
SSL/TLS in depth

2024-07-29 16:31:29

SSL, HTTPS (HTTP over SSL), X.509, SSL certificates, certificate application/import/issuance, and similar terms: anyone with some work experience has surely heard of them, or at least heard the experts around them mention them. Commonplace as they are, I would estimate that roughly one in ten people can systematically explain how they relate to each other, going from the whole picture down to the parts. Anyway, nobody explained it to me, so I had to sort it out myself. (Note that this article does not cover the principles of cryptography or the details of the SSL protocol, but a foundation in cryptography will make it a more enjoyable read.)

What prompted this: my company has recently been doing security hardening, and I remembered that, for historical reasons, we have been using an FTP service for a long time. FTP is well known to be plaintext: usernames and passwords travel bare on the wire and can be sniffed in a matter of minutes. So I thought about adding encryption, searched, and found FTPS (FTP over SSL), which naturally brings to mind the more commonly used HTTPS (HTTP over SSL). Searching further turns up all kinds of XXX-over-SSL, such as SMTPS, POP3S, LDAPS, and so on. So the question arises: what exactly is SSL, and why can all kinds of protocols run "over" it?

  • Origin of SSL

Let's start from the protocol we know best, HTTP. The HTTP protocol (headers, body, POST, GET and so on) was released around 1991, and it was originally designed to transmit web page content for display. The protocol is plaintext: the pages you read and the content you submit are sent in the clear, and every network node they pass through knows exactly what is being transmitted. I guess early web pages were neither dynamic nor private, and had no personal photo albums :-), so for simplicity the HTTP protocol itself did not consider encryption mechanisms.

Later the WWW took off and the network era officially arrived. Pages became more and more powerful: they supported dynamic content, could serve different content to different users, and could already send private messages, photos and so on. At this point the demand for encryption arose naturally. So in 1994 a browser company called Netscape began thinking about how to encrypt web content transmitted over HTTP, and in doing so came up with the SSL protocol. It was later refined, turned into a standard and renamed, and is now called TLS, which is still widely used today.

Netscape is long gone, but it made a significant contribution to the development and security of the Internet.

  • SSL protocol development

The SSL protocol was developed to solve the security problem of HTTP transmission and is still widely used, which shows that the protocol Netscape designed was fairly sound. As the saying goes, all writing borrows from what came before: SSL likewise built on the foundations laid by its predecessors and integrated them.

Around 1976, Dazhuang, far across the ocean, put forward the concepts of asymmetric encryption and digital certificates. In 1977, Xiaoming, also on the far side of the ocean, invented a practical asymmetric encryption algorithm, RSA, marking the birth of public-key encryption (the public key, private key, asymmetric encryption and so on that people often talk about).

With the geniuses Dazhuang and Xiaoming, the theory of digital certificates and asymmetric encryption was complete and only waiting to be applied. So in some special internal networks with high security requirements (military, financial, enterprise), some systems began to implement authentication and communication encryption based on digital certificates and asymmetric encryption algorithms, following the ideas provided by Dazhuang and Xiaoming.

Everything is invented first, then applied, and only then standardized (think of the battery: first invented, then used, and only later were the specifications for No. 5 and No. 7 batteries laid down). Encryption mechanisms based on digital certificates and the RSA algorithm lacked a standard, which led to incompatible implementations across systems, certificates that were not mutually recognized, and other problems.

Thus a standard called X.509 was born in 1988. It defined the fields a digital certificate should contain, such as the name of the holder, the public key, the expiration date, the serial number, and the signature of the certificate authority (CA). The creation of this standard also drove the standardization and popularization of CAs.

The X.509 standard only defines the content of the certificate's fields, while other file format standards define how the certificate file is stored, such as .pem, .der, .p12, .p7b and so on. These are the forms in which we see certificates and private keys on a system.

Based on all of the above, Netscape defined a network protocol for client-server communication on the Internet: for example, send ABC to request a certificate, send DEF to negotiate a cipher suite supported by both parties, send XYZ to indicate XXX. That network protocol is named SSL/TLS.

  • XXX over SSL

Why can all these protocols run over SSL (Secure Sockets Layer)? As the word "Layer" suggests, the role of the SSL protocol is mainly encryption and decryption, and it is independent of the specific data being transmitted. The application hands its data to the SSL layer and does not need to care much about the details: the layer encrypts the data, sends it to the destination, decrypts it, and hands it to the application on the other side. That is why any application-layer protocol, such as HTTP or FTP, can run over SSL.

The communication process is roughly this: an SSL channel is established first, during which certificates are verified and symmetric keys are exchanged. This process of establishing the SSL channel is conceptually known as the SSL handshake. After the handshake completes, all subsequent communication is encrypted. Whatever your application layer needs to send (GET, POST, headers, body and so on) is still sent according to your application-layer protocol, as before. So if your application layer is HTTP, it is HTTP over SSL, and if it is FTP, it is FTP over SSL.

For example: if you write your own chat client and server, can you run your custom chat protocol, LAOWANG, over SSL?

  • Practice

How to apply XXX over SSL in practice.

1. Apply to a CA for a server-side SSL certificate (an X.509 certificate). From the above we know that an X.509 certificate applies to all kinds of HTTPS, FTPS, POP3S and LAOWANGS, as well as to other areas that rely on X.509 certificates, such as electronic signatures. Note that what we sometimes call HTTPS certificates, SSL certificates or FTPS certificates are all essentially X.509 certificates; "SSL certificate" is just the customary name, so do not confuse them.

2. On the server side, install the issued certificate and the corresponding private key, and enable SSL support in the configuration. This is the basis of SSL protocol communication. Although the certificates are all X.509 certificates, the specific certificate files may require format conversion. nginx tends to use the PEM file format (.pem) for certificates and private keys.

3. Apply for a client certificate (optional). I also only learned about this not long ago: it turns out that the SSL protocol supports two-way authentication. Web browsing uses one-way authentication, but some applications with higher security requirements may require two-way authentication, where the server verifies that the client's certificate is valid and decides, based on certificate information such as the holder, whether to allow the connection.

4. On the client side, communicate using a client that supports SSL.
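
The certificate side of steps 1 and 2, as an added example that is not part of the original article: a throwaway test CA stands in for the real CA, and the checks are the ones worth running before enabling SSL on a server (key matches certificate, certificate chains to the CA, PEM and DER files hold the same certificate). The names `Example Test CA`, `Unrelated Test CA`, `ftp.example.test` and all file names are assumptions.

```shell
#!/usr/bin/env bash
# Added example: throwaway keys and constructed names, all in a temp directory.
set -eu
work=$(mktemp -d) && cd "$work"

# Self-signed test CA; stands in for the real CA you would apply to in step 1.
# -nodes leaves the key unencrypted, acceptable only for throwaway test keys.
make_ca() {  # $1 = file prefix, $2 = CA common name
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=$2" -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

# Step 1: the server creates a key and CSR; the CA signs the CSR into a cert.
issue_server_cert() {  # $1 = CA prefix, $2 = server prefix, $3 = host name
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$2.key" -out "$2.csr" 2>/dev/null
  openssl x509 -req -in "$2.csr" -CA "$1.pem" -CAkey "$1.key" \
    -CAcreateserial -days 30 -out "$2.pem" 2>/dev/null
}

# Step 2: does this private key belong to this certificate?
key_matches_cert() {  # $1 = certificate (PEM), $2 = private key (PEM)
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = \
    "$(openssl pkey -in "$2" -pubout)" ]
}

# What a verifying peer does: does the certificate chain to a CA it trusts?
chains_to() {  # $1 = trusted CA certificate, $2 = certificate to check
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# SHA-256 fingerprint of a certificate file; $2 is its encoding (PEM or DER).
fingerprint() {
  openssl x509 -in "$1" -inform "$2" -noout -fingerprint -sha256
}

make_ca ca "Example Test CA"
make_ca other "Unrelated Test CA"
issue_server_cert ca server ftp.example.test
# Same X.509 certificate, different file format: PEM (text) to DER (binary).
openssl x509 -in server.pem -outform DER -out server.der

key_matches_cert server.pem server.key && echo "key matches certificate"
chains_to ca.pem server.pem && echo "server cert chains to our test CA"
chains_to other.pem server.pem || echo "unrelated CA does not vouch for it"
[ "$(fingerprint server.pem PEM)" = "$(fingerprint server.der DER)" ] &&
  echo "PEM and DER files hold the same certificate"
```

A mismatch reported by `key_matches_cert` is the usual cause of a server refusing to start after a certificate renewal, so it is worth checking before reloading the service.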

 

OK, that's all for this article. Goodbye.
*For cryptography fundamentals, there is a brief introduction in my other cybersecurity-related articles; feel free to refer to them.