Author: ho brother's daily
link: https: //zhuanlan.zhihu.com/p/89905893
Source: know almost
copyrighted by the author. Commercial reprint please contact the author authorized, non-commercial reprint please indicate the source.
TLS
Transport Layer Security protocol TLS (Transport Layer Security), and its predecessor, Secure Sockets Layer SSL (Secure Sockets Layer) is a security protocol, for the purpose of Internet communications, provide security and data integrity protection.
As shown, the TLS when establishing a connection is needed
- The client sends ClientHello (protocol version includes support for encryption algorithm and a random number A (Client Random) ) to the server
- The server returns ServerHello, public key certificate, the random number B (Server random) to the client
- The client uses the CA certificate to verify the correct return the certificate after. Generating a random number C (premaster Secret) , encrypts it with the public key, sent to the server
- Server with the private key decrypted random number C (premaster Secret) , has been followed according to the generation (encryption algorithm determined hello time) symmetric key nonce the ABC , and the data to be transmitted is transmitted symmetric encryption
- The client uses the symmetric key to decrypt the data (the client random number is also used to generate symmetric key ABC).
- The two sides handheld symmetric key using a symmetric encryption algorithm newsletter
And this process Certificate Services side is crucial.
certificate
The public key certificate used to prove the identity of the certificate owner
First of all we need to know is how come the certificate.
Digital certificates are generally issued by a certificate authority, we need to
- Applicants by asymmetric encryption algorithm (RSA) generates a pair of public key and the key , and the application information (country, domain name, etc.) together with the need to send the public key certificate authority (CA)
- After confirmation by the CA configuration message digest algorithm to generate the signature digest information throughout the application, M (MD5, SHA), then the signature of M and digest algorithms used by the CA itself private key encrypting
Certificate contains
- Public Key
- The identity of the certificate owner information
- Certificate authority (issuer) information
- Issuer of digital signatures and document the use of algorithms
- Validity
Certificate format and authentication methods generally follow the X.509 international standard.
Certificate authority (CA)
The first: (Certificate Authority, CA for short English), also known as e-commerce certification center, e-commerce certification authority, is the authority responsible for issuing and managing digital certificates, and e-commerce transactions as a trusted certificate authority tripartite test the legality of public responsibility in the public key system.
In fact, any individual / organization can become a CA (self-signed), but you send a certificate issued by the client is not trusted, but also on the authority of the previously mentioned needs. For example, the Symantec, Comodo, Godaddy, Digicert .
客户端信任这些CA,就会在其本地保持这些CA的 根证书(root certificate),根证书是CA自己的证书,是证书验证链的开头。 根证书没有机构(已经是权威了)再为其做数字签名,所以都是自签证书。
CA会通过 中介证书(intermediate-certificate) 替代根证书的去做服务器端的证书签名,确保根证书密钥绝对不可访问。
Godaddy 给出了解释
What is an intermediate certificate?
证书信任链
前文提到,在向CA 申请证书时是需要 CA的私钥 去对整个证书的签名摘要做非对称加密的,也就是证书是可以通过 CA的公钥 去解密得到证书的签名摘要的。 当我们再次用 相同的摘要算法(证书里面有保存所使用的算法)对整个证书做签名,如果得到的签名和证书上的签名是一致的,说明这个证书是可信任的。
同理,中介证书 也是可以被这样的方式证明其可信任。这样的一整个流程称为 信任链(Chain of trust)。
就是我绝对相信你(A>B);你绝对相信他(B>C);等于我绝对相信他(A>C)
以下是整个流程:
- 客户端得到服务端返回的证书,通过读取得到 服务端证书的发布机构(Issuer)
- 客户端去操作系统查找这个发布机构的的证书,如果是不是根证书就继续递归下去 直到拿到根证书。
- 用 根证书的公钥 去 解密验证 上一层证书的合法性,再拿上一层证书的公钥去验证更上层证书的合法性;递归回溯。
- 最后验证服务器端的证书是 可信任 的。