Two-way Authentication SSL principle

Source: Internet
Author: User

Good depth of text, worthy of reprint

This paper first explains some basic concepts of encryption and decryption, then uses an example of an encrypted communication process to illustrate the role of cryptographic algorithms and why digital certificates arise. It then explains digital certificates in detail, discusses the management of digital certificates in Windows, and finally demonstrates using MakeCert to generate a digital certificate. If you find a mistake in the text, or anything that is not clear enough, please point it out.


1. Basic knowledge

This part mainly explains some concepts and terminology; it is best to understand it first.


1.1. Public Key Cryptography (Public-key cryptography)

A public key cryptosystem has three parts: the public key, the private key, and the encryption and decryption algorithms. Its encryption and decryption processes are as follows:

Encryption: the encryption algorithm and the public key are used to encrypt the content (the plaintext), producing ciphertext. The encryption process requires the public key.

Decryption: the decryption algorithm and the private key are used to decrypt the ciphertext, producing plaintext. The decryption process requires the decryption algorithm and the private key. Note that content encrypted with the public key can only be decrypted with the private key; without the private key it cannot be decrypted.

In public key cryptography the public key and the algorithms are public (which is why it is called public key cryptography), and the private key is confidential. Everyone encrypts with the public key, but only the holder of the private key can decrypt. In actual use, whoever needs it generates a pair of public and private keys, publishes the public key for others to use, and keeps the private key.


1.2. Symmetric encryption Algorithm (symmetric key algorithms)

In symmetric encryption algorithms, the key used for encryption is the same as the key used for decryption. In other words, encryption and decryption use the same key. Therefore, for a symmetric encryption algorithm to be secure, the key must be kept secret: only the people who use it may know it, and it cannot be made public. This differs from the public key cryptosystem above, where encryption uses the public key and decryption uses the private key. A symmetric encryption algorithm encrypts and decrypts with the same key and does not distinguish between a public key and a private key.

A key, typically a string or a number, is passed to the encryption/decryption algorithm when encrypting or decrypting. The public key and private key mentioned in the public key cryptosystem are keys: the public key is the key used for encryption, and the private key is the key used for decryption.


1.3. Asymmetric encryption Algorithm (asymmetric key algorithms)

In asymmetric encryption algorithms, the key used for encryption is not the same as the key used for decryption. The public key cryptosystem mentioned above is an asymmetric encryption algorithm: its public key and private key are different, that is, encryption uses one key and decryption uses another, so it is an asymmetric encryption algorithm.


1.4. Introduction to RSA

RSA is a public key cryptosystem that is now widely used. If you are interested in RSA itself, I may write a dedicated introduction to RSA when I have time.

The RSA cryptosystem is a public key cryptosystem: the public key is public, the private key is kept secret, and its encryption and decryption algorithms are public. Content encrypted with the public key can be decrypted only with the private key, and content encrypted with the private key can be decrypted only with the public key. In other words, both RSA's public key and private key can be used to encrypt and decrypt, and content encrypted by one of them can be decrypted only by the other.


1.5. Signature and encryption

By encryption we mean encrypting some content in such a way that the encrypted content can be decrypted and restored. For example, we encrypt an e-mail message, the encrypted content is transmitted over the network, and the recipient, after receiving it, restores the real content of the message by decrypting it.

Here we mainly explain the signature. A signature is a piece of content appended to a message that can prove the message has not been modified. How is this achieved? Generally, a hash of the message is computed to obtain a hash value. Note that this process is irreversible: the original message content cannot be derived from the hash value. When the message is sent, the hash value is encrypted and sent along with the message as its signature. When the receiver gets the message, it recalculates the hash value of the message and compares it with the (decrypted) hash value that accompanied the message; if they match, the content of the message has not been modified. Because the hash calculation guarantees that different content yields different hash values, any modification of the content changes the hash value calculated from it. Of course, a malicious party could modify the message content and the hash value together so that they still match. To prevent this, the hash value is generally encrypted (this is the signature) before being sent with the message, which ensures that the hash value is not modified. As for how others can decrypt this signature, that involves digital certificates, which we explain in detail later; for now you only need to understand the concept of a signature.


2. Evolution of an encrypted communication process

Let's look at an example. Assume that a "server" and a "customer" want to communicate over the network, and they intend to use RSA (see the RSA introduction above) to encrypt the communication and keep the conversation secure. Because RSA is a public key cryptosystem, the "server" needs to publish its public key (the algorithm does not need to be published; everyone knows the RSA algorithm) and keep its private key. The "customer" obtains the public key published by the "server" in some way; the customer does not know the private key. How exactly the "customer" obtains the public key is explained later. Now let's see how the two sides communicate confidentially:


2.1 First Round:

"Customer" -> "Server": Hello

"Server" -> "Customer": Hello, I am the server

"Customer" -> "Server": ....

Because messages are transmitted over the network, someone can impersonate the "server" and send information to the customer. For example, the exchange above can be intercepted by a hacker as follows:

"Customer" -> "Server": Hello

"Server" -> "Customer": Hello, I am the server

"Customer" -> "Hacker": Hello // On a router between the "customer" and the "server", the hacker intercepts the message the "customer" sent to the server and then impersonates the "server"

"Hacker" -> "Customer": Hello, I am the server

Therefore, after receiving the message, the "customer" cannot be certain that it was sent by the "server"; a "hacker" can also impersonate the "server" and send this message. How can the customer make sure that the information was sent by the "server"? There is a solution: only the server has the private key, so if the customer can confirm that the other party holds the private key, then the other party is the "server". The communication process can therefore be improved as follows:


2.2 Second round:

"Customer" -> "Server": Hello

"Server" -> "Customer": Hello, I am the server

"Customer" -> "Server": Prove to me that you are the server

"Server" -> "Customer": Hello, I am the server {Hello, I am the server}[private key | RSA]

// Note the convention used here: {} denotes content after encryption, and [ | ] indicates which key and algorithm were used for the encryption. In the example above, {Hello, I am the server}[private key | RSA] is the result of encrypting "Hello, I am the server" with the private key using RSA.

To prove to the customer that it is the "server", the "server" encrypts a string with its own private key and sends the plaintext and the resulting ciphertext together to the "customer". In this example, the string "Hello, I am the server" and the result of encrypting that string with the private key, {Hello, I am the server}[private key | RSA], are sent to the customer.

When the customer receives the message, it decrypts the ciphertext with the public key it holds and compares the result with the plaintext. If they match, the message was actually sent by the server. That is, the "customer" decrypts {Hello, I am the server}[private key | RSA] with the public key and compares the result with "Hello, I am the server". Content encrypted with the private key can only be decrypted with the public key, and only the "server" holds the private key, so if the decrypted content matches, the information must have been sent by the "server".

Suppose a "hacker" wants to impersonate the "server":

"Hacker" -> "Customer": Hello, I am the server

"Customer" -> "Hacker": Prove to me that you are the server

"Hacker" -> "Customer": Hello, I am the server {Hello, I am the server}[... | RSA] // Here the hacker cannot impersonate the server: he does not know the private key, so he cannot encrypt a string with the private key and send it to the customer for verification.

"Customer" -> "Hacker": ....

Because the "hacker" does not have the "server" private key, the content it sends cannot be decrypted by the "customer" with the server's public key, so the customer can conclude that the other party is an impostor.
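The signature from section 1.5 and the proof of private-key possession from round 2, as an added Python example that is not part of the original article. It assumes a constructed toy RSA key built from two Mersenne primes, signs the SHA-256 hash rather than the raw string, and goes beyond the article's fixed string by adding a random challenge so that a recorded reply cannot be reused.

```python
import hashlib
import os

# Constructed toy key: two Mersenne primes, textbook RSA without padding.
# Real keys use random primes and a padded signature scheme such as RSA-PSS.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537                    # public key, published by the server
D = pow(E, -1, (P - 1) * (Q - 1))      # private key, held only by the server


def digest(message: bytes) -> int:
    """One-way hash of the message as an integer (always smaller than N)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(message: bytes, private_exp: int) -> int:
    """{hash(message)}[private key | RSA] in the article's notation."""
    return pow(digest(message), private_exp, N)


def verify(message: bytes, signature: int) -> bool:
    """Decrypt the signature with the public key and compare the hashes."""
    return pow(signature, E, N) == digest(message)


def prove_identity(challenge: bytes, private_exp: int):
    """Responder side of round 2: plaintext reply plus its signature."""
    reply = b"Hello, I am the server|" + challenge
    return reply, sign(reply, private_exp)


def customer_accepts(challenge: bytes, reply: bytes, signature: int) -> bool:
    """Accept only a reply that echoes this challenge and verifies under (N, E)."""
    return reply.endswith(b"|" + challenge) and verify(reply, signature)


def run_round_two() -> dict:
    challenge = os.urandom(16)                         # fresh per connection
    reply, sig = prove_identity(challenge, D)          # the real server
    forged = prove_identity(challenge, 12345)          # hacker guesses an exponent
    return {
        "server": customer_accepts(challenge, reply, sig),
        "hacker": customer_accepts(challenge, *forged),
        "modified": verify(reply.replace(b"server", b"hacker"), sig),
        "replayed": customer_accepts(os.urandom(16), reply, sig),
    }
```

Only the holder of D produces a reply the customer accepts; the guessed key, the modified message and the replayed reply are all rejected.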

So far, the "customer" can confirm the identity of the "server" and can communicate with it with confidence. But there is a problem: the content of the communication is still not confidential on the network. Why can't it be kept secret? Can't the communication be encrypted with the public key and private key? In fact, RSA's private key and public key alone are not enough. Let's analyze the process in detail; see the following demo:


2.3 Third round:

"Customer" -> "Server": Hello

"Server" -> "Customer": Hello, I am the server

"Customer" -> "Server": Prove to me that you are the server

"Server" -> "Customer": Hello, I am the server {Hello, I am the server}[private key | RSA]

"Customer" -> "Server": {My account is AAA, the password is 123, please send me my balance information}[public key | RSA]

"Server" -> "Customer": {Your balance is $100}[private key | RSA]

Note the message {Your balance is $100}[private key | RSA] above. This is content the "server" encrypted with the private key. But as we said before, the public key is published and everyone knows it, so besides the "customer", other people can also use the public key to decrypt {Your balance is $100}[private key | RSA]. So if the "server" encrypts what it sends to the "customer" with the private key, the information is not confidential, because anyone with the public key can decrypt it. However, the "server" also cannot encrypt the content with the public key, because the "customer" does not have the private key and so could not decrypt what it receives.

So there is a problem again; how can it be solved? In practice this is generally solved by introducing symmetric encryption; see the following demo:


2.4 Fourth round:

"Customer" -> "Server": Hello

"Server" -> "Customer": Hello, I am the server

"Customer" -> "Server": Prove to me that you are the server

"Server" -> "Customer": Hello, I am the server {Hello, I am the server}[private key | RSA]

"Customer" -> "Server": {We follow the communication process, with symmetric encryption, here is the symmetric encryption algorithm and the key}[public key | RSA] // The part "here is the symmetric encryption algorithm and the key" (shown in blue in the original) stands for the specific symmetric encryption algorithm and key, which the customer sends to the server.

"Server" -> "Customer": {OK, received.}[key | symmetric encryption algorithm]

"Customer" -> "Server": {My account is AAA, the password is 123, please send me my balance information}[key | symmetric encryption algorithm]

"Server" -> "Customer": {Your balance is $100}[key | symmetric encryption algorithm]

In the above communication process, after confirming the identity of the "server", the "customer" chooses a symmetric encryption algorithm and a key, encrypts the algorithm and the key with the public key, and sends them to the "server". Note that because symmetric encryption is calculated
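Rounds 3 and 4 as an added Python example, not part of the original article: content encrypted with the private key is readable by anyone holding the public key, while a symmetric key wrapped with the public key can only be unwrapped by the server. The toy RSA key (two Mersenne primes, no padding) and the SHA-256 keystream standing in for the symmetric algorithm are assumptions made for illustration.

```python
import hashlib
import os

# Constructed toy key (two Mersenne primes), textbook RSA without padding.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537                    # server's public key, known to everyone
D = pow(E, -1, (P - 1) * (Q - 1))      # server's private key


def rsa(value: int, exponent: int) -> int:
    """Textbook RSA: one operation, the exponent decides which key is used."""
    return pow(value, exponent, N)


def sym(key: bytes, direction: bytes, data: bytes) -> bytes:
    """Stand-in symmetric cipher: XOR with a SHA-256 counter keystream.
    The same call encrypts and decrypts. Real code would use AES-GCM."""
    stream, counter = b"", 0
    while len(stream) < len(data):
        block = key + direction + counter.to_bytes(8, "big")
        stream += hashlib.sha256(block).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def round_three_leak(balance: bytes) -> bytes:
    """Round 3: what an eavesdropper holding only (N, E) reads off the wire."""
    wire = rsa(int.from_bytes(balance, "big"), D)      # {balance}[private key | RSA]
    return rsa(wire, E).to_bytes(len(balance), "big")


def round_four(request: bytes, reply: bytes) -> dict:
    """Round 4: the customer picks a key, wraps it with the public key, both use it."""
    key = os.urandom(32)                               # chosen by the customer
    wrapped = rsa(int.from_bytes(key, "big"), E)       # {key}[public key | RSA]
    server_key = rsa(wrapped, D).to_bytes(32, "big")   # unwrapping needs D
    wire_request = sym(key, b"c2s", request)           # customer -> server
    wire_reply = sym(server_key, b"s2c", reply)        # server -> customer
    return {
        "wire": (wrapped, wire_request, wire_reply),   # all an eavesdropper sees
        "server_reads": sym(server_key, b"c2s", wire_request),
        "customer_reads": sym(key, b"s2c", wire_reply),
    }
```

The direction label keeps the two directions from sharing one keystream, which a plain XOR stream would otherwise leak.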
