The principle of SSL/TLS and how the Internet works (2)-"More suitable architecture, we work together!" ”

Source: Internet
Author: User
Tags asymmetric encryption

The last thing I said about discussing it with other friends was that it was a general solution to the communication problem between any two computers, but there were new problems:

"(i) you guys, I found out that last time we were talking about issues based on the OSI model, but this model isn't really that good, there's some redundancy." As you can imagine, the conversation layer and presentation layer are actually working with the application, and the physical layer of the purely hardware-level problem is not really our domain, we are at most as long as the interface with the hardware to deal with this level is sufficient. "Indeed." "(my) studio needs to merge: The physical layer and the data link layer is merged into the network interface layer, only responsible for the hardware interface related tasks, hardware problems do not have to control it; the network layer is renamed the network Interconnect layer, clearer; the transport layer is unchanged; "

what is actually being used is the TCP/IP model, also known as the TCP/IP stack, consisting of the following 4 layers (these layers are not real, they are just abstract concepts):

1, network interface layer
The physical layer and the data link layer in the OSI model are generally considered to correspond, but in fact the TCP/IP standard does not define the functions corresponding to the OSI data link layer and the physical layer. Instead, it defines protocols such as Address Resolution Protocol (Resolution Protocol,arp), which provides the data structure of the TCP/IP protocol and the interface between the actual physical hardware, such as a PC's NIC driver.

2, Network interconnect layer
It is generally considered that the network layer corresponding to the OSI model includes IP protocol, RIP protocol (Routing information Protocol, routing Information Protocol), which is responsible for the packing, addressing and routing of data. It also includes the inter-Network Control Message Protocol (Internet Command message PROTOCOL,ICMP) to provide network diagnostic information. Note that ICMP is actually above the IP layer, but it is an IP-attached protocol that cannot be placed in a suitable location in the OSI model and the TCP/IP protocol stack. No way, no model is perfect.

3, Transport layer
The transport layer in the OSI model is generally considered to be able to address such as end-to-end reliability ("has the data arrived at the destination?"). ") and ensure that the data arrives in the correct order, including which application the given data should be sent to.

4, Application layer
the session layer, presentation layer, and application layer that correspond to the OSI model are generally considered, and this layer includes all protocols that work together with the application and use the underlying network to exchange application-specific data. The protocol of the application layer is to rely on the protocol of the Transport layer, and the application layer protocol runs on the TCP or UDP protocol of the Transport layer (this means that the application layer protocol is responsible for packaging the encapsulated data for the client or server-side useful information, which is then processed and transmitted by the Transport Layer Protocol packet).

"(my) Men, the task came: A to the PC users want to browse the Web site, the corresponding Web server in the half of the earth outside the ground." Let's go! "I'll handle the user's request first!" (HTTP and several others (which have the original presentation layer Studio members) "" We build reliable connections together! (TCP and IP are in unison.) Ps:tcp and IP are always working together, the TCP error mechanism is one step in the whole TCP segment and pseudo-segment header (IP header part) Check and, some user parameters TCP directly to the IP layer processing), the application layer of the people, the data package is sent to us to deal with the transmission! "" Yes! (Application layer) "" and then we can finally turn these logic messages into physical information and send them out! (The network interface Layer) "" (i) seems to have missed the router in charge of several ... Forget it, they are too low-key, free to introduce it. "


"Cough, so the transmission is clear, you do not care about the data by eavesdropping copy tampering or fall into the hands of the middleman?" "

"(Me and others) SSL? What middleman? "

"Call me tls!. Well, it doesn't matter, you can imagine a scenario where a malicious third party wants to steal user data, and then he pretends to be a target Web server on the road to receive data ... "

"(i) third parties cannot meet user requests, and there is a unique domain name guarantee ..."

"Stupid!" Domain Name System is very unreliable, domain name spoofing domain name hijacking domain name Pollution These are often the thing! [3] Also, the third party can completely intercept the user data, and then their own when the client and the target site to establish a connection, from the target site after fetching data and then transferred to the user, so that the user is not aware of the man-in-the-middle attack! "

"(Me) then what do you say?" (In Anger) "

"First of all, the user data must be encrypted from beginning to end, and if strong encryption, or minute by brute force, then, there is a reliable authentication mechanism to ensure that there is no third-party between the user and the server; and you have to ensure that a packet is not left behind, You know, in order to establish an encrypted connection I would like to help the client and the target server handshake, this period if there is a packet lost and I do not know, it is funny! So I'm going to work with the help of TCP (Tcp:ok, establish a reliable connection, I'm good at it!) Finally, the client and the target server each hold a key that cannot be intercepted by a third party, otherwise the encryption loses its meaning. "

"(Me) so, both sides prepared a pair of keys beforehand?" "

"not realistic. Do you know what sites users want to establish HTTPS connection with, how to prepare the method beforehand? What is the way to send the key to the user's hand? Web server if you always use a key, then unknowingly be stolen by a third party what to do? That would be pretty serious! Must do two unique keys per connection! "

"(Me) wait a minute, two?" Two different keys? "

"That's right. If the same key (using symmetric encryption, for example, you encrypt the package with 7zip, the password is set to 123456, the next time you open the package decryption is also input 123456, encryption key and decryption key is the same), then how to secretly pass the key is a problem of no solution. You can not be sent offline to the user (laughter), if the encryption is passed, then it becomes a chicken or egg first problem: How to secure the encryption when the key is transmitted? Then only asymmetric encryption is used, the encryption key (public key) is passed in plaintext, the decryption key (private key) is secret, so that the third party can only despair. However, if a third party is disguised as a target server, there is still a way to deal with asymmetric encryption, so a reliable authentication mechanism is also required. "

"(me) so what exactly is your idea?" "

"Long story, my idea is not so easy to understand, next time to specify it." "

"(i) OK, TLS, next time is your special session (laughter)." By the right, you have a shortcoming, do you mind if I bring it up? "

"Say it, Phantom." "

"(i) please can you get rid of this do not say hello to sudden chipped in bad trouble!" (roaring) "

The principle of SSL/TLS and how the Internet works (2)-"More suitable architecture, we work together!" ”

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.