TLS
Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), are security protocols designed to ensure the security and data integrity of Internet communication.
Establishing a TLS connection involves the following steps:
- The client sends ClientHello (containing the supported protocol version, encryption algorithms, and Client Random (A)) to the server.
- The server returns ServerHello, its public key, its certificate, and Server Random (B) to the client.
- The client uses the CA certificate to verify that the server's certificate is correct. It then generates a random number C (the premaster secret), encrypts it with the server's public key, and sends it to the server.
- The server decrypts the random number C (the premaster secret) with its private key, then generates a symmetric key (for the encryption algorithm agreed during the hello exchange) from the three random numbers A, B and C, and uses it to symmetrically encrypt the data it sends.
- The client decrypts the data using the symmetric key (which the client also generates from the random numbers A, B and C).
- The two parties then communicate using the symmetric encryption algorithm and the symmetric key.
The server's certificate is critical to this process.
Certificate
A certificate is used to prove the identity of the owner of a public key.
First, we need to know where a certificate comes from.
A digital certificate is usually issued by a digital certificate authority (CA):
- The applicant uses an asymmetric encryption algorithm (RSA) to generate a public/private key pair, and sends the required application information (country, domain name, etc.) together with the public key to the CA.
- After confirming the information, the CA uses a message digest algorithm (MD5, SHA) to generate the digest M of the entire application information, and encrypts the digest M and the digest algorithm using the CA’s own private key to produce the signature.
The certificate contains:
- The public key
- Identity of the certificate owner
- Digital Certificate Authority (issuer) information
- Issuer’s digital signature of the document and the algorithm used
- The period of validity
The certificate format and authentication methods generally comply with the X.509 international standard.
Certification Authority (CA)
A digital certificate authority (CA), also known as an e-commerce certification center or e-commerce certification authority, is the authority responsible for issuing and managing digital certificates. As a trusted third party in e-commerce transactions, the CA is responsible for verifying the validity of public keys in the public key system.
In fact, any individual or organization can act as a CA, but clients will not trust the certificates you issue; trust requires an authority as described above, such as Symantec, Comodo, GoDaddy or DigiCert.
The client trusts these CAs and keeps their root certificates locally. The root certificate is the CA’s own certificate and is the start of the certificate verification chain. There is no higher authority to digitally sign a root certificate, so root certificates are self-issued.
The CA signs server certificates with an intermediate certificate instead of the root certificate, so that the root certificate's key stays out of reach.
GoDaddy offers an explanation:
What is an intermediate certificate? https://sg.godaddy.com/help/what-is-an-intermediate-certificate-868
Certificate trust chain
As mentioned above, when a certificate is applied for, the CA uses its private key to asymmetrically encrypt the digest of the entire certificate; in other words, the signature can be decrypted with the CA’s public key to recover the certificate's digest. When we compute the digest of the entire certificate again with the same digest algorithm (the algorithm used is recorded in the certificate) and the result matches the digest recovered from the signature, the certificate is trusted.
Intermediate certificates are trusted in the same way. This whole process is called a chain of trust.
I absolutely trust you (A>B); you absolutely trust him (B>C); therefore I absolutely trust him (A>C).
Here’s the process:
- The client obtains the certificate returned by the server and reads the Issuer of the certificate.
- The client goes to the operating system to look for the issuer’s certificate and continues recursively until it gets the root certificate.
- The client uses the public key of the root certificate to decrypt and verify the signature of the certificate the root issued, then uses that certificate's public key to verify the next certificate in the chain, and so on as the recursion unwinds.
- Finally verify that the certificate on the server side is trusted.
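The chain walk described above, as an added example that is not part of the original article. It follows the page's digest-then-private-key model using toy textbook RSA with fixed primes (insecure, for illustration only) rather than real X.509 parsing; all function names, CA names and the sample chain are constructed for this example.

```python
import hashlib

E = 65537

def make_key(p, q):
    # Toy textbook RSA from fixed Mersenne primes: illustration only, not secure.
    n = p * q
    return {"n": n, "e": E, "d": pow(E, -1, (p - 1) * (q - 1))}

def digest(cert, n):
    # Digest of the signed fields, reduced mod n so it fits the toy key.
    tbs = f'{cert["subject"]}|{cert["issuer"]}|{cert["pub"]}'.encode()
    return int.from_bytes(hashlib.sha256(tbs).digest(), "big") % n

def issue(subject, subject_key, issuer, issuer_key):
    cert = {"subject": subject, "issuer": issuer,
            "pub": (subject_key["n"], subject_key["e"])}
    # The CA "encrypts" the digest with its private key; the result is the signature.
    cert["sig"] = pow(digest(cert, issuer_key["n"]), issuer_key["d"], issuer_key["n"])
    return cert

def signed_by(cert, issuer_cert):
    # "Decrypt" the signature with the issuer's public key and compare digests.
    n, e = issuer_cert["pub"]
    return pow(cert["sig"], e, n) == digest(cert, n)

def verify_chain(cert, presented, trust_store, depth=8):
    # Recurse up the issuer links to a locally trusted root, then verify each
    # signature on the way back down. depth bounds loops such as self-issued certs.
    if depth == 0:
        return False
    root = trust_store.get(cert["issuer"])
    if root is not None:
        return signed_by(root, root) and signed_by(cert, root)
    issuer = presented.get(cert["issuer"])
    return (issuer is not None
            and verify_chain(issuer, presented, trust_store, depth - 1)
            and signed_by(cert, issuer))

# Constructed sample chain: root -> intermediate -> server certificate.
root_key = make_key(2**127 - 1, 2**89 - 1)
inter_key = make_key(2**107 - 1, 2**61 - 1)
leaf_key = make_key(2**521 - 1, 2**607 - 1)
root = issue("Root CA", root_key, "Root CA", root_key)
inter = issue("Intermediate CA", inter_key, "Root CA", root_key)
leaf = issue("example.test", leaf_key, "Intermediate CA", inter_key)
TRUST_STORE = {"Root CA": root}       # root certificates kept locally by the client
PRESENTED = {"Intermediate CA": inter}  # certificates sent along by the server
```

`verify_chain(leaf, PRESENTED, TRUST_STORE)` succeeds, while a modified certificate, a missing intermediate, or a chain ending in a self-issued CA that is not in the trust store is rejected. Real X.509 validation also checks fields this sketch ignores, such as the validity period and the host name.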