Preface
Study notes for the course "Detailed Web Protocol and Packet Capture", lectured by Tao Hui
Course content:
- HTTP, TLS/SSL and TCP/IP: learn the web protocol stack top-down, starting from the application layer and the principles of TLS
- Hands-on verification with packet-capture tools: the Chrome Network panel, tcpdump and Wireshark
How the TLS protocol works
TLS/SSL is built from three kinds of basic algorithms: hash functions, symmetric encryption and asymmetric encryption. Asymmetric encryption is used for identity authentication and key negotiation; the symmetric cipher encrypts the data with the negotiated key; and a hash-based MAC verifies the integrity of each message.
Design goals:
- Authentication
- Confidentiality
- Integrity
TLS protocol content:
- Record protocol
  - Symmetric encryption of application data
- Handshake protocol
  - Verify the identity of the communicating parties
  - Negotiate the cipher suite used for encryption and decryption
  - Negotiate the encryption parameters (keys, IVs)
TLS cipher suites
A TLS 1.2 cipher suite name such as TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 spells out the key exchange (ECDHE), the authentication algorithm (RSA), the bulk cipher and mode (AES-128-GCM) and the PRF/MAC hash (SHA-256).
How does encryption work?
This section covers the use of AES symmetric encryption on the network; for the underlying concepts see my other article, The Cryptographic Foundation of Web Security.
The core operation of symmetric encryption: XOR (exclusive OR)
Padding
- Block cipher: the plaintext is split into equal-length blocks, and each block is encrypted or decrypted separately
- Purpose: when the last plaintext block is shorter than the block size, it must be padded up to a full block
- Padding method:
Block cipher modes of operation
ECB mode: Electronic Codebook
- The plaintext is simply split into blocks and each block is encrypted independently
- Problem: identical plaintext blocks give identical ciphertext blocks, so the structure of the data is not hidden
CBC mode: Cipher Block Chaining
- Each plaintext block is XORed with the previous ciphertext block before being encrypted (the first block is XORed with an IV)
- Problem: encryption is inherently serial, one block after another, and cannot be parallelized
CTR mode: Counter mode
- A key stream is generated by encrypting an incrementing counter; the plaintext is XORed with that key stream
- Problem: provides no integrity check of the ciphertext; a flipped ciphertext bit flips the same plaintext bit and nothing detects it
Integrity verification of encrypted messages: hash functions
A MAC (Message Authentication Code) built on a hash function (e.g. HMAC) is used for integrity verification
GCM mode
- Galois/Counter Mode
- Equivalent to CTR + GMAC: CTR for encryption and a Galois-field MAC over the ciphertext for authentication (an AEAD mode)
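As an added example (not part of the course notes), the following Go program demonstrates the padding and mode properties described above with the standard library's AES: PKCS#7 padding and its validation (the notes do not name a padding scheme; PKCS#7 is this example's assumption), ECB leaking the repeated block, CBC hiding it, CTR accepting a bit flip silently, and GCM rejecting the same flip. The 32-byte sample message and the random key are constructed for the demo.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// sample is constructed input: two identical 16-byte blocks, so any mode that
// encrypts blocks independently produces two identical ciphertext blocks.
var sample = bytes.Repeat([]byte("ATTACK AT DAWN!!"), 2)

func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// pkcs7Pad appends n bytes of value n to reach a multiple of blockSize; an already
// aligned input gets a whole extra block so that unpadding is never ambiguous.
func pkcs7Pad(b []byte, blockSize int) []byte {
	n := blockSize - len(b)%blockSize
	return append(append([]byte{}, b...), bytes.Repeat([]byte{byte(n)}, n)...)
}

// pkcs7Unpad validates the padding. On a network protocol the error must not
// reveal which check failed, or it becomes a padding oracle against CBC.
func pkcs7Unpad(b []byte, blockSize int) ([]byte, error) {
	if len(b) == 0 || len(b)%blockSize != 0 {
		return nil, errors.New("bad length")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > blockSize || !bytes.Equal(b[len(b)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad padding")
	}
	return b[:len(b)-n], nil
}

// ecbEncrypt pushes each block through the raw cipher with no chaining; the
// standard library deliberately offers no ECB mode, so it is written out here.
func ecbEncrypt(key, pt []byte) []byte {
	block, _ := aes.NewCipher(key)
	ct := make([]byte, len(pt))
	for i := 0; i < len(pt); i += block.BlockSize() {
		block.Encrypt(ct[i:], pt[i:]) // exactly one block per call
	}
	return ct
}

// cbcRoundTrip pads, encrypts under CBC with a fresh random IV, decrypts and
// unpads; it also reports whether the first two ciphertext blocks differ.
func cbcRoundTrip(key, msg []byte) (out []byte, blocksDiffer bool, err error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return
	}
	iv := randBytes(block.BlockSize())
	padded := pkcs7Pad(msg, block.BlockSize())
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	out, err = pkcs7Unpad(pt, block.BlockSize())
	blocksDiffer = len(ct) >= 32 && !bytes.Equal(ct[:16], ct[16:32])
	return
}

// ctrBitFlip flips one ciphertext bit without the key; CTR decrypts it to a
// changed plaintext and nothing complains, because CTR gives confidentiality only.
func ctrBitFlip(key []byte) string {
	block, _ := aes.NewCipher(key)
	iv := randBytes(block.BlockSize())
	ct := make([]byte, len(sample))
	cipher.NewCTR(block, iv).XORKeyStream(ct, sample)
	ct[0] ^= 'A' ^ 'R' // turns "ATTACK" into "RTTACK"
	pt := make([]byte, len(ct))
	cipher.NewCTR(block, iv).XORKeyStream(pt, ct)
	return string(pt[:6])
}

// gcmBitFlip applies the same flip to an AES-GCM ciphertext; Open rejects it
// because the GMAC tag no longer matches.
func gcmBitFlip(key []byte) bool {
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	nonce := randBytes(gcm.NonceSize()) // must never repeat under the same key
	ct := gcm.Seal(nil, nonce, sample, nil)
	ct[0] ^= 'A' ^ 'R'
	_, err := gcm.Open(nil, nonce, ct, nil)
	return err != nil
}

func main() {
	key := randBytes(16) // AES-128
	ecb := ecbEncrypt(key, sample)
	_, differ, err := cbcRoundTrip(key, sample)
	fmt.Println("ECB leaks block pattern:", bytes.Equal(ecb[:16], ecb[16:]))
	fmt.Println("CBC blocks differ:", differ, "err:", err)
	fmt.Println("CTR plaintext after bit flip:", ctrBitFlip(key))
	fmt.Println("GCM rejects the same flip:", gcmBitFlip(key))
}
```

The CTR and GCM functions flip the same bit; the only difference is that GCM's tag covers the ciphertext, which is exactly the "CTR + GMAC" point above.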
AES encryption algorithm
Advanced Encryption Standard
AES block and key lengths:
- The AES block length is 128 bits (16 bytes)
- There are three key lengths: 128, 192 and 256 bits (10, 12 and 14 rounds respectively)
Encryption steps:
Encryption process:
- C = E(K, P)
- Where C is the ciphertext, E the encryption function, P the plaintext and K the key
- Initial round
  - AddRoundKey
- Main rounds (repeated Nr-1 times: 9, 11 or 13 depending on the key length)
  - SubBytes (byte substitution)
  - ShiftRows (row shift)
  - MixColumns (column mixing)
  - AddRoundKey
- Final round (no MixColumns)
  - SubBytes (byte substitution)
  - ShiftRows (row shift)
  - AddRoundKey
The four operations in a round
Together these four operations thoroughly confuse and diffuse the input bits. For details, see the detailed introduction and implementation of the AES encryption algorithm.
SubBytes (byte substitution)
AES byte substitution is a simple table lookup: AES defines an S-box (for encryption) and an inverse S-box (for decryption).
AES S-box:
Row/column | 0 | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | A | B | C | D | E | F |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
0 | 0x63 | 0x7c | 0x77 | 0x7b | 0xf2 | 0x6b | 0x6f | 0xc5 | 0x30 | 0x01 | 0x67 | 0x2b | 0xfe | 0xd7 | 0xab | 0x76 |
1 | 0xca | 0x82 | 0xc9 | 0x7d | 0xfa | 0x59 | 0x47 | 0xf0 | 0xad | 0xd4 | 0xa2 | 0xaf | 0x9c | 0xa4 | 0x72 | 0xc0 |
2 | 0xb7 | 0xfd | 0x93 | 0x26 | 0x36 | 0x3f | 0xf7 | 0xcc | 0x34 | 0xa5 | 0xe5 | 0xf1 | 0x71 | 0xd8 | 0x31 | 0x15 |
3 | 0x04 | 0xc7 | 0x23 | 0xc3 | 0x18 | 0x96 | 0x05 | 0x9a | 0x07 | 0x12 | 0x80 | 0xe2 | 0xeb | 0x27 | 0xb2 | 0x75 |
4 | 0x09 | 0x83 | 0x2c | 0x1a | 0x1b | 0x6e | 0x5a | 0xa0 | 0x52 | 0x3b | 0xd6 | 0xb3 | 0x29 | 0xe3 | 0x2f | 0x84 |
5 | 0x53 | 0xd1 | 0x00 | 0xed | 0x20 | 0xfc | 0xb1 | 0x5b | 0x6a | 0xcb | 0xbe | 0x39 | 0x4a | 0x4c | 0x58 | 0xcf |
6 | 0xd0 | 0xef | 0xaa | 0xfb | 0x43 | 0x4d | 0x33 | 0x85 | 0x45 | 0xf9 | 0x02 | 0x7f | 0x50 | 0x3c | 0x9f | 0xa8 |
7 | 0x51 | 0xa3 | 0x40 | 0x8f | 0x92 | 0x9d | 0x38 | 0xf5 | 0xbc | 0xb6 | 0xda | 0x21 | 0x10 | 0xff | 0xf3 | 0xd2 |
8 | 0xcd | 0x0c | 0x13 | 0xec | 0x5f | 0x97 | 0x44 | 0x17 | 0xc4 | 0xa7 | 0x7e | 0x3d | 0x64 | 0x5d | 0x19 | 0x73 |
9 | 0x60 | 0x81 | 0x4f | 0xdc | 0x22 | 0x2a | 0x90 | 0x88 | 0x46 | 0xee | 0xb8 | 0x14 | 0xde | 0x5e | 0x0b | 0xdb |
A | 0xe0 | 0x32 | 0x3a | 0x0a | 0x49 | 0x06 | 0x24 | 0x5c | 0xc2 | 0xd3 | 0xac | 0x62 | 0x91 | 0x95 | 0xe4 | 0x79 |
B | 0xe7 | 0xc8 | 0x37 | 0x6d | 0x8d | 0xd5 | 0x4e | 0xa9 | 0x6c | 0x56 | 0xf4 | 0xea | 0x65 | 0x7a | 0xae | 0x08 |
C | 0xba | 0x78 | 0x25 | 0x2e | 0x1c | 0xa6 | 0xb4 | 0xc6 | 0xe8 | 0xdd | 0x74 | 0x1f | 0x4b | 0xbd | 0x8b | 0x8a |
D | 0x70 | 0x3e | 0xb5 | 0x66 | 0x48 | 0x03 | 0xf6 | 0x0e | 0x61 | 0x35 | 0x57 | 0xb9 | 0x86 | 0xc1 | 0x1d | 0x9e |
E | 0xe1 | 0xf8 | 0x98 | 0x11 | 0x69 | 0xd9 | 0x8e | 0x94 | 0x9b | 0x1e | 0x87 | 0xe9 | 0xce | 0x55 | 0x28 | 0xdf |
F | 0x8c | 0xa1 | 0x89 | 0x0d | 0xbf | 0xe6 | 0x42 | 0x68 | 0x41 | 0x99 | 0x2d | 0x0f | 0xb0 | 0x54 | 0xbb | 0x16 |
Each element of the state matrix is mapped to a new byte as follows: the upper 4 bits of the byte select the row and the lower 4 bits select the column, and the element at that position in the S-box (or inverse S-box) is the output. For example, during encryption, if the state byte S1 is 0x12, look up row 0x1, column 0x2 of the S-box to get 0xc9, and replace the original 0x12 in S1 with 0xc9.
Likewise, the inverse byte substitution during decryption uses the inverse S-box for the lookup.
ShiftRows (row shift)
Each row of the state matrix is rotated cyclically:
- The first row is unchanged
- The second row is rotated left by 1 byte
- The third row is rotated left by 2 bytes
- The fourth row is rotated left by 3 bytes
The inverse row shift performs the opposite rotation on each row of the state matrix (i.e. a right rotation by the same amount).
MixColumns (column mixing)
Column mixing is a matrix multiplication: each column of the state is multiplied by a fixed 4x4 matrix, with the arithmetic done in the finite field GF(2^8). It is linear algebra over a finite field; see the references if you want to go deeper.
AddRoundKey
The state is XORed with the 128-bit round key for this round.
Key expansion
The key schedule expands the cipher key into Nr+1 round keys: one for the initial round and one for each subsequent round.
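The following Go code is an added illustration, not the course's own implementation. It derives the S-box from its definition (multiplicative inverse in GF(2^8) followed by the affine transform) instead of typing in the table, so the value at row 1, column 2 can be checked to be 0xc9, and it implements the four round operations on the 4x4 state. Key expansion is not shown; the round key is passed in as a plain 16-byte array.

```go
package main

import "fmt"

// gfMul multiplies two elements of GF(2^8) using the AES polynomial x^8+x^4+x^3+x+1.
func gfMul(a, b byte) byte {
	var p byte
	for b != 0 {
		if b&1 != 0 {
			p ^= a
		}
		hi := a & 0x80
		a <<= 1
		if hi != 0 {
			a ^= 0x1b
		}
		b >>= 1
	}
	return p
}

// buildSBox derives the S-box instead of hard-coding the table: each byte is replaced
// by its multiplicative inverse in GF(2^8) (0 stays 0), then by the affine map
// s = b ^ rotl(b,1) ^ rotl(b,2) ^ rotl(b,3) ^ rotl(b,4) ^ 0x63.
func buildSBox() (sbox [256]byte) {
	for x := 0; x < 256; x++ {
		var inv byte
		for y := 1; x != 0 && y < 256; y++ { // brute-force inverse; fine for 256 values
			if gfMul(byte(x), byte(y)) == 1 {
				inv = byte(y)
				break
			}
		}
		v := inv
		for i := uint(1); i <= 4; i++ {
			v ^= inv<<i | inv>>(8-i)
		}
		sbox[x] = v ^ 0x63
	}
	return
}

// State is the 4x4 byte matrix AES works on, indexed [row][column]; input byte i
// sits at row i%4, column i/4 (column-major order, as in FIPS-197).
type State [4][4]byte

// subBytes replaces every state byte via the S-box (upper nibble = row, lower = column).
func subBytes(s State, sbox *[256]byte) State {
	for r := 0; r < 4; r++ {
		for c := 0; c < 4; c++ {
			s[r][c] = sbox[s[r][c]]
		}
	}
	return s
}

// shiftRows rotates row r left by r positions; row 0 is unchanged.
func shiftRows(s State) (out State) {
	for r := 0; r < 4; r++ {
		for c := 0; c < 4; c++ {
			out[r][c] = s[r][(c+r)%4]
		}
	}
	return
}

// mixColumn multiplies one column by the fixed circulant matrix (2 3 1 1) over GF(2^8).
func mixColumn(a [4]byte) [4]byte {
	return [4]byte{
		gfMul(a[0], 2) ^ gfMul(a[1], 3) ^ a[2] ^ a[3],
		a[0] ^ gfMul(a[1], 2) ^ gfMul(a[2], 3) ^ a[3],
		a[0] ^ a[1] ^ gfMul(a[2], 2) ^ gfMul(a[3], 3),
		gfMul(a[0], 3) ^ a[1] ^ a[2] ^ gfMul(a[3], 2),
	}
}

func mixColumns(s State) (out State) {
	for c := 0; c < 4; c++ {
		m := mixColumn([4]byte{s[0][c], s[1][c], s[2][c], s[3][c]})
		for r := 0; r < 4; r++ {
			out[r][c] = m[r]
		}
	}
	return
}

// addRoundKey XORs a 16-byte round key into the state in the same column-major order.
func addRoundKey(s State, rk [16]byte) State {
	for i, k := range rk {
		s[i%4][i/4] ^= k
	}
	return s
}

// aesRound is one encryption round; the final round skips MixColumns.
func aesRound(s State, rk [16]byte, sbox *[256]byte, final bool) State {
	s = shiftRows(subBytes(s, sbox))
	if !final {
		s = mixColumns(s)
	}
	return addRoundKey(s, rk)
}

func main() {
	sbox := buildSBox()
	fmt.Printf("S-box[0x12] = %#x (table row 1, column 2)\n", sbox[0x12])
	fmt.Printf("MixColumns(db 13 53 45) = % x\n", mixColumn([4]byte{0xdb, 0x13, 0x53, 0x45}))
}
```

Generating the S-box this way is also how you would check a hard-coded table in a vendored implementation: a single wrong entry breaks interoperability and may weaken the cipher, and it is invisible in a 256-byte blob.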
Asymmetric encryption
Encryption process:
RSA algorithm
Refer to The Cryptographic Foundation of Web Security for the basics.
In TLS, RSA is mainly used within the CA certificate system (signing certificates and verifying those signatures).
Verifying RSA with openssl
```shell
openssl genrsa -out private.pem 2048                                          # generate a private key (state the size explicitly)
openssl rsa -in private.pem -pubout -out public.pem                           # derive the public key from the private key
openssl asn1parse -i -in private.pem                                          # view the private key in ASN.1 format
openssl asn1parse -i -in public.pem                                           # view the public key in ASN.1 format
openssl rsautl -encrypt -in hello.txt -inkey public.pem -pubin -out hello.en  # encrypt with the RSA public key
openssl rsautl -decrypt -in hello.en -inkey private.pem -out hello.de         # decrypt with the RSA private key
```
`rsautl` is deprecated in OpenSSL 3.0; the equivalent is `openssl pkeyutl -encrypt -pubin -inkey public.pem -in hello.txt -out hello.en` (and `-decrypt` with the private key). Both default to PKCS#1 v1.5 padding; prefer OAEP (`-pkeyopt rsa_padding_mode:oaep`) for anything new.
- Generate private key
- Generate public key from private key
- View the private key in ASN.1 format
- View the public key in ASN.1 format
- Use RSA for encryption and decryption
Asymmetric encryption application: the PKI certificate system
The core idea of a digital signature: the sender signs with its private key, and anyone holding the public key can verify the signature. Everyone with the public key can therefore tell who sent a message, which provides identity authentication.
RSA on its own cannot guarantee that the server's identity is legitimate, because a bare public key carries no information about the server; at least two problems follow: man-in-the-middle attacks and repudiation of messages.
The key to solving this authentication problem is to make sure the public key the client obtains is legitimate and can be used to verify the server's identity. For this an authoritative third party, the CA (certificate authority, e.g. WoSign), is introduced. The CA verifies the information of the public key's owner and issues a "certificate" attesting to it, and also provides certificate verification services to users; together this is the PKI system (see PKI basics).
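Added example in Go (not from the course notes) of the two ideas above: sign/verify with RSA-PSS, OAEP encryption and decryption mirroring the openssl commands, and the authentication gap, where a signature from a key pair minted by a man in the middle verifies just as well under that attacker's public key. The message string is constructed, and the function names are this example's.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

func newKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// sign hashes msg with SHA-256 and signs the digest with RSA-PSS, the RSA signature
// scheme TLS 1.3 requires (PKCS#1 v1.5 is the older alternative).
func sign(priv *rsa.PrivateKey, msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest[:], nil)
}

// verify reports whether sig is a valid signature over msg under pub.
func verify(pub *rsa.PublicKey, msg, sig []byte) bool {
	digest := sha256.Sum256(msg)
	return rsa.VerifyPSS(pub, crypto.SHA256, digest[:], sig, nil) == nil
}

// encrypt and decrypt mirror the rsautl commands above but use OAEP padding;
// PKCS#1 v1.5 encryption (rsautl's default) is exposed to Bleichenbacher's
// padding-oracle attack when the decryptor leaks padding failures.
func encrypt(pub *rsa.PublicKey, msg []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, msg, nil)
}

func decrypt(priv *rsa.PrivateKey, ct []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ct, nil)
}

// Result collects the three signature checks run by demo.
type Result struct {
	Genuine  bool // the server's signature verifies under the server's public key
	Tampered bool // the same signature checked against a modified message
	MITM     bool // an attacker's signature verifies under the attacker's own public key
}

// demo shows why a bare public key does not authenticate the server: Mallory's key
// pair is as valid as the server's, and nothing in the signature says who owns the key.
func demo() (Result, error) {
	var r Result
	server, err := newKey()
	if err != nil {
		return r, err
	}
	msg := []byte("ServerKeyExchange: g, p, A") // constructed sample message
	sig, err := sign(server, msg)
	if err != nil {
		return r, err
	}
	r.Genuine = verify(&server.PublicKey, msg, sig)
	r.Tampered = verify(&server.PublicKey, []byte("ServerKeyExchange: g, p, A'"), sig)

	mallory, err := newKey()
	if err != nil {
		return r, err
	}
	msig, err := sign(mallory, msg)
	if err != nil {
		return r, err
	}
	r.MITM = verify(&mallory.PublicKey, msg, msig) // the client cannot tell Mallory from the server
	return r, nil
}

func main() {
	r, err := demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", r)
}
```

The `MITM` result is the whole motivation for certificates: the verifier needs an out-of-band binding between the public key and an identity, which is what the CA's signature over the certificate supplies.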
- Public key management: Public Key Infrastructure (PKI)
  - The Certificate Authority (CA) binds a user's identity information to the user's public key
- Composition of a public key digital certificate
  - CA information, information about the public key's owner, the public key itself, the CA's signature, and the certificate validity period
- PKI users
  - Users who have their public key certified by the CA
  - Users who want to use a certified public key
The concrete process in which a CA is used: certificate issuance and certificate verification by the client
Certificate trust chain: the server certificate, the intermediate certificate(s) and the root certificate together form a valid certificate chain. Verification walks from the server certificate up through the intermediates to a root the client already trusts, so trust is passed down the chain from the root.
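To make the trust-chain point concrete, here is an added Go example (not the course's code) that plays CA: it mints a root, an intermediate and a server certificate, verifies the chain the way a TLS client does, and shows that an attacker's well-formed chain for the same host name fails because his root is not in the trust store. The names (Example Root CA, www.example.com, Evil CA) are placeholders.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// entity is a certificate together with the private key matching its public key.
type entity struct {
	cert *x509.Certificate
	key  *rsa.PrivateKey
}

// issue creates a certificate for name and signs it with issuer's key; with issuer
// nil the certificate is self-signed, which is how a root CA is made.
func issue(name string, isCA bool, issuer *entity) (*entity, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(365 * 24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{name} // clients match the host against SANs, not the CN
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	parent, signer := tmpl, key
	if issuer != nil {
		parent, signer = issuer.cert, issuer.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &entity{cert: cert, key: key}, nil
}

// verifyChain does what a TLS client does: build a path from the server certificate
// through the supplied intermediates to a root in the trust store, checking the
// signatures, validity periods, CA constraints and the host name.
func verifyChain(leaf *x509.Certificate, intermediates, roots []*x509.Certificate, host string) error {
	rootPool, interPool := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range roots {
		rootPool.AddCert(c)
	}
	for _, c := range intermediates {
		interPool.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: rootPool, Intermediates: interPool, DNSName: host})
	return err
}

// demo builds root -> intermediate -> server and checks three cases.
func demo() (valid, untrustedRoot, wrongHost bool, err error) {
	root, err := issue("Example Root CA", true, nil)
	if err != nil {
		return
	}
	inter, err := issue("Example Intermediate CA", true, root)
	if err != nil {
		return
	}
	server, err := issue("www.example.com", false, inter)
	if err != nil {
		return
	}
	// A man in the middle can mint a perfectly well-formed chain for the same
	// name, but his root is not in the client's trust store.
	evilRoot, err := issue("Evil CA", true, nil)
	if err != nil {
		return
	}
	evilServer, err := issue("www.example.com", false, evilRoot)
	if err != nil {
		return
	}
	trusted := []*x509.Certificate{root.cert}
	inters := []*x509.Certificate{inter.cert}
	valid = verifyChain(server.cert, inters, trusted, "www.example.com") == nil
	untrustedRoot = verifyChain(evilServer.cert, nil, trusted, "www.example.com") == nil
	wrongHost = verifyChain(server.cert, inters, trusted, "mail.example.com") == nil
	return
}

func main() {
	valid, untrusted, wrongHost, err := demo()
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine chain:", valid, " attacker chain:", untrusted, " wrong host:", wrongHost)
}
```

Note that the client only needs the root in its trust store; the intermediate is supplied by the server during the handshake, which is why a server that forgets to send its intermediate fails verification on clients that do not fetch it themselves.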
PKI public key infrastructure
Certificate type
Asymmetric encryption application: the DH key exchange protocol
RSA key exchange
- No forward secrecy: if an attacker records all traffic between the two parties and one day obtains the server's private key, it can decrypt the symmetric key of every recorded session and therefore all of the past communication!
- To solve this problem, the DH key exchange protocol is used instead
DH key exchange protocol algorithm
Core principle: Alice sends A = g^a mod p and Bob sends B = g^b mod p; each side then computes the shared secret B^a mod p = A^b mod p = g^(ab) mod p, while a and b never leave their owners
Keys:

| | Alice (client) | Bob (server) |
|---|---|---|
| Public | g, p, A | B |
| Private | a | b |

Examples:
Problems with the DH key exchange protocol:
- Man-in-the-middle forgery attack: nothing authenticates A or B, so an attacker can substitute its own values
- The computation is expensive and slow
Solution: use the ECDH key exchange protocol
- DH relies on the difficulty of the discrete logarithm problem
- ECDH relies on the difficulty of the elliptic curve discrete logarithm problem, which allows much shorter keys for the same security level
Key principles:
ECDH steps:
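Added Go example, not from the course, of the exchange in the table above in the same notation, plus the two problems listed: the range check a peer should apply to a received public value, a man in the middle substituting his own value for B, and ECDH over P-256 via crypto/ecdh for comparison. The 256-bit prime is generated on the fly so the program is self-contained; it stands in for a fixed, vetted group and is an assumption of this example.

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/rand"
	"errors"
	"fmt"
	"math/big"
)

// party holds one side of a finite-field DH exchange in the page's notation:
// public (g, p, A or B), private (a or b).
type party struct {
	p, g, priv, pub *big.Int
}

// newParty picks a private exponent in [2, p-2] and publishes g^priv mod p.
func newParty(p, g *big.Int) (*party, error) {
	limit := new(big.Int).Sub(p, big.NewInt(3))
	r, err := rand.Int(rand.Reader, limit)
	if err != nil {
		return nil, err
	}
	priv := r.Add(r, big.NewInt(2))
	return &party{p: p, g: g, priv: priv, pub: new(big.Int).Exp(g, priv, p)}, nil
}

// shared computes peerPub^priv mod p; both sides reach g^(ab) mod p without ever
// sending a or b. The range check rejects the degenerate values 0, 1 and p-1 that
// an attacker could substitute to force a predictable secret.
func (pt *party) shared(peerPub *big.Int) (*big.Int, error) {
	pMinus1 := new(big.Int).Sub(pt.p, big.NewInt(1))
	if peerPub.Cmp(big.NewInt(1)) <= 0 || peerPub.Cmp(pMinus1) >= 0 {
		return nil, errors.New("invalid peer public value")
	}
	return new(big.Int).Exp(peerPub, pt.priv, pt.p), nil
}

// dhGroup returns a random 256-bit prime and g=2. This is only a stand-in so the
// example is self-contained; real deployments use fixed, vetted groups of at
// least 2048 bits (RFC 7919) rather than a random prime of unchecked structure.
func dhGroup() (*big.Int, *big.Int, error) {
	p, err := rand.Prime(rand.Reader, 256)
	return p, big.NewInt(2), err
}

// dhExchange runs Alice and Bob and returns both sides' shared secret.
func dhExchange() (alice, bob *big.Int, err error) {
	p, g, err := dhGroup()
	if err != nil {
		return
	}
	a, err := newParty(p, g)
	if err != nil {
		return
	}
	b, err := newParty(p, g)
	if err != nil {
		return
	}
	if alice, err = a.shared(b.pub); err != nil {
		return
	}
	bob, err = b.shared(a.pub)
	return
}

// dhMITM: Mallory replaces B with her own public value. Alice and Mallory agree
// on a secret; Bob's differs. Plain DH gives Alice no way to notice, which is
// why TLS signs the server's DH/ECDH share with the certificate key.
func dhMITM() (aliceSecret, mallorySecret, bobSecret *big.Int, err error) {
	p, g, err := dhGroup()
	if err != nil {
		return
	}
	alice, err := newParty(p, g)
	if err != nil {
		return
	}
	bob, err := newParty(p, g)
	if err != nil {
		return
	}
	mallory, err := newParty(p, g)
	if err != nil {
		return
	}
	if aliceSecret, err = alice.shared(mallory.pub); err != nil { // Alice believes this is B
		return
	}
	if mallorySecret, err = mallory.shared(alice.pub); err != nil {
		return
	}
	bobSecret, err = bob.shared(mallory.pub) // Bob likewise talks to Mallory
	return
}

// ecdhExchange does the same over P-256 with the standard library: 32-byte scalars
// instead of 2048-bit exponents, same shared-secret property.
func ecdhExchange() (alice, bob []byte, err error) {
	curve := ecdh.P256()
	a, err := curve.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	b, err := curve.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	if alice, err = a.ECDH(b.PublicKey()); err != nil {
		return
	}
	bob, err = b.ECDH(a.PublicKey())
	return
}

func main() {
	x, y, _ := dhExchange()
	ea, eb, _ := ecdhExchange()
	as, ms, bs, _ := dhMITM()
	fmt.Println("DH secrets match:", x.Cmp(y) == 0, " ECDH secrets match:", bytes.Equal(ea, eb))
	fmt.Println("Mallory shares Alice's secret:", as.Cmp(ms) == 0, " Bob agrees with Alice:", as.Cmp(bs) == 0)
}
```

crypto/ecdh performs the public-value validation (point on curve, not the identity) inside `ECDH`, which is the elliptic-curve counterpart of the range check in `shared`.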
TLS 1.2 communication process
We follow the flow chart of the communication process, combined with a packet capture of www.sina.com.cn, for hands-on learning:
1. Client Hello
2. Server Hello
3/4/5. Certificate, Server Key Exchange, Server Hello Done
6. Client Key Exchange, Change Cipher Spec, Finished
7. From here on both client and server hold the same session key and communicate with the symmetric cipher
From the capture we can see that TLS 1.2 offers many cipher suites, some of them old enough to be broken with today's computing power. This is what the FREAK attack exploited:
- The man in the middle tampers with the list of cipher suites sent by the client
- It removes the strong suites, forcing the server to pick a weak one (an export-grade RSA suite whose 512-bit key can be factored) and then breaks the key
Improvements in TLS 1.3
- Only a small set of strong AEAD cipher suites remains; RSA key exchange, static DH, CBC and RC4 suites were removed, so a downgrade to a weak suite is no longer possible
Handshake optimization (TLS 1.3)
Session resumption with a session ID
- Session cache: the server generates a session ID and keeps the session state in its own memory; the client sends the ID back on the next connection to skip the full handshake
Session resumption with a session ticket
- Because the session state lives in one server's memory, it cannot be shared: behind a reverse proxy, a client that lands on another server has to do a full handshake again. With a session ticket the server instead encrypts the session state with a ticket key and hands it to the client, and any server holding the ticket key can resume the session
0-RTT handshake in TLS 1.3
- On a non-first connection, the client sends application data together with its Client Hello, encrypted under the key derived from the previous session, saving a round trip
- Caveat: 0-RTT data can be replayed by an attacker, so it must only carry idempotent requests
Combining the properties of the three kinds of algorithms, the basic working mode of TLS is this: the client uses asymmetric encryption to authenticate the server and negotiate the key for symmetric encryption; the symmetric cipher then encrypts the data and its digest (MAC) with the negotiated key. Each connection uses a different symmetric key, so the information can be read only by the two communicating parties.