第七章 网络证协议.pptVIP

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * The cryptographic parameters of the session state are produced by the SSL Handshake Protocol, which operates on top of the SSL Record Layer. When a SSL client and server first start communicating, they agree on a protocol version, select cryptographic algorithms, optionally authenticate each other, and use public-key encryption techniques to generate shared secrets. These processes are performed in the handshake protocol, which can be summarized as follows: The client sends a client hello message to which the server must respond with a server hello message, or else a fatal error will occur and the connection will fail. The client hello and server hello are used to establish security enhancement capabilities between client and server. The client hello and server hello establish the following attributes: Protocol Version, Session ID, Cipher Suite, and Compression Method. Additionally, two random values are generated and exchanged: ClientHello.random and ServerHello.random. * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * Stallings Fig 17-2. * * An SSL session is stateful（是一个有状态协议）. It is the responsibility of the SSL Handshake protocol to coordinate the states of the client and server, thereby allowing the protocol state machines of each to operate consistently（使得客户和服务器状态一致）. * * An SSL session may include multiple secure connections; in addition, parties may have multiple simultaneous sessions. * 一个会话包含多个连接 * * * * 握手协议工作过程第二步 如果需要对客户端进行认证，服务器开始发送自己的证书消息等。该过程一般包含四条消息： 证书消息（Certificate） 服务器密钥交换消息（Server_Key_Exchange) 客户端证书请求消息（Certificate_Request) 服务器结束消息（Server_Hello_Done) Question：为什么需要服务器密钥交换和客户端密钥交换两个过程？ Answer：因为SSL在同一个连接的两个方向采用不同的密钥 * 第二阶段：服务器认证和密钥交换（服务器-客户） Certificate 说明： 服务器证书消息是服务器向客户端传送自己的证书，使得客户端知道服务器的公钥以及其他信息。 SSL Client SSL Server Port 443 The Server Certificate message * Server_key_Exchange 说明： （1）服务器密钥交换消息用来向客户端发送服务器自己的密钥信息 （2）T