What is SSL

Source: Internet
Author: User

SSL (Secure Sockets Layer) is one of the most widely used cryptographic applications on today's Internet.
The Internet is an open network environment, which means that any data transmitted over it may be intercepted and monitored. When you submit personal information on a WWW website, the information leaves your computer and passes through several nodes on the Internet before it reaches the server. Along the way the data is completely exposed, and anyone with the right tools can intercept it.
Netscape developed SSL to address this security risk. SSL is a communication layer created by the client browser for secure information transmission. It sits between the TCP/IP protocol suite and the application layer (the browser, HTTP, and other application protocols) and transparently handles the encrypted transmission of information. The browser's SSL implementation uses RSA's public/private key encryption system and a digital certificate system. All mainstream browsers have built-in SSL support: when users access pages that require SSL authentication, the browser correctly identifies and processes the corresponding requests. SSL can effectively prevent transmitted data from being monitored and tampered with, and clients and servers can establish a secure communication channel through mutual authentication.
In SSL applications, the security of sensitive user information is guaranteed by high-strength encryption algorithms. SSL uses the RSA encryption algorithm, a digital certificate system, and a digital signature mechanism to ensure data security. The privacy, consistency, and integrity of user data are protected during transmission over a network connection established by SSL. Because RSA operations are slow, each SSL session performs only one RSA operation on the server and on the client. In this process, the server and the client establish a secure communication channel through a series of interactions called the SSL handshake.
The SSL handshake process can be divided into the following steps:
1. The client sends the server its SSL version number, encryption algorithm settings, randomly generated data, and other data that the server needs in order to communicate with the client.
2. The server sends the client its SSL version number, encryption algorithm settings, randomly generated data, and other data that the client needs in order to communicate with the server. The server also sends its own certificate. If the client is requesting information that requires authentication, the server also requests the client's certificate.
3. The client uses the information sent by the server to verify the identity of the server. If the verification fails, the user receives a warning and the encrypted connection is not established. If the verification succeeds, the handshake proceeds to the next step.
4. Using the data generated so far in the handshake, the client creates the premaster secret for the connection, encrypts it with the server's public key (obtained from the server certificate sent in step 2), and sends it to the server.
5. If the server has also requested client verification, the client signs a further piece of data that is different from the data used for the previous encrypted connection. In this case, the client sends the signed data and its own certificate to the server together with the encrypted premaster secret.
6. If the server has requested client authentication, the server tries to verify the client's identity. If the client cannot be authenticated, the connection is terminated. If the authentication succeeds, the server uses its own private key to decrypt the premaster secret and then performs a series of operations to generate the master secret.
7. The server and the client each generate the session key, and all subsequent data is exchanged using a symmetric key algorithm.
8. The client sends a message to the server indicating that all future information will be encrypted with the session key. It then sends a separate message indicating that the client's part of the handshake is complete.
9. The server also sends a message to the client indicating that all future information will be encrypted with the session key. It then sends a separate message indicating that the server's part of the handshake is complete.
10. The SSL handshake ends successfully. The client and server start using the session key to encrypt and decrypt all data exchanged between the two parties.
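
Steps 4 to 7 above, carried through in code as an added example (not part of the original article). Assumptions: the server's RSA key is a constructed toy key (textbook RSA without padding, for illustration only), the "series of operations" is taken to be the TLS 1.2 PRF from RFC 5246 rather than the original SSL derivation, and the key block is simplified to two write keys.

```python
import hashlib
import hmac
import secrets

# Constructed toy RSA key for the "server": textbook RSA without padding,
# built from two Mersenne primes. For illustration only, never for real use.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))

def prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 PRF (RFC 5246, section 5): P_SHA256(secret, label + seed)."""
    seed = label + seed
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]

def derive_keys(premaster: bytes, client_random: bytes, server_random: bytes):
    """Steps 6-7: premaster secret -> master secret -> session keys."""
    master = prf(premaster, b"master secret", client_random + server_random, 48)
    # Key expansion seeds with server_random first (the order is swapped).
    block = prf(master, b"key expansion", server_random + client_random, 64)
    return master, {"client_write_key": block[:32], "server_write_key": block[32:]}

def handshake():
    # Steps 1-2: each side contributes random data, sent in the clear.
    client_random = secrets.token_bytes(32)
    server_random = secrets.token_bytes(32)
    # Step 4: the client creates the premaster secret and encrypts it with
    # the server's public key (N, E) taken from the server certificate.
    premaster = b"\x03\x03" + secrets.token_bytes(46)
    encrypted = pow(int.from_bytes(premaster, "big"), E, N)
    # Step 6: the server recovers the premaster secret with its private key D.
    recovered = pow(encrypted, D, N).to_bytes(48, "big")
    # Step 7: both sides derive the same master secret and session keys.
    client_view = derive_keys(premaster, client_random, server_random)
    server_view = derive_keys(recovered, client_random, server_random)
    return client_view, server_view, encrypted

if __name__ == "__main__":
    client, server, _ = handshake()
    print("same master secret:", client[0] == server[0])
    print("same session keys: ", client[1] == server[1])
```

Only the encrypted premaster secret and the two random values cross the network; the master secret and session keys are computed independently on each side.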
[Figure: a common SSL handshake process]

When digital certificates are used for identity authentication, server authentication differs slightly from client authentication. The process for the client to verify the server using a digital certificate is as follows:
1. Obtain the relevant information from the certificate sent by the server.
2. Check whether the current date is within the validity period of the certificate.
3. Check whether the certificate's issuing authority is trusted by the client.
4. Check whether the issuer's public key validates the issuer's digital signature on the certificate.
5. Check whether the server domain name in the certificate matches the real domain name of the server.
6. If the server is successfully verified, the client continues the handshake process.
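
The validity, issuer, and domain-name checks from the list above (steps 2, 3, and 5), as an added example that is not from the original article. Assumptions: the certificate is a constructed sample in the dict shape returned by Python's `ssl.SSLSocket.getpeercert()`, the trust list is a hypothetical set of issuer names standing in for real chain validation, and the signature check in step 4 is left out because it needs a cryptographic library.

```python
import ssl
from datetime import datetime, timezone

# Constructed sample in the dict shape returned by ssl.SSLSocket.getpeercert().
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.org"),),),
    "issuer": ((("organizationName", "Example Trust"),),
               (("commonName", "Example Root CA"),)),
    "notBefore": "Jan 15 00:00:00 2024 GMT",
    "notAfter": "Jan 15 00:00:00 2025 GMT",
    "subjectAltName": (("DNS", "www.example.org"), ("DNS", "*.shop.example.org")),
}
TRUSTED_ISSUERS = {"Example Root CA"}  # hypothetical client trust list

def dns_match(pattern: str, host: str) -> bool:
    """Compare one certificate DNS name with the host name. A '*' is accepted
    only as the entire left-most label and covers exactly one label."""
    p = pattern.lower().split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*" and len(p) > 2:
        return p[1:] == h[1:]
    return p == h

def verify_server_cert(cert: dict, host: str, trusted: set, now: datetime) -> list:
    """Return the failed checks; an empty list means the handshake continues."""
    failures = []
    # Step 2: is the current date inside the validity period?
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if not not_before <= now.timestamp() <= not_after:
        failures.append("outside validity period")
    # Step 3: is the issuing authority trusted by the client?
    issuer = dict(rdn[0] for rdn in cert["issuer"])
    if issuer.get("commonName") not in trusted:
        failures.append("untrusted issuer")
    # Step 5: does a name in the certificate match the server's real name?
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not any(dns_match(n, host) for n in names):
        failures.append("hostname mismatch")
    return failures

if __name__ == "__main__":
    when = datetime(2024, 6, 1, tzinfo=timezone.utc)
    print(verify_server_cert(SAMPLE_CERT, "www.example.org", TRUSTED_ISSUERS, when))
```
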
The process for the server to verify the client using a digital certificate is as follows:
1. Obtain the relevant information from the certificate sent by the client.
2. Check whether the user's public key validates the user's digital signature.
3. Check whether the current date is within the validity period of the certificate.
4. Check whether the certificate's issuing authority is trusted by the server.
5. Check whether the user's certificate is listed in the user's entry in the server's LDAP directory.
6. Check whether the verified user still has permission to access the requested server resources.
While SSL provides high communication security, it also comes at considerable cost to the server. For a commercial website with heavy traffic, using SSL greatly increases the server load, because the server has to perform an RSA operation for each user request. The solution is to use additional servers to share the handling of client connections, and RSA hardware accelerators to offload RSA computation from the server CPU.
