Reasons for SSL introduction and encryption steps
2022-06-12 11:45:00 【shldy1999】
1. SSL brief introduction:
SSL is a method of encrypting data transmitted over a network in order to ensure the security of network communication. The mainstream encryption methods today are SSL and TLS. The name "SSL" is usually used to refer to both SSL and TLS, also written SSL/TLS.
SSL's functionality depends mainly on hash functions, symmetric encryption and asymmetric encryption. It uses asymmetric encryption for identity authentication and key agreement, uses a symmetric encryption algorithm with the key negotiated in that step to encrypt the data, and verifies the integrity of the information with a hash function.
2. Reasons for introducing SSL
2.1 Limitations of symmetric encryption:
In ancient times information was originally transmitted unencrypted, so it could easily be intercepted (for example, if the messenger was captured). This is how the earliest symmetric encryption came into being. The best-known symmetric cipher is the Caesar cipher: every letter of the plaintext is shifted backward (or forward) in the alphabet by a fixed number of positions to produce the ciphertext. More complex schemes such as affine ciphers evolved later. However, English letters occur with different statistical frequencies, and the longer the text, the closer each letter's frequency comes to the statistical result. Usually e is the most common letter, so one can take the most frequent ciphertext letter to be e and guess the key with high probability. The Caesar cipher is therefore easy to crack. The affine cipher falls the same way: it is enough to pin down the mapping between two plaintext letters and their ciphertext letters.
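The two observations above, as an added Python example that is not part of the original article: the Caesar shift is read off the most frequent letter, and an affine key (a, b) is solved from two known letter mappings. The sample sentence, the keys and all function names are constructed for illustration.

```python
from collections import Counter
from math import gcd

A_ORD = ord("a")

def affine(text, a, b, decrypt=False):
    """E(x) = (a*x + b) mod 26 on lowercase letters; Caesar is the case a = 1."""
    a_inv = pow(a, -1, 26)          # exists only when gcd(a, 26) == 1
    out = []
    for ch in text:
        if "a" <= ch <= "z":
            x = ord(ch) - A_ORD
            x = a_inv * (x - b) % 26 if decrypt else (a * x + b) % 26
            ch = chr(x + A_ORD)
        out.append(ch)
    return "".join(out)

def caesar_shift_by_frequency(ciphertext):
    """Assume the most frequent ciphertext letter stands for plaintext 'e'."""
    top = Counter(c for c in ciphertext if "a" <= c <= "z").most_common(1)[0][0]
    return (ord(top) - ord("e")) % 26

def affine_key_from_pairs(p1, c1, p2, c2):
    """Solve c = a*p + b (mod 26) from two known plaintext/ciphertext letters."""
    x1, y1, x2, y2 = (ord(ch) - A_ORD for ch in (p1, c1, p2, c2))
    dx = (x1 - x2) % 26
    if gcd(dx, 26) != 1:
        raise ValueError("these two pairs do not fix a unique key; use another pair")
    a = (y1 - y2) * pow(dx, -1, 26) % 26
    return a, (y1 - a * x1) % 26

# Constructed sample plaintext (lowercase English, 'e' is its most common letter).
SAMPLE = "meet me here when the evening bell rings seven times"

def demo():
    shift = caesar_shift_by_frequency(affine(SAMPLE, 1, 3))      # Caesar, shift 3
    secret = affine(SAMPLE, 5, 8)                                # affine, a=5 b=8
    key = affine_key_from_pairs("e", secret[1], "t", secret[3])  # two known letters
    return shift, key, affine(secret, *key, decrypt=True)
```

The frequency guess only works on texts long enough for e to dominate, which is the point the paragraph makes about longer articles.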
In the computer age, more complex symmetric encryption was derived to solve the problem that the old ciphers were easy to crack. Common symmetric ciphers of the computer age are DES, AES and so on. DES uses a 56-bit key; when it first appeared, few computers had the power to break it. But as computing power improved, a 56-bit key became easy to exhaust, so AES with 256-bit keys was derived, followed by the more secure national cryptographic (SM) algorithms such as SM1 and SM7. This shows that the latest symmetric encryption can generally remain secure for a period of time, and that more reliable symmetric ciphers appear as computing power increases.
In the network age, the biggest problem of symmetric encryption is not that the key is easy to break but that the key is easy to intercept. In the past there were few occasions that required encryption, and the key could be negotiated with the other party before communicating. Now that networks are so widespread, we cannot meet every communication partner to negotiate a key. The symmetric key can only be sent over the Internet, where it runs a great risk of being intercepted. Asymmetric encryption arose in response.
2.2 Asymmetric encryption and its limitations:
Asymmetric encryption uses two keys: a public key and a private key. A specific mathematical algorithm makes encryption and decryption use different keys, hence the name asymmetric encryption. The most classic asymmetric algorithm is RSA. The public key and the private key are mathematically related, so data encrypted with one of them can only be decrypted with the other. With existing mathematical algorithms, however, one key cannot be calculated from the other, even if the relationship is known.
In use, A and B each generate a public key and a private key. The private key is kept only locally, while the public key can be made public. A encrypts data with B's public key and sends the encrypted data to B. On receipt, B decrypts the data with its own private key, and vice versa. In this way A and B need only the public keys for encrypted communication, and nobody else can decrypt using the public key.
Although other people who obtain the public key cannot decrypt the data, they can tamper with it. Asymmetric encryption is therefore generally combined with a hash of the data: the encrypted hash is passed to the recipient, who validates it to verify data integrity. For example, A first encrypts the hash value of the data with its own private key, then encrypts the data with B's public key. A then sends the encrypted hash value, the encrypted data and some other information to B. On receipt, B decrypts the data with its own private key, computes the hash value locally, decrypts the received hash value with A's public key, and compares the two hash values to check the integrity of the data.
The method above is relatively safe, but security risks remain: a man-in-the-middle attack can defeat asymmetric encryption. Imagine that C first generates his own public and private keys, intercepts the public keys of A and B, and sends his own public key to A and B instead. A and B each assume that the public key came from the other party. When A sends a message to B, A first encrypts the hash value of the data with its own private key, then encrypts the data with C's fake public key and sends it out. After intercepting it, C decrypts the data with his own private key (the algorithm that generates the public and private keys is public, so C can decrypt data encrypted with C's public key by using his own private key) and obtains A's plaintext. C can then tamper with the content, encrypt the hash value of the data with his own private key, encrypt the data with B's previously intercepted public key, and send it to B. On receipt, B decrypts the data with its own private key, decrypts the hash value with C's fake public key, and finds that they match. A and B both believe they have successfully sent/received the message, unaware that the information is under C's control. A solution is needed.
2.3 CA certificate:
CA stands for Certificate Authority, the certification authority. This is the method generally used today to ensure the authenticity of a public key. A CA also works on the basis of asymmetric encryption. B first hands its own public key (and some other information) to the CA. The CA encrypts this data with its own private key; the encrypted data is called B's digital certificate. B passes the CA-encrypted digital certificate to A. On receipt, A uses the CA certificate published by the CA (which contains the CA's public key) to decrypt B's digital certificate and so obtain B's public key.
One might ask whether C could issue a fake CA certificate to A and then continue with steps similar to the man-in-the-middle attack. In general, however, CAs have their CA certificates built into browsers and operating systems. A already has the CA certificate when obtaining the browser or operating system and does not need to fetch it over the network, so it cannot be intercepted.
What must be understood is that the security of CA certificates rests on the CA organization. A CA is like an official authority, so its credibility depends mainly on that authority's credibility. It is like an anti-counterfeiting mark: a genuine mark shows that a product is authentic, but if the authority strikes a deal with counterfeiters and prints genuine marks for their products, there is nothing to be done. So this approach is meaningless if the chosen CA has no credibility. In general, however, this situation does not need to be considered.
In addition, if you use a pirated operating system or an unofficial browser, or are infected by a virus, digital certificates not certified by a CA may be accepted, and C has a chance to launch a man-in-the-middle attack. So, provided the CA itself does not act in bad faith, use genuine software as far as possible to ensure that it has not been tampered with.
2.4 Introducing SSL:
From the above, a secure encrypted channel requires the following operations:
1. Exchange public keys through a CA.
2. Exchange the symmetric encryption key through an asymmetric encryption algorithm.
3. Encrypt the communication data with a symmetric encryption algorithm.
Encryption schemes in general are optimized on top of this architecture to avoid generic or potentially dangerous situations in specific cases. The hash processing in asymmetric encryption is one such optimization, though it is used almost universally.
Some may ask why asymmetric encryption must be used to pass a symmetric key, rather than simply communicating with asymmetric encryption directly. The reason is that asymmetric encryption is in most cases much slower than symmetric encryption, as the steps above suggest. Passing a symmetric encryption key is therefore necessary to keep network access fast.
SSL is an encryption method based on the process above.
3. SSL steps:
3.1 Getting the certificate:
A CA can ensure the authenticity of a digital certificate. In practice, however, CA certification is basically a paid service, and we cannot pay extra for certificates just to use online banking or online trading software (such as a certain "-bao" app). At this point it may seem difficult to ensure the security of network communication, but there is a solution.
Generally, banks and other large institutions obtain their own digital certificates and install them on their own web servers. When users want to visit their web pages, the following steps take place:
1. The user sends a request to the web server.
2. The server returns its CA digital certificate, which contains the server's public key.
3. The user obtains the digital certificate and decrypts it with the built-in CA certificate to get the server's public key. If the certificate has been tampered with, the browser reports a certificate error.
4. The user encrypts a key for the subsequent symmetric encryption algorithm with the server's public key and passes it to the web server. Only the server's private key can decrypt it, so interception is not a concern.
5. The server receives the encrypted key, decrypts it to obtain the key, and can then use the key for the rest of the network communication with the user.
So the user completes these steps without having a certificate of their own. We see that the user is always authenticating the server while the server never authenticates the user, and the user has no CA certificate. This raises the question of how the server authenticates users. The answer is simple: a user name and password verify the user's identity.
3.2 SSL handshake:
The SSL handshake protocol is complicated. Here is a brief summary of the steps, where A represents the client and B represents the server:
1. A sends the SSL protocol version it supports, a client random number r1, the encryption methods supported by the client, and other information.
2. B confirms the encryption method after receiving the message, and returns the server's digital certificate, a random number r2 generated by the server, and other information.
3. A confirms the validity of the digital certificate, generates a new random number r3, encrypts it with the public key in the digital certificate and sends it to B.
4. B uses its own private key to recover the random number r3 sent by A.
5. Using the agreed encryption method (AES, SM1, SM7, etc.), A and B generate the session key from the three random numbers r1, r2 and r3, and use it to encrypt the subsequent communication.
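The five steps above together with the certificate check from section 2.3, as an added Python sketch that is not part of the original article and not real SSL/TLS code. It assumes textbook RSA with tiny constructed keys and an HMAC-SHA256 stand-in for the session key derivation; all names are hypothetical.

```python
import hashlib
import hmac
import secrets

E = 65537

def keypair(p, q):
    """Textbook RSA from two primes: returns ((n, e), d). Toy sizes, no padding."""
    return (p * q, E), pow(E, -1, (p - 1) * (q - 1))

# Constructed toy keys built from known Mersenne primes; insecure by design.
CA_PUB, CA_PRIV = keypair(2**127 - 1, 2**89 - 1)   # CA; public half built into A
B_PUB, B_PRIV = keypair(2**107 - 1, 2**61 - 1)     # server B
C_PUB, C_PRIV = keypair(2**127 - 1, 2**61 - 1)     # man in the middle C

def digest(pub, modulus):
    h = hashlib.sha256(repr(pub).encode()).digest()
    return int.from_bytes(h, "big") % modulus

def issue_cert(signer_pub, signer_priv, subject_pub):
    """Signer encrypts the hash of the subject's public key with its private key."""
    n = signer_pub[0]
    return subject_pub, pow(digest(subject_pub, n), signer_priv, n)

def verify_cert(ca_pub, cert):
    """A's check in step 3: returns the server public key or raises ValueError."""
    subject_pub, sig = cert
    n, e = ca_pub
    if pow(sig, e, n) != digest(subject_pub, n):
        raise ValueError("certificate was not signed by the trusted CA")
    return subject_pub

def session_key(r1, r2, r3):
    # Assumed derivation (HMAC-SHA256 keyed by r3); real SSL/TLS uses its own PRF.
    return hmac.new(r3, r1 + r2, hashlib.sha256).digest()

def handshake(ca_pub, cert, server_priv):
    """Steps 1-5; returns the session keys computed by A and by B."""
    r1 = secrets.token_bytes(16)                   # 1. client random
    r2 = secrets.token_bytes(16)                   # 2. server random, sent with cert
    n, e = verify_cert(ca_pub, cert)               # 3. A validates the certificate
    r3 = secrets.token_bytes(16)
    wire = pow(int.from_bytes(r3, "big"), e, n)    #    r3 under B's public key
    r3_b = pow(wire, server_priv, n).to_bytes(16, "big")        # 4. B decrypts r3
    return session_key(r1, r2, r3), session_key(r1, r2, r3_b)   # 5. both derive
```

With a certificate from `issue_cert(CA_PUB, CA_PRIV, B_PUB)` both sides end up with the same key, while a certificate C signs himself, or B's certificate with C's key swapped in, is rejected in step 3 before r3 is ever sent.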