SSL - Secure Sockets Layer

SSL (Secure Sockets Layer) is a network security protocol first adopted by Netscape. It is a security protocol implemented on top of the TCP/IP communication protocol and uses public key technology. SSL supports a wide variety of network types and provides three basic security services, all of which use public key technology.

Security services

1) Information confidentiality, achieved through the use of public key and symmetric key technology. All traffic between an SSL client and server is encrypted using the keys and algorithms established during the SSL handshake. This prevents eavesdropping with IP packet sniffing tools: a sniffer can still capture the communication, but it cannot decipher the content.

2) Information integrity. For all SSL-based services to achieve their goals, the information exchanged between the server and the client must be protected from corruption. SSL uses a shared secret and a set of hash functions to provide the message integrity service.

3) Two-way authentication, the process by which the client and the server identify each other. Their identification numbers are encoded with a public key, and these identification numbers are exchanged during the SSL handshake. To verify that the certificate holder is its legitimate user (and not an imposter), SSL requires the certificate holder to digitally sign the data exchanged during the handshake. The certificate holder signs all of this information and data, including the certificate, to show that it is the legitimate owner of the certificate. This prevents other users from impersonating the certificate holder. The certificate by itself does not provide authentication; only the certificate and the key working together do.

4) SSL security services should be as transparent as possible to end users. Under normal circumstances, users only need to click a button or link on the desktop to connect to an SSL host. Unlike standard HTTP connection requests, a typical web host that supports SSL accepts SSL connections on port 443 by default, not 80.

Advantage

The advantage of the SSL protocol is that it is independent of the application layer protocol. High-level application-layer protocols (such as HTTP, FTP, Telnet, etc.) can be built transparently on top of the SSL protocol. The SSL protocol completes the negotiation of the encryption algorithm and the communication key, as well as server authentication, before the application layer protocol begins communicating. After that, all data transmitted by the application layer protocol is encrypted to ensure the privacy of the communication.

Architecture of SSL

SSL is designed to use TCP to provide a reliable end-to-end security service. It is not a single protocol but two layers of protocols. The lower layer is the SSL record layer, which is used to encapsulate the different upper-layer protocols. The other layer is the encapsulated protocol, that is, the SSL handshake protocol, which allows the server and client to negotiate encryption algorithms and encryption keys before transmitting application data. The client proposes all the encryption algorithms it can support, and the server chooses the most suitable algorithm from them.

The record protocol provides basic security services to the various higher-level protocols. In particular, the Hypertext Transfer Protocol (HTTP), which provides the transfer service for web client/server interactions, can run on top of SSL. Three higher-level protocols are defined as part of SSL: the Handshake Protocol, the Change Cipher Spec Protocol, and the Alert Protocol.

Two important concepts in SSL are the SSL session and the SSL connection. They are defined as follows:

1) Connection: A connection is a transport that provides the appropriate type of service, and for a connection like SSL it is a point-to-point relationship. Connections are short-lived, and each connection is associated with a session.

2) Session: The SSL session is the association between the client and the server, and the session is created through the handshake protocol. A session defines a set of cryptographic security parameters that can be shared by multiple connections. Sessions can be used to avoid expensive negotiation of new security parameters for each connection.

Multiple secure connections may exist between any pair of interacting entities. Theoretically, there may also be multiple simultaneous sessions among interacting entities, but in practice each session has a set of states. Once a session is established, there is a current operational state for reading and writing (i.e. receiving and sending). Additionally, during the handshake protocol, pending read and write states are created. Once the handshake protocol is successful, the pending state becomes the current state.

SSL Record Protocol

The SSL Record Protocol provides two services for SSL connections:

1) Confidentiality: The handshake protocol defines shared keys that can be used for general encryption of SSL payloads.

2) Message integrity: The handshake protocol also defines a shared key that can be used to form a message's authentication code (MAC).

The record protocol takes the application messages to be transmitted, fragments the data into manageable chunks, optionally compresses the data, applies a MAC, encrypts, adds a header, and transmits the resulting units in TCP segments. Received data is decrypted, authenticated, decompressed and reassembled before being delivered to higher-level users.

Change Cipher Spec protocol

The Change Cipher Spec Protocol is one of the three SSL-specific protocols that use the SSL Record Protocol, and it is the simplest. It is used to switch to the newly negotiated encryption and integrity methods. The protocol consists of a single message, which is a single byte with the value 1.

Alert protocol

The alert protocol is used to convey SSL-related alerts to the peer entity. As with other applications that use SSL, alert messages are compressed and encrypted as specified by the current state. Each message of this protocol consists of two bytes. The value of the first byte is warning or fatal, which conveys the severity level of the message. If the level is fatal, SSL terminates the connection immediately. Other connections on the same session can continue, but no new connections can be established on this session. The second byte contains the code indicating the specific alert.

The most complex and important part of SSL is the handshake protocol. This protocol is used to establish a session and to negotiate encryption methods, authentication methods, compression methods, and initialization operations. It allows the server and client to authenticate each other and to negotiate the encryption and MAC algorithms and the cryptographic keys used to protect data sent in SSL records. The handshake protocol is used before any application data is transmitted. It consists of a series of messages exchanged between the client and server. All messages have the format shown in Figure 4(c). Each message has three fields:

(1) Type (1 byte): Indicates one of 10 types of messages. Table 2 lists the defined message types.

(2) Length (3 bytes): The length of the message in bytes.

(3) Content (greater than or equal to 1 byte).
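The message layouts described above (a one-byte ChangeCipherSpec, a two-byte alert, and the type/length/content handshake header) can be checked with a small parser. This is an added example, not code from the original page. The 5-byte record header (content type, two version bytes, 2-byte length) and the numeric type codes are taken from the SSL 3.0 / TLS 1.0 specifications rather than from this page. It decodes only unencrypted records and assumes each handshake message fits inside one record.

```python
import struct

# Type codes from the SSL 3.0 / TLS 1.0 specifications (not listed on this page).
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
HANDSHAKE_TYPES = {0: "hello_request", 1: "client_hello", 2: "server_hello",
                   11: "certificate", 12: "server_key_exchange",
                   13: "certificate_request", 14: "server_hello_done",
                   15: "certificate_verify", 16: "client_key_exchange", 20: "finished"}

def decode_body(name, body):
    """Decode one plaintext record body according to its content type."""
    if name == "change_cipher_spec":
        if body != b"\x01":
            raise ValueError("change_cipher_spec must be the single byte 1")
        return "activate pending state"
    if name == "alert":
        if len(body) != 2:
            raise ValueError("alert must be exactly two bytes")
        return (ALERT_LEVELS.get(body[0], "invalid"), body[1])  # (level, code)
    if name == "handshake":
        msgs, i = [], 0
        while i < len(body):  # several handshake messages may share a record
            if len(body) - i < 4:
                raise ValueError("truncated handshake header")
            mlen = int.from_bytes(body[i + 1:i + 4], "big")  # 3-byte length field
            if i + 4 + mlen > len(body):
                raise ValueError("handshake length exceeds record")
            msgs.append((HANDSHAKE_TYPES.get(body[i], "unknown"), mlen))
            i += 4 + mlen
        return msgs
    return len(body)  # application data stays opaque

def parse_records(stream):
    """Split a byte stream into (content type, version, decoded body) tuples."""
    out, pos = [], 0
    while pos < len(stream):
        if len(stream) - pos < 5:
            raise ValueError("truncated record header")
        ctype, major, minor, length = struct.unpack_from("!BBBH", stream, pos)
        body = stream[pos + 5:pos + 5 + length]
        if ctype not in CONTENT_TYPES or len(body) != length:
            raise ValueError("unknown content type or truncated record")
        name = CONTENT_TYPES[ctype]
        out.append((name, (major, minor), decode_body(name, body)))
        pos += 5 + length
    return out

# Constructed sample: ClientHello stub, ChangeCipherSpec, fatal alert 40 (all SSL 3.0).
SAMPLE = (bytes([22, 3, 0, 0, 8, 1, 0, 0, 4]) + b"\xde\xad\xbe\xef"
          + bytes([20, 3, 0, 0, 1, 1]) + bytes([21, 3, 0, 0, 2, 2, 40]))
```

Records sent after ChangeCipherSpec are encrypted under the new state, so a passive parser like this one sees their content type and length but cannot decode the body.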

The process of SSL handshake

An SSL handshake will have the following events:

A) The client and server exchange X.509 certificates so that each party can verify the other. During this process, the entire certificate chain can be exchanged, or only some of the lower-level certificates. Verification of a certificate includes checking its validity dates and verifying the authority that signed it.

B) The client computer randomly generates a set of keys, which are used for information encryption and MAC calculation. These keys are encrypted with the server's public key before being sent to the server. There are four keys in total, for server-to-client and client-to-server communication.

C) An information encryption algorithm (for encryption) and a hash function (for ensuring information integrity) are used together. In Netscape's SSL implementation, the client provides a list of all algorithms it supports, and the server chooses the cipher it considers the most effective. Server administrators can enable or disable certain ciphers.

The security of the Secure Sockets Layer is realized through the SSL handshake protocol, the SSL change cipher spec protocol, the SSL alert protocol, and the SSL record protocol. For web security, we can use the above methods, because their security technologies are reliable.

Process

The SSL handshake process for two-way certificate authentication.

The following briefly describes how the SSL protocol works. The client needs to send and receive several handshake signals:

1) Send a "ClientHello" message, indicating the list of cipher algorithms it supports, the compression methods and the highest protocol version, and also send a random number that will be used later.

2) Then receive a "ServerHello" message containing the connection parameters selected by the server, chosen from those the client offered in its "ClientHello".

3) When both parties know the connection parameters, the client and server exchange certificates (depending on the chosen public key system). These certificates are usually based on X.509, although there are drafts to support OpenPGP-based certificates.

4) The server requests the client's public key. If the client has a certificate, two-way identity authentication takes place. If there is no certificate, the public key is randomly generated.

5) The client and the server negotiate a shared master key under public key protection (negotiated randomly between the two parties), which is realized through a carefully designed pseudo-random function. The negotiation may use a Diffie-Hellman exchange, or simplified public-key encryption that each party decrypts with its own private key. All other critical data is encrypted using this "master key".

6) The server sends the MAC of the handshake messages to the client.

During data transmission, the record layer is used to encapsulate higher-level protocols such as HTTP. Record layer data can optionally be compressed, encrypted, and packed together with a message authentication code. Each record layer packet has a Content-Type field that records the protocol used by the upper layer.

Difference Between TLS and SSL

SSL (Secure Sockets Layer) is a secure transmission protocol designed by Netscape, mainly for the Web, where it has been widely used. The IETF standardized SSL as RFC 2246 and called it TLS (Transport Layer Security); its latest version is RFC 5246, version 1.2. Technically speaking, the difference between TLS 1.0 and SSL 3.0 is very small.

TLS uses cryptographic algorithms to provide endpoint identity authentication and communication confidentiality on the Internet, based on public key infrastructure (PKI). In typical deployments, however, only the web server is reliably authenticated, not necessarily its clients. This is because public key infrastructure is generally operated commercially, and electronic signature certificates usually have to be purchased for a fee. The protocol is designed so that client/server application communication can, to some extent, resist eavesdropping, tampering, and message forgery.

TLS consists of three basic phases:

1) Negotiation between the peers of the cryptographic algorithms they support.

2) Encryption of transmitted information and identity authentication based on asymmetric keys, with identity authentication based on PKI certificates.

3) Data transmission confidentiality based on symmetric keys.

In the first phase, the client negotiates with the server the cryptographic algorithm to use. The currently widely implemented algorithm choices are as follows:

  • Public-key (asymmetric) encryption systems: RSA, Diffie-Hellman, DSA and Fortezza;

  • Symmetric key encryption systems: RC2, RC4, IDEA, DES, Triple DES, AES and Camellia;

  • One-way hash functions: MD5, SHA1, and SHA256.

TLS/SSL has various security protection measures:

  • All record layer data are numbered for message authentication code verification.
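The record numbering mentioned above, together with the fragment-then-MAC steps of the record protocol, can be shown in a short sketch. This is an added example, not code from the original page. It uses the HMAC construction of TLS 1.0 to 1.2 (SSL 3.0 uses an older pad-based MAC), picks HMAC-SHA256 and a constructed key as assumptions, and leaves out compression and encryption, which in the real protocol are applied around the MAC step.

```python
import hashlib
import hmac
import struct

MAX_FRAGMENT = 2 ** 14  # largest plaintext fragment a record may carry
TAG_LEN = 32            # HMAC-SHA256 output size (assumed MAC algorithm)

def record_mac(mac_key, seq, ctype, version, fragment):
    """HMAC over seq_num || type || version || length || fragment."""
    header = struct.pack("!QBBBH", seq, ctype, version[0], version[1], len(fragment))
    return hmac.new(mac_key, header + fragment, hashlib.sha256).digest()

def protect(mac_key, data, ctype=23, version=(3, 3)):
    """Fragment application data and append a MAC to every fragment."""
    records = []
    for seq, off in enumerate(range(0, len(data), MAX_FRAGMENT)):
        frag = data[off:off + MAX_FRAGMENT]
        records.append(frag + record_mac(mac_key, seq, ctype, version, frag))
    return records

def receive(mac_key, records, ctype=23, version=(3, 3)):
    """Verify each record against the receiver's own counter, then reassemble."""
    out = b""
    for seq, rec in enumerate(records):  # the number is implicit, never sent
        frag, tag = rec[:-TAG_LEN], rec[-TAG_LEN:]
        expected = record_mac(mac_key, seq, ctype, version, frag)
        if not hmac.compare_digest(tag, expected):
            raise ValueError(f"bad record MAC at sequence number {seq}")
        out += frag
    return out

def accepts(mac_key, records):
    """True if the receiver accepts the whole record sequence."""
    try:
        receive(mac_key, records)
        return True
    except ValueError:
        return False

# Constructed sample: a 32-byte key and data that spans two records.
KEY = b"k" * 32
DATA = b"A" * MAX_FRAGMENT + b"B" * 100
RECORDS = protect(KEY, DATA)
```

Because the sequence number is part of the MAC input, a record that is replayed, dropped or delivered out of order fails verification even though its own bytes are unmodified.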

Reposted from: https://baike.baidu.com/item/%E5%AE%89%E5%85%A8%E5%A5%97%E6%8E%A5%E5%B1%82/9442234?fromtitle=SSL&fromid=320778

Origin blog.csdn.net/fuhanghang/article/details/131956163