Current location - Quotes Website - Signature design - Detailed explanation of SSL+socket- concept
Detailed explanation of SSL+socket- concept
SSL protocol uses digital certificates and digital signatures to authenticate entities at both ends, uses asymmetric encryption algorithm to negotiate keys, uses symmetric encryption algorithm to encrypt data and transmit it, ensuring the confidentiality of data, and verifies whether the data is tampered or forged during transmission by calculating digital digest, which provides security for the transmission of sensitive data.

The services provided by SSL protocol mainly include:

1) authenticates users and servers to ensure that data is sent to the correct clients and servers.

Authenticate the legitimacy of users and servers so that they can ensure that data will be sent to the correct clients and servers. Both the client and the server have their own identification numbers, which are numbered by the public key. In order to verify whether the user is legitimate, SSL protocol requires digital authentication when exchanging data by shaking hands to ensure the legitimacy of the user.

2) Encrypt data to prevent data from being stolen.

The encryption technologies used in SSL protocol include symmetric key technology and public key technology. Before data exchange between client and server, SSL initial handshake information is exchanged, and SSL handshake information is encrypted by various encryption technologies to ensure its confidentiality and data integrity, and digital certificates are used for authentication to prevent illegal users from deciphering.

3) Maintain the integrity of the data and ensure that the data will not be changed during transmission.

SSL protocol provides information integrity service by using hash function and secret sharing method, and establishes a secure channel between client and server, so that all services processed by SSL protocol can reach their destinations completely and accurately during transmission.

SSL architecture:

SSL protocol is located between the network layer and the application layer of TCP/IP protocol model. TCP is used to provide reliable end-to-end security services, which means that the communication between client/server applications will not be captured by attacks, and the server always authenticates, and the client can selectively authenticate. The SSL architecture is shown in figure 1.

SSL protocol is located between the network layer and the application layer of TCP/IP protocol model. TCP is used to provide reliable end-to-end security services, which means that the communication between client/server applications will not be captured by attacks, and the server always authenticates, and the client can selectively authenticate.

In SSL communication, asymmetric encryption is first used to exchange information, so that the server can obtain the symmetric encryption key provided by the browser, and then the information is encrypted and decrypted with this key. In order to ensure that the message has not been tampered with during transmission, the hash code can be encrypted to ensure the integrity of the information. SSL communication process, as shown in Figure 2.

Generally speaking, when the customer is the sender of confidential information, the customer does not need a digital certificate to verify the authenticity of his identity, such as the application of electronic banking. The customer needs to send his account number and password to the bank, so the bank's server needs to install a digital certificate to show the validity of his identity. In some applications, the server also needs to verify the identity of the client. At this point, the client also needs to install a digital certificate to ensure that the server can identify the identity of the client during communication. The authentication process is similar to that of the server.

SslsSocket communication is an extension of socket communication. On the basis of Socket communication, a layer of security protection is added, which provides higher security, including identity authentication, data encryption and integrity verification.

Sslssocket two-way authentication implementation technology: JSSE (Java Secure Socket Extension), which implements SSL and TSL (Transport Layer Security) protocols. JSSE includes data encryption, server authentication, message integrity and client authentication. By using JSSE, data can be transmitted safely between client and server through TCP/IP protocol. To achieve message authentication:

Generation method of key and authorization certificate:

Use the keytool command that comes with Java and generate it on the command line.

1. Generate the server-side private key kserver.keystore file.

keytool-genkey-alias server key-validity 1-keystore kserver . keystore

2. According to the private key, export the server-side security certificate.

keytool-export-alias server key-keystore kserver . keystore-file server . CRT

3. Import the server-side certificate into the client's trust keystore.

keytool-import-alias server key-file server . CRT-keystore t client . keystore

4. Generate the client private key kclient.keystore file.

keytool-genkey-alias client key-validity 1-keystore kclient . keystore

5. According to the private key, export the client security certificate.

keytool-export-alias clientkey-keystore kclient . keystore-file client . CRT

6. Import the client certificate into the server-side trust keystore.

keytool-import-alias client key-file client . CRT-keystore tserver . keystore

The generated files are divided into two groups: server-side storage: kserver.keystore server.keystore client-side storage: kclient.keystore client.kye store.

The client uses the private key in kclient.keystore to encrypt data and send it to the server, and the server uses the client.crt certificate in tserver.keystore to decrypt the data. If the decryption is successful, the message is proved to be from a trusted client and processed logically. The server uses the private key in kserver.keystore to encrypt data and send it to the client, and the client uses the server.crt certificate in tclient.keystore to decrypt the data. If the decryption is successful, the message is proved to be from a trusted server and processed logically. If the decryption fails, the source of the message is proved to be wrong. There is no logical processing.

Security of SSL socket two-way authentication;

(1) can ensure that data is transmitted to the correct server and client.

(2) The message can be prevented from being stolen during transmission.

(3) Prevent the message from being modified during transmission.

The following conditions may occur during system operation:

(1) Both the server and the client hold the correct key and security certificate, so the server and the client can communicate normally.

(2) The client's key and security certificate are incorrect, so the server and the client can't communicate normally.

(3) The client has no key and security certificate, so the server and the client can't communicate normally.