SSL (Secure? Sockets? Layer) Secure Socket Layer Protocol

It is a secure communication protocol launched by Netscape in 1995. SSL provides a secure connection between two computers, encrypting the entire session, ensuring secure transmission. The SSL protocol is built on the reliable TCP transmission control protocol and has nothing to do with the upper layer protocol. Various application layer protocols (such as HTTP, FTP, TELNET, etc.) can be transparently transmitted through the SSL protocol.

The SSL protocol is divided into two layers: SSL handshake protocol and SSL record protocol. The relationship between the SSL protocol and the TCP/IP protocol is shown in Figure 1:

HTTPS, FTPS, TELNETS, IMAPS, etc.

SSL handshake protocol

SSL record protocol

TCP Transmission Control Protocol

IP Internet Protocol

Figure 1 The relationship between the SSL protocol and the TCP/IP protocol

Security provided by the SSL protocol The connection has the following three basic characteristics:

(1) The connection is confidential: there is a unique session key for each connection, and a symmetric cryptography system (such as DES, RC4, etc.) is used to encrypt the data ;

(2) The connection is reliable: the message transmission uses MAC algorithm (such as MD5, SHA, etc.) for integrity check;

(3) The peer entity is identified using Asymmetric cryptography systems (such as RSA, DSS, etc.) are used for authentication.

1.2? SSL handshake protocol

The SSL handshake protocol is used to establish a secure transmission channel between the communicating parties. It specifically implements the following functions: (1) Verify the server on the client side. The SSL protocol uses public Key-based identity authentication; (2) Verify the client on the server side (optional); (3) Negotiate between the client and the server for encryption algorithms and compression algorithms supported by both parties. Optional encryption algorithms include: IDEA, RC4 , DES, 3DES, RSA, DSS, Diffie_hellman, Fortezza, MD5, SHA, etc.; (4) Generate session keys for symmetric encryption algorithms; (5) Establish an encrypted SSL connection. The general handshake process is shown in Figure 2:

Figure 2 Handshake process of SSL protocol

The handshake process is divided into 4 stages:

(1) Initialization For logical connection, the client first sends a ClientHello message, and the server should also return a ServerHello message. These two messages are used to negotiate the security capabilities of both parties, including protocol version, random parameters, session ID, exchange key algorithm, symmetric encryption algorithm, Compression algorithm, etc.

(2) The server should send the server certificate (including the server's public key, etc.) and session key. If the server requires verification of the client, it must send a CertificateRequest message. Finally, the server sends a ServerHelloDone message, indicating that the hello phase is over, and the server is waiting for a response from the client.

(3) If the server requires verification of the client, the client first sends a Certificate message, then generates a session key, encrypts it with the server's public key, and encapsulates it in the ClientKeyExchange message. If the client sends its own certificate, then send a digital signature CertificateVerify to verify the certificate.

(4) The client sends a ChangeCipherSpec message to notify the server that future messages will be encrypted using the previously negotiated security parameters, and finally sends an encrypted Finished message. After receiving the above two messages, the server also sends its own ChangeCipherSpec message and Finished message. At this point, the handshake is complete and both parties can start transmitting application data.

The SSL handshake protocol establishes appropriate session state information elements on both communicating parties, as shown in the following table:

Session state information element description

Conversation identification server selection Used to identify an active, restarted conversation identifier

Peer certificate The X509 certificate of the peer entity

The data compression algorithm used by the compression method

The data encryption algorithm and MAC algorithm used in the encryption description

Session key The session key shared by the client and server

Restartable identifies whether this conversation can be restarted Used to initialize new flags

1.3? SSL record protocol

After the SSL record protocol receives the data from the upper layer, it must be segmented, compressed and encrypted, and finally sent out by the transport layer . In the SSL protocol, all transmitted data are encapsulated in records. The SSL record protocol specifies the format of the record header and record data.

Each SSL record contains the following information: (1) Content type: refers to the high-level protocol of SSL; (2) Protocol version number: refers to the version number of the SSL protocol used, currently there are versions 2.0 and 3.0; (3) Length: refers to the length of the recorded data, the maximum length of the recorded data is 16383 bytes; (4) Data payload: the result of processing the data using the compression method and encryption method defined in the SSL handshake stage; (5) MAC: The MAC is calculated before the valid data is encrypted and placed in the SSL record for data integrity checking. If the MD5 algorithm is used, the MAC data length is 16 bytes. The SSL record protocol adopts a revised version of the HMAC structure in RFC2104. A sequence number is placed in the message before the HASH function is used to resist various forms of retransmission attacks. The sequence number is a 32-bit incrementing counter.

