Transport Layer Security
From Wikipedia, the free encyclopedia
| The five-layer TCP/IP model |
| 5. Application layer |
|
DHCP · DNS · FTP · Gopher · HTTP · IMAP4 · IRC · NNTP · XMPP · POP3 · SIP · SMTP · SNMP · SSH · TELNET · RPC · RTCP · RTSP · TLS · SDP · SOAP · GTP · STUN · NTP · (more) |
| 4. Transport layer |
| TCP · UDP · DCCP · SCTP · RTP · RSVP · IGMP · (more) |
| 3. Network/Internet layer |
| IP (IPv4 · IPv6) · OSPF · IS-IS · BGP · IPsec · ARP · RARP · RIP · ICMP · ICMPv6 · (more) |
| 2. Data link layer |
| 802.11 · 802.16 · Wi-Fi · WiMAX · ATM · DTM · Token ring · Ethernet · FDDI · Frame Relay · GPRS · EVDO · HSPA · HDLC · PPP · PPTP · L2TP · ISDN · (more) |
| 1. Physical layer |
| Ethernet physical layer · Modems · PLC · SONET/SDH · G.709 · Optical fiber · Coaxial cable · Twisted pair · (more) |
Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), are cryptographic protocols that provide secure communications on the Internet for such things as web browsing, e-mail, Internet faxing, instant messaging and other data transfers. There are slight differences between SSL and TLS, but the protocol remains substantially the same.
Contents |
[edit] Description
The TLS protocol allows applications to communicate across a network in a way designed to prevent eavesdropping, tampering, and message forgery. TLS provides endpoint authentication and communications privacy over the Internet using cryptography. Typically, only the server is authenticated (i.e., its identity is ensured) while the client remains unauthenticated; this means that the end user (whether an individual or an application, such as a Web browser) can be sure with whom they are communicating. The next level of security—in which both ends of the "conversation" are sure with whom they are communicating—is known as mutual authentication. Mutual authentication requires public key infrastructure (PKI) deployment to clients unless TLS-PSK or TLS-SRP are used, which provide strong mutual authentication without needing to deploy a PKI.
TLS involves three basic phases:
- Peer negotiation for algorithm support
- Key exchange and authentication
- Symmetric cipher encryption and message authentication
During the first phase, the client and server negotiate cipher suites, which determine the ciphers to be used, the key exchange and authentication algorithms, as well as the message authentication codes (MACs). The key exchange and authentication algorithms are typically public key algorithms, or as in TLS-PSK preshared keys could be used. The message authentication codes are made up from cryptographic hash functions using the HMAC construction.
Typical algorithms could be:
- For key exchange: RSA, Diffie-Hellman, DSA, SRP, PSK
- Symmetric ciphers: RC4, Triple DES, AES or Camellia. In older versions of SSL the ciphers RC2, IDEA and DES were also used.
- For cryptographic hash function: HMAC-MD5 or HMAC-SHA are used, while older versions of SSL also used MD2 and MD4.
[edit] How it works
A TLS client and server negotiate a stateful connection by using a handshaking procedure. During this handshake, the client and server agree on various parameters used to establish the connection's security.
- The handshake begins when a client connects to a TLS-enabled server requesting a secure connection, and presents a list of supported ciphers and hash functions.
- From this list, the server picks the strongest cipher and hash function that it also supports and notifies the client of the decision.
- The server sends back its identification in the form of a digital certificate. The certificate usually contains the server name, the trusted certificate authority (CA), and the server's public encryption key.
The client may contact the server that issued the certificate (the trusted CA as above) and confirm that the certificate is authentic before proceeding.
- In order to generate the session keys used for the secure connection, the client encrypts a random number with the server's public key, and sends the result to the server. Only the server can decrypt it (with its private key): this is the one fact that makes the keys hidden from third parties, since only the server and the client have access to this data.
- Both parties generate key material for encryption and decryption.
This concludes the handshake and begins the secured connection, which is encrypted and decrypted with the key material until the connection closes.
If any one of the above steps fails, the TLS handshake fails, and the connection is not created.
[edit] TLS Handshake in Detail
The TLS protocol exchanges records that encapsulate the data to be exchanged. Each record can be compressed, padded, appended with a message authentication code (MAC), or encrypted, all depending on the state of the connection. Each record has a content type field that specifies the record, a length field, and a TLS version field.
When the connection starts, the record encapsulates another protocol, the handshake protocol, which has content type 22.
A simple connection example follows:
- A Client sends a ClientHello message specifying the highest TLS protocol version it supports, a random number, a list of suggested cipher suites and compression methods.
- The Server responds with a ServerHello, containing the chosen protocol version, a random number, cipher suite, and compression method from the choices offered by the client.
- The Server sends its Certificate (depending on the selected cipher suite, this may be omitted by the Server).
- The server may request a certificate from the client, so that the connection can be mutually authenticated, using a CertificateRequest.
- The Server sends a ServerHelloDone message, indicating it is done with handshake negotiation.
- The Client responds with a ClientKeyExchange message, which may contain a PreMasterSecret, public key, or nothing. (Again, this depends on the selected cipher.)
- The Client and Server then use the random numbers and PreMasterSecret to compute a common secret, called the "master secret". All other key data is derived from this master secret (and the client- and server-generated random values), which is passed through a carefully designed "pseudorandom function".
- The Client now sends a ChangeCipherSpec message, essentially telling the Server, "Everything I tell you from now on will be encrypted." Note that the ChangeCipherSpec is itself a record-level protocol, and has type 20, and not 22.
- Finally, the Client sends an encrypted Finished message, containing a hash and MAC over the previous handshake messages.
- The Server will attempt to decrypt the Client's Finished message, and verify the hash and MAC. If the decryption or verification fails, the handshake is considered to have failed and the connection should be torn down.
- Finally, the Server sends a ChangeCipherSpec and its encrypted Finished message, and the Client performs the same decryption and verification.
- At this point, the "handshake" is complete and the Application protocol is enabled, with content type of 23. Application messages exchanged between Client and Server will be encrypted.
