收藏几篇关于ssl handshake的好文
http://www.slashroot.in/comment/1242
SSL protocol, does its fantastic job of securing communication over the wire, with the help of multiple layers of protocols, above TCP(And After Application Layer).
Always keep in mind that, although HTTP protocol is the protocol, which highly makes use of SSL, to secure communication. SSL is an application layer independent protocol.So you can use that with any application layer Protocol.
There are different versions and types of encryption and authentication algorithms out there. SSL can make use of, most of them out there. But a major point to note here is that, both the server and client must first agree on the same algorithm, that they are going to use in their communication.
As the client is the first person to begin the communication, the first step that the client does is to tell server, about the cipher suits and MAC(Message Authentication code, this is made in record Layer.Read Record Layer Protocol in SSL) hash algorithm's it supports.
This is done by sending a CLIENT-HELLO message. The client's Hello message consists of the following contents.
SSL version that the client supports
In what order the client prefer the versions
The ciphersuits(Cryptographic Algo's) supported by the client
Compression methods supported if any
Random Number
Keep in mind that, during the SSL initial handshake, nothing is encrypted. So anybody can sniff, and see whats going on. Encryption, starts only after the master secret(which will be used to encrypt and decrypt data as well as MAC calculation) is send by the client
Client Hello message content in SSL/TLS
SSL VERSION NUMBER : the client sends a list of ssl version it supports. And priority is given to the highest version it supports
Random Data Number : Its made up of 32 bytes. 4 byte number made up from client's date & time plus 28 byte randomly generated number(this will be used with server's random value made of date & time for generating the "master secret", from which encryption key will be derived).
SESSION ID: In order to enable client's resuming capabilities this session ID is included.
CIPHER SUITS: RSA algorithm is used for the initial key exchange which will be done using public key cryptography. And SHA is used for MAC and hashing. And also sends the encrption algo's supported by the client like DES for example.
Compression Algorithm: this will include compression algorithms details, if used.
After the client has sent, its client-hello message, its the job of the server to send back a server-hello message. Which will contain the below information.
Server Hello message in SSL/TLS
Version Number: Server selects an ssl version thats supported by both the server and the client, and is the highest version supported by both of them
Random Data: the server also generates a random value using the server's date and time plus a random number of 28bytes. Client will use this random value and its own random value to generate the "master key"
Sesssion ID: There are three possiblities, with regard to the session id. It all depends on the type of client-hello message. If the client requires to resume a previously created session, then both the client and server will use the same session ID. But, if the client is initiating a new session, the server will send a new session ID. Sometimes a null session ID is also used, where server will never support resuming the session, so no session id's are used at all.
Cipher Suits: Similar to the version number selected by the server, the server will select the best cipher suite version supported by both of them.
Certificate:The server also sends a certificate, which is signed and verified by a Certificate Authority, along with the public key(Content encrypted with public key can only be opened with a corresponding private key. In this case, only the server can unlock it because, the server has the private key for its public key).
A certificate signed by a certificate authority(a trusted third party), consists the complete information about the company using that certificate. The certificate identity of many well known certificate authority is made avialable to the web browser. Whenever a certificate is recieved by the client's browser, it is verified with the one it has from the certificate authority. So this proves that, that the server which claims, that it is "example.com" is infact correct.
Server Key Exchange: this step is taken by the server, only when there is no public key shared along with the certificate. If this key is used, this will be used to encrypt the "Client Key Exchange Method"
Client Certificate request: This is seldom used, because this is only used, when the client also needs to get authenticated, by a client certificate.
Server Hello Done: this message from the server will tell the client, that the server has finished sending its hello message, and is waiting for a response from the client.
Response from the client to server's hello message:
Client Certificate: The client sends a client certificate back to the server. This step is only used when a client certificate is requested by the server(through the server hello message).
Client Key Exchange: This message is only sent, after the client calculates, the premaster secret with the help of the random values of both the server and the client(Which was shared by both the server and the client through the hello message).
"Client Key exchange" message, is sent by encrypting it with the server's public key, which was shared through the hello message. This message can only be decrypted with the server's private key. If successful, the server is authenticated.
the client will also send the ssl protocol version once again along with the "client key exchange" method, so that the server can verify, this version with the previous one send, so as to prevent a man in the middle from changing the protocol version.
ssl 握手过程【收藏】的更多相关文章
-
SSL握手过程
原文地址: http://my.oschina.net/u/1188877/blog/164982 一.SSL握手有三个目的:1. 客户端与服务器需要就一组用于保护数据的算法达成一致:2. 它们需要确 ...
