Get to know SSL

1. Introduction to SSL

SSL stands for Secure Sockets Layer, and it is the most widely used data encryption protocol nowadays. The protocol went through three versions, namely SSL1.0, SSL2.0, and SSL3.0, until the IETF standardized SSL and called it TLS (Transport Layer Security). Strictly speaking, TLS is a more secure upgraded version of SSL, and the TLS protocol is basically what is used now. But since the term SSL is more commonly used, we still refer to our security certificates as SSL or SSL/TLS certificates. Up to now, TLS has gone through four versions, namely TLS1.0, TLS1.1 (2006), TLS1.2 (2008), and TLS1.3 (2018).

1.1 Asymmetric encryption algorithm

"Asymmetric encryption" means that encryption and decryption use different keys: each user has two keys, a public key and a private key. The public key is released to the outside world, so everyone can see everyone else's public key. The private key is kept by its owner, so each user knows only their own private key and nobody else's. Data encrypted with a user's public key can only be decrypted with that user's private key. In this first case, the public key is used to encrypt the message, ensuring that only a specific person (the one whose public key is used) can decrypt it. In the second case, the public key is used to decrypt information produced with the private key, so that others can be sure the information was really published by me and is complete and correct. This lets the recipient know that the message really came from someone who holds the private key. This is called a digital signature, and the public key is distributed in the form of a digital certificate.

1.2 Symmetric encryption algorithm

"Symmetric encryption" is relatively simple: encryption and decryption use the same key. It is like using 7zip or WinRAR to create an encrypted archive with a password. When you want to unpack the archive later, you need to enter the same password. In this example, the password plays the role of the "key" just mentioned.

1.3 Features

• SSL can encrypt transmitted data to prevent third parties from stealing data

• The SSL protocol has a tamper-proof mechanism. If the transmitted data is tampered with during transmission, the two parties in the communication will immediately find out

• SSL also has an authentication mechanism to prevent identities from being impersonated

1.4 The position of SSL in the TCP/IP model

2. Basic operation process

The basic idea of the SSL/TLS protocol is to use an asymmetric encryption algorithm. The client first requests the public key from the server, and then encrypts the data with the public key. After the server receives the ciphertext, it decrypts it with its own private key.

• 1. The client requests and verifies the public key from the server

• 2. The two parties negotiate to generate a "session key"

• 3. The two parties use the "session key" for encrypted communication

As can be seen from the brief process above, a symmetric encryption algorithm is used as well. If every exchange between the client and the server were encrypted with the public key, the amount of calculation would be very large. To reduce the time spent on encryption, the data exchanged is encrypted with a symmetric algorithm, which takes much less time than an asymmetric one. The public key algorithm is only needed at the beginning, to obtain the session key for the symmetric algorithm given by the server; all subsequent data can then be encrypted and decrypted with the session key.

Steps 1 and 2 above are also called the "handshake phase". In the handshake phase, there are four communications between the client and the server, and the communication data are all transmitted in plain text.

2.1 Client request

The client sends a request to the server for encrypted communication. This step is called a ClientHello request. The information provided by the client is as follows:

• The TLS protocol version supported by the client

• A random number generated by the client, used later to generate the "session key"

• The encryption methods supported by the client, such as the DHE-RSA asymmetric encryption algorithm

• The supported compression algorithms

2.2 Server response

Information sent by the server:

• Confirmation of the TLS protocol version to be used

• A random number generated by the server, also used later to generate the "session key"

• Confirmation of the encryption algorithm used, such as the DHE-RSA asymmetric encryption algorithm

• The server's certificate

• If the server needs to confirm the identity of the client, a certificate request asking the client to provide a client certificate to confirm its identity

2.3 The client responds again

After the client gets the response, it first verifies the server's certificate. If there is a problem, it warns the user and asks whether to continue. If there is no problem, the client takes the public key out of the certificate and then sends the following data to the server:

• A random number encrypted with the public key; this random number is also called the pre-master key

• An encoding change notification, telling the server that future data will be sent using the agreed-upon encryption method and key

• The client handshake end notification; this item is also the hash value of all the content sent before, which the server uses for tamper-proof verification

At this point, we may ask why three random numbers are needed to generate the session key. The reasons are as follows:

Both the client and the server need a random number so that the generated key is not the same every time. Since the certificate in the SSL protocol is static, it is necessary to introduce a random factor to ensure the randomness of the negotiated key.

For the RSA key exchange algorithm, the pre-master key itself is a random number. Together with the random numbers in the hello messages, the three random numbers finally derive a symmetric key through a key exporter.

The pre-master key exists because the SSL protocol does not trust every host to generate a completely random number. If the random number is not random, the pre-master secret may be guessed, so it is not appropriate to use the pre-master secret alone as the key. A new random factor must therefore be introduced: a key generated from the client and server random numbers plus the pre-master secret, three random numbers in all, is not easy to guess. One pseudo-random number may not be random at all, but three pseudo-random numbers together are very close to random. Every time you add a degree of freedom, the randomness increases by more than one.

2.4 The server's final response

After the server receives the third random number, the pre-master key, from the client, it calculates and generates the "session key" used for this session.

Information sent by the server:

• An encoding change notification, telling the client that future data will be sent using the agreed-upon encryption method and key

• The server handshake end notification; this item is also the hash value of all the content sent before, which the client uses for tamper-proof verification

At this point, the entire handshake phase is over. After that, the client and the server communicate over an encrypted channel, with the data encrypted symmetrically using the "session key".
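The key derivation from the three random numbers (section 2.3) and the handshake end notification (sections 2.3 and 2.4), as an added example that is not part of the original article. It assumes TLS 1.2 with RSA key exchange and the SHA-256 PRF from RFC 5246; the function names are hypothetical, and all random values and handshake bytes are constructed.

```python
import hashlib
import hmac
import os

# Added illustration; function names are hypothetical, inputs are constructed.


def prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 PRF (RFC 5246 section 5): P_SHA256(secret, label + seed)."""
    seed = label + seed
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()            # A(i)
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]


def master_secret(pre_master: bytes, client_random: bytes, server_random: bytes) -> bytes:
    """Combine the three random numbers into one 48-byte secret."""
    return prf(pre_master, b"master secret", client_random + server_random, 48)


def finished_verify_data(master: bytes, label: bytes, transcript: bytes) -> bytes:
    """12-byte value carried in the handshake end notification."""
    return prf(master, label, hashlib.sha256(transcript).digest(), 12)


def demo() -> dict:
    # Constructed values; a real handshake takes them from the wire.
    client_random, server_random = os.urandom(32), os.urandom(32)
    pre_master = b"\x03\x03" + os.urandom(46)   # protocol version + 46 random bytes
    ms = master_secret(pre_master, client_random, server_random)
    # Same pre-master key, fresh server random: a different master secret.
    ms_other = master_secret(pre_master, client_random, os.urandom(32))
    # Constructed stand-ins for the plaintext handshake messages.
    sent = b"ClientHello:ciphers=strong,weak|ServerHello:cipher=strong"
    received = sent.replace(b"strong,weak", b"weak")   # altered in transit
    client_vd = finished_verify_data(ms, b"client finished", sent)
    server_vd = finished_verify_data(ms, b"client finished", received)
    return {
        "master_len": len(ms),
        "fresh_random_changes_key": ms != ms_other,
        "tamper_detected": not hmac.compare_digest(client_vd, server_vd),
    }


if __name__ == "__main__":
    print(demo())
```

Because the handshake end notification is computed from the master secret and a hash of every earlier handshake message, a change to the plaintext hello messages produces a mismatch that either side can detect.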

Origin blog.csdn.net/Sbs5218/article/details/126335554