[edit] TLS Record Protocol
| + | Bits 0–7 | 8-15 | 16-23 | 24–31 |
|---|---|---|---|---|
| 0 | Content Type | Version (MSB) | Version (LSB) | Length (MSB) |
| 32 | Length (LSB) | Protocol Message(s) | ||
| ... | Protocol Message (cont.) | |||
| ... | MAC (optional) | |||
| ... | Padding (optional) | |||
- Content Type
- This field identifies the Record Layer Protocol Type contained in this Record.
| Content Types | |
|---|---|
| 20 | ChangeCipherSpec |
| 21 | Alert |
| 22 | Handshake |
| 23 | Application |
- Version
- This field identifies the major and minor version of TLS for the contained message. For a ClientHello message, this need not be the highest version supported by the client.
| Versions | ||
|---|---|---|
| Major Version | Minor Version | Version Type |
| 3 | 0 | SSLv3 |
| 3 | 1 | TLS 1.0 |
| 3 | 2 | TLS 1.1 |
| 3 | 3 | TLS 1.2 |
- Length
- The length of Protocol message(s), not to exceed 214 bytes.
- Protocol message(s)
- One or more messages identified by the Protocol field. Note that this field may be encrypted depending on the state of the connection.
- MAC
- A message authentication code computed over the Protocol message, with additional key material included. Note that this field may be encrypted, or not included entirely, depending on the state of the connection.
[edit] ChangeCipherSpec Protocol
| + | Bits 0–7 | 8-15 | 16-23 | 24–31 | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 0 | 20 | Version (MSB) | Version (LSB) | 0 | ||||||||||||||||||||||||||||
| 32 | 1 | 1 (CCS protocol type) | ||||||||||||||||||||||||||||||
[edit] Alert Protocol
| + | Bits 0–7 | 8-15 | 16-23 | 24–31 |
|---|---|---|---|---|
| 0 | 21 | Version (MSB) | Version (LSB) | 0 |
| 32 | 2 | Level | Description |
- Level
- This field identifies the level of alert.
| Level Types | |
|---|---|
| Code | Description |
| 1 | Warning - connection or security may be unstable |
| 2 | Fatal - connection or security may be compromised, or an unrecoverable error has occurred |
- Description
- This field identifies which type of alert is being sent.
| Description Types | |
|---|---|
| Code | Description |
| 0 | Close notify (warning or fatal) |
| 10 | Unexpected message (fatal) |
| 20 | Bad record MAC (fatal) |
| 21 | Decryption failed (fatal, TLS only) |
| 22 | Record overflow (fatal, TLS only) |
| 30 | Decompression failure (fatal) |
| 40 | Handshake failure (fatal) |
| 41 | No certificate (SSL v3 only) (warning or fatal) |
| 42 | Bad certificate (warning or fatal) |
| 43 | Unsupported certificate (warning or fatal) |
| 44 | Certificate revoked (warning or fatal) |
| 45 | Certificate expired (warning or fatal) |
| 46 | Certificate unknown (warning or fatal) |
| 47 | Illegal parameter (fatal) |
| 48 | Unknown CA (fatal, TLS only) |
| 49 | Access denied (fatal, TLS only) |
| 50 | Decode error (fatal, TLS only) |
| 51 | Decrypt error (TLS only) (warning or fatal) |
| 60 | Export restriction (fatal, TLS only) |
| 70 | Protocol version (fatal, TLS only) |
| 71 | Insufficient security (fatal, TLS only) |
| 80 | Internal error (fatal, TLS only) |
| 90 | User cancelled (fatal, TLS only) |
| 100 | No renegotiation (warning, TLS only) |
[edit] Handshake Protocol
| + | Bits 0–7 | 8-15 | 16-23 | 24–31 | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 0 | 22 | Version (MSB) | Version (LSB) | Length (MSB) | ||||||||||||||||||||||||||||
| 32 | Length (LSB) | Message type | Message length | |||||||||||||||||||||||||||||
| 64 | Message length (cont.) | Handshake message | ||||||||||||||||||||||||||||||
| ... | Handshake message | Message type | Message length | |||||||||||||||||||||||||||||
| ... | Message length | Handshake message | ||||||||||||||||||||||||||||||
- Message type
- This field identifies the Handshake message type.
Handshake Types are: 0 HelloRequest 1 ClientHello 2 ServerHello 11 Certificate 12 ServerKeyExchange 13 CertificateRequest 14 ServerHelloDone 15 CertificateVerify 16 ClientKeyExchange 20 Finished
- Message length
- This is a 3-byte field indicating the length of the handshake data, not including the header.
Note that multiple Handshake messages may be combined within one record.
[edit] Application Protocol
| + | Bits 0–7 | 8-15 | 16-23 | 24–31 | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 0 | 23 | Version (MSB) | Version (LSB) | Length (MSB) | ||||||||||||||||||||||||||||
| 32 | Length (LSB) | Application data | ||||||||||||||||||||||||||||||
| 64 | Application data (cont.) | |||||||||||||||||||||||||||||||
| ... | MAC (20B for SHA-1, 16B for MD5) | |||||||||||||||||||||||||||||||
| ... | Variable length padding (block ciphers only) | Padding length, (block ciphers only)(1B) | ||||||||||||||||||||||||||||||
[edit] Security
TLS/SSL have a variety of security measures:
- The client may use the certificate authority's (CA's) public key to validate the CA's digital signature on the server certificate. If the digital signature can be verified, the client accepts the server certificate as a valid certificate issued by a trusted CA.
- The client verifies that the issuing CA is on its list of trusted CAs.
- The client checks the server's certificate validity period. The authentication process stops if the current date and time fall outside of the validity period.
- To protect against Man-in-the-middle attacks, the client compares the actual DNS name of the server to the DNS name on the certificate. Browser-dependent, not defined by TLS.
- Protection against a downgrade of the protocol to a previous (less secure) version or a weaker cipher suite.
- Numbering all the Application records with a sequence number, and using this sequence number in the message authentication codes (MACs).
- Using a message digest enhanced with a key (so only a key-holder can check the MAC). This is specified in RFC 2104. TLS only.
- The message that ends the handshake ("Finished") sends a hash of all the exchanged handshake messages seen by both parties.
- The pseudorandom function splits the input data in half and processes each one with a different hashing algorithm (MD5 and SHA-1), then XORs them together. This provides protection if one of these algorithms is found to be vulnerable. TLS only.
- SSL v3 improved upon SSL v2 by adding SHA-1 based ciphers, and support for certificate authentication. Additional improvements in SSL v3 include better handshake protocol flow and increased resistance to man-in-the-middle attacks.
SSL v2 is flawed in a variety of ways:
- Identical cryptographic keys are used for message authentication and encryption.
