SSL握手步骤【收藏】
http://www.codeweblog.com/ssl-handshake-process-of-interaction-and/
SSL to send a message in the following order:
1.Client Hello
Client sends the server information including passwords group it supports. Password set in cryptographic algorithms and key sizes;
2.Server Hello
The server choose the client and server support the password set to the client.
3.Certificate
Server sends a certificate or a certificate chain to the client, a certificate chain, starting at the end of the server public key certificate and the root certificate authority in the show. This information is optional, but the server certificate as necessary, to use it.
4.Certificate request
When the server needs to identify clients, it sends a certificate request to the client. In web applications, very little to send the message.
5.Server key exchange
When the server sends to the public key of the key exchange is not very good when a server key exchange message to send.
6.Server hello done
Server to tell clients to complete its initialization flow of information.
7.Certificate
If the server requires a client certificate, the client sends a certificate chain. (Only when the server requires client certificate)
8.Client key exchange
Customers generate a key for the symmetric algorithm. Customers with a server on the RSA public key cryptography this key information and send it to the server.
9.Certificate verify
In web applications, very few send this message, it is primarily used to allow the server to handle the end of the customer identification. When using this information, the client sends a password function of the digital signature information to the server, when the service ended with a public key to decrypt the message, the server can identify clients.
10.Change cipher spec
Client sends a message to tell the server to change the encryption mode.
11.Finished
Client tells the server it is ready to secure data communication.
12.Change cipher spec
Server sends a message to the client and tell clients modify encrypted mode.
13.Finished
Server tells the client that it is ready to secure data communication. This is a client-server handshake protocol the last step.
14.Encrypted data
Client with the server using a symmetric encryption algorithm and cryptographic functions, and with the client to the server secret key encrypted communication.
SSL handshake process:
Extracted from the "SSL and TLS"
Objective:
1. The client and server need to protect data on a set of algorithms for consensus;
2. They need to establish a set of algorithms that are used by the encryption key;
3. Handshake can also choose to authenticate the client.
Process:
1. Client list and its support for the algorithm used to generate a random number key sent to the server;
2. Server list from the algorithm to choose a encryption algorithm, and it contains the server public key and a certificate sent to the client; The certificate also contains the server ID for authentication purposes, the server also provides a generate random numbers for keys;
3. Client-side validation on the server's certificate (certificate of verification, can refer to the digital signature), and to take the server's public key; then, and then generate a random password string called pre_master_secret, and use the server's public key pair The encrypted (refer to non-symmetric encryption / decryption), and encrypted information is sent to the server;
4. Client-side and server-side and under the pre_master_secret client and server calculate a random value independent encryption and MAC keys (see DH key exchange algorithm).
5. Client MAC values of all handshake messages sent to the server;
6. Server MAC values of all handshake messages sent to the client.
Step 5 and 6 to prevent themselves from being tampered with shaking hands. Envisaged an attacker wants to control the use of client and server algorithms. Client offers a variety of algorithms are quite common, some of the strength of weak and some strong intensity, in order to be able to support the weak intensity algorithm with only the server to communicate. An attacker can remove the client provided in step 1 all the high-intensity algorithm, so they force the server to choose a weak strength of the algorithm. Step 5 and Step 6 of the MAC be able to prevent the exchange of such attacks, because the client's MAC is calculated according to the original message, but the server's MAC is modified according to the news of the attacker is calculated, so that after inspection will find do not match. As provided by the client and server random number key generation process, and so the hands will not be replay attacks. The message is the first in a new encryption algorithm and key messages encrypted under.
Just described every step through one or more handshake messages to achieve. In this first message with a brief description of which corresponds to what steps, then a detailed description of the contents of each message. The following diagram describes the messages:
Step 1 corresponds to a single handshake message, ClientHello.
Step 2 corresponds to a SSL handshake message, the server sends the first message to ServerHello, which contains its chosen method, then again in the Certificate message send their certificates. Finally, the server sends a message to indicate ServerHelloDone the completion of the handshake stage. Need ServerHelloDone because some of the more complex variants would also like to shake hands after the Certifacate send other messages. When the client receives ServerHelloDone message, it knows there will be no other similar news coming, so he can continue it on this side of the handshake.
