high-strength algorithms that the client offers in step 1 and so force the server to choose a weak algorithm. The MAC exchange in steps 5 and 6 prevents this attack: the client's MAC is computed over the original messages, while the server's MAC is computed over the messages as modified by the attacker, so the check finds that they do not match. Because the random numbers provided by the client and the server are inputs to the key generation process, the handshake is also protected against replay attacks. These messages are the first ones encrypted under the new encryption algorithm and keys.
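The check in steps 5 and 6 can be seen in a small model, added here as an illustration and not taken from the book or from any SSL implementation. It uses HMAC-SHA256 in place of the real SSL key derivation and Finished computation, and the suite names, message encoding and function names are all constructed for the example.

```python
import hashlib
import hmac
import os

OFFER = ["strong-suite", "weak-suite"]   # constructed names, client preference order

def master_secret(pre_master, c_rand, s_rand):
    # Step 4: both sides derive key material from pre_master_secret and both randoms.
    return hmac.new(pre_master, b"master" + c_rand + s_rand, hashlib.sha256).digest()

def finished_mac(secret, sender, transcript):
    # Steps 5 and 6: MAC over every handshake message this side saw, in order.
    return hmac.new(secret, sender + b"".join(transcript), hashlib.sha256).digest()

def drop_strong(hello):
    # The in-transit edit described in the text: only weak suites survive.
    tag, suites, rand = hello.split(b"|", 2)
    weak = [s for s in suites.split(b",") if s.startswith(b"weak")]
    return b"|".join([tag, b",".join(weak), rand])

def run_handshake(offered, tamper=None):
    """Return (suite the server chose, whether it accepts the client's Finished)."""
    c_rand, s_rand, pre_master = os.urandom(32), os.urandom(32), os.urandom(48)
    sent = b"ClientHello|" + ",".join(offered).encode() + b"|" + c_rand
    received = tamper(sent) if tamper else sent          # what the server sees
    chosen = received.split(b"|", 2)[1].split(b",")[0]   # first suite offered
    server_hello = b"ServerHello|" + chosen + b"|" + s_rand
    # pre_master_secret travels encrypted under the server's public key, so it
    # is modelled here as a value both ends share and the attacker lacks.
    secret = master_secret(pre_master, c_rand, s_rand)
    client_fin = finished_mac(secret, b"client", [sent, server_hello])
    expected = finished_mac(secret, b"client", [received, server_hello])
    return chosen.decode(), hmac.compare_digest(client_fin, expected)

if __name__ == "__main__":
    print(run_handshake(OFFER))                # ('strong-suite', True)
    print(run_handshake(OFFER, drop_strong))   # ('weak-suite', False)
```

The server compares the client's Finished value against a MAC over the messages it actually received, so a modified ClientHello makes the comparison fail even though the weak suite was selected.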
Each step just described is carried out by one or more handshake messages. We first briefly describe which messages correspond to which steps, and then describe the contents of each message in detail. The following diagram shows the messages:
Step 1 corresponds to a single handshake message, ClientHello.
Step 2 corresponds to a series of SSL handshake messages. The first message the server sends is ServerHello, which contains the algorithms it has chosen; it then sends its certificate in a Certificate message. Finally, the server sends a ServerHelloDone message to indicate that this stage of the handshake is complete. ServerHelloDone is needed because some of the more complex handshake variants send other messages after the Certificate message. When the client receives the ServerHelloDone message, it knows that no more such messages are coming, so it can continue with its side of the handshake.
Step 3 corresponds to the ClientKeyExchange message.
Steps 5 and 6 correspond to the Finished messages. The Finished message is the first message protected with the just-negotiated algorithms. To protect the handshake from tampering, the content of the message is a MAC over all the previous handshake messages. However, because the Finished message is itself protected with the negotiated algorithms, the newly negotiated MAC key is also used to compute a MAC over the message itself.
Note that the figure above omits the ChangeCipherSpec messages.
SSL Record Protocol:
In SSL, the actual data transfer is carried out by the SSL record protocol. The record protocol works by breaking the data stream into a series of fragments and transmitting them, with each fragment protected and transmitted separately. On the receiving side, each record is decrypted and verified independently. This approach allows data to be sent from one end of the connection to the other as soon as it is ready, and to be processed as soon as it is received.
Before a fragment is transmitted, it must be protected against attack. A MAC is computed to provide data integrity protection. The MAC is transmitted together with the fragment and verified by the receiver. The MAC is appended to the end of the fragment, and the data and the MAC together are encrypted to form the encrypted payload. Finally, a header is attached to the payload. The header concatenated with the encrypted payload is called a record, and the record is what is actually transmitted. The following diagram describes the transfer process:
1. Record header:
The job of the record header is to give the receiving implementation the information it needs to interpret the record. In practice this means three pieces of information: content type, length, and SSL version. The length field tells the receiver how many octets it must read from the wire before it can process the message. The version number is only a redundant check that both sides agree on the negotiated version. The content type field indicates the message type.
2. SSL record types:
SSL supports four content types: application_data, alert, handshake and change_cipher_spec.
All data sent and received by software that uses SSL is sent as the application_data type; the other three content types are used to manage the communication, for example to complete the handshake and to report errors.
The alert content type is mainly used to report various kinds of errors. Most alerts report problems with the handshake, but some indicate errors that occur while decrypting or authenticating a record. The other use of alert messages is to signal that the connection is about to be closed.
The handshake content type is used to carry handshake messages. Even the handshake messages that set up the initial connection are carried by the record layer in records of type handshake. Because the encryption keys have not yet been established, these initial messages are neither encrypted nor authenticated, but the rest of the processing is the same. A new handshake can be initiated over an existing connection; in that case the new handshake records are encrypted and authenticated just like any other data.
A change_cipher_spec record indicates a change in encryption and authentication. Once the handshake has agreed on a new set of keys, each side sends a change_cipher_spec message to indicate that it will use the new keys from that point on.
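The record header and the four content types described above can be read with a short parser, added here as an illustration and not taken from the book. It assumes the standard 5-byte header layout (1-byte content type, 2-byte version, 2-byte length) with the standard type codes 20 to 23; the sample byte stream is constructed and its payloads are dummy bytes, not real handshake or ciphertext data.

```python
import struct

CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}
HEADER_LEN = 5                  # content type (1) + version (2) + length (2)
MAX_PAYLOAD = 2**14 + 2048      # upper bound on an encrypted record payload

def make_record(ctype, payload, version=(3, 0)):
    # Header followed by payload; the payload would be data + MAC, encrypted.
    return struct.pack("!BBBH", ctype, version[0], version[1], len(payload)) + payload

def parse_records(stream):
    """Split a byte stream into (type name, (major, minor), payload) tuples."""
    records, offset = [], 0
    while offset < len(stream):
        if len(stream) - offset < HEADER_LEN:
            raise ValueError("truncated record header")
        ctype, major, minor, length = struct.unpack_from("!BBBH", stream, offset)
        if ctype not in CONTENT_TYPES:
            raise ValueError(f"unknown content type {ctype}")
        if length > MAX_PAYLOAD:
            raise ValueError(f"record length {length} exceeds maximum")
        start = offset + HEADER_LEN
        payload = stream[start:start + length]
        if len(payload) != length:      # length field promised more octets
            raise ValueError("truncated record payload")
        records.append((CONTENT_TYPES[ctype], (major, minor), payload))
        offset = start + length
    return records

# Constructed sample: three records back to back, as they would appear on the wire.
SAMPLE = (make_record(22, b"\x01\x00\x00\x02\xab\xcd")    # handshake
          + make_record(20, b"\x01")                      # change_cipher_spec
          + make_record(23, b"\x8f\x02\x11\x5a"))         # application_data

if __name__ == "__main__":
    for name, version, payload in parse_records(SAMPLE):
        print(name, version, len(payload))
```

The length checks are the part that matters for a receiver: the length field comes from the peer, so it is validated before any payload octets are sliced or processed.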
How the pieces work together:
As we have seen, SSL is a layered protocol: it consists of a record layer and the different message types carried on top of the record layer. The record layer is in turn carried by some reliable transport protocol such as TCP. The following diagram describes the structure of the protocol:
The complete process of an SSL connection: