
The SSL/TLS Protocol

The TLS (Transport Layer Security) Protocol

- Developed from the SSL (Secure Sockets Layer) protocol created by Netscape
- Designed to address confidentiality, integrity and authentication

TLS

SSL/TLS provides the following for communication over the internet:

- Confidentiality: uses encryption
- Integrity: uses a MAC
- Authentication: uses X.509 certificates

Today SSL/TLS is used in web servers and internet browsers.

Use in HTTP

HTTP-based applications that use TLS are very common:

- https://

To use it you need:

- A web server that supports TLS (IIS, Tomcat, Apache, ...)
- A browser that supports TLS: Firefox, Internet Explorer, Opera, Safari, etc.

Other applications that use TLS:

- Telnet, FTP, LDAP, POP3, SSLrsh, etc.

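The TLS protocol

- A protocol that runs on top of the transport layer
- Operates over a reliable transport protocol
- Supports any application protocol on top of IP

[Figure: protocol stack, top to bottom: HTTP, Telnet, FTP, LDAP / TLS / TCP / IP]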

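How TLS ensures confidentiality

- Encrypts the messages being transmitted
- Uses conventional (symmetric) ciphers with shared keys
- Uses the algorithms DES, 3DES, RC2, RC4, IDEA

[Figure: A's Message travels as ciphertext ($%&#!@) and is recovered as Message at B]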

Key exchange in TLS

- TLS needs a secure way to exchange the secret key, and it uses public-key cryptography to do this
- The cryptosystems normally used are RSA or Diffie-Hellman

How TLS ensures integrity

- Computes a fixed-length message authentication code (MAC), which covers:
  - A hash of the message
  - A shared secret value
  - The sequence number of the packets
- The MAC is transmitted with the message

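How TLS ensures integrity

- The receiver computes a new MAC value and compares it with the MAC value that was transmitted; the message is considered intact only if the two match
- TLS uses the hash functions MD5 and SHA-1

[Figure: A sends Message + MAC; B recomputes the MAC over Message and checks whether it equals the received MAC]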
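An added example (not from the original slides) of the MAC check described above: the MAC is keyed with the shared secret and covers an implicit sequence number, the record header and the data, so altered and replayed records both fail. The field layout follows TLS 1.0 (RFC 2246); the secret and messages are constructed sample values.

```python
import hmac
import struct

APP_DATA, TLS10 = 23, 0x0301   # content type and protocol version on the wire

def record_mac(secret, seq_num, content_type, version, fragment):
    # seq_num is an implicit 64-bit counter: it is MACed but never transmitted
    header = struct.pack("!QBHH", seq_num, content_type, version, len(fragment))
    return hmac.new(secret, header + fragment, "sha1").digest()

class Receiver:
    def __init__(self, secret):
        self.secret = secret
        self.next_seq = 0

    def accept(self, fragment, mac):
        expected = record_mac(self.secret, self.next_seq, APP_DATA, TLS10, fragment)
        # constant-time comparison avoids leaking how many MAC bytes matched
        if not hmac.compare_digest(expected, mac):
            return False   # real TLS sends a fatal bad_record_mac alert and closes
        self.next_seq += 1
        return True

def demo():
    secret = b"constructed-shared-mac-secret"        # constructed sample value
    msgs = [b"transfer 10 to bob", b"transfer 20 to carol"]
    wire = [(m, record_mac(secret, i, APP_DATA, TLS10, m)) for i, m in enumerate(msgs)]
    rx = Receiver(secret)
    return {
        "in_order": rx.accept(*wire[0]),
        "replayed": rx.accept(*wire[0]),   # MAC was made for seq 0, receiver is at 1
        "tampered": rx.accept(b"transfer 99 to carol", wire[1][1]),
        "next_ok":  rx.accept(*wire[1]),
    }

if __name__ == "__main__":
    print(demo())
```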

How TLS ensures authentication

- Verifies the identity of the parties taking part in the communication
- Certificates are used to bind an identity to a public key and other attributes

[Figure: A and B exchange certificates]

How TLS operates

- Establish a session
  - Agree on the encryption algorithms
  - Share a secret key
  - Perform authentication
- Transfer application data
  - Ensuring confidentiality and integrity

TLS architecture

- TLS defines the Record Protocol to carry both application data and TLS's own information
- A session is established using the Handshake Protocol

[Figure: Handshake Protocol, Change Cipher Spec and Alert Protocol sit on top of the TLS Record Protocol]

Record Protocol

Handshake phase

- Negotiate the cipher suite, consisting of:
  - The symmetric encryption algorithm to use
  - The key exchange method
- Establish and share the secret key

Handshake phase

- Hello messages
- Key exchange and certificate messages
- Change CipherSpec and send the message that ends the handshake phase and moves on to data transfer

Hello

- Client Hello: starts the session
  - Sends the protocol version information
  - Sends information about the cipher suites it can use
  - The server chooses a suitable protocol version and cipher suite
- The client may ask to reuse a previously established session held in the cache
  - The server chooses accordingly

Key exchange

- The server sends a certificate containing its public key (RSA), or its Diffie-Hellman parameters
- The client generates 48 random bytes and sends them to the server using the server's public key
- The secret key seed is computed
  - Using the secret values carried in the Hello messages between the server and the client

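Public-key certificates

- An X.509 certificate binds a public key to a user identity
- The CA (certificate authority) creates the certificate
  - Based on its policies and on identities that have been verified
  - Signs the certificate
- Whoever relies on a certificate must make sure it is valid

Checking the validity of a certificate

- For the check to be possible, the CAs must trust one another
  - A CA can issue a certificate to another CA
- Check that the certificate is still in force
  - The CA must publish a list of certificates that are no longer valid and have to be revoked (CRL, Certificate Revocation List)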

X.509 certificate contents

- Version
- Serial Number
- Signature Algorithm Identifier
  - Object Identifier (OID), e.g. id-dsa: {iso(1) member-body(2) us(840) x9-57(10040) x9algorithm(4) 1}
- Issuer (CA) X.500 name
- Validity Period (Start, End)
- Subject X.500 name
- Subject Public Key
  - Algorithm
  - Value
- Optional: Issuer Unique Id (versions 2, 3), Subject Unique Id (versions 2, 3), Extensions (version 3)
- CA digital signature

Signing the certificate

- Signing with RSA
  - Compute a hash of the certificate
  - Encrypt it using the CA's private key
- Signature verification
  - Decrypt using the CA's public key
  - Check and compare the hash values

Server-side key exchange

Client -> Server: ClientHello
Server -> Client: ServerHello, Certificate, ServerKeyExchange

Hello messages

    struct { } HelloRequest;

    struct {
        uint32 gmt_unix_time;
        opaque random_bytes[28];
    } Random;

    opaque SessionID<0..32>;

    uint8 CipherSuite[2];

    enum { null(0), (255) } CompressionMethod;

    struct {
        ProtocolVersion client_version;
        Random random;
        SessionID session_id;
        CipherSuite cipher_suites<2..2^16-1>;
        CompressionMethod compression_methods<1..2^8-1>;
    } ClientHello;

    struct {
        ProtocolVersion server_version;
        Random random;
        SessionID session_id;
        CipherSuite cipher_suite;
        CompressionMethod compression_method;
    } ServerHello;
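An added example, not from the original slides: a parser for the ClientHello body laid out in the struct above, with the length checks a receiver needs on each variable-length vector. The vector bounds are those of RFC 2246, and the sample bytes are constructed.

```python
class ParseError(ValueError):
    pass

def _take(buf, off, n):
    # Never read past the end of the message
    if off + n > len(buf):
        raise ParseError(f"truncated: need {n} bytes at offset {off}")
    return buf[off:off + n], off + n

def _vector(buf, off, len_bytes, lo, hi):
    # TLS vectors carry a big-endian length prefix; enforce the declared bounds
    raw, off = _take(buf, off, len_bytes)
    n = int.from_bytes(raw, "big")
    if not lo <= n <= hi:
        raise ParseError(f"vector length {n} outside {lo}..{hi}")
    return _take(buf, off, n)

def parse_client_hello(body):
    off = 0
    ver, off = _take(body, off, 2)                      # ProtocolVersion
    rnd, off = _take(body, off, 32)                     # Random: 4 + 28 bytes
    sid, off = _vector(body, off, 1, 0, 32)             # SessionID<0..32>
    suites, off = _vector(body, off, 2, 2, 2**16 - 1)   # cipher_suites
    comp, off = _vector(body, off, 1, 1, 2**8 - 1)      # compression_methods
    if len(suites) % 2:
        raise ParseError("cipher_suites length must be a multiple of 2")
    return {
        "client_version": (ver[0], ver[1]),
        "gmt_unix_time": int.from_bytes(rnd[:4], "big"),
        "random_bytes": rnd[4:],
        "session_id": sid,
        "cipher_suites": [suites[i:i + 2].hex() for i in range(0, len(suites), 2)],
        "compression_methods": list(comp),
    }

# Constructed sample body: TLS 1.0, empty session id, two suites
# (0x000A = RSA with 3DES-EDE-CBC-SHA, 0x0005 = RSA with RC4-128-SHA), null compression
SAMPLE = (bytes([3, 1]) + (0x5F000000).to_bytes(4, "big") + bytes(range(28))
          + bytes([0]) + bytes([0, 4, 0x00, 0x0A, 0x00, 0x05]) + bytes([1, 0]))

if __name__ == "__main__":
    print(parse_client_hello(SAMPLE))
```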

Certificate request

Client -> Server: ClientHello
Server -> Client: ServerHello, Certificate, ServerKeyExchange, CertificateRequest

    struct {
        select (KeyExchangeAlgorithm) {
            case diffie_hellman:
                ServerDHParams params;
                Signature signed_params;
            case rsa:
                ServerRSAParams params;
                Signature signed_params;
        };
    } ServerKeyExchange;

Client certificate

Client -> Server: ClientHello
Server -> Client: ServerHello, Certificate, ServerKeyExchange, CertificateRequest
Client -> Server: ClientCertificate, ClientKeyExchange

    struct {
        select (KeyExchangeAlgorithm) {
            case rsa: EncryptedPreMasterSecret;
            case diffie_hellman: DiffieHellmanClientPublicValue;
        } exchange_keys;
    } ClientKeyExchange;

Changing keys and transferring data

Client -> Server: [ChangeCipherSpec], Finished
Server -> Client: [ChangeCipherSpec], Finished
Client <-> Server: Application Data

- Agree on the encryption algorithm to use
- Negotiate the encryption algorithm to use
- Finished
  - Sends a copy of the handshake using the new session
  - Allows the correctness of the handshake to be checked

Using a session

Client -> Server: ClientHello (Session #)
Server -> Client: ServerHello (Session #), [ChangeCipherSpec], Finished
Client -> Server: [ChangeCipherSpec], Finished
Client <-> Server: Application Data
