SSL pool connection
Publish: 2021-05-03 07:19:43
1.
Hello
SSL connection is SSL protocol
it has been widely used for identity authentication and encrypted data transmission between web browser and server.
it is located between TCP / IP protocol and various application layer protocols, providing security support for data communication
SSL protocol can be divided into two layers:
SSL recording protocol: it is based on reliable transmission protocol (such as TCP), and provides basic functions such as data encapsulation, compression and encryption for high-level protocols
SSL handshake protocol: it is based on the SSL record protocol, and is used for identity authentication, encryption algorithm negotiation and encryption key exchange between the two communication parties before the actual data transmission starts
2.
Steps:
1. Click the browser settings button and select Internet Options.
2. In the window, select advanced options, check ssl2.0 and SSL3.0 in the settings, and then click apply → OK
3. < UL > < / UL >
in the use of HTTPS, it is necessary to ensure that the server is correctly configured with the corresponding security certificate
the client sends a request to the server
the server returns the public key and certificate to the client
the client will verify the security of the certificate after receiving it. If it passes, a random number will be generated randomly and encrypted with the public key, Send to the server
after receiving the encrypted random number, the server will decrypt it with the private key to get the real random number, Then use this random number as the private key to encrypt the data to be sent symmetrically
after receiving the encrypted data, the client uses the private key (that is, the generated random value) to decrypt the data and parse the data, presenting the results to the client
SSL encryption establishment
if you have any questions, you can consult Tianwei integrity
vtrus domain trust carries out strict written review on website organization and domain name ownership. After the review, it identifies the certificate website and website organization by issuing deployment server certificate (SSL / TLS certificate), so that Internet users can directly understand the real identity of the enterprise that owns the website and strengthen their trust in the website
at the same time, the server certificate establishes a secure transmission channel between the website and the user. In the website where SSL / TLS certificate has been deployed, whether the payment details, login password or other Internet-based transaction information are submitted, they will be encrypted for secure transmission
4. Gworg applies for SSL certificate and then enters the server to install SSL in the server environment.
5. SSL certificate, also known as server SSL certificate, is a kind of digital certificate complying with SSL protocol, which is issued by the certification authority (CA) of global trust after verifying the identity of the server. Installing SSL certificate on the website server can realize the al functions of website authentication and data encryption transmission.
6.
What SSL certificate do you use? You can apply for a globally trusted SSL certificate at watcom ca. wosign.com
7. The basic principle of HTTPS
1. Why is HTTP not secure
HTTP protocol does not have any encryption and authentication mechanism, so it is very easy to encounter eavesdropping, hijacking and tampering, which will cause serious security problems such as personal privacy leakage and malicious traffic hijacking
many foreign websites support full site HTTPS. At present, the domestic network has completed the search of full site HTTPS at the beginning of the year, and other large-scale websites are also following up. The biggest reason why the network completes full site HTTPS first is that the network, as the largest traffic entrance in China, must bear the brunt of hijacking, and the greater the tangible and intangible losses. As for the problem of traffic hijacking, I also mentioned it in another article. It is basically a common problem for Internet enterprises, and HTTPS is also recognized as a better solution at present. However, HTTPS will also bring a lot of performance and access speed sacrifice. Many Internet companies will encounter this problem when they grow up: the cost of HTTPS is high and the speed is slow. When it is small, it is enough when it comes to login and transaction. When it is big, it will encounter information leakage and hijacking. If they want to change it as a whole, the cost is very high
2. How to ensure the security of HTTPS
to solve the above problems, we need to introce encryption and authentication mechanism
at this time, we introced the concept of asymmetric encryption. We know that asymmetric encryption can only be decrypted if it is a data encrypted by public key, so I just need to send the public key to you, and you can use the public key to encrypt the secret key for future data exchange. When I send it to you, even if the person in the middle intercepts the information, it can't be decrypted, because the private key is with me, Only I can decrypt. After I get your information, I use the private key to decrypt it, and then I get the symmetric secret key for encrypting data. I use this symmetric key for subsequent data encryption. In addition, asymmetric encryption can manage the secret key well, and ensure that the symmetric key of each data encryption is different
but it seems that this is not enough. If the middleman forges a public key to send it to you instead of sending it to you after receiving my public key, this is that you encrypt the symmetric key with this public key and send it back to me. The middleman can decrypt it with the private key and get the symmetric key. At this time, he is sending this symmetric key back to me with my public key, In this way, the middleman gets the symmetric key and can decrypt the transmitted data. In order to solve this problem, we introce the concept of digital certificate. First of all, I generate the public and private keys, provide the public key to the relevant authority (CA), and the CA puts the public key into the digital certificate and issues the digital certificate to me. At this time, I will not simply give you the public key, but give you a digital certificate. Some digital signature mechanisms are added to the digital certificate to ensure that the digital certificate must be given to you by me