Step 3 corresponds to ClientKeyExchange news.
Step 5 and 6 corresponding Finished message. The news is just negotiated the first algorithm used to protect the information. In order to prevent the handshake has been tampered with, the contents of the message to all the previous stage handshake message MAC. However, the Finished message is a good method of protection, consultations, so they will have consultations with the new MAC key - a message from the calculation of the value of their MAc.
Note that the image above omits two ChangeCipherSpec news.
SSL Record Protocol:
In SSL, the actual data transmission is to use the SSL record protocol to achieve. SSL record protocol is divided by the data stream into a series of clips and transfer them to work, in which each fragment separately protection and transmission. In the receiver, each record on a separate decryption and verification. This program has resulted in the figures have been ready to be sent from one end to connect to the other end, and received instantly be addressed.
In the transmission segment, you must prevent attacks. MAC can be calculated to provide data integrity protection. MAC transmitted together with the fragment, verified by the receiver to achieve. The MAC appended to the fragment of the tail, and data and integrate the contents of the MAC is encrypted to form encrypted Load (Payload). Finally on top of information to the load equipment. Header information and encrypted links to known records of load (record), record the actual transfer of the content is. The following diagram describes the transfer process:
1. Recorded the first message:
Record header information is to receive the work to achieve (receiving implementation) to explain the records provided the necessary information. In practice, it refers to three types of information: content type, length, and SSL version. Length field can the receiver is aware that he was taken from the line Duoshao octet processing the message, version number, Zhi Shi 1 to ensure that each party use the consultation version of the redundancy check. Content-Type field indicates the message type.
2. SSL Record Type:
SSL support for the four content types: application_data, alert, handshake and change_cipher_spec.
Use SSL, software to send and receive all the data are based on application_data type to send, the other three kinds of Neirongleixing used on communications Jinxingguanli, Ruwan Cheng handshake and reporting Cuowu so.
Content type alert is mainly used for reporting all types of errors. Most of the alert (warning) for reporting handshake Chuxian problems, but there are some instructions to try to Jin Xing Ji Lu Zai right or Renzheng decryption errors that occur, alert messages to other Yongtu yes instructions would be Guanbi Lian Jie.
Used to carry content type handshake handshake message. Even if the initial connection handshake message is formed by the recording layer in order to handshake types of records to load the. As the encryption key has not yet established, these initial message was not encrypted or authentication, but the other process is the same. Possible existing connections on a new handshake initialization, in this case, the new record is like shaking hands, like other data, to go through encryption and authentication.
change_cipher_spec recorded message said to change the encryption and authentication. Once the handshake agreed on a new set of keys, the send change_cipher_spec to indicate at this point will enable the new key.
Work with a variety of sources:
As we have seen, SSL is a layered protocol, it is a recording layer and recording layer of a CD bearing the same message type composition. And the recording layer will by some reliable transport protocol such as TCP to carry. The following diagram describes the structure of the Association to:
The complete process a ssl connection:
SSL握手步骤【收藏】的更多相关文章
- SSL握手过程
原文地址: http://my.oschina.net/u/1188877/blog/164982 一.SSL握手有三个目的:1. 客户端与服务器需要就一组用于保护数据的算法达成一致:2. 它们需要确 ...
- SSL握手流程
一.SSL是什么? 安全套接字(SSL)协议是Web浏览器和Web服务器之间安全交换信息的协议. SSL介于应用层和TCP层之间,应用层数据不再直接传递给传输层,而是传递给SSL层,SSL层对从应用层 ...
- ssl握手数据结构
ssl握手 SSL记录头(5字节) 字节0:记录内容的类型 Content Type Hex Code Description Change_Cipher_Spec 0x14 指示加密方式的更改 Al ...
- HTTPS和SSL握手过程(转载)
https介绍 HTTPS = HTTP + 一组对称.非对称和基于证书的加密技术 HTTPS是最常见的HTTP安全版本.它得到了很广泛的应用,所有主要的商业浏览器和服务器都提供HTTPS.HTTPS ...
