Preface

Summary: This article describes in detail the data encryption process of the SSL protocol, along with digital certificates, symmetric encryption, asymmetric encryption, the SSL handshake process and related concepts.

  • Data encryption process of SSL protocol in detail

  • Zhihu Column && Jianshu Special Topic: Front-end Aggressor (Zhihu) && Front-end Aggressor (Jianshu)

  • Blog address: Damonare’s personal blog

life

SSL

You have probably heard of HTTPS; SSL is the security protocol behind it. Readers who are not familiar with Internet protocols can refer to another post on this blog: Getting Started with Internet Protocols

HTTP+SSL = HTTPS

HTTPS is secure because SSL is added to encrypt data. What is the specific encryption method?

Listen to me. Let’s start with two concepts:

  • Symmetric encryption

  • Asymmetric encryption

Do you know what the above two concepts mean? 😳

🤣OK, whether you understand them or not, let me first explain them in my own way:

Honey, have you ever cheated? 😑 Don’t tell me you never cheated once in your long school life (how boring was your school life?). What are the common ways we cheat? (If your answer is writing the answers on your arm, your thigh or a slip of paper, please show yourself out, thank you 🙂) Encryption, of course! For example, out of humanitarian spirit I want to help my classmate Xiaoming cheat. Before the exam we agree on a code for passing the answers to the multiple-choice questions: touching my hair means A, touching my ear means B, a cough means C, a stomp means D. And so an encryption method is born, one that only Xiaoming and I know. The teacher sees me scratching my head, but he just thinks I am a psycho; he has no direct evidence that I cheated. This encryption method that Xiaoming and I know and nobody else does is a symmetric encryption algorithm, which is also the most common kind of encryption in daily life. This kind of algorithm has only one 🔑: encryption and decryption use the same key, and once the 🔑 leaks, it is all over.

As time went on, people found that encryption and decryption do not have to use the same 🔑, as long as there is some relationship between the encryption 🔑 and the decryption 🔑.

This is how asymmetric encryption algorithms came about. What principle are they based on? Please remember this sentence well:

It is easy to multiply a and b to get the product c, but it is extremely difficult to derive a and b from the product c. In other words, factoring a large number is extremely difficult.

Classmates who do not understand factorization, go face the wall for 5 minutes. Were all those years of mathematics in vain? Here is the Wikipedia link, catch up on your own 🙂 : factor

OK, moving on. Asymmetric encryption algorithms bring two more concepts: the public key c and the private key b.

They are used as follows: ciphertext encrypted with the public key can be decrypted only with the private key, and ciphertext encrypted with the private key can be decrypted only with the public key.

The public key can be disclosed freely, because the public key is useless to others: ciphertext encrypted with the public key can only be decrypted with the private key, and it is extremely difficult to derive a and b from the public key. However, asymmetric encryption is clearly not as efficient as symmetric encryption, because asymmetric encryption requires the calculation of two keys.
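The relationship between a, b and c described above can be run on deliberately tiny numbers. The following is an added example, not code from the original article; it is textbook RSA without padding, and the exponent names `e` and `d`, the helper names and the two small primes are assumptions chosen for illustration.

```python
# Added example: textbook RSA on deliberately tiny numbers (no padding).
# a, b, c follow the article's naming; e and d are the usual exponent names.
from math import gcd

def make_keys(a, b, e=17):
    """Return (public, private) = ((e, c), (d, c)) from two primes a and b."""
    c = a * b                      # easy direction: multiply
    phi = (a - 1) * (b - 1)        # computing this requires knowing a and b
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (a-1)*(b-1)")
    d = pow(e, -1, phi)            # private exponent: inverse of e mod phi
    return (e, c), (d, c)

def apply_key(key, number):
    """RSA is the same operation in both directions: number^exp mod c."""
    exp, c = key
    return pow(number, exp, c)

def factor(c):
    """Hard direction: recover a and b from an odd c by trial division."""
    f = 3
    while c % f:
        f += 2
    return f, c // f

def private_from_public(public):
    """Whoever can factor c can rebuild the private key from the public one."""
    e, c = public
    a, b = factor(c)
    return make_keys(a, b, e)[1]

def demo():
    public, private = make_keys(1009, 2003)     # constructed toy primes
    message = 424242                            # must be smaller than c
    ciphertext = apply_key(public, message)
    return {
        "public_then_private": apply_key(private, ciphertext) == message,
        "private_then_public": apply_key(public, apply_key(private, message)) == message,
        "factoring_recovers_private": private_from_public(public) == private,
    }

if __name__ == "__main__":
    print(demo())
```

Trial division finishes instantly here only because c has seven digits; the cost grows with the size of the smaller prime, which is why real keys use primes hundreds of digits long.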

Let’s walk through asymmetric encryption with Alice and Bob, the two classic characters of cryptography:

The client is called Alice and the server is called Bob.

Alice: Bob, I’m going to send you a message. Give me your public key.

Bob: OK, here’s my public key: 234nKJDFDHjbg324 **;

Alice: Received the public key. I am sending you a message encrypted with it, which looks like this: #@ # @! * $% (@;

Bob: Ok, got it, honey. I’ll decrypt it with my private key and see what you’re really sending me;

The exchange above is asymmetric encryption. Is it safe? It seems so: even if Charlie (a third participant in the communication) intercepts the ciphertext and the public key, he cannot get the plaintext without the private key. 😂

But if the third party Charlie sends Alice his own public key, Alice encrypts her message with Charlie’s public key and sends it out, and Charlie decrypts it with his own private key, then the information is leaked, right? We need a way for Alice to determine whether the public key really came from Bob.

Hence the concept of digital certificates:

A digital certificate is a string of numbers that identifies the parties in Internet communication and provides a way to verify the identity of a communicating entity on the Internet. A digital certificate is not a digital ID card, but rather a stamp or seal that an identity authentication authority places on a digital ID card (in other words, a signature added to the digital ID card).

The official explanation above 😑 looks intimidating. Put simply, a certificate is just a piece of information.

The content of the digital certificate is as follows:

  • The authority that issues the certificate
  • Bob’s encryption algorithm
  • The Hash algorithm Bob uses
  • Bob’s public key
  • The certificate expiration time
  • And so on

Digital certificates are issued by an authority, the CA. We trust this agency absolutely; as for the security of CA institutions… It’s 99.99% safe anyway. 🕵

To guard against someone changing the contents of the certificate in transit, there is the concept of a digital signature. A digital signature means hashing all of the above contents to get a fixed-length value, which is then passed to Bob. But what if someone intercepts the certificate, changes the contents and generates a new hash value at the same time? For this reason, the CA encrypts the hash value with its own private key when issuing the certificate, which prevents tampering with the digital certificate.

Ok, let’s go through the process:

  • Step 1: When Alice uses a new browser to visit Bob for the first time, she is first asked to install a digital certificate. The main information in this certificate is the public key of the CA.
  • Step 2: Bob sends over the digital certificate that the CA issued to him. Using the public key obtained in step 1, Alice decrypts the hash that the CA encrypted with its private key to get hash-a (this step is asymmetric encryption), and then computes hash-b over the certificate contents using the hash algorithm named in the certificate. If hash-a === hash-b, the certificate is authenticated and really was sent by Bob.

That is the whole process of using a digital certificate.
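The hash-a / hash-b comparison from step 2, and the two tampering attempts the digital signature is meant to stop, can be modelled as follows. This is an added example, not code from the original article: it uses textbook RSA without padding on a constructed toy CA key, and the field names (`subject`, `not_after` and so on), the sample values and the subject and expiry checks are assumptions for illustration.

```python
# Added example: textbook RSA without padding; keys and field values are constructed.
import hashlib

P, Q, E = 2**521 - 1, 2**607 - 1, 65537      # two known Mersenne primes (toy CA key)
CA_N = P * Q
CA_D = pow(E, -1, (P - 1) * (Q - 1))         # CA private exponent, kept by the CA
CA_PUBLIC = (E, CA_N)                        # what Alice installed in step 1

def digest(fields):
    """Hash all certificate fields to one fixed-length number (SHA-256)."""
    canonical = "\n".join(f"{k}={fields[k]}" for k in sorted(fields))
    return int.from_bytes(hashlib.sha256(canonical.encode()).digest(), "big")

def ca_issue(fields):
    """CA side: encrypt the hash with the CA private key, i.e. sign it."""
    return {"fields": dict(fields), "signature": pow(digest(fields), CA_D, CA_N)}

def alice_verify(cert, expected_subject, today):
    """Step 2: compare hash-a (from the signature) with hash-b (recomputed)."""
    e, n = CA_PUBLIC
    hash_a = pow(cert["signature"], e, n)
    hash_b = digest(cert["fields"])
    if hash_a != hash_b:
        return "rejected: contents do not match the CA signature"
    if cert["fields"]["subject"] != expected_subject:
        return "rejected: issued to a different party"
    if today > cert["fields"]["not_after"]:   # ISO dates compare correctly as strings
        return "rejected: expired"
    return "accepted"

def demo():
    bob = {"issuer": "Example CA", "subject": "bob.example", "algorithm": "RSA",
           "hash": "SHA-256", "public_key": "bob-public-key", "not_after": "2030-01-01"}
    genuine = ca_issue(bob)
    # Charlie swaps in his own key but keeps the CA's signature
    swapped = {"fields": {**bob, "public_key": "charlie-public-key"},
               "signature": genuine["signature"]}
    # Charlie also recomputes the hash, but cannot encrypt it with the CA key
    rehashed = {"fields": swapped["fields"], "signature": digest(swapped["fields"])}
    # Charlie presents a valid certificate of his own
    charlies = ca_issue({**bob, "subject": "charlie.example",
                         "public_key": "charlie-public-key"})
    certs = (genuine, swapped, rehashed, charlies)
    return [alice_verify(c, "bob.example", "2025-06-01") for c in certs]

if __name__ == "__main__":
    for result in demo():
        print(result)
```

The last case shows why the signature check alone is not enough: a certificate can be perfectly valid and still belong to someone other than the party Alice meant to reach.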

Besides SSL, there are many practical examples of asymmetric encryption, such as SSH, electronic signature, etc.

As mentioned above, asymmetric encryption involves a lot of computation and is not as efficient as symmetric encryption. What do we care about most when we open a web page? Speed! Speed! Speed! 🏃 🏃 🏃

This is where SSL plays a clever trick 🤣: the two parties encrypt their traffic with symmetric encryption, and use asymmetric encryption only to pass the key used for the symmetric encryption. In this way, both efficiency and security are ensured.

Handshake process of the SSL protocol

Let’s start with words:

  1. Step 1: Alice sends the SSL protocol version number, a client random number (note that this is the first random number), the encryption methods the client supports and other information.
  2. Step 2: After receiving this, Bob confirms the encryption method both parties will use and returns his digital certificate, a server random number that he generates (note that this is the second random number) and other information.
  3. Step 3: Alice confirms that the digital certificate is valid, then generates a new random number (the premaster secret), encrypts it with the public key in the digital certificate and sends it to Bob.
  4. Step 4: Bob uses his private key to recover the random number sent by Alice (the premaster secret). (Steps 3 and 4 are asymmetric encryption.)
  5. Step 5: Alice and Bob use the three random numbers above to generate the conversation key through the agreed encryption method (usually the AES algorithm), and this key is used to encrypt the communication that follows.
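The five steps can be traced in code to see what travels in the clear and what each side computes. This is an added example, not code from the original article, and it uses simplified stand-ins that are assumptions: textbook RSA on a constructed toy server key, HMAC-SHA256 in place of the real key-derivation function, and a hash keystream in place of AES.

```python
# Added example with toy stand-ins: textbook RSA, HMAC-SHA256 instead of the
# TLS key derivation, a hash keystream instead of AES. Not for real traffic.
import hashlib, hmac, secrets

P, Q, E = 2**521 - 1, 2**607 - 1, 65537          # constructed toy key for Bob
N, D = P * Q, pow(E, -1, (P - 1) * (Q - 1))      # (E, N) public, D private

def session_key(client_random, server_random, premaster):
    """Step 5: mix the three random numbers into one conversation key."""
    return hmac.new(premaster, b"session key" + client_random + server_random,
                    hashlib.sha256).digest()

def xor_stream(key, data):
    """Symmetric stand-in: the same call with the same key encrypts and decrypts."""
    stream = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(x ^ y for x, y in zip(data, stream))

def handshake():
    client_random = secrets.token_bytes(32)      # step 1: Alice -> Bob, in the clear
    server_random = secrets.token_bytes(32)      # step 2: Bob -> Alice, in the clear
    premaster = secrets.token_bytes(48)          # step 3: third random number
    encrypted = pow(int.from_bytes(premaster, "big"), E, N)
    bob_premaster = pow(encrypted, D, N).to_bytes(48, "big")   # step 4
    alice_key = session_key(client_random, server_random, premaster)
    bob_key = session_key(client_random, server_random, bob_premaster)
    wire = (client_random, server_random, encrypted)   # all that Charlie can see
    return alice_key, bob_key, wire

def demo():
    alice_key, bob_key, wire = handshake()
    request = b"GET /account HTTP/1.1"           # constructed sample message
    ciphertext = xor_stream(alice_key, request)
    # Charlie has both plain random numbers but must guess the premaster secret
    charlie_key = session_key(wire[0], wire[1], b"\x00" * 48)
    return (alice_key == bob_key,
            xor_stream(bob_key, ciphertext),
            xor_stream(charlie_key, ciphertext) == request)

if __name__ == "__main__":
    print(demo())
```

Only the third random number is protected by asymmetric encryption, so the secrecy of the conversation key rests entirely on Bob’s private key staying private.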

As the saying goes, a picture is worth a thousand words, so I drew a picture to illustrate the process:

OK, the entire data encryption process is complete. Let’s recall:

  • CA issued Bob a digital certificate;
  • Alice and Bob have an SSL handshake. Alice confirms Bob’s identity through a digital certificate.
  • Alice and Bob pass three random numbers, and the third random number is passed through an asymmetric encryption algorithm;
  • Alice and Bob use a symmetric encryption algorithm to generate a conversation key that encrypts the rest of their communication.

Afterword

If anything in this article is explained incorrectly, corrections are welcome and much appreciated.

Please credit the source when reprinting.

That is all.