Shulou(Shulou.com)06/01 Report--

This article is to share with you about the specific process of SSL handshake. The editor thinks it is very practical, so share it with you as a reference and follow the editor to have a look.

The SSL handshake has three purposes: the client and server need to agree on a set of algorithms to protect data, they need to establish a set of encryption keys used by those algorithms, and the handshake can optionally authenticate the client.

Overview

SSL (Secure Socket Layer) secure socket protocol is a security mechanism that runs between the application layer and the TCP layer. To ensure the confidentiality and integrity of the upper application data transmission and the legitimacy of the double transmission identity. 1. Transmission encryption: after the handshake protocol defines the session key, all transmitted messages are encrypted by the session key. two。 Message integrity: MAC (message authentication code) is added to the transmitted message to check the integrity. 3. Authentication: client authentication (optional), server authentication (mandatory)

SSL protocol includes handshake protocol (Handshake protocol), SSLpassword change protocol (SSL change cipher spec protocol), alarm protocol (Alert protocol), recording protocol (Record protocol).

Handshake protocol is the first and most complex protocol of SSL connection communication.

SSL handshake protocol

Through the handshake process, the client and the server negotiate session parameters (including mutual authentication, negotiating encryption and MAC algorithms, generating session keys, etc.).

Phase I: building security capabilities

Client-client_hello:1. The highest version number of SSL that the client can support; 2. The 32-byte random number generated by the client; 3. Session identifier ID;4. List of cipher suites that the client can support; 5. A list of compression methods that the client can support.

Server-server_hello:1.SSL version number, which takes the lower of the received client SSL version and the highest version supported by the server; 2. The 32-byte random number generated by the server; 3. Session identifier ID;4. Select a cipher suite from the list of received client cipher suites (including key exchange algorithm, symmetric encryption algorithm, digest algorithm); 5. Select a compression method from the list of client compression methods received.

Second phase: server-side authentication and key exchange

Server-certificate: a server-side digital certificate containing public key information or a complete certificate chain to CA.

Server-server_key_exchange: optional, depending on the key negotiation algorithm, if the server certificate data transmitted to the client is not sufficient to negotiate the key according to the key exchange algorithm selected in the first stage, this step is insufficient for the key negotiation element.

Server-certificate_request: optional, request verification of client certificate information. One-way data authentication (authentication server only) does not have this step.

Server-server_hello_done: notifies the client that the version number and cipher suite negotiation is over.

Phase III: client authentication and key exchange

Client-certificate: optional, client digital certificate, in two-way data authentication, the server is required to verify the legitimacy of the client's identity.

Client-client_key_exchange: the client exchanges keys, depending on the key exchange algorithm, key negotiation parameters or pre-master key (server public key encryption).

Client-certificate_verify: optionally, the client sends the exchanged handshake message and the summary value of the session key to the server with the client private key encryption.

Phase IV: completion

Client-change_cipher_spec: change the password format information and tell the server that the message after it is encrypted with the session key.

Client-finished: announces the completion of the handshake protocol to the server.

Server-change_cipher_spec: change the password format information and tell the client that the subsequent message is encrypted with the session key.

Server-finished: announces to the client that the handshake protocol is complete.

Thank you for reading! This is the end of the article on "how the specific process of SSL handshake is". I hope the above content can be of some help to you, so that you can learn more knowledge. if you think the article is good, you can share it for more people to see!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.