Current location - Quotes Website - Personality signature - HTTPS-handshake, certificate and key agreement
HTTPS-handshake, certificate and key agreement
First, learning ideas.

Second, the HTTPS protocol level.

SSL and TLS provide support for data security communication.

Third, the design idea of HTTPS

1. server generates public key pair A, and sends public key and other information info to CA to apply for certificate;

2.CA organization has a set of its own public key pairs. CA organization generates digital abstracts from information and encrypts the abstracts with private keys. CA organization has a set of certificates in the operating system, in which the public key is stored.

3.CA sends information and encrypted digital abstract to the server to generate certificate;

4. Server

When visiting an https website, the browser first checks whether the certificate has been revoked. If the certificate has been revoked, a warning message will be displayed: "The certificate of this organization has been revoked. A security certificate problem may indicate that someone is trying to cheat you or intercept the data you send to the server. It is recommended to close this webpage and do not continue browsing the website. "

5.2. Chain of trust

The organizational structure of CA is a tree structure. There are multiple midCAs under a root ca, and midcas can contain multiple midcas.

Both root CA and mid CA can issue certificates to users, namely root certificate and intermediate certificate. The certificate used by the end user to verify the public key is called the end user certificate.

If the end-user certificate is issued by mid CA, the intermediate certificate needs to be sent to the client during the handshake phase.

Certificate chain verification process:

Sixth, the key negotiation process

In the TLS handshake phase, determine the cipher suite used by both parties.

(Key negotiation, certificate verification and data encryption are three independent processes)

For example:

TLS _ DHE _ RSA _ band _ AES_256_CBC_SHA

DHE_RSA: indicates the asymmetric encryption algorithm used in the handshake process (DHE is used for key exchange and RSA is used for certificates). If there is only one with, it means using the same algorithm to exchange information and certificates.

(Optional key exchange algorithms include RSA, DH, ECDH and ECDHE. Optional main certificate algorithms include: RSA, DSA, ECDSA. The two can be independently selected and do not conflict)

AES_256_CBC_SHA: Symmetric encryption algorithm and hash algorithm for encrypted channels.

?

Seven, key exchange algorithm

In the process of handshake, both parties determine the key of subsequent communication through key exchange algorithm.

Common key exchange algorithms: RSA and DH key exchange algorithms.

7. 1, RSA key exchange process:

a-& gt; B

B: Put the public key in the certificate.

A: Generate a key by random number algorithm and send it to B by public key encryption.

Problems faced by RSA: Once the private key is leaked (the private key participates in the negotiation process), the key can decrypt all the ciphertexts it has listened to before (forward insecurity), and the security depends on whether the private key is well preserved.

7.2. A more secure DH class key exchange algorithm.

DH key algorithms are: DH, DHE, ECDH, ECDHE.

DH (static DH algorithm, the same private key is always selected for key exchange, so the private key is the same every time).

DHE (temporary DH algorithm, each connection generates a temporary DH key, so the same key will never be used twice. Forward secrecy)

7.3. Simple explanation of DHE key exchange algorithm (based on discrete logarithm problem):

a-& gt; B

A: Generate a random number X (as its own private key), where a = g x mod p(g's x-power modulus P), where P is a big prime number and G is a survival number, and send A to B..

B: generate a random number y (as your private key), B = g y mod p, and send b to a. ..

Answer: the calculation key1= b x mod p.

B: calculate key 2 = a y mod p.

According to mathematical logic, key 1=key2, so the key exchange is successful.

The security of DHE is that only A, B, P and G are transmitted, and there are no private keys X and Y in the middle. When these four numbers are known, it is difficult to distinguish X and Y (depending on discreteness), which ensures security.

Example of DH key calculation:

Suppose g = 10, p = 7, x = 3, a = 6, Y = 1 1, and B = 5.

Key1= ((g x) mod p) y modulo p = ((10 3) mod 7)1/modulo 7 =6.

Key 2 = ((g y) mod p) x modulo p = ((1011) mod 7) 3 modulo 7 =6.

7.4. Key Exchange Algorithm Based on Elliptic Discrete Logarithm Problem

The operation of ECDHE replaces the modular power operation in DHE with the point multiplication operation, which is faster and more difficult to reverse.

a-& gt; B

A: Generate a random number ra and calculate Pa(x, y) = Ra * Q(x, y), which is the basic point of an elliptic curve algorithm recognized all over the world. Send Pa(x, y) to the server.

B: generate random value Rb and calculate Pb(x, y)= Rb * Q(x, y). Send Pb(x, y) to the client.

A: calculate Sa(x, y) = Ra * Pb(x, y).

B: calculate Sb(x, y) = Rb * Pa(x, y).

The algorithm ensures that Sa =Sb = S, and extracts the X vector of S as the key (pre-master key).

Related articles
  • What are the good projects for Kunshan entrepreneurship?
  • Birthday invitation template
  • How to talk about confidence from signature?
  • What are the configurations of Xiaomi Mi 11?
  • Why is the uninstalled 360 still running?
  • How to transfer the enterprise account of ABC on the computer?
  • I am loyal to lunch. Can you help me think of a screen name and signature about martial arts? Please accept a word from Yao.
  • Disappearing coins, magical magic essay 700 words
  • Good night, excellent composition, 450 words
  • Does the signature of traditional Chinese characters have legal effect?

    • copyright 2024 Quotes Website All rights reserved