SSL sits between the application layer (e.g. HTTP, FTP, SMTP) and the transport layer, as the layer in the middle (the session layer, layer 5, in OSI terms).
Keywords: RSA asymmetric algorithm, private key / public key; the browser/client generates its own private key; after the SSL handshake succeeds, both the server and the client use the client's private key.
Oracle JSSE User Guide:
http://docs.oracle.com/javase/6/docs/technotes/guides/security/jsse/JSSERefGuide.html
"Now run your applications with the appropriate key stores. This example assumes the default X509KeyManager and X509TrustManager are used, thus we will select the keystores using the system properties described in Customization.
% java -Djavax.net.ssl.keyStore=keystore \
-Djavax.net.ssl.keyStorePassword=password Server
% java -Djavax.net.ssl.trustStore=truststore \
-Djavax.net.ssl.trustStorePassword=trustword Client"
keyStore:
A keystore contains two kinds of entries:
(1) Key entries: a secret key, or a private key together with its paired public key (asymmetric encryption)
(2) Trusted certificate entries: these may also be called public keys.
The keystore holds keys, private and public, usually the private key. It also holds the self-signed certificate, for example created with the following Java tool:
keytool -genkey -alias <name> -keyalg RSA -keystore <filepath>
This generates the private key; view the store with the following command (note the -v flag):
keytool -list -v -keystore <filepath>
Then generate (export) the certificate with:
keytool -export -alias <name> -keystore <filepath> -rfc -file <certFilepath>
Then generate the trustStore by importing that certificate:
keytool -import -alias <name> -file <certFilepath> -keystore <trustStoreFilepath>
trustStore:
Trust store. It holds the certificates the client has authorized, i.e. trusts.
JSSE ships with a default truststore (the JRE's lib/security/cacerts, or jssecacerts if present), which is used when javax.net.ssl.trustStore is not set.
Relationships between TrustManagers and KeyManagers
Historically there has been confusion regarding the jobs of TrustManagers and KeyManagers. In summary, here are the primary responsibilities of each manager type:
Type         | Function
TrustManager | Determines whether the remote authentication credentials (and thus the connection) should be trusted.
KeyManager   | Determines which authentication credentials to send to the remote host.
http://docs.oracle.com/javase/1.5.0/docs/api/index.html?javax/net/ssl/KeyManagerFactory.html
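The system properties quoted above have a programmatic equivalent in JSSE: the keystore feeds a KeyManagerFactory and the truststore feeds a TrustManagerFactory. The following is an added example, not code from the Oracle guide; it loads the two stores produced by the keytool steps in the keyStore section, reports which aliases are key entries and which are trusted certificates, and builds an SSLContext. The class name, method names, the "JKS" store type and the argument layout are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class JsseStores {
    // Loads a keytool-created store; "JKS" matches the keytool commands above (assumed store type).
    static KeyStore load(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    // Reports each alias as a key entry (private key + certificate chain) or a trusted
    // certificate entry: the two entry kinds described in the keyStore section.
    static List<String> describe(KeyStore ks) throws Exception {
        List<String> out = new ArrayList<>();
        for (String alias : Collections.list(ks.aliases())) {
            out.add(alias + ": " + (ks.isKeyEntry(alias) ? "key entry" : "trusted certificate"));
        }
        return out;
    }

    // Programmatic equivalent of -Djavax.net.ssl.keyStore / -Djavax.net.ssl.trustStore:
    // the KeyManager picks the credential we present, the TrustManager judges the peer's chain.
    static SSLContext build(KeyStore keyStore, char[] keyPassword, KeyStore trustStore) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keyStore, keyPassword);   // needs the private key, hence a password
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);              // certificates only, no key password
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // args: keystore keystorePassword truststore truststorePassword (files from the keytool steps)
        KeyStore ks = load(args[0], args[1].toCharArray());
        KeyStore ts = load(args[2], args[3].toCharArray());
        for (String line : describe(ks)) System.out.println("keystore   " + line);
        for (String line : describe(ts)) System.out.println("truststore " + line);
        System.out.println("SSLContext ready: " + build(ks, args[1].toCharArray(), ts).getProtocol());
    }
}
```

A server would take ctx.getServerSocketFactory() from the returned context and a client ctx.getSocketFactory(); the keystore listing should show the alias from keytool -genkey as a key entry and the same alias in the truststore as a trusted certificate.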
......
The client and server exchange information that allows them to agree on the same secret key. For example, with RSA, the client uses the server's public key, obtained from the public key certificate, to encrypt the secret key information. The client sends the encrypted secret key information to the server. Only the server can decrypt this message since the server's private key is required for this decryption.
Sending the Encrypted Data
Both the client and the server now have access to the same secret key.
.....