- MACs are unnecessarily weakened in the "export mode" required by U.S. export restrictions (symmetric key length was limited to 40 bits in Netscape and Internet Explorer).
- SSL v2 has a weak MAC construction and relies solely on the MD5 hash function.
- SSL v2 does not have any protection for the handshake, meaning a Man-in-the-middle downgrade attack can go undetected.
- SSL v2 uses the TCP connection close to indicate the end of data. Meaning that truncation attacks are possible; the attacker simply forges a TCP FIN, leaving the recipient unaware of an illegitimate end of data message (SSLv3 fixes this problem by having an explicit closure alert).
SSL v2 is disabled by default in Internet Explorer 7,[1] Mozilla Firefox 2,[2] Opera 9[3] and Safari. Support for SSL v2 (and weak 40-bit and 56-bit ciphers) will be removed completely from the upcoming Opera 9.5 (code-named Kestrel).[4]
[edit] Applications
TLS runs on layers beneath application protocols such as HTTP, FTP, SMTP, NNTP, and XMPP and above a reliable transport protocol, TCP for example. While it can add security to any protocol that uses reliable connections (such as TCP), it is most commonly used with HTTP to form HTTPS. HTTPS is used to secure World Wide Web pages for applications such as electronic commerce and asset management. SMTP is also an area in which TLS has been growing and is specified in RFC 3207. These applications use public key certificates to verify the identity of endpoints.
An increasing number of client and server products support TLS natively, but many still lack support. As an alternative, users may wish to use standalone TLS products like Stunnel. Wrappers such as Stunnel rely on being able to obtain a TLS connection immediately, by simply connecting to a separate port reserved for the purpose. For example, by default the TCP port for HTTPS is 443, to distinguish it from HTTP on port 80.
TLS can also be used to tunnel an entire network stack to create a VPN, as is the case with OpenVPN. Many vendors now marry TLS's encryption and authentication capabilities with authorization. There has also been substantial development since the late 1990s in creating client technology outside of the browser to enable support for client/server applications. When compared against traditional IPsec VPN technologies, TLS has some inherent advantages in firewall and NAT traversal that make it easier to administer for large remote-access populations.
TLS is also increasingly being used as the standard method for protecting SIP application signaling. TLS can be used to provide authentication and encryption of the SIP signalling associated with VoIP and other SIP-based applications.
[edit] History and development
The SSL protocol was originally developed by Netscape. Version 1.0 was never publicly released; version 2.0 was released in 1994 but "contained a number of security flaws which ultimately led to the design of SSL version 3.0", which was released in 1996 (Rescorla 2001). This later served as the basis for TLS version 1.0, an Internet Engineering Task Force (IETF) standard protocol first defined in RFC 2246 in January 1999. Visa, MasterCard, American Express and many leading financial institutions have endorsed SSL for commerce over the Internet.
SSL operates in modular fashion. It is extensible by design, with support for forward and backward compatibility and negotiation between peers.
[edit] Early short keys
Some early implementations of SSL used 40-bit symmetric keys because of US government restrictions on the export of cryptographic technology. The US government explicitly imposed a 40-bit keyspace, which was small enough to be broken by brute-force search by law enforcement agencies wishing to read the encrypted traffic, while still presenting obstacles to less-well-funded attackers. A similar limitation applied to Lotus Notes in export versions. After several years of public controversy, a series of lawsuits, and eventual US government recognition of cryptographic products with longer key sizes produced outside the US, the authorities relaxed some aspects of the export restrictions. The 40-bit key size limitation has mostly gone away, and modern implementations use 128-bit (or longer) keys for symmetric key ciphers.
[edit] Standards
The first definition of TLS appeared in:
- RFC 2246: “The TLS Protocol Version 1.0”.
The current approved version is 1.1, which is specified in
- RFC 4346: “The Transport Layer Security (TLS) Protocol Version 1.1”.
The next version is proposed:
- RFC Draft 4346 - The TLS Protocol, Version 1.2 (published October 2007, expires April 2008)
Other RFCs subsequently extended TLS, including:
- RFC 2595: “Using TLS with IMAP, POP3 and ACAP”. Specifies an extension to the IMAP, POP3 and ACAP services that allow the server and client to use transport-layer security to provide private, authenticated communication over the Internet.
- RFC 2712: “Addition of Kerberos Cipher Suites to Transport Layer Security (TLS)”. The 40-bit ciphersuites defined in this memo appear only for the purpose of documenting the fact that those ciphersuite codes have already been assigned.
- RFC 2817: “Upgrading to TLS Within HTTP/1.1”, explains how to use the Upgrade mechanism in HTTP/1.1 to initiate Transport Layer Security (TLS) over an existing TCP connection. This allows unsecured and secured HTTP traffic to share the same well known port (in this case, http: at 80 rather than https: at 443).
- RFC 2818: “HTTP Over TLS”, distinguishes secured traffic from insecure traffic by the use of a different 'server port'.
- RFC 3207: “SMTP Service Extension for Secure SMTP over Transport Layer Security”. Specifies an extension to the SMTP service that allows an SMTP server and client to use transport-layer security to provide private, authenticated communication over the Internet.
- RFC 3268: “AES Ciphersuites for TLS”. Adds Advanced Encryption Standard (AES) ciphersuites to the previously existing symmetric ciphers.
- RFC 3546: “Transport Layer Security (TLS) Extensions”, adds a mechanism for negotiating protocol extensions during session initialisation and defines some extensions. Made obsolete by RFC 4366.
- RFC 3749: “Transport Layer Security Protocol Compression Methods”, specifies the framework for compression methods and the DEFLATE compression method.
- RFC 3943: “Transport Layer Security (TLS) Protocol Compression Using Lempel-Ziv-Stac (LZS)”.
- RFC 4132: “Addition of Camellia Cipher Suites to Transport Layer Security (TLS)”.
- RFC 4162: “Addition of SEED Cipher Suites to Transport Layer Security (TLS)”.
- RFC 4279: “Pre-Shared Key Ciphersuites for Transport Layer Security (TLS)”, adds three sets of new ciphersuites for the TLS protocol to support authentication based on pre-shared keys.
- RFC 4347: “Datagram Transport Layer Security” specifies a TLS variant that works over datagram protocols (such as UDP).
- RFC 4366: “Transport Layer Security (TLS) Extensions” describes both a set of specific extensions, and a generic extension mechanism.
- RFC 4492: “Elliptic Curve Cryptography (ECC) Cipher Suites for Transport Layer Security (TLS)”.