-
SSL 握手过程
SSL协议的握手过程 SSL 协议既用到了公钥加密技术又用到了对称加密技术,对称加密技术虽然比公钥加密技术的速度快,可是公钥加密技术提供了更好的身份认证技术.SSL 的握手协议非常有效的让客户和服务器 ...
-
HTTPS和SSL握手过程(转载)
https介绍 HTTPS = HTTP + 一组对称.非对称和基于证书的加密技术 HTTPS是最常见的HTTP安全版本.它得到了很广泛的应用,所有主要的商业浏览器和服务器都提供HTTPS.HTTPS ...
-
SSL交互和握手过程
SSL消息按如下顺序发送: 1.Client Hello 客户发送服务器信息,包括它所支持的密码组.密码组中有密码算法和钥匙大小: 2.Server Hello 服务器选择客户和服务器都支持的密 ...
-
SSL/TLS握手过程
----------------------------------专栏导航----------------------------------HTTPS协议详解(一):HTTPS基础知识 HTTPS ...
-
【计算机网络】SSL交互和握手过程
SSL消息按如下顺序发送: 1.Client Hello 客户发送服务器信息,包括它所支持的密码组.密码组中有密码算法和钥匙大小: 2.Server Hello 服务器选择客户和服务器都支持的密 ...
-
SSL、TLS协议格式、HTTPS通信过程、RDP SSL通信过程
相关学习资料 http://www.360doc.com/content/10/0602/08/1466362_30787868.shtml http://www.gxu.edu.cn/college ...
-
SSL、TLS协议格式、HTTPS通信过程、RDP SSL通信过程(缺heartbeat)
SSL.TLS协议格式.HTTPS通信过程.RDP SSL通信过程 相关学习资料 http://www.360doc.com/content/10/0602/08/1466362_30787868 ...
-
SSL握手通信详解及linux下c/c++ SSL Socket代码举例
SSL握手通信详解及linux下c/c++ SSL Socket代码举例 摘自:http://www.169it.com/article/3215130236.html 分享到:8 发布时 ...
随机推荐
-
内存VSS/RSS/PSS/USS名词解释
VSS(virtual set size)虚拟耗用内存(包含共享库占用的内存) RSS(Resident set size)实际使用物理内存(包含共享库占用的内存) RSS是进程实际驻存在物理内存的部 ...
-
diff/merge configuration in Team Foundation - common Command and Argument values - MSDN Blogs
One of the extensibility points we have in Team Foundation V1 is that you can configure any other di ...
-
Oracle Cursor的使用
When Oracle Database executes a SQL statement, it stores the result set and processing information i ...
-
解决运行nodejs代码Error: listen EADDRINUSE
问题是什么 EADDRINUSE其实拆分来看就是error address use表示错误地址的使用,也代表着端口占用. 如何解决问题 那讲道理来说,接下来你就需要找到你要用的端口被哪一个进程所占用了 ...
-
MySQL学习笔记-事务相关话题
事务机制 事务(Transaction)是数据库区别于文件系统的重要特性之一.事务会把数据库从一种一致状态转换为另一个种一致状态.在数据库提交工作时,可以确保其要么所有修改都已经保存了,要么所有修改都 ...
-
FMX StringGrid向上滑动自动加载记录(一)
有时候,做的app还是需要用StringGrid来显示数据,但如果用StringGrid的Livebinding绑定到一个数据集TDataset,当记录超过1000条时,效率非常低,甚至达不到实用状态 ...
-
elementUI的导航栏怎么根据路由默认选中相关项
1. <el-menu :default-active="this.$route.path.substr(1)" class="left-nav"> ...
-
让IE浏览器支持HTML5
<!DOCTYPE html> <html lang="zh"> <head> <meta charset="UTF-8&quo ...
-
巧用 git rebase 合并多个 commit。
一.为什么需要合并多个 commit 呢? 有时候,我们开发一个功能. 修修补补 commit 了很多次,过多的 commit 会显得很复杂. 不够直观,不能比较清晰查看那些 commit 是对应 ...
-
[ZJb417]区间众数
题目大意: 给定一个长度为$n(1\leq n\leq10^5)$的正整数序列$s(1\leq s_i\leq n)$,对于$m(1\leq m\leq10^)$次询问$l,r$,每次求区间$[s_l ...