therefore, we can synthesize the above three points: asymmetric encryption algorithm (public key and private key) exchange secret key + digital certificate authentication (verifying whether the public key is forged) + using symmetric encryption algorithm to encrypt data = security
3. Introction to the HTTPS protocol
why is it a protocol introction? Because there are too many things involved in HTTPS, especially some encryption algorithms, which are very complex, we don't need to do in-depth research on these algorithms. This part is just to sort out some of the most basic principles of HTTPS, so as to lay a theoretical foundation for the decomposition of the connection establishment of HTTPS and the optimization of HTTPS
3.1 symmetric encryption algorithm
symmetric encryption is an encryption algorithm that uses the same key for encryption and decryption. It requires the sender and receiver to agree on a key before secure communication. The security of symmetric algorithm depends on the key, and leaking the key means that anyone can decrypt the messages they send or receive, so the confidentiality of the key is very important for communication
symmetric encryption can be divided into two modes: stream encryption and packet encryption
stream encryption treats the message as a bit stream, and uses mathematical functions to act on each bit. When stream encryption is used, the same plaintext bit will be converted into different ciphertext bits every time it is encrypted. Stream encryption uses a key stream generator, which generates a bit stream XOR with the plaintext bit to generate ciphertext. Now RC4 is commonly used, but RC4 is no longer secure. Microsoft also suggests that the network should not use RC4 stream encryption as far as possible
packet encryption is to divide the message into several bit packets, which are then processed by mathematical functions, one at a time. Suppose that the message to the opposite end needs to be encrypted, and the 64 bit block cipher is used. At this time, if the message length is 640 bits, it will be divided into 10 64 bit blocks. Each block is processed with a series of mathematical formulas, and finally 10 encrypted text groups are obtained. Then, the ciphertext message is sent to the opposite end. The peer must have the same block cipher, decrypt 10 ciphertext blocks in reverse order using the previous algorithm, and finally get the plaintext message. There are des, 3DES and AES in common use. DES is an old encryption algorithm, which has been proved to be insecure. 3DES is a transitional encryption algorithm, which is equivalent to triple operation on the basis of DES to improve security, but it is essentially consistent with DES algorithm. AES is an alternative algorithm of DES algorithm and one of the most secure symmetric encryption algorithms. In addition to the algorithm itself, there are many different operation modes of block encryption algorithm, such as ECB, CBC, CFB, OFB, CTR, etc. these different modes may only be effective in the environment of specific functions, so it is necessary to understand various modes and the use of each mode. This section will be discussed in detail later in the article
advantages and disadvantages of symmetric encryption algorithm:
advantages: open algorithm, small amount of calculation, fast encryption speed and high encryption efficiency
disadvantages: (1) both sides of the transaction use the same key, so the security can not be guaranteed
(2) each pair of users need to use a unique key that others don't know when using symmetric encryption algorithm, which will make the number of keys owned by both sender and receiver increase geometrically, and key management becomes the burden of users
(3) confidentiality can be provided, but authentication and non repudiation cannot be provided
3.2 asymmetric encryption algorithm
before the emergence of asymmetric key exchange algorithm, a big problem of symmetric encryption is that it does not know how to generate and keep the key safely. Asymmetric key exchange process is mainly to solve this problem, making the generation and use of symmetric key more secure
the key exchange algorithm itself is very complex. The key exchange process involves random number generation, molar index operation, blank completion, encryption, signature and other operations
common key exchange algorithms include RSA, ecdhe, DH, DHE and so on. Involving more complex mathematical problems, the following is a brief introction to the most classic RSA algorithm. RSA: simple algorithm, born in 1977, has a long history, after a long time of crack testing, high security. The disadvantage is that it needs a relatively large prime number, that is, prime number (2048 bits are commonly used at present) to ensure the security strength, which consumes CPU computing resources. RSA is the only algorithm that can be used for both key exchange and certificate signature. I think RSA can be regarded as the most classic asymmetric encryption algorithm. Although the algorithm itself is a mathematical thing, as the most classic algorithm, I also spent some time to study the algorithm, which will be introced in detail later
asymmetric encryption is more secure than symmetric encryption, but it also has two obvious disadvantages:
1, CPU computing resource consumption is very large. In a complete TLS handshake, the asymmetric decryption computation ring key exchange accounts for more than 90% of the whole handshake process. The computation of symmetric encryption is only 0.1% of that of asymmetric encryption. If asymmetric encryption and decryption are also used in application layer data, the performance overhead is too large to bear