2SET Protocol

2.1 Overview of SET Protocol

SET (Secure Electronic Transaction) secure electronic transaction protocol was developed in 1996 by MasterCard (Visa) and Secure electronic transaction specifications jointly formulated by Visa (MasterCard), two major international credit card companies. It provides authentication between consumers, merchants and banks, ensures the confidentiality, reliability and non-repudiation of transactions, and ensures the security of online shopping using credit cards in an open network environment.

2.2? Data encryption model used in the SET protocol

The data encryption model used in the SET protocol is shown in Figure 3.

Figure 3 Data encryption model used in the SET protocol

This model has the following characteristics:

(1) The identity of transaction participants uses digital certificates To complete, the format of the digital certificate generally adopts the X.509 international standard;

(2) The non-repudiation of the transaction is achieved by digital signature. Since the digital signature is generated by the sender's private key, and the sender's private key is known only to him, the sender cannot deny the transaction data he has sent;

(3) Use message summary algorithm to ensure the integrity of the data;

(4) Since the asymmetric encryption algorithm has a slow operation speed, it must be used in conjunction with the symmetric encryption algorithm. The symmetric encryption algorithm is used to encrypt the data, and the digital envelope is used to encrypt the data. Exchange symmetric keys.

2.3? Data exchange process of SET protocol

The shopping system of SET protocol consists of five parts: cardholder, merchant, payment gateway, acquiring bank and card-issuing bank. These five parts The data exchange process between parts is shown in Figure 4.

Figure 4 Data exchange process of SET protocol

3 Comparison between SSL protocol and SET protocol

The differences between SSL protocol and SET protocol are mainly reflected in the following aspects :

(1) User interface: The SSL protocol has been built-in by browsers and WEB servers, and there is no need to install special software; while in the SET protocol, the client needs to install special e-wallet software, which is processed on the merchant server and bank network Corresponding software also needs to be installed.

(2) Processing speed: The SET protocol is very complex and large, and the processing speed is slow. A typical SET transaction process requires verifying the electronic certificate 9 times, verifying the digital signature 6 times, delivering the certificate 7 times, performing 5 signatures, 4 symmetric encryptions and 4 asymmetric encryptions. The entire transaction process may take 1.5 to 2 minutes. ;The SSL protocol is much simpler and the processing speed is faster than the SET protocol.

(3) Authentication requirements: The early SSL protocol did not provide an identity authentication mechanism. Although in SSL3.0, identity authentication between the browser and the web server can be achieved through digital signatures and digital certificates, but Multi-party authentication is still not possible, and in SSL only the authentication of the merchant server is required, while client authentication is optional. In contrast, the SET protocol has higher authentication requirements. All members participating in SET transactions must apply for digital certificates, and solves the multi-party authentication problems between customers and banks, customers and merchants, and merchants and banks.

(4) Security: Security is the most critical issue in online transactions. The SET protocol uses public key encryption, information digests and digital signatures to ensure the confidentiality, authenticity, integrity and non-repudiation of information. The SET protocol uses double signatures to ensure the mutual isolation of the information of each participant, making it Merchants can only see the cardholder's order data, while banks can only obtain the cardholder's credit card information. Although the SSL protocol also uses public key encryption, information digest and MAC detection, which can provide confidentiality, integrity and a certain degree of identity authentication, it lacks a complete authentication system and cannot provide a complete anti-repudiation function. Therefore, SET is much more secure than SSL.

(5) Protocol level and function: SSL is a security technical specification of the transport layer. It does not have the business, coordination and integration functions of e-commerce. The SET protocol is located at the application layer. It not only standardizes the entire business activity process, but also formulates strict encryption and authentication standards, and has business, coordination and integration functions.

Summary:

Because the SSL protocol is low-cost, fast, and simple to use, it does not require major modifications to the existing network system, so it has been widely used. However, as the scale of e-commerce expands, the risk of online fraud is also increasing. In future e-commerce, the SET protocol will gradually dominate.