Topic: 请教一个SSL的问题：我理解的SSL应该是Server端生成certificate，用户下载证书，加密数据。但使用银行的online banking时，没有让我下载certificate，也就进入https页面看自己的帐户信息了。它是怎么用SSL的？ @佛州华人论坛:佛州枫下论坛 The Rolia Forum of Florida

工作学习 / IT技术讨论 / 请教一个SSL的问题：我理解的SSL应该是Server端生成certificate，用户下载证书，加密数据。但使用银行的online banking时，没有让我下载certificate，也就进入https页面看自己的帐户信息了。它是怎么用SSL的？ -liding_wang(大砍刀再战江湖); 2003-1-15 (#978586@0)

如果颁发证书的机构是很牛x的(认可的,如verisign等), 自动下载...你感觉不到 -expertune(伪而不劣); 2003-1-15 (#978593@0)

Thx . 那我能在硬盘找到它么？另外，我的Windows2000 Server好象下载啥都通知我一声的。 -liding_wang(大砍刀再战江湖); 2003-1-15 (#978600@0)

ie --- tools --- option --- security---里面有, 具体物理在什么地方没注意过, 应该在profile里面吧... -expertune(伪而不劣); 2003-1-16 (#978610@0)

自己生成而没有经过权威人证的certificate, IE都会提示的, 反而那些经过人证的, IE不会提示 -dahuaidan(一个顶仨); 2003-1-16 (#978601@0)
多谢两位! -liding_wang(大砍刀再战江湖); 2003-1-16 (#978608@0)

没关系. 2年前曾经在上面下了很多功夫, 唉, 现在全忘光喽....惨,老了 -expertune(伪而不劣); 2003-1-16 (#978622@0)

:-) -liding_wang(大砍刀再战江湖); 2003-1-16 (#978626@0)

Tools / Internet options / content / Certificates / trust root certification authorities -zhoulang(Lion Sleeping); 2003-1-16 (#978635@0)

哇，果然别有洞天，一大堆可信任的CA名。谢谢。 -liding_wang(大砍刀再战江湖); 2003-1-16 (#978641@0)

你剩下的事就去交钱吧...每年几十百把美金弄一个放自己网站上, 多酷呀 -expertune(伪而不劣); 2003-1-16 (#978645@0)

没啥好加密的东西啊, 再说人家也不信啊. -liding_wang(大砍刀再战江湖); 2003-1-16 (#978654@0)

找那些CA签的名，别人一定会信的 :-) -dennis2(Dennis); 2003-1-16 (#978671@0)

嘿嘿，export了一个仔细看，有趣。 -liding_wang(大砍刀再战江湖); 2003-1-16 (#978649@0)
睡吧.. -expertune(伪而不劣); 2003-1-16 (#978653@0)

晚安 :-) -liding_wang(大砍刀再战江湖); 2003-1-16 (#978655@0)

You are a roaming user, your certificate is stored in the remote LDAP which is in the bank, the certificate is not sent to you. -bryan_swoomn(bfdsfdsf); 2003-1-18 (#983202@0)

？不解，没有证书，数据如何加密呢？ -liding_wang(大砍刀再战江湖); 2003-1-18 (#983218@0)

而且它让我一次性输入账号密码（没有登陆），如果根据我的帐号去Server取我的证书，我的密码传输时不是没有加密？而我解密时是现场下载证书？不解。 -liding_wang(大砍刀再战江湖); 2003-1-18 (#983233@0)

client 端用对方证书中的公钥加密传送数据，而自己本身并不需要证书，server端用私钥解。反之，server端用私钥加密数据，client端用server的公钥解。 -flying_snow(飞雪浮冰); 2003-1-18 (#983244@0)

嗯，这样client只要知道Server（银行）的public key就行了，看来这是一个只加密而没有签名验证的过程。我也觉得roaming user是一个好方案，我还觉得我的密码传过去时没加密（难以想象client用javascript做RSA），是吗？Thx。 -liding_wang(大砍刀再战江湖); 2003-1-18 (#983255@0)

哦，当然也可能只用一个小DES加密，才想出来：-） -liding_wang(大砍刀再战江湖); 2003-1-18 (#983263@0)

