Secure Connection
- Protocol: SSL/TLS
- Application: HTTPS
TLS
1. Client
- Hello
2. Server
- Hello
- sends its certificate
3. Client
- verifies the certificate;
- extracts the server’s public key;
- generates a premaster secret;
- encrypts it with the server’s public key and sends it to the server;
4. Server
- sends the message from step 3 to the hardware security module (HSM);
- the HSM decrypts the premaster secret and sends it to the server;
5. Server and client
- calculate a master secret from the premaster secret and some other information in the hello messages;
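Step 5 worked through as an added example (not part of the original notes). It assumes the TLS 1.2 derivation from RFC 5246 with the default HMAC-SHA256 PRF, where the "other information" is the 32-byte random value from each hello message; the function names are hypothetical.

```python
import hashlib
import hmac
import os


def p_sha256(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_hash expansion from RFC 5246 section 5, using HMAC-SHA256."""
    out = b""
    a = seed  # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()  # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]


def new_premaster(client_version: bytes = b"\x03\x03") -> bytes:
    """Step 3: 48 bytes = offered protocol version + 46 random bytes."""
    return client_version + os.urandom(46)


def master_secret(premaster: bytes, client_random: bytes, server_random: bytes) -> bytes:
    """Step 5: both sides run this on the same three inputs."""
    if len(premaster) != 48:
        raise ValueError("RSA premaster secret must be 48 bytes")
    if len(client_random) != 32 or len(server_random) != 32:
        raise ValueError("hello randoms must be 32 bytes each")
    seed = b"master secret" + client_random + server_random
    return p_sha256(premaster, seed, 48)


def demo():
    # Constructed sample values standing in for a real handshake.
    client_random = os.urandom(32)   # sent in Client Hello
    server_random = os.urandom(32)   # sent in Server Hello
    premaster = new_premaster()      # sent encrypted under the server's public key
    client_ms = master_secret(premaster, client_random, server_random)
    # The server computes the same value once the HSM has decrypted the premaster.
    server_ms = master_secret(premaster, client_random, server_random)
    # A different server random yields a different master secret,
    # so each session gets its own keys even for an identical premaster.
    other_ms = master_secret(premaster, client_random, os.urandom(32))
    return client_ms, server_ms, other_ms


if __name__ == "__main__":
    c, s, o = demo()
    print("client and server agree:", hmac.compare_digest(c, s))
    print("other session differs:  ", not hmac.compare_digest(c, o))
```

The premaster secret is the only secret input; both hello randoms travel in the clear, which is why its confidentiality rests on the server's private key held in the HSM.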
HTTPS
Hypertext Transfer Protocol Secure
| Threats | Solutions |
| --- | --- |
| Eavesdropping | Encryption |
| Manipulation | Integrity (MAC) |
| Impersonation | Signature |
DNS
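- The client sends a domain name to a DNS server to look up its IP address.
- DNS hijacking: a wrong IP address is returned, directing the user to the wrong website.
- Web domain name forgery: a similar-looking domain name is used.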
Client Hello:
- SSL protocol version
- Session ID
- List of cipher suites
- Client Hello extensions
Server Hello:
- SSL protocol version
- Session ID
- Selected cipher
- Server certificate ---> public key
- Server Hello extensions
- Client certificate request (optional)
Certificate
- Issued by a trusted third party
- Certificate Authority (CA)
- VeriSign, GeoTrust, Digicert, etc.
Goal:
vouch for server public key
Principle:
signed by CA’s private key
verifiable by CA’s public key
Root CA || CA Chain
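trigger: to set off
symmetric: the same on both sides
eavesdrop: to listen in secretly
manipulation: operating on or handling something
integrity: completeness
impersonation: imitation
forge: to counterfeit
signature: a signed name
integrate: to combine
visible: able to be seen
expired: past its end date
cautious: careful
revocation: withdrawal, cancellation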