- RFC 4507: “Transport Layer Security (TLS) Session Resumption without Server-Side State”.
- RFC 4680: “TLS Handshake Message for Supplemental Data”.
- RFC 4681: “TLS User Mapping Extension”.
- RFC 4785: “Pre-Shared Key (PSK) Ciphersuites with NULL Encryption for Transport Layer Security (TLS)”.
[edit] Implementation
Programmers may use the OpenSSL, NSS, or GnuTLS libraries for SSL/TLS functionality. Microsoft Windows includes an implementation of SSL and TLS as part of its Secure Channel package. Delphi programmers may use a library called Indy.
[edit] TLS 1.1
As noted above, TLS 1.1 is the current approved version of the TLS protocol. TLS 1.1 clarifies some ambiguities and adds a number of recommendations, but remains very similar to TLS 1.0. A full list of differences is provided in RFC 4346 (Section 1.1).
[edit] Certificate providers
A 2005 Netcraft survey determined that VeriSign and its acquisitions such as Thawte have a 53% share of the certificate authority market, followed by GeoTrust (25%), Comodo (12%), GoDaddy (4%) and Entrust (2%).[5] (GeoTrust has since been acquired by VeriSign.)
A more recent market share report from Security Space as of April 2007 determined that VeriSign and its acquisitions (including GeoTrust) have a 59.6% share of the certificate authority market, followed by Comodo (8.3%), GoDaddy (5.3%), DigiCert (2.1%), Entrust (1.3%) and Network Solutions (1.1%).
CAcert.org is a community-driven certificate authority that issues free public key certificates.
[edit] See also
- Extended Validation Certificate
- SSL acceleration
- Certificate authority
- Datagram Transport Layer Security
- Multiplexed Transport Layer Security
- X.509
- Virtual private network
- SEED
- Server gated cryptography
[edit] Software
- OpenSSL: a free (and very popular) implementation (Apache-like license)
- GnuTLS: a free implementation
- SharkSSL 45Kbyte commercial SSL library
- JSSE: a Java implementation included in the Java Runtime Environment
- Network Security Services (NSS): FIPS 140 validated open source library
- Crypt::OpenSSL: Perl wrapper modules for OpenSSL
- System.Net.Security: a Microsoft implementation for the .NET Common Language Runtime
- Mono.Security a free software implementation for the Common Language Runtime
[edit] References
- ^ Lawrence, Eric (2005-10-22). IEBlog : Upcoming HTTPS Improvements in Internet Explorer 7 Beta 2. MSDN Blogs. Retrieved on 2007-11-25.
- ^ Bugzilla@Mozilla - Bug 236933 - Disable SSL2 and other weak ciphers. Mozilla Corporation. Retrieved on 2007-11-25.
- ^ Pettersen, Yngve (2006-05-16). Opera Labs - What's new in the SSL/TLS engine of Opera 9?. Opera Software. Retrieved on 2007-11-25.
- ^ Pettersen, Yngve (2007-04-30). 10 years of SSL in Opera - Implementer's notes. Opera Software. Retrieved on 2007-11-25.
- ^ The Netcraft Secure Server Survey
- Wagner, David; Schneier, Bruce (November 1996). "Analysis of the SSL 3.0 Protocol". The Second USENIX Workshop on Electronic Commerce Proceedings, USENIX Press.
- Eric Rescorla,. SSL and TLS: Designing and Building Secure Systems. United States: Addison-Wesley Pub Co. ISBN 0-201-61598-3.
Replies, comments and Discussions:
- 工作学习 / 学科技术讨论 / 网上购物时,一般用的是公钥证书机制保证安全吧?一直有个疑惑,他们会发来一个证书,里面有公钥(对方公钥?),那么私钥在哪儿呢?从加密的理论来说,这个私钥应存在我自己的电脑里,不应再网上传输,这个私钥是什么时候产生的呢? -(moving); 2007-11-27 (#4084825@0)
- 私钥在人家服务器那儿呢。你用它的公钥加了密,服务器只能用私钥才能解密。没有私钥,谁也破解不了你发出去的数据包信息,那么就安全了。 -(猫眼); 2007-11-27 (#4084847@0)
- 私钥和公钥都是CA认证服务器产生的。公钥加密的数据只能由私钥解密,私钥加密的数据只能由公钥解密。在北美,CA大部分都是由专业CA服务商运营的,在中国大陆,好多都是自己运营。不过类似银行业,也有一个专门的金融认证中心去做这份工作。普通用户不用关心的啦。 -(猫眼); 2007-11-27 (#4084856@0)
- RSA。我的毕业论文,没空和你长篇大论。 -(denegation); 2007-11-27 (#4084902@0)
- 握手,我的毕业论文是enhanced rsa,不过我都忘差不多了. -(scarb); 2007-11-27 (#4085067@0)
- 握手,我的毕业论文是super enhanced rsa,不过我都忘差不多了 -(Dicom); 2007-11-28 (#4086787@0)
- 握手,我的毕业论文是super extreme rsa,不过我都忘差不多了 -(Driver Coding); 2007-11-29 (#4088417@0)
- 握手一下,我的课外活动是研究 integration of RSA, AES and SHA-1024,可是我发现既然要 one-way hash,就没有必要 public key,结果 iteration 也没什么意义了 :D -(sowen); 2007-11-29 (#4088448@0)
- 非对称加密 -(bot); 2007-11-27 (#4085309@0)
- 俺懂RSA,俺知道这边公钥加了密的东西到服务器端用它的私钥解秘。俺的问题是:这种加密通信不是双向的吗?如果是,服务器发给我的东西我用什么解密呢? -(moving); 2007-11-27 (#4085595@0)
- u r so funny, 风马牛不相及。 -(蔓毒黛扬); 2007-11-27 (#4085625@0)
- 顺便提下,通信过程中的数据传输加密和对方的ca 证书没什么关系。 -(蔓毒黛扬); 2007-11-27 (#4085629@0)
- Why? Isn't the session key encrypted using server's public key? -(avaya); 2007-11-28 (#4085982@0)
- 我指的是数据的加密,你说的是session key本身,如果传输的数据也要用public key来加密的话,吃不消的。 -(蔓毒黛扬); 2007-11-28 (#4086340@0)
- Fair enough :) -(avaya); 2007-11-28 (#4086523@0)
- 连这个也搞不明白还咬定懂RSA? -(猫眼); 2007-11-27 (#4085669@0)
-
我也是一知半解,我的理解是真正加密并不用rsa密钥. client 可以随机生成一个对称密钥,用rsa公钥加密送给server,然后它们全用对称密钥加密。
-(again);
2007-11-28
{257}
(#4085999@0)
非对称密钥速度很慢的。当然实际ssl实现比这复杂得多。我现在正头大找不到一个支持 ssl 的.Net 1.1 class. 现成的HttpWebRequest 是 https (http over ssl), 但是我只要ssl,不要 http. 同样功能用php 一个 socketopen ("ssl://") 就解决了,用.Net 就是找不到一个封装好的类。
- Your browser is trusting some public CAs by default, which means you have their public keys already when your OS was set up. -(FansOfStripedbass); 2007-11-28 (#4086664@0)
- Those CA are root CA, they are mostly used to validate certificates of second level CA. -(avaya); 2007-11-28 (#4087140@0)
- when you trust a root CA, you then trust all certificates it issues. -(FansOfStripedbass); 2007-11-28 (#4087815@0)
- I think maximum is 8 levels. -(Driver Coding); 2007-11-29 (#4088423@0)
- session key (nomally RC4) -(只吃草的牛); 2007-11-29 (#4088482@0)
-
SSL->
-(avaya);
2007-11-27
{86797}
(#4085958@0)
Transport Layer Security
From Wikipedia, the free encyclopedia
The five-layer TCP/IP model 5. Application layer DHCP · DNS · FTP · Gopher · HTTP · IMAP4 · IRC · NNTP · XMPP · POP3 · SIP · SMTP · SNMP · SSH · TELNET · RPC · RTCP · RTSP · TLS · SDP · SOAP · GTP · STUN · NTP · (more)
