2025-03-04 Update From: SLTechnology News&Howtos (Servers)
Shulou (Shulou.com) 06/02 Report
The handshake process of the SSL protocol

The SSL protocol uses both public-key (asymmetric) and symmetric cryptography. The transmitted content is encrypted with a symmetric cipher, and public-key encryption is used to protect the secret from which that symmetric key is derived. The handshake protocol is what allows the client and the server to authenticate each other and to agree on that key. The main steps are as follows:

① The client's browser sends the server its SSL protocol version number, the encryption algorithms (cipher suites) it supports, a freshly generated random number, and the other information the two sides need in order to communicate.

② The server replies with its SSL protocol version number, the encryption algorithm it has selected, its own random number and related information, and also sends its certificate to the client.

③ The client uses the information received from the server to verify the server's legitimacy. This includes checking whether the certificate has expired, whether the CA that issued the server certificate is trusted, whether the issuer's public key correctly verifies the issuer's digital signature on the server certificate, and whether the domain name on the certificate matches the server's actual domain name. If any of these checks fails, the connection is terminated; if they all pass, the handshake continues with step ④.

④ The client randomly generates the "pre-master secret" from which the symmetric session key will later be derived, and encrypts it with the server's public key (the server's public key from the step

⑤ If the server requires client authentication (optional in the handshake), the client creates a random number and signs it, then sends the signed random number to the server together with its own certificate and the encrypted pre-master secret. (In the TLS standards the client instead signs a hash of all handshake messages exchanged so far, the CertificateVerify message, which binds the signature to this particular handshake.)

⑥ If client authentication is required, the server must verify the client's certificate and the signature on the random number. The checks are: whether the certificate's validity period covers the current date, whether the CA that issued it is trusted, whether that CA's public key correctly verifies the CA's signature on the client certificate, and whether the certificate appears on the certificate revocation list (CRL). If verification fails, the connection is terminated immediately; if it passes, the server decrypts the pre-master secret with its own private key and then derives the master secret for the session from the pre-master secret together with the two random numbers exchanged in steps ① and ② (the client derives the same master secret in the same way; including both random numbers is what gives every session fresh keys).

⑦ The server and the client now hold the same master secret (the "session key"), from which the symmetric key used to encrypt and decrypt the data on the SSL secure channel is taken. Integrity protection is applied to the data at the same time, so that any alteration of the communication is detected.

⑧ The client sends the server a message announcing that the key of step ⑦ will be the symmetric key for all subsequent communication, followed by a Finished message notifying the server that the client's part of the handshake is complete.

⑨ The server likewise sends the client a message announcing that the key of step ⑦ will be the symmetric key for subsequent data communication, followed by its own Finished message notifying the client that the handshake is complete.

⑩ The handshake is over and data communication over the SSL secure channel begins: client and server use the same symmetric key for the data and check the integrity of every message.

The specific process of two-way authentication in the SSL protocol
① The browser sends a connection request to the secure server.

② The server sends its own certificate and the information associated with it to the client's browser.

③ The browser checks whether the certificate sent by the server was issued by a trusted CA. If so, the protocol continues; if not, the browser warns the user that the certificate is not trustworthy and asks whether to continue.

④ The browser then compares the information in the certificate, such as the domain name and the public key, with what the server just sent. If they match, the browser accepts the server's identity as legitimate.

⑤ The server asks the client to send its own certificate. On receipt, the server validates the client certificate and rejects the connection if validation fails; if it passes, the server obtains the user's public key.

⑥ The browser tells the server which symmetric cipher schemes it can support.

⑦ The server chooses the strongest cipher scheme among those offered by the client and notifies the browser of its choice after encrypting it with the client's public key. (In the standardized TLS handshake this choice is sent in the clear in the ServerHello, and the client's public key is used only to verify the client's signature, never for encryption, so the security of the negotiation does not rest on this step.)

⑧ For that cipher scheme the browser chooses a session key, encrypts it with the server's public key and sends it to the server.

⑨ The server receives the browser's message, decrypts it with its own private key and obtains the session key.

⑩ All further communication between the server and the browser uses the symmetric cipher scheme, the symmetric key itself having been exchanged under public-key encryption.

The procedure above is the two-way (mutual) authentication SSL protocol, which requires both the server and the user to hold a certificate. The one-way authentication SSL protocol does not require the client to hold a CA-issued certificate: compared with the steps above, the server-side verification of the client certificate is simply omitted, and when negotiating the symmetric cipher scheme and the symmetric session key the server sends its chosen cipher scheme to the client unencrypted. In either case the content the two sides exchange is ciphertext. A third party who intercepts the traffic obtains only encrypted data and must break the cipher to learn anything useful, so at that point the security rests on the strength of the cipher scheme. The cipher schemes in current use are secure enough as long as the key is long enough. One caveat of the RSA key exchange described here, though: the session key is always protected by the server's long-term public key, so anyone who records the traffic and later obtains the server's private key can decrypt every recorded session. TLS 1.3 therefore dropped RSA key exchange in favour of ephemeral Diffie-Hellman, which provides forward secrecy.
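Both procedures above can be walked through in one short program. The Python script below is an added example written for this page; it is not code from the article or from any SSL/TLS library. It plays client and server in a single process, following the RSA key exchange of TLS 1.2: random numbers in the hello messages, the server-certificate checks of step ③ (expiry, trusted issuer, issuer signature, name match), the client-certificate checks of step ⑥ including a CRL lookup, the pre-master secret encrypted to the server's public key, the master secret and key block derived from the pre-master secret plus both random numbers, a Finished check on each side, and integrity-protected records afterwards. Everything in it is simplified and labelled as such: RSA is textbook RSA (no padding) over fixed, publicly known Mersenne primes so that it runs offline with the standard library only; certificates are dicts; the cipher-suite ranking and the names "Demo CA", www.example.com and "alice" are constructed; the client signs the handshake transcript (as the TLS CertificateVerify message does) rather than a random number it chose itself; the server's chosen suite is sent in the clear, as TLS actually does; and an HMAC-derived keystream with an HMAC tag stands in for the real symmetric cipher, with one key block used in both directions.

```python
"""Toy end-to-end run of the RSA-key-exchange SSL/TLS handshake, standard library only.
Textbook RSA over fixed Mersenne primes and an HMAC keystream stand in for real primitives:
this shows the message flow and the checks of each step, not production cryptography."""
import hashlib, hmac, secrets, time

_MERSENNE = [(1 << k) - 1 for k in (89, 1279, 107, 607, 127, 521)]   # well-known primes
def rsa_keypair(i):
    """Return ((n, e), (n, d)) from fixed prime pair i in 0..2. Demo keys only, never real ones."""
    p, q = _MERSENNE[2 * i], _MERSENNE[2 * i + 1]
    return (p * q, 65537), (p * q, pow(65537, -1, (p - 1) * (q - 1)))
def rsa_raw(key, m):                      # one modexp serves encrypt, decrypt, sign and verify
    n, k = key
    assert 0 <= m < n, "message must be smaller than the modulus"
    return pow(m, k, n)
_h = lambda data: int.from_bytes(hashlib.sha256(data).digest(), "big")
def sign(priv, data): return rsa_raw(priv, _h(data))
def verify(pub, data, sig): return rsa_raw(pub, sig) == _h(data)

FIELDS = ("subject", "issuer", "serial", "pubkey", "not_after")
_tbs = lambda cert: repr([cert[f] for f in FIELDS]).encode()     # the fields the CA signs
def issue_cert(ca_name, ca_priv, subject, pubkey, serial, days=365):
    tbs = dict(subject=subject, issuer=ca_name, serial=serial, pubkey=pubkey,
               not_after=time.time() + days * 86400)
    return {**tbs, "sig": sign(ca_priv, _tbs(tbs))}

def check_cert(cert, trust_store, crl=(), hostname=None):
    """The checks of steps ③ and ⑥: None if acceptable, otherwise the reason to reject."""
    if cert["not_after"] < time.time():
        return "certificate expired"
    ca_pub = trust_store.get(cert["issuer"])
    if ca_pub is None:
        return "issuing CA not trusted"
    if not verify(ca_pub, _tbs(cert), cert["sig"]):
        return "issuer signature does not verify"
    if cert["serial"] in crl:
        return "certificate is on the CRL"
    if hostname is not None and cert["subject"] != hostname:
        return "name on certificate does not match the host"

def prf(secret, label, seed, length):     # TLS 1.2 P_SHA256 expansion
    out, a = b"", label + seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()
        out += hmac.new(secret, a + label + seed, hashlib.sha256).digest()
    return out[:length]
SUITES = {"AES256-SHA256": 3, "AES128-SHA": 2, "RC4-MD5": 1}     # constructed strength ranking

def handshake(server_cert, server_priv, trust_store, hostname, client_suites,
              client_cert=None, client_priv=None, crl=()):
    """Steps ① to ⑩ with both roles in one process. Returns (client keys, server keys, suite)."""
    c_rand, s_rand = secrets.token_bytes(32), secrets.token_bytes(32)        # ①, ② randoms
    suite = max((s for s in client_suites if s in SUITES), key=SUITES.get)  # strongest common
    log = [("ClientHello", c_rand, client_suites), ("ServerHello", s_rand, suite, server_cert)]
    err = check_cert(server_cert, trust_store, hostname=hostname)            # ③ client checks
    if err:
        raise ValueError("client aborts: " + err)
    pre_master = b"\x03\x03" + secrets.token_bytes(46)                        # ④ 48-byte secret
    log.append(("ClientKeyExchange", rsa_raw(server_cert["pubkey"], int.from_bytes(pre_master, "big"))))
    if client_cert is not None:                                               # ⑤, ⑥ client auth
        sig = sign(client_priv, repr(log).encode())      # client signs the transcript so far
        err = check_cert(client_cert, trust_store, crl=crl)
        if err or not verify(client_cert["pubkey"], repr(log).encode(), sig):
            raise ValueError("server aborts: " + (err or "client signature does not verify"))
        log.append(("CertificateVerify", client_cert["subject"], sig))
    pm_server = rsa_raw(server_priv, log[2][1]).to_bytes(48, "big")           # ⑥ server decrypts
    def derive(pm):                                                           # ⑦ same on both sides
        master = prf(pm, b"master secret", c_rand + s_rand, 48)
        return master, prf(master, b"key expansion", s_rand + c_rand, 64)
    (c_master, c_keys), (s_master, s_keys) = derive(pre_master), derive(pm_server)
    digest = hashlib.sha256(repr(log).encode()).digest()                      # ⑧, ⑨ Finished
    for label, sender, receiver in ((b"client finished", c_master, s_master),
                                    (b"server finished", s_master, c_master)):
        if prf(sender, label, digest, 12) != prf(receiver, label, digest, 12):
            raise ValueError(label.decode() + " message does not verify")
    return c_keys, s_keys, suite

def protect(keys, seq, plaintext):
    """Toy record layer (step ⑩): HMAC keystream for secrecy, HMAC tag over seq||ciphertext."""
    ks = prf(keys[:32], b"stream", seq.to_bytes(8, "big"), len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    return ct + hmac.new(keys[32:], seq.to_bytes(8, "big") + ct, hashlib.sha256).digest()
def unprotect(keys, seq, record):
    ct, tag = record[:-32], record[-32:]
    if not hmac.compare_digest(tag, hmac.new(keys[32:], seq.to_bytes(8, "big") + ct, hashlib.sha256).digest()):
        raise ValueError("record integrity check failed")
    return bytes(c ^ k for c, k in zip(ct, prf(keys[:32], b"stream", seq.to_bytes(8, "big"), len(ct))))

def demo(mutual=True):
    """One-way (mutual=False) or two-way handshake, then one protected record from the client."""
    (ca_pub, ca_priv), (srv_pub, srv_priv), (cli_pub, cli_priv) = map(rsa_keypair, range(3))
    trust = {"Demo CA": ca_pub}                                   # constructed trust store
    srv_cert = issue_cert("Demo CA", ca_priv, "www.example.com", srv_pub, serial=1)
    cli_cert = issue_cert("Demo CA", ca_priv, "alice", cli_pub, serial=2) if mutual else None
    c_keys, s_keys, suite = handshake(srv_cert, srv_priv, trust, "www.example.com",
                                      ["RC4-MD5", "AES128-SHA", "AES256-SHA256"],
                                      cli_cert, cli_priv if mutual else None)
    seen = unprotect(s_keys, 0, protect(c_keys, 0, b"GET / HTTP/1.1"))
    return {"same_keys": c_keys == s_keys, "suite": suite, "server_saw": seen}
```

Call demo(mutual=False) for one-way authentication and demo(mutual=True) for two-way; pass crl={2} or a hostname other than www.example.com to handshake() to see the server abort at step ⑥ or the client abort at step ③, and flip a byte of a protected record before unprotect() to see the integrity check reject it. The two sides never compare their key blocks directly: the Finished values are the only evidence each has that the other derived the same master secret, which is exactly the role steps ⑧ and ⑨ play in the article.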
© 2024 shulou.com SLNews company. All rights reserved.