- 加密、签名和SSL握手机制细节
openssl系列文章:http://www.cnblogs.com/f-ck-need-u/p/7048359.html 1.1 背景知识 对称加密 :加密解密使用同一密钥,加解密速度快.随 ...
- SSL握手通信详解及linux下c/c++ SSL Socket代码举例
SSL握手通信详解及linux下c/c++ SSL Socket代码举例 摘自:http://www.169it.com/article/3215130236.html 分享到:8 发布时 ...
- SSL握手通信详解及linux下c/c++ SSL Socket代码举例(另附SSL双向认证客户端代码)
SSL握手通信详解及linux下c/c++ SSL Socket代码举例(另附SSL双向认证客户端代码) 摘自: https://blog.csdn.net/sjin_1314/article/det ...
- SSL 重点SSL会话步骤
SSL.TLS协议 在wiki百科查看下,两者的区别 实现SSL协议的软件 OpenSSL开源软件 SSL会话步骤 1:客户端向服务端索取CA证书,然后验证证书 2:客户端与服务端约定一个通信中使 ...
- linux apache Tomcat配置SSL(https)步骤
https简介 它是由Netscape开发并内置于其浏览器中,用于对数据进行压缩和解压操作,并返回网络上传送回的结果.HTTPS实际上应用了Netscape的安全套接字层(SSL)作为HTTP应用层的 ...
随机推荐
- ACPI I/O resource conflict with SMBus
ACPI I/O resource conflict with SMBus 以電子郵件傳送這篇文章BlogThis!分享至 Twitter分享至 Facebook分享到 Pinterest 這幾天遇到 ...
- 翻译:微软style的并行计算
Parallel Microsoft-Style By Andrew Binstock, July 20, 2011 Note:主要是自动翻译,俺做了小量修改 1 Comment The actor ...
- 准备开源一套异形UI控件
今天整理磁盘,发现在一个以前加密过的一个磁盘文件中发现了一些以前做的UI代码.平时都没怎么去用,放着放着只会慢慢的去遗忘,所以打算慢慢的将一些UI代码整理整理,然后开源出来,集合广大Delphier的 ...
- 阿里云里面的Linux 系统挂载数据盘
转自:http://www.cnblogs.com/adjk/p/5112360.html 适用系统:非IO优化+SSD云盘Linux(Redhat , CentOS,Debian,Ubuntu)实例 ...
- session和jsessionid有什么关系
首先,并不是说你一打开一个页面就会产生一个session. 所谓session你可以这样理解:当你与服务端进行会话时,比如说登陆成功后,服务端会为你开壁一块内存区间,用以存放你这次会话的一些内容,比如 ...
- windows下使用vim+ctags+taglist
最近在公司的同事指导下,学会使用这个东西编写代码,效率提高了不少.所以记录下来,方便大家使用. 1. 下载gvim74.exe文件,并安装.注意一般安装的路径中不要存在空格 2. 下载taglist_ ...
- 用git上传本地项目到github上
首先确认自己已经安装了git,打开git bash,输入ssh-keygen -t rsa -C "自己的邮箱地址@XXX.com" ,生成自己的公钥与私钥 一路默认回车,会生 ...
- Android开发(51) 摄像头自动对焦。在OpenCV图像识别中连续拍照时自动对焦和拍照。
概述 对焦,这里所说的“焦”是指“焦距”.在拍照时,一定是需要调焦的.一般会在目标位置最清晰的时候会停止对焦.最近在处理OpenCV进行图像识别时,需要连续的调焦(对焦),并在对焦完成后进行拍照,获取 ...
- 关于windows的service编程
最近需要学习下windows的service编程框架,查了下msdn发现不知所云.于是谷歌之,发现了一个非常不错的文章,重点推荐讲的非常详细,深入,看完之后基本上就能很清楚windows的servic ...
- iOS 数据持久化(扩展知识:模糊背景效果和密码保护功能)
本篇随笔除了介绍 iOS 数据持久化知识之外,还贯穿了以下内容: (1)自定义 TableView,结合 block 从 ViewController 中分离出 View,轻 ViewControll ...