Tuesday, October 5, 2010

SSL works



SSL is a security protocol that provides to use TCP / IP communications between the application of privacy and integrity. Internet Hypertext Transfer Protocol (HTTP) to use SSL to achieve secure communications.

Between the client and server data transmitted through the use of symmetric algorithms (such as DES or RC4) for encryption. Public key algorithm (usually RSA) is used to obtain the encryption key exchange and digital signatures, this algorithm uses the server's SSL digital certificate public key. With the server's SSL digital certificate, the client can verify the identity of the server. SSL protocol version 1 and 2 provide only server authentication. Version 3 adds client authentication, this certification also requires the client and the server's digital certificate.

SSL handshake /

SSL connections are always initiated by the client. SSL session at the beginning of the implementation of SSL handshake. This handshake produces the session password parameters. SSL handshake on how to deal with a simple outline, as shown below. This example assumes that in Web browsers and Web servers to establish a SSL connection.






(1) client to send out capacity of the client password client "Hello" message (to client preference order), such as the SSL version of the password on the client support and client support for data compression. Message also contains 28 bytes of random numbers.

(2) server to server "Hello" message response, this message contains password methods (password pair) and selected by the server, data compression, and the session ID and another random number.

Note: client and server must support at least one public password pair, or handshake failure. Server generally choose the largest public password pair.

(3) The server sends its SSL digital certificate. (Server with SSL, X.509 V3 digital certificates.)

If the server uses SSL V3, and the server application (such as Web server) needs a digital certificate for client authentication, the client will issue a "digital certificate request" message. In the "digital certificate request" message, the server to issue digital certificates to support the client list of the types and acceptable CA names.

(4) server to issue server "Hello to complete" message and wait for client response.

(5) a receiving server "Hello to complete" message, the client (Web browser) to verify the server's SSL digital certificate and check the validity of the server's "Hello" message parameters is acceptable.

If the server requested client digital certificate, the client will send its digital certificate; or, if no suitable digital certificate is available, the client will send a "no digital certificate" warning. This warning is just a warning, but if the client digital certificate authentication is mandatory, then the session server application will fail.

(6) The client sends a "client key exchange" message.

This message contains the pre-master secret (a symmetric encryption key used in the generation of 46-byte random number), and message authentication code (MAC) key (with the server's public key encryption).

If the client sends a client-side digital certificate to the server, the client will issue a signed client's private key "digital certificate authentication" message. By verifying the signature of this message, the server can display digital certificates verify the ownership of the client.

Note: If the server does not belong to a digital certificate private key, it will not decrypt the pre-master password, can not create the correct key is a symmetric encryption algorithm, and the handshake will fail.

(7) client using a series of encryption algorithms will be pre-master secret into a master secret, which will send all birth for encryption and message authentication key. Then, the client issued a "change password specification" message will be converted to the new consultation server password pair. The next client to issue a message ("not complete" message) to use this password key encryption method and the first message.

(8) server to its own "Change Password norms" and "completed" message response.

(9) SSL handshake over, and the application can send encrypted data.







Recommended links:



SWsoft Virtuozzo: Maverick chaser



CMMB TD and who needs who more?



Baidu to "PPC" rectification AND apology



Ehrecvr Exe Crashes Easy Fix



MOD converter



MOD to MPG



"Sacred 2 Fallen Angel," Raiders special mounts detailed process



Shop Kids Education



Sonic Foundry Vegas 4.0 Image Sharpening novice Collection 28



Picked Anti-Spam And Anti-Spy Tools



The bitmap on the Symbian OPERATING



HP means to maintain the integrity of former coach



Intellectual Property Rights Is Not Instead Of Themselves



MSN's new fashion derivative can invite friends online to LISTEN to music all day



DAT to MP4



No comments:

Post a Comment