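Questions about the TLS handshake negotiation when HTTPS establishes a secure connection

After reading a lot of material explaining HTTPS, I summarized it as follows: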


  1. The client sends a “Client hello” message to the server, along with the client’s random value (RAlice) and supported cipher suites. This step is sent in plaintext.
  2. The server responds by sending a “Server hello” message to the client, along with the server’s random value (RBob). The server sends its certificate to the client for authentication and may request a certificate from the client. The server sends the “Server hello done” message. If the server has requested a certificate from the client, the client sends it. This step is sent in plaintext.
  3. The client creates a random Pre-Master Secret (S) and encrypts it with the public key from the server’s certificate, sending the encrypted Pre-Master Secret to the server.
  4. The server receives the Pre-Master Secret (S). The server and client each generate the Master Secret and session keys based on the Pre-Master Secret.
  5. The client sends “Change cipher spec” notification to server to indicate that the client will start using the new session keys for hashing and encrypting messages. Client also sends “Client finished” message.
  6. Server receives “Change cipher spec” and switches its record layer security state to symmetric encryption using the session keys. Server sends “Server finished” message to the client.
  7. Client and server can now exchange application data over the secured channel they have established. All messages sent from client to server and from server to client are encrypted using session key.

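HTTPS establishes its secure connection with a hybrid encryption scheme: computationally expensive asymmetric encryption is used first to negotiate a temporary symmetric encryption key (the session key), and both sides then use a symmetric encryption algorithm to quickly encrypt and decrypt the large volume of data being transferred.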

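The certificate that the server sends to the client in step 2 contains the following:
1. The issuing certificate authority (CA)
2. The signature
3. The public key
4. The certificate owner, validity period, ...

(1) First, the client reads the certificate owner, validity period and other information from the certificate and checks each item.

(2) The client looks up the trusted issuing CAs built into the operating system and compares them with the issuer CA in the certificate sent by the server, to check whether the certificate was issued by a legitimate authority.

(3) If no match is found, the client reports an error, meaning the certificate sent by the server cannot be trusted.

(4) If a match is found, the client takes the issuer CA's public key from the operating system, then uses the same hash algorithm to compute the hash of the certificate sent by the server, and compares this computed hash with the signature in the certificate.

(5) If the comparison matches, the certificate sent by the server is proven to be legitimate.

(7) At this point the client can read the public key from the certificate and use it for the subsequent encryption.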

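Anyway, I didn't understand it, and I'm puzzled: how exactly is this security established? Is encryption and decryption done with the server's public key, or with the K from the first figure? I didn't see any asymmetric encryption in the TLS handshake?? If anyone understands this, please explain it to me.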

References:
https://msdn.microsoft.com/en-us/library/windows/desktop/aa380513(v=vs.85).aspx

https://mp.weixin.qq.com/s?src=3&timestamp=1520414724&ver=1&signature=6QFjq9sccuvl*WhO1AgXD0agxTtbkcVK0MAZ1rsB1uiNWGZGfGsJXPlcj9OMcT6*eH2y5tK3-yt2yWyl6w74esQ0Q2dYjxkbsosX2m7D6MyWOECljHh4I*6QIENmJCwUM*eBhqwFBJFKfwths-*5BQap5K3ouq31KQzOqEIGxME=
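
The key derivation in step 4 of the handshake summary, as an added example that is not part of the original post: it shows how the Pre-Master Secret S and the two plaintext random values become the Master Secret and the symmetric session keys. It assumes the TLS 1.2 PRF from RFC 5246 and the cipher suite TLS_RSA_WITH_AES_128_CBC_SHA256 (the post names neither), and the function names are hypothetical.

```python
import hashlib
import hmac
import os


def p_sha256(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_hash from RFC 5246 section 5: chained HMAC-SHA256 output."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()  # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]


def prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    return p_sha256(secret, label + seed, length)


def derive_session_keys(pre_master: bytes, r_alice: bytes, r_bob: bytes) -> dict:
    """Step 4: both sides run this on S plus the two plaintext randoms."""
    master = prf(pre_master, b"master secret", r_alice + r_bob, 48)
    # Key expansion seeds with the server random first, then the client random.
    # Assumed suite layout: two 32-byte MAC keys, then two 16-byte AES keys.
    block = prf(master, b"key expansion", r_bob + r_alice, 96)
    return {
        "master_secret": master,
        "client_write_MAC_key": block[0:32],
        "server_write_MAC_key": block[32:64],
        "client_write_key": block[64:80],
        "server_write_key": block[80:96],
    }


if __name__ == "__main__":
    # Constructed sample values standing in for a real handshake.
    r_alice, r_bob = os.urandom(32), os.urandom(32)  # steps 1-2, sent in the clear
    s = b"\x03\x03" + os.urandom(46)                 # step 3: version + 46 random bytes
    # Only S travels under the server's RSA public key. The keys below never
    # cross the wire: client and server compute them independently.
    client_side = derive_session_keys(s, r_alice, r_bob)
    server_side = derive_session_keys(s, r_alice, r_bob)
    assert client_side == server_side
    for name, value in client_side.items():
        print(f"{name}: {value.hex()}")
```

The asymmetric operation is confined to step 3, where S is encrypted to the server's public key; everything after "Change cipher spec" is protected with the symmetric keys derived here.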