Network security protocol

　　TCP / IP protocol suite designed and did not take into account security issues, information security during transmission can not be guaranteed, the recipient can not confirm the identity of the sender can not determine the received information is the same as the original information.

　　Accordingly, the network security researcher at the link layer, network layer and transport layer security developed corresponding supplementary protocol desired at all levels, respectively, confidentiality, integrity and security goals of non-repudiation. EAP and 802.1X protocol is used on the link layer sender authentication, IPSec and SSL are at the network layer and the transport layer is formed using cryptographic technology to achieve the three basic objectives security, 802.11i protocol family defines a WLAN encryption and integrity detection mechanism.

SSL protocol

　　Secure Sockets Layer protocol (Secure Socket Layer, SSL) specifies a mechanism for providing data security between the application layer protocol and TCP / IP protocol, to provide privacy for the TCP / IP connection, integrity, server authentication, and optionally the client authentication is mainly used for secure communication between Web servers and browsers.

　　SSL protocol stack consists of:

SSL handshake protocol	SSL password change protocol	SSL Alert Protocol	HTTP
SSL Record Protocol
TCP
IP

FIG composition 1-1 SSL protocol stack

SSL Record Protocol provides basic security services to application layer protocols, HTTP is generally implemented on top of the SSL Record Protocol.
SSL handshake protocol used between the client and the server before establishing a secure connection, both connected to a pre-established secure channel, and a particular encryption algorithm can identify each other.
SSL change cipher spec protocol is a relatively simple protocol is used, comprising a length of 1 byte message, for setting the current state and the current key set, it indicates that the corresponding encryption policy has been set.
Alert Protocol SSL handshake protocol for data encryption or other operations when an error occurs, an alarm message is transmitted to the other party or the current connection is terminated, it has two bytes of data, i.e., alarms and alarm levels, alarm level is divided into "warning" and " fatal "two kinds, fatal type of alarm causes the connection is terminated immediately.

SSL Record Protocol

　　A record consists of two parts, namely the head and the recording data:

Content Type	The major version number	Minor version number	Data length
Compressed data				encryption
MAC

FIG. 1-2 SSL Record Protocol format

　　(1) Content Type: 8 bits, the upper layer protocol type, such as a change cipher spec protocol 20, protocol is the alarm 21, 22 is the handshake protocol.

　　(2) Protocol Version: 16 bits, the table name SSL version number, the higher 8 bits are the major version number, the lower eight bits the minor version number.

　　(3) Data length: length after if compressed, it is compressed.

SSL handshake protocol

　　SSL SSL Handshake Protocol is the most complex protocol negotiation result which is the basis of the SSL record protocol processing, it is divided into three parts: the type of data (Table 1-1), data length (3 bytes) and data content (related parameter types).

　　Prior to both send and receive communications, first using a handshake protocol negotiation of various parameters, including a protocol version, cryptographic algorithms, related key, the MAC algorithm, and identity authentication, the last client generates a random number as the pre-master key with the server's public after the encrypted key, to the server, and thereafter, all data can use the pre-master key is encrypted according to the key exchange algorithm generates a session key, to ensure security.

type of data	parameter
hello_request	no
client_hello	The version number, nonce, the session ID, a password parameter, a compression method
server_hello
certificate	X. 509 v3 certificate chain
server_key_exchange	Parameter signature
certificate_request	Type, CA
server_hello_done	no
certificate_verify	Signature to be verified
client_key_exchange	Parameter signature
finished	Hash code

Form data types and handshake protocol parameters 1-1

　　Handshaking process is divided into three phases:

　　1. hello stage

　　　　The main job is to negotiate the version number, session ID, cipher suite, compression algorithms and exchange random numbers.

　　(1) client_hello: The client initialization message, customer support of the establishment of parameters sent to the server to choose safe passage.

　　(2) server_hello: When the server receives client_hello alarm message can answer a representation handshake fails, or answer server_hello, the server decided to choose the combination of parameters transferred back to the client, including new random number generated by the server.

　　2. key negotiation stage

　　　　The main job is to send a server certificate, the client certificate request (optional), if the customer is required certificate is sent.

　　（1）certificate：服务器发送自己的证书给客户，表明身份。客户检查证书的签名并获得服务器的公钥，随后使用该公钥加密随机产生的预主密钥。

　　（2）server_key_exchange：当hello阶段协商的算法仅仅使用certificate的信息无法进行密钥交换时，使用该报文发送密钥交换所必需的其他信息。

　　（3）server_hello_done：服务器表明server_hello结束，等待客户响应。

　　　　（4）client_key_exchange：客户用服务器的公钥加密一个随机生成的预主密钥，然后发送给服务器，服务器收到后，用自己的私钥解开，然后根据hello阶段协商的算法，各自计算主密钥，最后产生通信使用的会话密钥。

　　3. finished阶段

　　　　主要工作是改变密码组，完成握手。

　　（1）密码规范变更报文：表示记录协议的加密算法和认证方式的改变，随后将启用新的密钥。

　　（2）finished：双方互相验证收到的finished类型的报文是否正确无误，从而确定对方已经生成正确的会话密钥。此时握手协议完成，双方可以用新的会话密钥安全传输数据。