4. Transport layer TCP · UDP · DCCP · SCTP · RTP · RSVP · IGMP · (more) 3. Network/Internet layer IP (IPv4 · IPv6) · OSPF · IS-IS · BGP · IPsec · ARP · RARP · RIP · ICMP · ICMPv6 · (more) 2. Data link layer 802.11 · 802.16 · Wi-Fi · WiMAX · ATM · DTM · Token ring · Ethernet · FDDI · Frame Relay · GPRS · EVDO · HSPA · HDLC · PPP · PPTP · L2TP · ISDN · (more) 1. Physical layer Ethernet physical layer · Modems · PLC · SONET/SDH · G.709 · Optical fiber · Coaxial cable · Twisted pair · (more) Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), are cryptographic protocols that provide secure communications on the Internet for such things as web browsing, e-mail, Internet faxing, instant messaging and other data transfers. There are slight differences between SSL and TLS, but the protocol remains substantially the same.
Contents
[edit] Description
The TLS protocol allows applications to communicate across a network in a way designed to prevent eavesdropping, tampering, and message forgery. TLS provides endpoint authentication and communications privacy over the Internet using cryptography. Typically, only the server is authenticated (i.e., its identity is ensured) while the client remains unauthenticated; this means that the end user (whether an individual or an application, such as a Web browser) can be sure with whom they are communicating. The next level of security—in which both ends of the "conversation" are sure with whom they are communicating—is known as mutual authentication. Mutual authentication requires public key infrastructure (PKI) deployment to clients unless TLS-PSK or TLS-SRP are used, which provide strong mutual authentication without needing to deploy a PKI.
TLS involves three basic phases:
- Peer negotiation for algorithm support
- Key exchange and authentication
- Symmetric cipher encryption and message authentication
During the first phase, the client and server negotiate cipher suites, which determine the ciphers to be used, the key exchange and authentication algorithms, as well as the message authentication codes (MACs). The key exchange and authentication algorithms are typically public key algorithms, or as in TLS-PSK preshared keys could be used. The message authentication codes are made up from cryptographic hash functions using the HMAC construction.
Typical algorithms could be:
- For key exchange: RSA, Diffie-Hellman, DSA, SRP, PSK
- Symmetric ciphers: RC4, Triple DES, AES or Camellia. In older versions of SSL the ciphers RC2, IDEA and DES were also used.
- For cryptographic hash function: HMAC-MD5 or HMAC-SHA are used, while older versions of SSL also used MD2 and MD4.
[edit] How it works
SSL handshake with two way authentication with certificates
A TLS client and server negotiate a stateful connection by using a handshaking procedure. During this handshake, the client and server agree on various parameters used to establish the connection's security.
- The handshake begins when a client connects to a TLS-enabled server requesting a secure connection, and presents a list of supported ciphers and hash functions.
- From this list, the server picks the strongest cipher and hash function that it also supports and notifies the client of the decision.
- The server sends back its identification in the form of a digital certificate. The certificate usually contains the server name, the trusted certificate authority (CA), and the server's public encryption key.
The client may contact the server that issued the certificate (the trusted CA as above) and confirm that the certificate is authentic before proceeding.
- In order to generate the session keys used for the secure connection, the client encrypts a random number with the server's public key, and sends the result to the server. Only the server can decrypt it (with its private key): this is the one fact that makes the keys hidden from third parties, since only the server and the client have access to this data.
- Both parties generate key material for encryption and decryption.
This concludes the handshake and begins the secured connection, which is encrypted and decrypted with the key material until the connection closes.
If any one of the above steps fails, the TLS handshake fails, and the connection is not created.
[edit] TLS Handshake in Detail
The TLS protocol exchanges records that encapsulate the data to be exchanged. Each record can be compressed, padded, appended with a message authentication code (MAC), or encrypted, all depending on the state of the connection. Each record has a content type field that specifies the record, a length field, and a TLS version field.
When the connection starts, the record encapsulates another protocol, the handshake protocol, which has content type 22.
A simple connection example follows:
- A Client sends a ClientHello message specifying the highest TLS protocol version it supports, a random number, a list of suggested cipher suites and compression methods.
- The Server responds with a ServerHello, containing the chosen protocol version, a random number, cipher suite, and compression method from the choices offered by the client.
- The Server sends its Certificate (depending on the selected cipher suite, this may be omitted by the Server).
- The server may request a certificate from the client, so that the connection can be mutually authenticated, using a CertificateRequest.
- The Server sends a ServerHelloDone message, indicating it is done with handshake negotiation.
- The Client responds with a ClientKeyExchange message, which may contain a PreMasterSecret, public key, or nothing. (Again, this depends on the selected cipher.)
