Talking about HTTPS/SSL/digital certificates [reprint]

Source: Internet
Author: User

In secure Internet communication, the most widely used approach is HTTPS together with SSL and digital certificates, which secure the transmission and provide authentication. This article gives a brief discussion of that model.

Terminology

First, an explanation of the terms above:

    • HTTPS: a secure protocol based on HTTP (Hypertext Transfer Protocol), so it can be called the secure hypertext transfer protocol. HTTP sits directly on top of TCP, while HTTPS inserts an encryption layer between HTTP and TCP. On the sending side, this layer encrypts the HTTP content before handing it to the underlying TCP; on the receiving side, it decrypts the data delivered by TCP to restore the HTTP content.
    • SSL (Secure Socket Layer): a secure transport protocol designed primarily for the web by Netscape Corporation. As the name suggests, it implements the encryption layer mentioned above in the HTTPS protocol stack. An HTTPS protocol stack therefore looks roughly like this: HTTP on top, the SSL layer beneath it, and TCP below that.

    • Digital certificate: a file that, like the signature of an institution or person, proves the authenticity of that institution or person. The information it contains is used to implement this function.
    • Encryption and authentication: encryption means that the two communicating parties, to prevent sensitive information on the channel from being eavesdropped on and leaked by a third party, turn plaintext into ciphertext; if the third party cannot decrypt it, obtaining the ciphertext does them no good. Authentication means that the communicating parties confirm each other's identity, so that each knows the message it sends or receives involves a trustworthy party rather than a scammer using a fake identity. Both encryption and authentication are required to secure the communication, so the SSL protocol provides both.

The relationship between the three is therefore clear: HTTPS relies on an implementation of the encryption layer, the common one today being SSL, and digital certificates are the files that support this secure communication. There are also the SSL-derived TLS and WTLS: the former is the IETF standardization of SSL (TLS 1.0) and differs very little from SSL; the latter is TLS for wireless environments.

How to encrypt

Common encryption algorithms
    • Symmetric cipher algorithms: encryption and decryption use the same key. Typical examples are DES, RC5 and IDEA (block ciphers) and RC4 (a stream cipher).
    • Asymmetric cipher algorithms, also known as public-key cryptography: encryption and decryption use different keys (the public key is used for encryption, the private key for decryption). For example, A sends and B receives, and A wants to make sure that only B can read the message. B generates a key pair and A obtains B's public key. A then encrypts the message with this public key, and B receives the ciphertext and decrypts it with its own matching private key. Conversely, it is also possible to encrypt with the private key and decrypt with the public key. This means that for a given public key only the one matching private key can decrypt, and for a given private key only the matching public key can decrypt. Typical algorithms are RSA, DSA and DH.
    • Hash algorithms: a hash transformation converts file content, through some public algorithm, into a fixed-length value (the hash value); the process may or may not use a key. The transformation is irreversible, meaning that the source cannot be recovered from the hash value. Hash transformations are therefore often used to verify whether the original text has been tampered with. Typical algorithms are MD5, SHA, BASE64, CRC and so on.

Hash algorithms (also called digest algorithms) come with two concepts: strong collision-free and weak collision-free. Weak collision-free concerns a given message X, the plaintext you want to forge: finding another message that produces the same digest. In other words, you can control the content of the plaintext. Strong collision-free concerns being able to find the same digest without knowing what the forged plaintext is.

The SSL encryption process

Asymmetric encryption and decryption are much less efficient than symmetric encryption and decryption. SSL therefore uses an asymmetric algorithm during the handshake to negotiate a key, and then uses symmetric encryption with that key to encrypt the HTTP content in transit. Here is a vivid analogy for the process (excerpt from

Suppose A communicates with B, where A is the SSL client and B is the SSL server. Encrypted messages are placed in square brackets [] to distinguish them from plaintext messages. Descriptions of the actions taken by either party are enclosed in parentheses ().

A: I want to talk to you securely. The symmetric encryption algorithms I have are DES and RC5, the key exchange algorithms are RSA and DH, and the digest algorithms are MD5 and SHA.

B: Let's use the DES-RSA-SHA combination.

This is my certificate, which contains my name and public key; use it to verify my identity (sends the certificate to A).

A: (checks whether B's name on the certificate is correct and verifies the authenticity of B's certificate using the digital certificates already in hand; if either check fails, issues a warning and disconnects. This step ensures the authenticity of B's public key)

(generates a secret message that will be processed into the symmetric encryption key, the encryption initialization vector and the HMAC key. This secret message, known in the protocol as pre_master_secret, is encrypted with B's public key and encapsulated in a message called ClientKeyExchange. Because B's public key is used, third parties cannot eavesdrop)

I generated a secret message, encrypted it with your public key, and am giving it to you (sends ClientKeyExchange to B)

Note that from now on I am going to send you messages in encrypted form!

(processes the secret message to generate the encryption key, the encryption initialization vector and the HMAC key)

[I'm done.]

B: (uses its own private key to decrypt the secret message in ClientKeyExchange, then processes the secret message to generate the encryption key, the encryption initialization vector and the HMAC key; the two sides have now securely negotiated a set of encryption parameters)

Note that I will also start to send you a message in an encrypted way!

[I'm done.]

A: [My secret is ...]

B: [Others won't hear ...]

The procedure above shows how the SSL protocol negotiates a key with an asymmetric algorithm and then uses that key to encrypt the plaintext for transmission. Some additional points:

1. B wraps its public key and other information in a digital certificate and sends it to A, and A authenticates B's identity; how A verifies it is discussed below.

2. A generates the encryption key, the encryption initialization vector and the HMAC key, which both parties use to digest and encrypt plaintext. The encryption initialization vector and the HMAC key are first used to digest the plaintext (to prevent the plaintext from being tampered with), and then the digest and the plaintext are encrypted with the encryption key and transmitted.

3. Since only B has the private key, only B can decrypt the ClientKeyExchange message and obtain the key for subsequent communication.

4. In the process above, B does not verify A's identity. SSL supports this when needed, in which case A must also provide its own certificate; this is not covered here. When you set "Require SSL" in IIS, "Ignore client certificates" is usually the default.
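Points 2 and 3 above, as an added example that is not part of the original article: both sides expand the shared secret into an HMAC key, an encryption key and an IV, then digest the plaintext and encrypt digest and plaintext together. It uses the TLS 1.2 HMAC-SHA256 expansion rather than the DES/MD5-era algorithms named above, one key set for both directions, and a stand-in keystream cipher because the Python standard library has no DES or AES; function names and sample values are constructed for illustration.

```python
import hashlib
import hmac

def p_sha256(secret, seed, n):
    """P_hash expansion from the TLS 1.2 PRF (RFC 5246, section 5)."""
    out, a = b"", seed
    while len(out) < n:
        a = hmac.new(secret, a, hashlib.sha256).digest()
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:n]

def derive_keys(pre_master, client_random, server_random):
    """A and B run this on the same inputs and obtain the same key material."""
    master = p_sha256(pre_master, b"master secret" + client_random + server_random, 48)
    block = p_sha256(master, b"key expansion" + server_random + client_random, 80)
    return {"mac": block[:32], "enc": block[32:64], "iv": block[64:]}

def keystream_xor(keys, seq, data):
    """Stand-in stream cipher (assumption): XOR with a keyed stream, not a real SSL cipher."""
    stream = p_sha256(keys["enc"], keys["iv"] + seq.to_bytes(8, "big"), len(data))
    return bytes(x ^ y for x, y in zip(data, stream))

def protect(keys, seq, plaintext):
    """Digest the plaintext first, then encrypt plaintext and digest together."""
    tag = hmac.new(keys["mac"], seq.to_bytes(8, "big") + plaintext, hashlib.sha256).digest()
    return keystream_xor(keys, seq, plaintext + tag)

def unprotect(keys, seq, record):
    """Decrypt, then recompute the digest; reject the record if it does not match."""
    data = keystream_xor(keys, seq, record)
    plaintext, tag = data[:-32], data[-32:]
    good = hmac.new(keys["mac"], seq.to_bytes(8, "big") + plaintext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        raise ValueError("record MAC check failed")
    return plaintext

# Constructed sample values; a real client draws all three from a secure RNG.
PRE_MASTER = bytes(range(48))
CLIENT_RANDOM = b"C" * 32
SERVER_RANDOM = b"S" * 32

if __name__ == "__main__":
    a_keys = derive_keys(PRE_MASTER, CLIENT_RANDOM, SERVER_RANDOM)  # side A
    b_keys = derive_keys(PRE_MASTER, CLIENT_RANDOM, SERVER_RANDOM)  # side B
    print(unprotect(b_keys, 0, protect(a_keys, 0, b"My secret is ...")))
```

A record altered in transit, or replayed under a different sequence number, fails the digest check in `unprotect` instead of being delivered as plaintext.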

Digital Certificates

As the discussion above shows, digital certificates provide identity authentication and key distribution during SSL transmission. What exactly is a digital certificate?

In short, a digital certificate is a file that proves the bearer's identity on a network and also contains a public key. On the one hand, since such a file could be "forged", the authenticity of the certificate requires a method of verification; on the other hand, the verifier needs to accept that method of verification.

For the first requirement, the current solution is that certificates are issued by internationally recognized certificate authorities, which are accepted as trusted authorities; client applications that verify certificates, such as browsers and mail clients, fully trust certificates issued by these institutions. Of course, having these institutions issue a certificate costs money, so when deploying systems on Windows we usually have the client install our own server's root certificate, so that the client also trusts our certificates.

For the second requirement, the client program usually maintains a "trusted root authorities list". When it receives a certificate, it checks whether the certificate was issued by an authority in the list; if so, the certificate is trusted, otherwise it is not.

Trust of Certificates

An HTTPS site therefore needs to be bound to a certificate, and that certificate must always be issued by some authority, which can be an internationally recognized certificate authority or any computer that has Certificate Services installed. Whether the client trusts the site's certificate depends first on whether the client program has imported the root certificate of the certificate's issuer. The following illustrates this process:

Sometimes a certificate authority may authorize another certificate authority to issue a certificate, so that a certificate chain appears.
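The trust check described above, as an added example that is not part of the original article: a client walks a certificate chain from the site certificate up to an issuer in its trusted root list, checking the site name and every signature on the way. Certificates are modelled as plain dictionaries signed with toy textbook RSA keys built from small Mersenne primes, which is insecure and for illustration only; all names and values are constructed.

```python
import hashlib

E = 65537  # public exponent shared by all toy keys

def make_key(p, q):
    """Toy RSA key from two primes: returns (modulus n, private exponent d)."""
    n = p * q
    return n, pow(E, -1, (p - 1) * (q - 1))

def digest(cert, n):
    body = f"{cert['subject']}|{cert['issuer']}|{cert['pubkey']}".encode()
    return int.from_bytes(hashlib.sha256(body).digest(), "big") % n

def issue(subject, subject_n, issuer, issuer_key):
    """The issuer signs (subject, issuer, subject's public key) with its private key."""
    n, d = issuer_key
    cert = {"subject": subject, "issuer": issuer, "pubkey": subject_n}
    cert["sig"] = pow(digest(cert, n), d, n)
    return cert

def verify_chain(chain, trusted_roots, expected_name):
    """chain[0] is the site certificate, followed by its issuers' certificates.
    trusted_roots maps root name -> root public modulus (the client's trust list)."""
    if chain[0]["subject"] != expected_name:
        return "name mismatch"
    for i, cert in enumerate(chain):
        anchored = cert["issuer"] in trusted_roots
        if anchored:
            issuer_n = trusted_roots[cert["issuer"]]
        elif i + 1 < len(chain) and chain[i + 1]["subject"] == cert["issuer"]:
            issuer_n = chain[i + 1]["pubkey"]
        else:
            return "untrusted issuer"
        if pow(cert["sig"], E, issuer_n) != digest(cert, issuer_n):
            return "bad signature"
        if anchored:
            return "trusted"
    return "untrusted issuer"

# Constructed sample hierarchy: root CA -> issuing CA -> site.
ROOT_KEY = make_key(2**89 - 1, 2**107 - 1)
ISSUING_KEY = make_key(2**107 - 1, 2**127 - 1)
SITE_KEY = make_key(2**61 - 1, 2**89 - 1)
TRUSTED_ROOTS = {"Example Root CA": ROOT_KEY[0]}
ISSUING_CERT = issue("Example Issuing CA", ISSUING_KEY[0], "Example Root CA", ROOT_KEY)
SITE_CERT = issue("www.example.test", SITE_KEY[0], "Example Issuing CA", ISSUING_KEY)

if __name__ == "__main__":
    print(verify_chain([SITE_CERT, ISSUING_CERT], TRUSTED_ROOTS, "www.example.test"))
```

With an empty trust list the same chain comes back as "untrusted issuer", which is the situation a client is in before the issuer's root certificate has been imported.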


This article summarizes the basic concepts of HTTPS, SSL and digital certificates, explains how the SSL protocol works, and describes the role that digital certificates play in it.

This is the fruit of labor; when reproducing it, please cite the source:
