WebService SSL 1/TLS protocol primer

Source: Internet
Author: User

SSL (Secure Sockets Layer) and its successor, TLS (Transport Layer Security), are security protocols that provide security and data integrity for network communications. TLS and SSL encrypt the network connection at the transport layer.

SSL was developed by Netscape to secure data transmission over the Internet. It uses encryption to ensure that data is not intercepted or eavesdropped on while it crosses the network.

The SSL protocol sits between TCP/IP and the various application-layer protocols, providing security support for data communication. The SSL protocol can be divided into two layers:
SSL Record Protocol: built on top of a reliable transport protocol (such as TCP), it provides basic functions such as data encapsulation, compression and encryption for higher-level protocols.
SSL Handshake Protocol: built on top of the SSL Record Protocol, it is used before the actual data transfer begins so that the two parties can authenticate each other, negotiate cryptographic algorithms, exchange encryption keys, and so on.

The services provided by the SSL protocol are mainly:
1) Authenticate users and servers, to ensure that data is sent to the correct client and server;
2) Encrypt data, to prevent it from being stolen in transit;
3) Maintain the integrity of the data, to ensure that it is not changed during transmission.

First, what is SSL?


SSL, or Secure Socket Layer, is a technology that allows Web browsers and Web servers to communicate over a secure connection. This means that the data being sent is encrypted at one end, transmitted, and then decrypted at the other end. This is a two-way process: both the browser and the server encrypt data before sending it.

Another important aspect of the SSL protocol is authentication. This means that when you first try to communicate with a Web server over a secure connection, the server presents your browser with a set of credentials, in the form of a certificate, as proof that the site is what it claims to be. In some cases, the server will also request a certificate from your Web browser to prove that you are who you claim to be. This is known as "client authentication", although in practice it is used more for business-to-business transactions than for individual users. Most Web servers that support SSL do not require client authentication.

Second, the certificate

To implement SSL, a Web server must have an associated certificate for each external interface (IP address) that accepts secure connections. The theory behind this design is that a server should provide some reasonable assurance that its owner is who you think it is, particularly before it receives any sensitive information. A broader explanation of certificates is beyond the scope of this document, but you can think of a certificate as a "digital driver's license" for an Internet address. It states which company the site is associated with, along with some basic contact information for the site's owner or system administrator.

This "driver's license" is cryptographically signed by its owner, and is very difficult for anyone else to forge. For e-commerce websites, or any other commercial transaction in which proof of identity is essential, the certificate is purchased from a well-known Certificate Authority (CA) such as VeriSign or Thawte. Such a certificate can be verified electronically: in effect, the Certificate Authority vouches for the authenticity of the certificates it issues, so if you trust the Certificate Authority that issued a certificate, you can believe that the certificate is valid.

Technically, an SSL certificate (also known as a digital certificate) binds an identity to a pair of electronic keys that can be used to encrypt and sign digital information. An SSL certificate makes it possible to verify someone's claim that they have the right to use a specific key, which helps prevent people from using a fraudulent key to impersonate another user. When used in conjunction with encryption, an SSL certificate provides a complete security solution that assures the identity of the party or parties involved in a transaction.

An SSL certificate is issued by a trusted third party, known as a Certificate Authority (CA). A CA acts like a passport office. The CA must take steps to establish the identity of the person or organization to whom the ID is to be issued. Once the CA has established an organization's identity, it can issue a certificate containing the organization's public key and sign it with the CA's private key.

By using an SSL certificate, you can conduct authenticated, encrypted online business on your site. Users who visit your site can submit credit card numbers or other personal information with the assurance that they are genuinely doing business with you (not with a scammer) and that the information they send you cannot be intercepted or decrypted by anyone other than the intended recipient. Your SSL certificate will contain the following information:

    • The common name of your organization (such as www.bea.com)
    • Other identifying information (such as IP and physical addresses)
    • Your public key
    • Expiration date of the public key
    • Name of the CA that issued this ID (such as VeriSign)
    • A unique serial number.
    • The digital signature of VeriSign

Third, certificate format

The main certificate formats are:
PEM
DER
PKCS#12

PEM
PEM can contain private keys (RSA and DSA), public keys (RSA and DSA), and (X.509) certificates. It stores DER-format data encoded in Base64 and surrounded by ASCII header and footer lines, so it is suitable for text-mode transfer between systems.

-----BEGIN CERTIFICATE-----
(Base64-encoded DER data)
-----END CERTIFICATE-----

DER
Distinguished Encoding Rules (DER) files can contain private keys, public keys, and certificates. DER is the default format for most browsers, and the data is stored as ASN.1 DER. It has no header; PEM is simply DER wrapped in text headers.

PKCS#12
Public Key Cryptography Standard #12 (PKCS#12) files can contain private keys, public keys, and certificates. The data is stored in a binary format; such a file is also known as a PFX file.
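The relationship between the three formats can be checked directly on a file's bytes. The following is an added example, not code from the original article: it wraps and unwraps PEM and classifies a blob as PEM, DER or PKCS#12. The function names and the two sample byte strings are constructed for illustration, and the PKCS#12 test (a leading version INTEGER 3) is a heuristic.

```python
import base64
import re
import textwrap

PEM_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

# Constructed samples: minimal DER structures, not real certificates.
CERT_LIKE = bytes.fromhex("30053003020102")  # SEQUENCE { SEQUENCE { INTEGER 2 } }
PFX_LIKE = bytes.fromhex("30050201033000")   # SEQUENCE { INTEGER 3, SEQUENCE {} }

def to_pem(der, label="CERTIFICATE"):
    """Wrap DER bytes in Base64 plus ASCII header and footer lines."""
    body = "\n".join(textwrap.wrap(base64.b64encode(der).decode(), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n".encode()

def pem_to_der(pem):
    """Strip the header and footer and Base64-decode back to DER bytes."""
    m = PEM_RE.search(pem)
    if not m:
        raise ValueError("no PEM block found")
    return base64.b64decode(m.group(2))

def der_header(data):
    """Return (tag, content_offset, content_length) of the first DER element."""
    if len(data) < 2:
        raise ValueError("too short for DER")
    tag, first = data[0], data[1]
    if first < 0x80:                  # short form: the byte is the length
        return tag, 2, first
    n = first & 0x7F                  # long form: next n bytes hold the length
    if n == 0 or len(data) < 2 + n:
        raise ValueError("bad DER length")
    return tag, 2 + n, int.from_bytes(data[2:2 + n], "big")

def sniff(data):
    """Classify a blob as 'PEM', 'PKCS#12', 'DER' or 'unknown'."""
    if PEM_RE.search(data):
        return "PEM" if sniff(pem_to_der(data)) != "unknown" else "unknown"
    try:
        tag, off, length = der_header(data)
    except ValueError:
        return "unknown"
    # Must be one outer SEQUENCE (0x30) that spans the whole blob;
    # a truncated file fails the length check.
    if tag != 0x30 or off + length != len(data):
        return "unknown"
    # A PFX starts with version INTEGER 3; a certificate starts with a
    # nested SEQUENCE instead.
    return "PKCS#12" if data[off:off + 3] == b"\x02\x01\x03" else "DER"
```
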

Fourth, encryption algorithms


There are two major types of encryption algorithm: the first is not based on a key, and the other is based on a key.

Not key-based: to give a simple example, suppose I want to encrypt the string "fordesign". Each character is replaced by the character that follows it, giving "GPSEFTJHM". Nobody can make sense of that, and the receiver recovers the original text by applying the reverse procedure. Of course, this is just an example; nobody should be using such a laughable encryption algorithm today.

Algorithms that are not based on a key seem to have been in use right up until computers appeared. I remember that military secrets in ancient China were encrypted this way. In wartime, army telegraph operators had to carry a code book, which would have been this kind of encryption too. The security of such an algorithm rests on keeping the algorithm itself secret.
The disadvantage of this kind of algorithm is all too obvious: once your encryption algorithm is known to others, you are finished. Japan's defeat at Midway seems to have come from the Americans breaking its cipher. Designing an algorithm is a lot of trouble, and once someone breaks it, it is useless, which is a waste.

The encryption algorithms we use today are typically key-based, which means that a key is required during encryption and the plaintext is encrypted with that key. Even if such an algorithm is broken once, you can change the key and carry on using it. What is a key? It can be a randomly generated number, a word, or anything else, as long as it is a legal key for the algorithm you have chosen.

The most important property of these algorithms is that their security depends on the key, and generally on the length of the key. In other words, even someone who knows the algorithm will find it very difficult to decrypt without knowing the key. In fact, the commonly used key-based encryption algorithms can all be found on the Internet.

Key-based encryption algorithms fall into two classes: symmetric and asymmetric encryption.

Symmetric encryption means that both sides use the same key; the most common examples are DES, DES3, RC4 and so on. The principle of a symmetric algorithm is easy to understand: one party encrypts the plaintext with the key, and the other party, on receiving it, decrypts with the same key to obtain the plaintext.

Asymmetric encryption means that the two parties encrypt and decrypt with different keys, and each side of the communication must have its own public key and private key.
An example makes this easier to understand. Assume the two sides of the communication are A and B.
A owns KEY_A1 and KEY_A2, where KEY_A1 is the private key of A and KEY_A2 is the public key of A.
B owns KEY_B1 and KEY_B2, where KEY_B1 is the private key of B and KEY_B2 is the public key of B.
The defining property of a public key and its private key is that anything encrypted with one of them can only be decrypted with the other. That is, plaintext encrypted with KEY_A1 can only be decrypted with KEY_A2, and vice versa.


The communication process is as follows:

A-------->KEY_A2------------>B
A<--------KEY_B2<------------B

This process is called public key exchange, or "key exchange" in English.
A and B then each encrypt with the other's public key and decrypt with their own private key.
Generally the public key is published. If you encrypt plaintext with your own private key and other people can decrypt it with your public key, then it must have been you who encrypted it; this is the authentication mechanism that SSL uses.

If I want to send something to you, I encrypt it with your public key so that only you can decrypt it with your own private key. If I encrypt with my own private key and then publish the result, that provides no confidentiality; it is authentication instead. It proves that the message came from me, and I cannot deny it, because only I know the private key.

Commonly used asymmetric algorithms include RSA, DSA, DH and so on. We generally use RSA.

Fifth, digital signatures


The digital signature is another important application of asymmetric encryption. Understanding it is important for understanding SSL, so it is introduced here as well.

What is a signature? Everybody is familiar with it: it proves that you wrote or issued something, and you confirm that with your signature. Look at any important document and it needs the boss's signature. A digital signature is the digital form of a signature. Remember the properties of the public key and private key? You are the only one who has your private key, while your public key is known to everyone else. So after you finish writing an e-mail, you encrypt your name with your own private key, and the recipient decrypts it with your public key: ah, it really was sent by you. That is the digital signature process.

The explanation above is highly simplified. Real digital signatures are much more complicated than this, but for our purposes it is enough to know that this is what a digital signature does.

There is one more kind of algorithm that we need to know about. I do not actually think of it as an encryption algorithm; it should be called a hash algorithm, or message digest in English. It turns plaintext of any length into a fixed-length string according to fixed rules. Its role in SSL is also important and will be mentioned later. MD5 and SHA are the ones generally used. Base64 is not an encryption algorithm, but it is also frequently used with SSL; it is an encoding used to convert back and forth between ASCII and binary data.
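The two uses of A's key pair described above, confidentiality with the public key and signing a message digest with the private key, can be seen side by side in a small worked example. This is an added example, not code from the original article: it is textbook RSA without padding on a constructed toy key, for illustration only. KEY_A1 and KEY_A2 follow the article's naming; the function names are assumptions.

```python
import hashlib

# Constructed toy key pair: the primes are the Mersenne primes 2^107-1 and
# 2^127-1. Far too small and too structured for real use.
P, Q = 2**107 - 1, 2**127 - 1
N = P * Q
E = 65537                              # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent (Python 3.8+)

KEY_A2 = (E, N)   # A's public key
KEY_A1 = (D, N)   # A's private key

def apply_key(key, value):
    """The one RSA operation: value^exponent mod n."""
    exp, n = key
    return pow(value, exp, n)

def encrypt_for_a(message: bytes) -> int:
    """Confidentiality: anyone can encrypt with A's public key."""
    m = int.from_bytes(message, "big")
    if m >= N:
        raise ValueError("message too long for this toy modulus")
    return apply_key(KEY_A2, m)

def decrypt_as_a(ciphertext: int) -> bytes:
    """Only the holder of KEY_A1 can undo encrypt_for_a."""
    m = apply_key(KEY_A1, ciphertext)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")

def digest(message: bytes) -> int:
    """Fixed-length SHA-256 digest, reduced to fit the toy modulus."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N

def sign_as_a(message: bytes) -> int:
    """Authentication: A transforms the digest with the private key."""
    return apply_key(KEY_A1, digest(message))

def verify_from_a(message: bytes, signature: int) -> bool:
    """Anyone recovers the digest with A's public key and compares."""
    return apply_key(KEY_A2, signature) == digest(message)
```

Signing the digest rather than the whole message is why the hash algorithm matters to SSL: the signature stays a fixed size, and any change to the message changes the digest and makes verification fail.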

We do not need to understand the specific encryption and decryption processes, because SSL does not concern itself with them at all. But some understanding of the fundamentals of cryptographic algorithms is necessary; otherwise SSL is difficult to understand.