2. The length of the encrypted content is limited by the asymmetric encryption algorithm, which cannot exceed the length of the public key. For example, the common public key length is 2048 bits, which means that the content to be encrypted cannot exceed 256 bytes
therefore, public key encryption (extremely CPU consuming) can only be used for key exchange or content signature at present, which is not suitable for encryption and decryption of application layer transmission content<
3.3 authentication
the authentication part of the HTTPS protocol is completed by a digital certificate, which consists of public key, certificate body, digital signature, etc. after the client initiates an SSL request, the server will send the digital certificate to the client, and the client will verify the certificate (verify to see if the certificate is forged? That is, whether the public key is forged), and obtain the asymmetric key for secret key exchange (obtain the public key)
digital certificate has two functions:
1, identity authorization. Make sure that the website you visit is a trusted website verified by ca
2, distribute the public key. Each digital certificate contains the public key generated by the registrant (which is verified to be legal and non forged). The SSL handshake will be transmitted to the client through certificate message
to apply for a trusted digital certificate usually has the following process:
1. The terminal entity (which can be a terminal hardware or website) generates the public and private keys and certificate request
2. RA (certificate registration and auditing body) checks the legitimacy of the entity. If you are a person or a small website, this step is not necessary
3. The Ca (certificate issuing authority) issues the certificate and sends it to the applicant
4, the certificate is updated to the repository (responsible for the storage and distribution of digital certificate and CRL content), and the terminal subsequently updates the certificate from the repository and queries the status of the certificate
digital certificate verification:
when an applicant obtains the CA certificate and deploys it on the website server, how can he confirm that the certificate is issued by the CA after the browser sends a handshake to receive the certificate? How to prevent the third party from forging this certificate? The answer is digital signature. Digital signature is the anti-counterfeiting label of certificate. At present, sha-rsa (Sha is used for hash algorithm and RSA is used for asymmetric encryption algorithm) is the most widely used digital signature. The process of making and verifying digital signature is as follows:
1, signing and issuing of digital signature. Firstly, the hash function is used to hash the signature content and generate the message digest. Then, the private key of Ca is used to encrypt the message digest
2, digital signature verification. The public key of Ca is used to decrypt the signature, and then the same signature function is used to sign the content of the signature certificate, which is compared with the content of the signature in the server digital signature. If it is the same, the verification is considered successful
it should be noted that:
1) the key pair used in digital signature signing and verification is CA's own private and public key, which has nothing to do with the public key submitted by the certificate applicant
2) the signing process of digital signature is just opposite to that of public key encryption, that is, private key encryption and public key decryption
3) nowadays, large CAS have certificate chains. One of the advantages of certificate chains is security, which keeps the private key of the root CA offline. The second advantage is to facilitate deployment and revocation, that is, if there is a problem with the certificate, you only need to revoke the certificate of the corresponding level, and the root certificate will be revoked according to the
1. Why is HTTP not secure
HTTP protocol does not have any encryption and authentication mechanism, so it is very easy to encounter eavesdropping, hijacking and tampering, which will cause serious security problems such as personal privacy leakage and malicious traffic hijacking
many foreign websites support full site HTTPS. At present, the domestic network has completed the search of full site HTTPS at the beginning of the year, and other large-scale websites are also following up. The biggest reason why the network completes full site HTTPS first is that the network, as the largest traffic entrance in China, must bear the brunt of hijacking, and the greater the tangible and intangible losses. As for the problem of traffic hijacking, I also mentioned it in another article. It is basically a common problem for Internet enterprises, and HTTPS is also recognized as a better solution at present. However, HTTPS will also bring a lot of performance and access speed sacrifice. Many Internet companies will encounter this problem when they grow up: the cost of HTTPS is high and the speed is slow. When it is small, it is enough when it comes to login and transaction. When it is big, it will encounter information leakage and hijacking. If they want to change it as a whole, the cost is very high
2. How to ensure the security of HTTPS
to solve the above problems, we need to introce encryption and authentication mechanism
at this time, we introced the concept of asymmetric encryption. We know that asymmetric encryption can only be decrypted if it is a data encrypted by public key, so I just need to send the public key to you, and you can use the public key to encrypt the secret key for future data exchange. When I send it to you, even if the person in the middle intercepts the information, it can't be decrypted, because the private key is with me, Only I can decrypt. After I get your information, I use the private key to decrypt it, and then I get the symmetric secret key for encrypting data. I use this symmetric key for subsequent data encryption. In addition, asymmetric encryption can manage the secret key well, and ensure that the symmetric key of each data encryption is different
