  HTTPS Encryption Algorithm
  Add Date : 2016-05-21      
  When you enter a URL beginning with https in the browser's address bar, a great deal of communication takes place between the browser and the server over the next few hundred milliseconds. An InfoQ article describes this in great detail. The first step of this complex procedure is for the browser and the server to negotiate the cipher suite that will be used for subsequent communication. In simple terms, the process is:

The browser sends the list of cipher suites it supports (hereinafter "Cipher") [C1, C2, C3, ...] to the server;
After the server receives the browser's list, it compares it with the suites it supports itself; if it finds a Cipher that both sides support, it tells the browser;
The browser and the server use the matching Cipher for subsequent communication. If the server does not find a matching algorithm, the browser (Firefox 30 here; the following examples all use this version of Firefox) displays an error message.

Secure Connection Failed error

This article describes how to explore the process.

1. Browser

Which Ciphers does a browser support? That depends on the SSL/TLS protocol versions the browser supports. Traditionally HTTPS and SSL are mentioned together; in fact, SSL is a protocol that Netscape proposed in the mid-1990s and developed up to version 3.0. In 1999 the protocol was taken over by the IETF, standardized, and renamed TLS. TLS 1.0 can be regarded as SSL 3.1. Wikipedia has no separate entry for SSL and redirects it to TLS, which shows how closely related the two protocols are. Currently the latest TLS version is 1.2. More than 99% of sites support TLS 1.0, while fewer than 40% of sites on the Internet support TLS 1.2. Open Firefox, enter about:config in the address bar, then search for tls.version.


The two settings security.tls.version.min and security.tls.version.max determine which SSL/TLS versions Firefox supports. According to the Firefox documentation, the possible values and the protocols they represent are:

0 - SSL 3.0
1 - TLS 1.0
2 - TLS 1.1
3 - TLS 1.2
So the figure shows that the browser's lower limit is currently SSL 3.0 and its upper limit is TLS 1.2. If security.tls.version.min is changed to 3, the browser will support only TLS 1.2. As mentioned, fewer than 40% of websites support TLS 1.2; Amazon, for example, is not among that 40%, so in this case accessing https://amazon.com produces a "Secure Connection Failed" error message, as shown in picture 2.

To learn about the SSL/TLS protocol, you can use Wireshark (or a similar packet capture tool) to analyze network packets and see all the Ciphers the browser sends to the server. Wireshark is a simple but very powerful capture tool.

The browser first initiates the handshake by sending a "ClientHello" message; the Ciphers Firefox supports are in the message body. In Wireshark, sort by the Protocol column, then find a TLS 1.2 packet whose Info is "Client Hello". Select it, then in the packet details pane expand Secure Sockets Layer -> TLSv1.2 Record Layer -> Handshake Protocol -> Cipher Suites. In this example the first Cipher is TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, out of a total of 23.


If you go on to find a packet whose Info is "ServerHello", the Cipher the server returned can be found in a similar position; in this case it is TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA.
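The Cipher Suites list that Wireshark displays can also be read directly from the raw ClientHello bytes. The following Python sketch is an added example, not part of the original article: the sample record is constructed rather than captured, the name table is a four-entry excerpt of the IANA registry, and the function names are hypothetical.

```python
import struct

# Excerpt of the IANA TLS cipher suite registry (code point -> name).
SUITE_NAMES = {
    0xC02B: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    0xC014: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
}

def offered_cipher_suites(record):
    """Return the cipher suites listed in one raw TLS ClientHello record."""
    # Record header: type 0x16 (handshake), version (2), length (2);
    # the handshake message type 0x01 (ClientHello) follows at offset 5.
    if len(record) < 6 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS ClientHello handshake record")
    (rec_len,) = struct.unpack("!H", record[3:5])
    body = record[5:5 + rec_len]
    pos = 4 + 2 + 32              # handshake header, client_version, random
    if len(body) <= pos:
        raise ValueError("truncated ClientHello")
    pos += 1 + body[pos]          # skip the variable-length session_id
    if len(body) < pos + 2:
        raise ValueError("truncated ClientHello")
    (suites_len,) = struct.unpack_from("!H", body, pos)
    raw = body[pos + 2:pos + 2 + suites_len]
    if suites_len % 2 or len(raw) != suites_len:
        raise ValueError("malformed cipher_suites vector")
    ids = struct.unpack("!%dH" % (suites_len // 2), raw)
    # Unknown code points are kept as hex instead of being dropped.
    return [SUITE_NAMES.get(i, "0x%04X" % i) for i in ids]

def build_sample_client_hello(suite_ids):
    """Build a minimal, constructed ClientHello record for offline testing."""
    suites = b"".join(struct.pack("!H", s) for s in suite_ids)
    hello = (b"\x03\x03" + bytes(32) + b"\x00"        # version, random, empty session_id
             + struct.pack("!H", len(suites)) + suites
             + b"\x01\x00")                           # one compression method: null
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

if __name__ == "__main__":
    sample = build_sample_client_hello([0xC02B, 0xC014, 0x0005])
    for name in offered_cipher_suites(sample):
        print(name)
```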


The meaning of these long cipher suite names is described later. Next, the browser has to wait for the server to respond to its request. Let's look at what the server side does.

2. Server

Let us take Windows as an example. To view the cipher suites the operating system supports, run gpedit.msc and go to "Computer Configuration" -> "Administrative Templates" -> "Network" -> "SSL Configuration Settings"; the "SSL Cipher Suite Order" item appears in the right pane.


Click the "SSL Cipher Suite Order" item. Here you can see the set of Ciphers the operating system supports and the order in which they are ranked.


If you need to adjust this order or remove some weak Ciphers, click "Enabled" in the top left corner and then edit the Cipher list under "Options". If you prefer the command line, you can modify the cipher suite list with the following PowerShell command:

Set-ItemProperty -Path HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002 -Name Functions -Value "XXX,XXX,XXX"

So what do these long Cipher names mean? In fact, each Cipher name contains four pieces of information:

Key exchange algorithm: determines how the client and server authenticate each other during the handshake; algorithms used include RSA, Diffie-Hellman, ECDH, PSK, etc.
Encryption algorithm: encrypts the message stream; the name is usually followed by two numbers giving the length of the key and of the initialization vector, such as DES 56/56, RC2 56/128, RC4 128/128, AES 128/128, AES 256/256.
Message authentication code (MAC) algorithm: creates a message digest to ensure the integrity of the message (that it has not been tampered with); algorithms include MD5, SHA and the like.
PRF (pseudo-random function): used to generate the "master secret".
Understanding all of the above in full would take a book (and is beyond my ability). But a rough understanding helps in reading Cipher names, such as the one the server sent back to the client earlier: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA. Its name shows that it:

Is based on the TLS protocol;
Uses ECDHE and RSA as the key exchange algorithm;
Uses AES as the encryption algorithm (the key and initialization vector length is 256);
Uses SHA as the MAC algorithm (this is a hash algorithm).
Now that we know the meaning behind Cipher names, how does a Web server such as IIS choose a cipher suite? If the browser sends the cipher suites [C1, C2, C3] and Windows Server supports [C4, C2, C1, C3], both C1 and C2 are supported by both sides; does IIS return C1 or C2? The answer is C2. IIS traverses its own cipher suite list: it takes the first, C4, and finds the browser does not support it; it then takes the second, C2, which the browser does support. IIS therefore selects C2 and includes it in the "ServerHello" handshake message sent back to the client. This gives the result in Figure 5.
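The name breakdown and the server-order selection walk described above, as an added Python example that is not from the original article or from Windows itself: the function names, the sample lists standing in for C1 to C4, and the WEAK_MARKERS list are assumptions made for illustration.

```python
import re

# TLS_<key exchange>[_<authentication>]_WITH_<bulk cipher>_<hash>
NAME_RE = re.compile(r"^TLS_(?P<kx>.+?)_WITH_(?P<cipher>.+)_(?P<hash>[A-Z0-9]+)$")
# Assumption for this example: substrings treated as marking a weak suite.
WEAK_MARKERS = ("RC4", "DES", "MD5")

def describe(suite):
    """Split a cipher suite name into the parts discussed above."""
    m = NAME_RE.match(suite)
    if m is None:
        raise ValueError("unrecognised cipher suite name: " + suite)
    kx, _, auth = m["kx"].partition("_")
    return {
        "key_exchange": kx,
        "authentication": auth or kx,  # TLS_RSA_...: RSA does both jobs
        "cipher": m["cipher"],
        "hash": m["hash"],             # MAC hash, or PRF hash for GCM suites
        "weak": any(marker in suite for marker in WEAK_MARKERS),
    }

def select_suite(client_offer, server_order):
    """Walk the server's ordered list; return the first suite the client offered."""
    offered = set(client_offer)
    for suite in server_order:
        if suite in offered:
            return suite
    return None  # no overlap: the handshake fails

def hardened_order(server_order):
    """Drop weak suites while keeping the remaining preference order."""
    return [s for s in server_order if not describe(s)["weak"]]

# Constructed sample lists mirroring [C1, C2, C3] and [C4, C2, C1, C3].
C1 = "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"
C2 = "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA"
C3 = "TLS_RSA_WITH_RC4_128_SHA"
C4 = "TLS_RSA_WITH_AES_256_GCM_SHA384"
CLIENT = [C1, C2, C3]
SERVER = [C4, C2, C1, C3]

if __name__ == "__main__":
    print("selected:", select_suite(CLIENT, SERVER))
    print("parts:", describe(C2))
    # Comma-separated form, as used for the policy's Functions value.
    print("hardened list:", ",".join(hardened_order(SERVER)))
```

A client that offers only the RC4 suite gets no match against the hardened list, which is the "Secure Connection Failed" case from the browser section.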

3. Choose

As a browser user, you can tell the browser to access only sites that support TLS 1.2, for better security and a worse experience. As a server maintainer, putting the strongest Cipher at the top seems to be the right choice. Just recently, a Web tax system we developed underwent a security check by a third party, and one of the problems reported was that the server's default Cipher was too weak (RC4-based), so we switched to an AES-based Cipher, but chose a key length of only 128 rather than 256, mainly out of concern about performance: encryption and decryption are CPU-intensive operations, and we were worried that in the busy tax season too strong a Cipher would cause performance problems.

In fact, Internet companies such as Amazon and Google use RC4-based encryption algorithms. This is another clash between theory and practice.