- The Client and Server then use the random numbers and PreMasterSecret to compute a common secret, called the "master secret". All other key data is derived from this master secret (and the client- and server-generated random values), which is passed through a carefully designed "pseudorandom function".
- The Client now sends a ChangeCipherSpec message, essentially telling the Server, "Everything I tell you from now on will be encrypted." Note that the ChangeCipherSpec is itself a record-level protocol, and has type 20, and not 22.
- Finally, the Client sends an encrypted Finished message, containing a hash and MAC over the previous handshake messages.
- The Server will attempt to decrypt the Client's Finished message, and verify the hash and MAC. If the decryption or verification fails, the handshake is considered to have failed and the connection should be torn down.
- Finally, the Server sends a ChangeCipherSpec and its encrypted Finished message, and the Client performs the same decryption and verification.
- At this point, the "handshake" is complete and the Application protocol is enabled, with content type of 23. Application messages exchanged between Client and Server will be encrypted.
[edit] TLS Record Protocol
+ Bits 0–7 8-15 16-23 24–31 0 Content Type Version (MSB) Version (LSB) Length (MSB) 32 Length (LSB) Protocol Message(s) ... Protocol Message (cont.) ... MAC (optional) ... Padding (optional) - Content Type
- This field identifies the Record Layer Protocol Type contained in this Record.
Content Types 20 ChangeCipherSpec 21 Alert 22 Handshake 23 Application - Version
- This field identifies the major and minor version of TLS for the contained message. For a ClientHello message, this need not be the highest version supported by the client.
Versions Major Version Minor Version Version Type 3 0 SSLv3 3 1 TLS 1.0 3 2 TLS 1.1 3 3 TLS 1.2 - Length
- The length of Protocol message(s), not to exceed 214 bytes.
- Protocol message(s)
- One or more messages identified by the Protocol field. Note that this field may be encrypted depending on the state of the connection.
- MAC
- A message authentication code computed over the Protocol message, with additional key material included. Note that this field may be encrypted, or not included entirely, depending on the state of the connection.
[edit] ChangeCipherSpec Protocol
+ Bits 0–7 8-15 16-23 24–31 0 20 Version (MSB) Version (LSB) 0 32 1 1 (CCS protocol type) [edit] Alert Protocol
+ Bits 0–7 8-15 16-23 24–31 0 21 Version (MSB) Version (LSB) 0 32 2 Level Description - Level
- This field identifies the level of alert.
Level Types Code Description 1 Warning - connection or security may be unstable 2 Fatal - connection or security may be compromised, or an unrecoverable error has occurred - Description
- This field identifies which type of alert is being sent.
Description Types Code Description 0 Close notify (warning or fatal) 10 Unexpected message (fatal) 20 Bad record MAC (fatal) 21 Decryption failed (fatal, TLS only) 22 Record overflow (fatal, TLS only) 30 Decompression failure (fatal) 40 Handshake failure (fatal) 41 No certificate (SSL v3 only) (warning or fatal) 42 Bad certificate (warning or fatal) 43 Unsupported certificate (warning or fatal) 44 Certificate revoked (warning or fatal) 45 Certificate expired (warning or fatal) 46 Certificate unknown (warning or fatal) 47 Illegal parameter (fatal) 48 Unknown CA (fatal, TLS only) 49 Access denied (fatal, TLS only) 50 Decode error (fatal, TLS only) 51 Decrypt error (TLS only) (warning or fatal) 60 Export restriction (fatal, TLS only) 70 Protocol version (fatal, TLS only) 71 Insufficient security (fatal, TLS only) 80 Internal error (fatal, TLS only) 90 User cancelled (fatal, TLS only) 100 No renegotiation (warning, TLS only) [edit] Handshake Protocol
+ Bits 0–7 8-15 16-23 24–31 0 22 Version (MSB) Version (LSB) Length (MSB) 32 Length (LSB) Message type Message length 64 Message length (cont.) Handshake message ... Handshake message Message type Message length ... Message length Handshake message - Message type
- This field identifies the Handshake message type.
Handshake Types are: 0 HelloRequest 1 ClientHello 2 ServerHello 11 Certificate 12 ServerKeyExchange 13 CertificateRequest 14 ServerHelloDone 15 CertificateVerify 16 ClientKeyExchange 20 Finished
- Message length
- This is a 3-byte field indicating the length of the handshake data, not including the header.
Note that multiple Handshake messages may be combined within one record.
[edit] Application Protocol
+ Bits 0–7 8-15 16-23 24–31 0 23 Version (MSB) Version (LSB) Length (MSB) 32 Length (LSB) Application data 64 Application data (cont.) ... MAC (20B for SHA-1, 16B for MD5) ... Variable length padding (block ciphers only) Padding length, (block ciphers only)(1B) [edit] Security
TLS/SSL have a variety of security measures:
- The client may use the certificate authority's (CA's) public key to validate the CA's digital signature on the server certificate. If the digital signature can be verified, the client accepts the server certificate as a valid certificate issued by a trusted CA.
- The client verifies that the issuing CA is on its list of trusted CAs.
- The client checks the server's certificate validity period. The authentication process stops if the current date and time fall outside of the validity period.
- To protect against Man-in-the-middle attacks, the client compares the actual DNS name of the server to the DNS name on the certificate. Browser-dependent, not defined by TLS.
- Protection against a downgrade of the protocol to a previous (less secure) version or a weaker cipher suite.
- Numbering all the Application records with a sequence number, and using this sequence number in the message authentication codes (MACs).
- Using a message digest enhanced with a key (so only a key-holder can check the MAC). This is specified in RFC 2104. TLS only.
- The message that ends the handshake ("Finished") sends a hash of all the exchanged handshake messages seen by both parties.
- The pseudorandom function splits the input data in half and processes each one with a different hashing algorithm (MD5 and SHA-1), then XORs them together. This provides protection if one of these algorithms is found to be vulnerable. TLS only.
- SSL v3 improved upon SSL v2 by adding SHA-1 based ciphers, and support for certificate authentication. Additional improvements in SSL v3 include better handshake protocol flow and increased resistance to man-in-the-middle attacks.
SSL v2 is flawed in a variety of ways:
- Identical cryptographic keys are used for message authentication and encryption.
- MACs are unnecessarily weakened in the "export mode" required by U.S. export restrictions (symmetric key length was limited to 40 bits in Netscape and Internet Explorer).