but it seems that this is not enough. If the middleman forges a public key to send it to you instead of sending it to you after receiving my public key, this is that you encrypt the symmetric key with this public key and send it back to me. The middleman can decrypt it with the private key and get the symmetric key. At this time, he is sending this symmetric key back to me with my public key, In this way, the middleman gets the symmetric key and can decrypt the transmitted data. In order to solve this problem, we introce the concept of digital certificate. First of all, I generate the public and private keys, provide the public key to the relevant authority (CA), and the CA puts the public key into the digital certificate and issues the digital certificate to me. At this time, I will not simply give you the public key, but give you a digital certificate. Some digital signature mechanisms are added to the digital certificate to ensure that the digital certificate must be given to you by me
therefore, we can synthesize the above three points: asymmetric encryption algorithm (public key and private key) exchange secret key + digital certificate authentication (verifying whether the public key is forged) + using symmetric encryption algorithm to encrypt data = security
3. Introction to the HTTPS protocol
why is it a protocol introction? Because there are too many things involved in HTTPS, especially some encryption algorithms, which are very complex, we don't need to do in-depth research on these algorithms. This part is just to sort out some of the most basic principles of HTTPS, so as to lay a theoretical foundation for the decomposition of the connection establishment of HTTPS and the optimization of HTTPS
3.1 symmetric encryption algorithm
symmetric encryption is an encryption algorithm that uses the same key for encryption and decryption. It requires the sender and receiver to agree on a key before secure communication. The security of symmetric algorithm depends on the key, and leaking the key means that anyone can decrypt the messages they send or receive, so the confidentiality of the key is very important for communication
symmetric encryption can be divided into two modes: stream encryption and packet encryption
stream encryption treats the message as a bit stream, and uses mathematical functions to act on each bit. When stream encryption is used, the same plaintext bit will be converted into different ciphertext bits every time it is encrypted. Stream encryption uses a key stream generator, which generates a bit stream XOR with the plaintext bit to generate ciphertext. Now RC4 is commonly used, but RC4 is no longer secure. Microsoft also suggests that the network should not use RC4 stream encryption as far as possible
packet encryption is to divide the message into several bit packets, which are then processed by mathematical functions, one at a time. Suppose that the message to the opposite end needs to be encrypted, and the 64 bit block cipher is used. At this time, if the message length is 640 bits, it will be divided into 10 64 bit blocks. Each block is processed with a series of mathematical formulas, and finally 10 encrypted text groups are obtained. Then, the ciphertext message is sent to the opposite end. The peer must have the same block cipher, decrypt 10 ciphertext blocks in reverse order using the previous algorithm, and finally get the plaintext message. There are des, 3DES and AES in common use. DES is an old encryption algorithm, which has been proved to be insecure. 3DES is a transitional encryption algorithm, which is equivalent to triple operation on the basis of DES to improve security, but it is essentially consistent with DES algorithm. AES is an alternative algorithm of DES algorithm and one of the most secure symmetric encryption algorithms. In addition to the algorithm itself, there are many different operation modes of block encryption algorithm, such as ECB, CBC, CFB, OFB, CTR, etc. these different modes may only be effective in the environment of specific functions, so it is necessary to understand various modes and the use of each mode. This section will be discussed in detail later in the article
advantages and disadvantages of symmetric encryption algorithm:
advantages: open algorithm, small amount of calculation, fast encryption speed and high encryption efficiency
disadvantages: (1) both sides of the transaction use the same key, so the security can not be guaranteed
(2) each pair of users need to use a unique key that others don't know when using symmetric encryption algorithm, which will make the number of keys owned by both sender and receiver increase geometrically, and key management becomes the burden of users
(3) confidentiality can be provided, but authentication and non repudiation cannot be provided
3.2 asymmetric encryption algorithm
before the emergence of asymmetric key exchange algorithm, a big problem of symmetric encryption is that it does not know how to generate and keep the key safely. Asymmetric key exchange process is mainly to solve this problem, making the generation and use of symmetric key more secure
the key exchange algorithm itself is very complex. The key exchange process involves random number generation, molar index operation, blank completion, encryption, signature and other operations
