SSL/TLS protocol introduction

The SSL/TLS protocol (RFC2246 RFC4346) is located between the TCP/IP protocol and various application layer protocols, providing security support for data communication.

From the functional level within the protocol, the SSL/TLS protocol can be divided into two tiers:

1. SSL/TLS recording protocol (SSL/TLS record Protocol), which is based on a reliable Transport layer protocol (such as TCP), provides the basic functions of data encapsulation, compression and encryption for the upper layer protocol.

2. SSL/TLS Handshake Protocol (SSL/TLS handshake Protocol), which is based on the SSL/TLS logging protocol, is used to authenticate, negotiate encryption algorithms, Exchange cryptographic keys and other initialization negotiation functions before the actual data transfer begins.

From the way the protocol is used, it can be divided into two categories:

1. SSL/TLS One-way authentication, that is, the user to the server only one-sided authentication, that is, the client Authentication server-side identity, and the server side will not go to authenticate the client identity. First, the client initiates a handshake request and the server receives a handshake request and chooses the protocol version and encryption method that is appropriate for both parties. The result of the negotiation is then sent to the client along with the server-side public key. The client uses the server-side public key to encrypt the data to be sent and send it to the server side. Upon receipt of the server, the received client-side encrypted data is decrypted with the local private key. The data will then be used by both parties to generate the encryption key for communication between the two parties. Next, the two sides can start the secure communication process.

2.SSL/TLS Two-way authentication, that is, both sides will be mutual authentication, that is, the exchange of certificates between the two. The basic process and one-way authentication are exactly the same, just a few more steps in the negotiation phase. After the server-side sends the negotiated results to the client with the server-side public key, the client's certificate is requested and the client sends the certificate to the server side. The client then sends the digital signature generated by the private key to the server side after the client has sent the encrypted data to the server. The server side uses the public key in the client certificate to verify the legitimacy of the digital signature. The process is completely consistent with one-way communication after the handshake is established.

The SSL/TLS protocol establishes the basic flow of communication as shown in 1,

650) this.width=650; "src=" Http://www.evtrust.com/knowledge/images/image001.png "alt=" SSL/TLS protocol establish basic flow of communication "height=" 681 "width=" 567 "/>

Step 1. The clienthello– client sends information such as the supported SSL/TLS maximum protocol version number and the set of supported cryptographic algorithms and the collection of compression methods to the server side.

Step 2. After the serverhello– server receives the client information, the SSL/TLS protocol version and encryption method and compression method can be supported by both parties, and returned to the client.

(optional) Step 3. The sendcertificate– server sends the service-side certificate to the client.

(optional) Step 4. requestcertificate– If you choose two-way authentication, the server requests client certificates from the client.

Step 5. serverhellodone– server-side notification client initial negotiation ends.

(optional) Step 6. responsecertificate– If you select bidirectional authentication, the client sends a client certificate to the server side.

Step 7. The clientkeyexchange– client uses the server-side public key, encrypts the client public key and the key seed, and then sends it to the server side.

(optional) Step 8. certificateverify– If you choose two-way authentication, the client generates a digital signature with the local private key and sends it to the server side to authenticate with the received client public key.

Step 9. createsecretkey– communication keys are generated by both parties based on key seed and other information.

Step ten. The changecipherspec– client notifies the server that it has switched traffic to encryption mode.

steps. finished– client is ready for encrypted communication.

step. The changecipherspec– server-side notifies the client that it has switched traffic to encryption mode.

step. finished– server is ready for encrypted communication.

steps. Encrypted/decrypteddata– uses the client secret key to encrypt the communication content through the symmetric encryption algorithm.

steps. After the closedconnection– communication is over, either party sends a message to disconnect the SSL connection.

In addition to the basic process above, the SSL/TLS protocol itself has some concepts that need to be explained here.

Key: A key is a bit string that encrypts and decrypts the data, like a key to unlock it.

symmetric algorithm (symmetric cryptography): It is necessary to use the same key to encrypt the decryption message algorithm, common key algorithm has Data Encryption Standard (DES), Triple-strength DES (3DES), Rivest Cipher 2 (RC2) and Rivest Cipher 4 (RC4). Because the symmetric algorithm is relatively efficient, sensitive data in an SSL session is encrypted with a key algorithm.

Asymmetric Algorithm (Asymmetric Cryptography): The key is composed of the public key private key pair (Key-pair), the public key is passed to the other side of the private key reserved. The public key private key algorithm is reciprocal, one to encrypt and the other to decrypt. Common algorithms are Rivest Shamir Adleman (RSA), Diffie-hellman (DH). Asymmetric algorithms are computationally slow, so they are only suitable for small amounts of data encryption, such as encryption of keys, not for large amounts of data.

Public Keycertificate: A public key certificate similar to a digital passport, issued by a trusted institution. The trusted organization's public key certificate is Certificate Authority (CA). Multiple certificates can be connected to a certificate string, the first is the sender, the next is the certificate entity to which it is issued, and the top-to-root certificate is a world-wide trusted organization, including VeriSign, Entrust, and GTE Cybertrust. A public key certificate makes the public key of an asymmetric algorithm more secure, avoids identity forgery, such as C creates a public key private key, and passes the public key to B as a, so that the communication between C and B makes B mistaken for communication between A and B.

Cryptographic hashing function (cryptographic hash Functions): The cryptographic hash function is similar to the checksum function. The difference is that checksum is used to detect accidental data changes while the former is used to detect intentional data tampering. The data is hashed to produce a small string of bits, and a small change in the data will result in a hash string change. When sending encrypted data, SSL uses the cryptographic hashing feature to ensure data consistency and to prevent third parties from disrupting the integrity of the communication data. The commonly used hashing algorithms for SSL are Message Digest 5 (MD5) and Secure hash Algorithm (SHA).

MessageAuthenticationcode: The message authentication code is similar to the cryptographic hash function except that it needs to be based on a key. The combination of key information and data generated by the cryptographic hashing function is a hash message authentication code (HMAC). If a wants to make sure that the message to B is not tampered with by C, he will do the following steps--a first to calculate an HMAC value, add it to the original message. The message body is encrypted with the key that is communicated between A and B, and then sent to B. B after receiving the message, decrypt it with the key and then recalculate an HMAC to determine if the message was tampered with in transit. SSL uses HMAC to ensure the security of data transmission.

DigitalSignature: When a cryptographic hash of a message is created, the hash value is encrypted with the sender's private key, and the result of the encryption is called a digital signature.

SSL/TLS protocol introduction