- SSL v2 has a weak MAC construction and relies solely on the MD5 hash function.
- SSL v2 does not have any protection for the handshake, meaning a Man-in-the-middle downgrade attack can go undetected.
- SSL v2 uses the TCP connection close to indicate the end of data. Meaning that truncation attacks are possible; the attacker simply forges a TCP FIN, leaving the recipient unaware of an illegitimate end of data message (SSLv3 fixes this problem by having an explicit closure alert).
SSL v2 is disabled by default in Internet Explorer 7,[1] Mozilla Firefox 2,[2] Opera 9[3] and Safari. Support for SSL v2 (and weak 40-bit and 56-bit ciphers) will be removed completely from the upcoming Opera 9.5 (code-named Kestrel).[4]
[edit] Applications
TLS runs on layers beneath application protocols such as HTTP, FTP, SMTP, NNTP, and XMPP and above a reliable transport protocol, TCP for example. While it can add security to any protocol that uses reliable connections (such as TCP), it is most commonly used with HTTP to form HTTPS. HTTPS is used to secure World Wide Web pages for applications such as electronic commerce and asset management. SMTP is also an area in which TLS has been growing and is specified in RFC 3207. These applications use public key certificates to verify the identity of endpoints.
An increasing number of client and server products support TLS natively, but many still lack support. As an alternative, users may wish to use standalone TLS products like Stunnel. Wrappers such as Stunnel rely on being able to obtain a TLS connection immediately, by simply connecting to a separate port reserved for the purpose. For example, by default the TCP port for HTTPS is 443, to distinguish it from HTTP on port 80.
TLS can also be used to tunnel an entire network stack to create a VPN, as is the case with OpenVPN. Many vendors now marry TLS's encryption and authentication capabilities with authorization. There has also been substantial development since the late 1990s in creating client technology outside of the browser to enable support for client/server applications. When compared against traditional IPsec VPN technologies, TLS has some inherent advantages in firewall and NAT traversal that make it easier to administer for large remote-access populations.
TLS is also increasingly being used as the standard method for protecting SIP application signaling. TLS can be used to provide authentication and encryption of the SIP signalling associated with VoIP and other SIP-based applications.
[edit] History and development
The SSL protocol was originally developed by Netscape. Version 1.0 was never publicly released; version 2.0 was released in 1994 but "contained a number of security flaws which ultimately led to the design of SSL version 3.0", which was released in 1996 (Rescorla 2001). This later served as the basis for TLS version 1.0, an Internet Engineering Task Force (IETF) standard protocol first defined in RFC 2246 in January 1999. Visa, MasterCard, American Express and many leading financial institutions have endorsed SSL for commerce over the Internet.
SSL operates in modular fashion. It is extensible by design, with support for forward and backward compatibility and negotiation between peers.
[edit] Early short keys
Some early implementations of SSL used 40-bit symmetric keys because of US government restrictions on the export of cryptographic technology. The US government explicitly imposed a 40-bit keyspace, which was small enough to be broken by brute-force search by law enforcement agencies wishing to read the encrypted traffic, while still presenting obstacles to less-well-funded attackers. A similar limitation applied to Lotus Notes in export versions. After several years of public controversy, a series of lawsuits, and eventual US government recognition of cryptographic products with longer key sizes produced outside the US, the authorities relaxed some aspects of the export restrictions. The 40-bit key size limitation has mostly gone away, and modern implementations use 128-bit (or longer) keys for symmetric key ciphers.
[edit] Standards
The first definition of TLS appeared in:
- RFC 2246: “The TLS Protocol Version 1.0”.
The current approved version is 1.1, which is specified in
- RFC 4346: “The Transport Layer Security (TLS) Protocol Version 1.1”.
The next version is proposed:
- RFC Draft 4346 - The TLS Protocol, Version 1.2 (published October 2007, expires April 2008)
Other RFCs subsequently extended TLS, including:
- RFC 2595: “Using TLS with IMAP, POP3 and ACAP”. Specifies an extension to the IMAP, POP3 and ACAP services that allow the server and client to use transport-layer security to provide private, authenticated communication over the Internet.
- RFC 2712: “Addition of Kerberos Cipher Suites to Transport Layer Security (TLS)”. The 40-bit ciphersuites defined in this memo appear only for the purpose of documenting the fact that those ciphersuite codes have already been assigned.
- RFC 2817: “Upgrading to TLS Within HTTP/1.1”, explains how to use the Upgrade mechanism in HTTP/1.1 to initiate Transport Layer Security (TLS) over an existing TCP connection. This allows unsecured and secured HTTP traffic to share the same well known port (in this case, http: at 80 rather than https: at 443).
- RFC 2818: “HTTP Over TLS”, distinguishes secured traffic from insecure traffic by the use of a different 'server port'.
- RFC 3207: “SMTP Service Extension for Secure SMTP over Transport Layer Security”. Specifies an extension to the SMTP service that allows an SMTP server and client to use transport-layer security to provide private, authenticated communication over the Internet.
- RFC 3268: “AES Ciphersuites for TLS”. Adds Advanced Encryption Standard (AES) ciphersuites to the previously existing symmetric ciphers.
- RFC 3546: “Transport Layer Security (TLS) Extensions”, adds a mechanism for negotiating protocol extensions during session initialisation and defines some extensions. Made obsolete by RFC 4366.
- RFC 3749: “Transport Layer Security Protocol Compression Methods”, specifies the framework for compression methods and the DEFLATE compression method.
- RFC 3943: “Transport Layer Security (TLS) Protocol Compression Using Lempel-Ziv-Stac (LZS)”.
- RFC 4132: “Addition of Camellia Cipher Suites to Transport Layer Security (TLS)”.
- RFC 4162: “Addition of SEED Cipher Suites to Transport Layer Security (TLS)”.
- RFC 4279: “Pre-Shared Key Ciphersuites for Transport Layer Security (TLS)”, adds three sets of new ciphersuites for the TLS protocol to support authentication based on pre-shared keys.
- RFC 4347: “Datagram Transport Layer Security” specifies a TLS variant that works over datagram protocols (such as UDP).
- RFC 4366: “Transport Layer Security (TLS) Extensions” describes both a set of specific extensions, and a generic extension mechanism.
- RFC 4492: “Elliptic Curve Cryptography (ECC) Cipher Suites for Transport Layer Security (TLS)”.
- RFC 4507: “Transport Layer Security (TLS) Session Resumption without Server-Side State”.