common key exchange algorithms include RSA, ecdhe, DH, DHE and so on. Involving more complex mathematical problems, the following is a brief introction to the most classic RSA algorithm. RSA: simple algorithm, born in 1977, has a long history, after a long time of crack testing, high security. The disadvantage is that it needs a relatively large prime number, that is, prime number (2048 bits are commonly used at present) to ensure the security strength, which consumes CPU computing resources. RSA is the only algorithm that can be used for both key exchange and certificate signature. I think RSA can be regarded as the most classic asymmetric encryption algorithm. Although the algorithm itself is a mathematical thing, as the most classic algorithm, I also spent some time to study the algorithm, which will be introced in detail later
asymmetric encryption is more secure than symmetric encryption, but it also has two obvious disadvantages:
1, CPU computing resource consumption is very large. In a complete TLS handshake, the asymmetric decryption computation ring key exchange accounts for more than 90% of the whole handshake process. The computation of symmetric encryption is only 0.1% of that of asymmetric encryption. If asymmetric encryption and decryption are also used in application layer data, the performance overhead is too large to bear
2. The length of the encrypted content is limited by the asymmetric encryption algorithm, which cannot exceed the length of the public key. For example, the common public key length is 2048 bits, which means that the content to be encrypted cannot exceed 256 bytes
therefore, public key encryption (extremely CPU consuming) can only be used for key exchange or content signature at present, which is not suitable for encryption and decryption of application layer transmission content<
3.3 authentication
the authentication part of the HTTPS protocol is completed by a digital certificate, which consists of public key, certificate body, digital signature, etc. after the client initiates an SSL request, the server will send the digital certificate to the client, and the client will verify the certificate (verify to see if the certificate is forged? That is, whether the public key is forged), and obtain the asymmetric key for secret key exchange (obtain the public key)
digital certificate has two functions:
1, identity authorization. Make sure that the website you visit is a trusted website verified by ca
2, distribute the public key. Each digital certificate contains the public key generated by the registrant (which is verified to be legal and non forged). The SSL handshake will be transmitted to the client through certificate message
to apply for a trusted digital certificate usually has the following process:
1. The terminal entity (which can be a terminal hardware or website) generates the public and private keys and certificate request
2. RA (certificate registration and auditing body) checks the legitimacy of the entity. If you are a person or a small website, this step is not necessary
3. The Ca (certificate issuing authority) issues the certificate and sends it to the applicant
4, the certificate is updated to the repository (responsible for the storage and distribution of digital certificate and CRL content), and the terminal subsequently updates the certificate from the repository and queries the status of the certificate
digital certificate verification:
when an applicant obtains the CA certificate and deploys it on the website server, how can he confirm that the certificate is issued by the CA after the browser sends a handshake to receive the certificate? How to prevent the third party from forging this certificate? The answer is digital signature. Digital signature is the anti-counterfeiting label of certificate. At present, sha-rsa (Sha is used for hash algorithm and RSA is used for asymmetric encryption algorithm) is the most widely used digital signature. The process of making and verifying digital signature is as follows:
1, signing and issuing of digital signature. Firstly, the hash function is used to hash the signature content and generate the message digest. Then, the private key of Ca is used to encrypt the message digest
2, digital signature verification. The public key of Ca is used to decrypt the signature, and then the same signature function is used to sign the content of the signature certificate, which is compared with the content of the signature in the server digital signature. If it is the same, the verification is considered successful
it should be noted that:
1) the key pair used in digital signature signing and verification is CA's own private and public key, which has nothing to do with the public key submitted by the certificate applicant
2) the signing process of digital signature is just opposite to that of public key encryption, that is, private key encryption and public key decryption
3) nowadays, large CAS have certificate chains. One of the advantages of certificate chains is security, which keeps the private key of the root CA offline. The second advantage is to facilitate deployment and revocation, that is, if there is a problem with the certificate, you only need to revoke the certificate of the corresponding level, and the root certificate will be revoked according to the
8. SSL certificate is needed to access the HTTPS protocol. TLS is the name of SSL and HTTPS security transport layer protocol
differences between SSL and TLS and introction: https://www.gworg.com/ssl/422.html
detailed explanation of HTTPS encryption protocol (4): TLS / SSL handshake process: https://www.gworg.com/ssl/408.html
what is the difference between HTTPS and HTTP?: https://www.gworg.com/ssl/404.html
differences between SSL and TLS and introction: https://www.gworg.com/ssl/422.html
detailed explanation of HTTPS encryption protocol (4): TLS / SSL handshake process: https://www.gworg.com/ssl/408.html
what is the difference between HTTPS and HTTP?: https://www.gworg.com/ssl/404.html
9. This should be SSL certificate problem, to apply for a trusted formal SSL certificate, GDCA can help you
10. The bus fare from Zhengzhou Central Station South line to Shanghai is
238 yuan
Zhengzhou departure time
17:20
and
21:00
for reference only
238 yuan
Zhengzhou departure time
17:20
and
21:00
for reference only
Hot content