也许当你访问对方网页的时候已经下载了对方的证书。我想你一定是在https下载的网页上填写的密码吧？那么对方证书应该在建立ssl通道的时候就悄悄下载了。然后你在这个网页上填写密码，自然就加密以后send回去了。 -flying_snow(飞雪浮冰); 2003-1-18 (#983276@0)

啊，www.royalbank.ca的online banking，是在http下写密码和用户名，验证后弹出https窗口——所以才怀疑它加密了没有。：-） -liding_wang(大砍刀再战江湖); 2003-1-18 (#983284@0)

难怪，TD bank 的网站是在https网页里输入密码的。 -flying_snow(飞雪浮冰); 2003-1-18 (#983297@0)

谢谢，这个问题终于比较明白了。：-） -liding_wang(大砍刀再战江湖); 2003-1-18 (#983302@0)

不是这样。 -dennis2(Dennis); 2003-1-18 (#983845@0)

就是说如果你使用IE的话，它调用winInet函数进行网络通话，winInet 自带ssl加密功能，如果访问https，INTERNET_FLAG_SECURE flag被设置，IE 调用winInet函数先下载对方证书，然后取出对方公钥将你上传的数据加密后传送出去。 -flying_snow(飞雪浮冰); 2003-1-18 (#983292@0)

真是高人啊，（真心的），我一直钻不到这么深。多谢你这么晚了还帮我解答问题！ -liding_wang(大砍刀再战江湖); 2003-1-18 (#983301@0)
公钥（应该是certificate）是做authentication用的，对数据加密用的是临时生成的session key。 -dennis2(Dennis); 2003-1-18 (#983843@0)

Sorry dennis2, 才看到你的回贴。按这种说法，加密时用的并不是RSA是吗？你说的session key是个server端产生的随机数吧，那么client端如何得到它解密数据呢？又是怎样应用SSL的呢？ -liding_wang(大砍刀再战江湖); 2003-1-27 (#1005625@0)

I think you are right, I studied it before. -flying_snow(飞雪浮冰); 2003-1-18 (#983228@0)

Then could you tell me about #983233? -liding_wang(大砍刀再战江湖); 2003-1-18 (#983241@0)

Normally RSA is only used to protect the real key used to encrypt the data stream. use RSA to encrypt the whole stream is too expensive. -jchonc(James); 2003-1-18 (#983450@0)

You are right that it is only used to pretect the encryption key. But you still need to get the PK of the receiver (for whatever it encrypts), isn't it? -liding_wang(大砍刀再战江湖); 2003-1-18 (#983772@0)

SSL uses both encryption methods.That is, synchronous and asynchronous encryption ways(Public Key and Private Key). -rockman12(TianTian); 2003-1-18 {635} (#983886@0)

I don't think client will need to generate private key -jchonc(James); 2003-1-28 {536} (#1005941@0)

If you only need server authentication, then only the server needs certificate while the client doesn't. In such situation,the client will generate a session key and encrypt it using the server's PK and then send it back to the server.Then they can establish an encrypted session using this session key. The server won't generate session key in this case.

If you need client authentication as well, then the client needs a certificate. In this case, both the server and the client can generate session keys. -secfan(SecurityCat); 2003-1-28 {390} (#1006736@0)

Is it true that the client and server will use 128/56 bits session key and algorithm to secure the information involved in the communication?So when will the server and client needs authentication for the CA center, can any one give me a detail explaination, thx. -elac(elac); 2003-1-28 {122} (#1006832@0)

You are right. The client and server will use 128/56-bit session key (symmetric algorithm) to secure the data. -secfan(SecurityCat); 2003-1-28 {1290} (#1006911@0)

Thank you so much for such a professional answer. could u please keep on answer som further question about it? -elac(elac); 2003-1-28 {660} (#1007427@0)

Some guess(1) No. As long as the root certificate is in your trusted list. Otherwise it will just ask you. Technically your workstation just need to check if the signature has been broken, anyway, talk to www.verisign.com is not safer, cause hacker can also hijack the packets.
(2) I think that restriction been lifted, no? Anyway, there are some seperate package you can download for IE 128, no problem using it in China, just not legal. -jchonc(James); 2003-1-29 {429} (#1008421@0)

@Florida

Topic

More Topics