1. Learning ideas
2. HTTPS protocol level
SSL and TLS provide support for secure data communication.
3. HTTPS design ideas
1. The server generates public key pair A, sends the public key and other information info to the CA organization, and applies for a certificate;
2. The CA organization has its own set of public key pairs S. The CA organization generates a digital digest from info and uses S’s private key to encrypt the digest. The CA organization has a set of certificates in the operating system that save the public key of S;
3. The CA agency sends the info and encrypted digital digest to generate a certificate to the server;
4. The server performs
The browser is accessing the https website , first check whether the certificate has been revoked. If the certificate has been revoked, a warning message will be displayed: "This organization's certificate has been revoked. Security certificate issues may indicate an attempt to deceive you or intercept the data you send to the server. It is recommended to close This page, and do not continue to browse this website. ”
5.2. Chain of trust
The CA organizational structure is a tree structure. There are multiple mid CAs under a root CA, and mid CAs. It can also contain multiple mid CAs.
Both root CA and mid CA can issue certificates to users. The certificates issued are root certificates and intermediate certificates respectively. The certificate used by the end user to authenticate the public key is called the end-user certificate.
If the end-user certificate is issued by a mid CA, then during the handshake phase, the intermediate certificate needs to be sent to the client as well.
Certificate chain verification process:
6. Secret key negotiation process
During the TLS handshake phase, the cryptography suite used by both parties is determined.
(Key negotiation, certificate verification, and data encryption are three independent processes)
Example:
TLS_ DHE_RSA _WITH_ AES_256_CBC_SHA
DHE_RSA: Indicates the asymmetric encryption algorithm used in the handshake process (DHE is used for key exchange, RSA is used for certificates). If there is only one WITH, it means that the same algorithm is used for exchanging information and certificates
< p> (The main optional key exchange algorithms include: RSA, DH, ECDH, and ECDHE. The main optional certificate algorithms include: RSA, DSA, and ECDSA. The two can be selected independently and do not conflict)AES_256_CBC_SHA: Represents the symmetric encryption algorithm and hash algorithm of the encrypted channel
?
7. Secret key exchange algorithm
During the handshake process, the two parties Determine the secret key for subsequent communication through the key exchange algorithm
Commonly used key exchange algorithms: RSA, DH key exchange algorithms
7.1. RSA key exchange process: < /p>
A->B
B: Put the public key in the certificate
A: Use a random number algorithm to generate a secret key and encrypt it with the public key , sent to B.
Problems faced by RSA: Once the private key is leaked (the private key participates in the negotiation process), the key can decrypt all previously monitored ciphertexts (forward unsafe), and security depends on the private key. Whether the key is kept intact.
7.2. More secure DH key exchange algorithm
DH key algorithms include: DH, DHE, ECDH, ECDHE
DH (static DH algorithm, the secret key exchange always selects the same private key, so the shared private key is the same every time)
DHE (temporary DH algorithm, each connection generates a temporary DH key, Therefore the same secret key is never used twice.
Forward secrecy)
7.3. Simple explanation of DHE key exchange algorithm (based on discrete logarithm problem):
A->B
A: Generate a Random number X (as your own private key), a= g^x mod p (the p>B: Generate a random number Y (as its own private key), b= g^y mod p, and send b to A.
A: Calculate key1 = b^x mod p
B: Calculate key2 = a^y mod p
According to mathematical logic, key1=key2, so The secret key exchange is successful
The security of DHE is reflected in: only a, b, p, g are transmitted, and the private keys x and y are not transmitted in the middle. It is difficult to obtain x and y when these four numbers are known. (depending on discreteness), ensuring safety.
Example of DH secret key calculation:
Assume g =10, p = 7, x = 3, a = 6, y = 11, b = 5
key1 = ((g^x)mod p)^y mod p = ((10^3)mod 7)^11 mod 7 =6
key2 = ((g^y)mod p) ^x mod p = ((10^11)mod 7)^3 mod 7 =6
7.4. Key exchange algorithm based on ECDHE (based on elliptic discrete logarithm problem)
The operation of ECDHE is to replace the modular exponentiation operation in DHE with the dot multiplication operation, which is faster and more reversible
A->B
A: Generate a random number Ra , calculate Pa(x,y) = Ra * Q(x, y), Q(x, y) is the base point of an elliptic curve algorithm recognized around the world. Send Pa(x, y) to the server.
B: Generate a random value Rb and calculate Pb(x,y)= Rb * Q(x, y). Send Pb(x, y) to the client.
A: Calculate Sa(x,y) = Ra * Pb(x, y)
B: Calculate Sb(x,y) = Rb * Pa(x, y)
The algorithm guarantees Sa =Sb = S, and extracts the x vector of S as the key (pre-master key)