- RFC 4680: “TLS Handshake Message for Supplemental Data”.
- RFC 4681: “TLS User Mapping Extension”.
- RFC 4785: “Pre-Shared Key (PSK) Ciphersuites with NULL Encryption for Transport Layer Security (TLS)”.
[edit] Implementation
Programmers may use the OpenSSL, NSS, or GnuTLS libraries for SSL/TLS functionality. Microsoft Windows includes an implementation of SSL and TLS as part of its Secure Channel package. Delphi programmers may use a library called Indy.
[edit] TLS 1.1
As noted above, TLS 1.1 is the current approved version of the TLS protocol. TLS 1.1 clarifies some ambiguities and adds a number of recommendations, but remains very similar to TLS 1.0. A full list of differences is provided in RFC 4346 (Section 1.1).
[edit] Certificate providers
A 2005 Netcraft survey determined that VeriSign and its acquisitions such as Thawte have a 53% share of the certificate authority market, followed by GeoTrust (25%), Comodo (12%), GoDaddy (4%) and Entrust (2%).[5] (GeoTrust has since been acquired by VeriSign.)
A more recent market share report from Security Space as of April 2007 determined that VeriSign and its acquisitions (including GeoTrust) have a 59.6% share of the certificate authority market, followed by Comodo (8.3%), GoDaddy (5.3%), DigiCert (2.1%), Entrust (1.3%) and Network Solutions (1.1%).
CAcert.org is a community-driven certificate authority that issues free public key certificates.
[edit] See also
- Extended Validation Certificate
- SSL acceleration
- Certificate authority
- Datagram Transport Layer Security
- Multiplexed Transport Layer Security
- X.509
- Virtual private network
- SEED
- Server gated cryptography
[edit] Software
- OpenSSL: a free (and very popular) implementation (Apache-like license)
- GnuTLS: a free implementation
- SharkSSL 45Kbyte commercial SSL library
- JSSE: a Java implementation included in the Java Runtime Environment
- Network Security Services (NSS): FIPS 140 validated open source library
- Crypt::OpenSSL: Perl wrapper modules for OpenSSL
- System.Net.Security: a Microsoft implementation for the .NET Common Language Runtime
- Mono.Security a free software implementation for the Common Language Runtime
[edit] References
- ^ Lawrence, Eric (2005-10-22). IEBlog : Upcoming HTTPS Improvements in Internet Explorer 7 Beta 2. MSDN Blogs. Retrieved on 2007-11-25.
- ^ Bugzilla@Mozilla - Bug 236933 - Disable SSL2 and other weak ciphers. Mozilla Corporation. Retrieved on 2007-11-25.
- ^ Pettersen, Yngve (2006-05-16). Opera Labs - What's new in the SSL/TLS engine of Opera 9?. Opera Software. Retrieved on 2007-11-25.
- ^ Pettersen, Yngve (2007-04-30). 10 years of SSL in Opera - Implementer's notes. Opera Software. Retrieved on 2007-11-25.
- ^ The Netcraft Secure Server Survey
- Wagner, David; Schneier, Bruce (November 1996). "Analysis of the SSL 3.0 Protocol". The Second USENIX Workshop on Electronic Commerce Proceedings, USENIX Press.
- Eric Rescorla,. SSL and TLS: Designing and Building Secure Systems. United States: Addison-Wesley Pub Co. ISBN 0-201-61598-3.
- 这种叫做单向SSL, 证书只是用来验证public key的真伪的。你发信用public key 加密,他server用private key解密。反之他用private key加密发信息给你,你用他的public key解密 -(山大王); 2007-11-28 {289} (#4087506@0)
所有的通信内容都是加密的。
另外一种是双向ssl, ( 2 way SSL), 主要运用是公司和公司之间通信
比如我们的服务器要通过银行的服务器的webservice来验证用户密码。他们就要我们经CA认证的public key, 我们也要他们有CA认证的public key.
像你这种一般网上银行、商店之类,单向SSL就得了,他不用认证你是哪位。- private key 加密不是全世界都能解密? -(again); 2007-11-28 (#4087679@0)
- 又一个乱说的。 SSL上的数据是用SESSION KEY进行对称加密的, 而这个KEY是用PUBLIC/ PRIVAE KEY加密传送的。 Certificate只是保证PUBLIC KEY的确属于这个网站。 -(Cerboros Reborn); 2007-11-29 (#4088450@0)
- 那是不是说我截获别人的数据,用PUBLIC KEY解密就可以得到SESSION KEY,就可以解开用户数据? -(逛街的西瓜); 2007-11-29 (#4088463@0)
- Public key 解不出session key,只有private key可以解出session key. -(只吃草的牛); 2007-11-29 (#4088486@0)
- 我土了,你说的对吧 -(山大王); 2007-11-29 (#4089282@0)
- 信息加密: 公钥加密,私钥解密 .私钥加密的时候是用于数字签名和信息的完整性的.一般你的浏览器只关心你要交换信息的网站是不是假冒的. -(I like spring); 2007-11-28 {127} (#4087833@0)
ssl数据交换是由client和server协商好的master key生成的session key 加密的。这个master key由客户端用服务器的公钥加密后发给服务器。- 根据rsa算法,一次生成一对密钥,这2个密钥是唯一的,一一对应的,而且不能互相推导出来,你从公钥算不出私钥,反之亦然。他选一个作私钥,另一个作公钥公开,发信息之前他用私钥加密成密文,用户拿到密文用同样算法用公钥再作一次,就把密文解密成明文了。 -(scarb); 2007-11-29 {340} (#4089709@0)
因为私钥只有对方有,用户可以确保这个信息是由对方发的,而不是别人伪造的。
如果用户也有公钥和私钥,那么他可以先用他的私钥加密,再用你的公钥加密一遍,用户收到用他的公钥作一次,再用自己的私钥作一次,才可以看到明文。这样就可以既可以保证信息确实是他所发,也可以保证只有这个用户才能看到这个信息。
我记得算法其实不算复杂,就是要实现大数运算。- 这么多大侠对SSL熟悉,不知哪位有兴趣试用一下我的SSL网关PRODUCT?全功能评估版免费使用,只要能给俺回馈些意见或BUG就行:) -(一天到晚游泳的鱼); 2007-12-7 {64} (#4106523@0)
为免有广告嫌疑,感兴趣的朋友可PM我,现在可以免费下载,免费试用:)More Topics