建立安全协商 SSL Client SSL Server Server hello 1. The Server hello message is composed of a. SsL Version (highest) that is understood by the client TLSV1 b Key Exchange to identify the method of exchanging keys RSA C Data Encryption to identify the encryption methods available to the client DES d Message Digest for data integrity MDS e Data Compression method for message exchange PKZip f a Random number to compute the secret key
27 SSL Client SSL Server Server Hello 1. The Server Hello message is composed of a. SSL Version (highest) that is understood by the client. TLSv1 b. Key Exchange to identify the method of exchanging keys. RSA. c. Data Encryption to identify the encryption methods available to the Client. DES d. Message Digest for data integrity. MD5 e. Data Compression method for message exchange PKZip f. A Random number to compute the secret key 一、建立安全协商
Cipher Suite Alternatives Data Encryption Key Exchange ARC2-40 RSA RC4-128 Fixed Diffie-Hellman DES Ephemeral Diffie-Hellman DES 40 Anonymous Diffie-Hellman 3DES Fortezza IDEA Fortezza Message digest Data Compression: MD5 PKZip SHA Winzip gzIp Stufflt 28
28 Data Encryption: RC2-40 RC4-128 DES DES 40 3DES IDEA Fortezza Message Digest: MD5 SHA. Cipher Suite Alternatives Key Exchange. RSA Fixed Diffie-Hellman Ephemeral Diffie-Hellman Anonymous Diffie-Hellman Fortezza Data Compression: PKZip WinZip gzip StuffIt
、服务器鉴别和密钥交换 SSL Client SSL Server Server Certificate The Server Certificate message is composed of a. The server Identifier information b. A Digital Certificate of the sever information encrypted with the CAs Private Ke This contains the server's public Key lient certificate revues 1. The Client Certificate request message is composed of a. The Certificate ty pe to indicate the type of public key b. The Certificate Authority is a list of distinguished names of Certificate Authorities acceptable to the Server Server done message 1. This Server done message has no parameters
SSL Client SSL Server Server Certificate 1. The Server Certificate message is composed of a. The server Identifier information b. A Digital Certificate of the sever information encrypted with the CAs Private Key. This contains the server's Public Key Client Certificate Request 1. The Client Certificate Request message is composed of a. The Certificate type to indicate the type of public key b. The Certificate Authority is a list of distinguished names of Certificate Authorities acceptable to the Server Server Done Message 1. This Server Done message has no parameters. 二、服务器鉴别和密钥交换
客户机验证和密钥交换 SSL Client Client Certificate 1. The Client Certificate message is composed of SSL Server a. the server Identifier information b. A Digital Certificate of the client information encrypted with the CAs Private Key 1. The Client authenticates the Server with the CA a. Extracts the public key of the root signed certificate that came installed with the client and computes a md of the server certificate information b Decrypts the server certificate(that was issued by the root ca)that contains the hash computed by the Ca Private Key c Compares the computed hash with the hash contained in the server Digital Certificate 2. Generates a session key(psuedo-random number) to use as a Pre-master Key the 3. Encrypts the session key with the server's public key
SSL Client SSL Server Client Certificate 1. The Client Certificate message is composed of a. The server Identifier information b. A Digital Certificate of the client information encrypted with the CAs Private Key 1. The Client Authenticates the Server with the CA. a. Extracts the public key of the root signed certificate that came installed with the client and Computes a MD of the server certificate information. b. Decrypts the server certificate (that was issued by the root CA) that contains the hash computed by the CA Private Key c. Compares the computed hash with the hash contained in the server Digital Certificate. 2. Generates a session key (psuedo-random number) to use as a Pre-Master Key then 3. Encrypts the session key with the server’s public key. 三、客户机验证和密钥交换
、客户机验证和密钥交换 SSL Client SSL Server Client Key exchange The Client Key Exchange message is composed of a. The encrypted session key which will serve as a pre-master secret key encrypted with the server's public key Both the client and the server use the pre-master secret key to compute three identical sets of secret key pairs a. The first pair(i.e. DES)is used to encrypt outgoing traffic from the client to the server and to decrypt incoming traffic to the server while b. The second pair (i. e. HMAC)is used to enoffgcong outgoing traffic from the server and to decrypt traffic to the client C. The third pair is used to initialize the cipher lv (Initialization Vector) Note: Both the Client and the server each generate three sets of keys
SSL Client SSL Server Client Key Exchange 1. The Client Key Exchange message is composed of a. The encrypted session key which will serve as a pre-master secret key encrypted with the server’s public key. 1. Both the client and the server use the pre-master secret key to compute three identical sets of secret key pairs a. The first pair (i.e. DES) is used to encrypt outgoing traffic from the client to the server and to decrypt incoming traffic to the server while b. The second pair (i.e. HMAC) is used to encrypt outgoing traffic from the server and to decrypt incoming traffic to the client c. The third pair is used to initialize the cipher IV (Initialization Vector) Note: Both the Client and the Server each generate three sets of keys 三、客户机验证和密钥交换