With the rise of applications such as e-commerce and online banking, it has greatly facilitated people's daily lives and is favored by people.
Because these applications require online transactions on the network, they place higher requirements on the security of network communications. The traditional HTTP protocol does not have a security mechanism - it uses clear text for data transmission, cannot verify the identity of the communicating parties, cannot prevent the transmitted data from being tampered with, etc., resulting in HTTP being unable to meet the security requirements of applications such as e-commerce and online banking.
The security protocol SSL proposed by Netscape uses data encryption, identity verification and message integrity verification mechanisms to provide security guarantees for data transmission on the network. This ensures that data will not be intercepted or eavesdropped during transmission on the network.
SSL has the following functions
1. Provide higher security guarantee
SSL utilizes data encryption, identity authentication and message integrity verification mechanisms. Ensure the security of data transmitted over the network.
2. Support various application layer protocols
Although SSL was originally designed to solve the security problem of the World Wide Web, SSL is located between the application layer and the transport layer. It can provide security guarantees for various application layer protocols based on reliable connections such as TCP.
3. Simple deployment
Currently, SSL has become a global standard for identifying sites and web browsers on the Internet, and for encrypted communication between browser users and Web servers. . The SSL protocol has been integrated into most browsers, such as IE, Netscape, Firefox, etc. This means that any computer with a browser supports SSL connections. No need to install additional client software.
Security mechanism implemented by SSL protocol
Confidentiality of transmitted data: Data transmitted on the network is very easy to be stolen by illegal users. SSL uses the method of establishing an encrypted channel between the two communicating parties. The method guarantees the confidentiality of transmitted data.
Identity authentication mechanism: In applications such as e-commerce and online banking, it is necessary to ensure that the Webserver to be logged in is authentic to prevent important information from being illegally stolen. SSL utilizes digital signatures to verify the identity of the communicating peer.
Asymmetric key algorithms can be used to implement digital signatures. Because data encrypted by the private key can only be decrypted using the corresponding public key, the identity of the sender can be inferred based on whether the decryption is successful. It is as if the sender "signed" the data. for example. Alice uses her private key to encrypt a piece of fixed information and sends it to Bob. Bob uses Alice's public key to decrypt it. It is assumed that the decryption result is the same as the fixed information. Then it can be confirmed that the sender of the information is Alice. This process is called a digital signature.
SSLclient must verify the identity of SSLserver, and whether SSLserver verifies the identity of SSLclient. It is decided by SSLserver.
When using digital signatures to verify identity. It is necessary to ensure that the public key of the person being verified is authentic, otherwise. Illegal users may pretend to be the authenticated person to communicate with the authenticator. As seen in Figure 1. Cindy pretends to be Bob, sends her public key to Alice, and uses her private key to calculate the signature and sends it to Alice. Alice uses "Bob's" public key (actually Cindy's public key) to successfully verify the signature, then Alice It seems that Bob's identity authentication is successful, but in fact the person communicating with Alice is Cindy pretending to be Bob. SSL uses the mechanism provided by PKI to ensure the authenticity of the public key.
Message integrity verification: In order to prevent the data transmitted in the network from being illegally tampered with, SSL uses a MAC algorithm based on MD5 or SHA to ensure the integrity of the message.
The MAC algorithm is a data digest algorithm with the participation of a key, which can convert the key and random-length data into fixed-length data. The process of using the MAC algorithm to verify message integrity is shown in the figure.
The sender uses the MAC algorithm to calculate the MAC value of the message with the participation of the key. And add it to the message and send it to the recipient. The receiver uses the same key and MAC algorithm to calculate the MAC value of the message. And compared with the received MAC value. Assume both are the same. The message has not changed; otherwise, the message has been modified during transmission and the receiver will discard the message.
Typical networking application
HTTPS is an HTTP protocol based on SSL secure connection. HTTPS provides security mechanisms such as data encryption, identity authentication, and message integrity verification through SSL. It provides security guarantee for Web access and is widely used in online banking, e-commerce and other fields.
The picture below shows the application of HTTPS in online banking. For the convenience of customers, a bank provides online banking services. Customers can make account inquiries, transfers, etc. by accessing the bank's Webserver.
By establishing an SSL connection between the customer and the bank's Webserver, it can ensure that the customer's information is not illegally stolen.