Safety Certification Series - (a) https principle of one-way authentication and mutual authentication

A recent CA certificate management when this function, interaction with the PKI certificate authority, NGINX one-way two-way service configuration from end to NGINX APP to normal background can already secure authentication and data exchange, but also understand the basic one-way authentication and the principle of mutual authentication. I read a lot of times, but every few days they forgot, or did not feel thoroughly understand look. Make it difficult subject, I am here and then with a few other heavyweights understanding of the principle of one-way authentication and mutual authentication, to help consolidate their own understanding of what a two-way one-way authentication and certification principles.

Basic principles

Digital certificates provide for the public key published an easy way to become its digital certificate and public key encryption algorithm carrier, relies on digital certificates, we can build a simple encryption network application platform, a digital certificate is like our lives identity , reality, identity cards issued by the public security organs, while the identity of a network user credentials issued by a certificate authority -CA issued only after CA certificate issued by the network only with the authentication of, is not a simple CA defenses, which brings together a variety of cryptographic algorithms:
message digest algorithm : the MD5, and the SHA (digital certificates do province summary process for the server to verify data integrity)
symmetric encryption algorithms : RC2, RC4, IDEA, DES , AES (data encryption / decryption operations, to ensure data confidentiality services)
asymmetric encryption algorithms : RSA, DH (data encryption / decryption operations, to ensure data confidentiality services)
digital signature algorithms : RSA, DSA ( data signing / verification operation to ensure the integrity and non-repudiation of data).

Certificate issuance process is actually doing to request a digital certificate public key digital signature certificate validation process is actually a public key digital signature verification certificate to do, which also contains the validity of the certificate authentication, CA digital certificate through our network data transmission to encrypt / decrypt and sign / verify operation, ensure data confidentiality, integrity, non-repudiation, authentication, to ensure the authenticity of the identity of the trading entity, to ensure network security.

Encoding format

All certificates have a variety of file encoding formats, including:
CER coding (encoding format specification) : it is an encoding format digital certificate, which is a variant of BER (basic encoding format), and more stringent provisions than the BER
DER (Excellence encoding format) : a variation of the BER is also different in that the CER, DER mode using fixed length, and variable-length mode CER.

All certificates are in line with international standards ITU-T X509 Public Key Infrastructure (PKI) to develop, PKCS (Public Key Cryptography Standards) to promote the development of public key cryptography and developed by RSA Laboratories and other security system developers a set of criteria such as: PKCS # 7 (cryptographic message syntax standard ---- file extensions: .p7b, .p7c, .spc), PKCS # 10 (certificate request syntax standard ---- file extensions: .p10, .csr ), PKCS # 12 (personal information exchange syntax standard ---- file extensions: .p12, .pfx), etc.

After obtaining a digital certificate, you can save it in the computer, can also be saved in the appropriate device like USB Key.

Transfer Protocol

• HTTP
  Profile:
  HyperText Transfer Protocol, Hypertext Transfer Protocol, is one of the most widely used protocol on the Internet, all WWW documents must follow the standards. HTTP protocol to transmit data is unencrypted, clear text that is, so using HTTP protocol to transmit private information very unsafe.
  Using TCP port: 80
• The HTTPS
  the Hyper the Secure the Text Transfer Protocol over the Socket Layer, secure hypertext transfer protocol, Wang Jinggong design a security session in SSL (Secure Sockets Layer) protocol for data transmission protocol Http encrypted guaranteed.
  Using TCP port 443 by default

• SSL encryption protocol
  SSL protocol that is used in symmetric encryption is also used in asymmetric encryption (public key cryptography), in the establishment of a transmission link, SSL first symmetric encryption key using the public key for asymmetric encryption, a link is set up after, SSL encrypted using a symmetric content transmission.
  1. Symmetric encryption
  speed is high, a large content can be encrypted, the process used to encrypt the message session.
  2. The public key encryption
  to encrypt slower, but provides better authentication techniques, used to encrypt the symmetric encryption key.

• Way authentication
  Https Socket connection before establishing required handshaking procedure is as follows:

1. The client sends information SSL protocol version number, the type of encryption algorithm, a random number to the server.
2. The server returns the information to the client SSL protocol version number, the type of encryption algorithm, random numbers, but also return the certificate server that the public key certificate
3. The client uses the information to verify the legitimacy of the server returned from the server, including: whether the certificate is expired, CA hairstyle server certificate is reliable, whether to return the correct public key can unlock the return digital signature certificate, the domain name on the server certificate and the server matches the actual domain, etc., after the verification, the communication continues, otherwise, terminating the communication.
4. The client sends their best to support symmetric encryption scheme to the server for the server to choose
5. The server selects the highest encryption level of encryption in the encryption scheme provided by the client.
6. The server selects a good encryption scheme back to the client through the plaintext
7. After receiving a service returned by the encryption method, the encryption method used to generate a random code is generated, the communication process as a symmetric encryption key using the public key returned from the server is encrypted, the encrypted random code is sent to the server
8. After the server receives encrypted information returned by the client, using its own private key to decrypt the symmetric encryption key acquisition. In the next session, the server and the client will use the password for symmetric encryption, secure communication process information.

• Mutual Authentication

       Two-way and one-way authentication authentication basic principle, only in addition to the client needs to authenticate the server, increasing server to authenticate the client, the specific process is as follows:

1. The client sends information SSL protocol version number, the type of encryption algorithm, a random number to the server.
2. The server returns the information to the client SSL protocol version number, the type of encryption algorithm, random numbers, but also return the certificate server that the public key certificate
3. The client uses the information to verify the legitimacy of the server returned from the server, including: whether the certificate is expired, CA hairstyle server certificate is reliable, whether to return the correct public key can unlock the return digital signature certificate, the domain name on the server certificate and the server matches the actual domain, etc., after the verification, the communication continues, otherwise, terminating the communication.
4. The server requires the client to send a client certificate, the client will own certificate is sent to the server
5. Verify the client's certificate, authenticated, the client will obtain the public key
6. The client sends their best to support symmetric encryption scheme to the server for the server to choose
7. The server selects the highest encryption level of encryption in the encryption scheme provided by the client
8. The encryption scheme previously acquired by using the public key encrypted, returned to the client
9. After the client receives an encrypted program ciphertext returned from the server, using its private key to decrypt the encrypted obtain specific manner, and then, generating a random code of the cryptosystem, the key used in the encryption process, prior to use from the service after the end of the public key certificate acquired encrypted, it is sent to the server
10. After the server receives the message sent by the client, uses its own private key to decrypt the symmetric encryption key acquired in the next session, the server and the client will use the symmetric encryption password to ensure communication process security information.

doubt:

1, the client is how to verify server certificate of legitimacy, what criteria? General client also fitted with a temporary certificate issued by a certificate authority, communication Well, certainly there must be identity or to take the client to the server PKI certificate authority validates? Think it is, I have here a temporary certificate issued by the PKI, PKI can be used as a token to apply for verification.

2, the difference between one-way authentication, mutual authentication is two-way certificate authentication verifies the client and obtain the client's public key, bring the client's public key to encrypt the time server sends back an encryption scheme to the client, returned to the client .

Also for subsequent supplementary question again

References:

https://blog.csdn.net/ayang1986/article/details/80810050

https://blog.csdn.net/qq_25406669/article/details/80596664