TLS encryption over TCP: what TLS (Transport Layer Security) encryption is, explained in plain English

If you want to have a confidential conversation with someone you know, you might meet up in person and find a private place to talk. If you want to send data confidentially over the internet, you might have a few more considerations to cover.

TLS, or Transport Layer Security, refers to a protocol. “Protocol” is a word that more or less means “the way we’ve agreed to do things around here.” The “transport layer” part of TLS simply refers to host-to-host communication, such as how a client and a server interact, in the Internet protocol suite model.

The TLS protocol attempts to solve these fundamental problems:

  • How do I know you are who you say you are?
  • How do I know this message from you hasn’t been tampered with?
  • How can we communicate securely?

Here’s how TLS works, explained in plain English. As with many successful interactions, it begins with a handshake.

Getting to Know You

The basic process of a TLS handshake involves a client (such as your web browser) and a server (such as one hosting a website) establishing some ground rules for communication. It begins with the client saying hello. Literally. It’s called a ClientHello message.

The ClientHello message tells the server which TLS protocol version and cipher suites it supports. While “cipher suite” sounds like a fancy hotel upgrade, it just refers to a set of algorithms that can be used to secure communications. The server, in a similarly named ServerHello message, chooses the protocol version and cipher suite to use from the choices offered. Other data may also be sent (e.g. a session ID if the server supports resuming a previous handshake).

A cartoon of a client and server saying hello
Photo by the author.

Depending on the cipher suite chosen, the client and server exchange further information in order to establish a shared secret. Often, this process moves the exchange from asymmetric cryptography to symmetric cryptography with varying levels of complexity. Let’s explore these concepts at a general level and see why they matter to TLS.

Asymmetric Beginnings

This is asymmetry:

Photo by Daniele Levis Pelusi on Unsplash.

Asymmetric cryptography is one method by which you can perform authentication. When you authenticate yourself, you answer this fundamental question: “How do I know you are who you say you are?”

In an asymmetric cryptographic system, you use a pair of keys in order to achieve authentication. These keys are asymmetric. One key is your public key, which, as you would guess, is public. The other is your private key, which — well, you know.

Typically, during the TLS handshake, the server will provide its public key via its digital certificate (sometimes still called its SSL certificate), though TLS replaces the deprecated Secure Sockets Layer (SSL) protocol. Digital certificates are provided and verified by trusted third parties known as Certificate Authorities (CA), which are a topic for a whole other article in themselves.

While anyone may encrypt a message using your public key, only your private key can then decrypt that message. The security of asymmetric cryptography relies only on your private key staying private, hence the asymmetry. It’s also asymmetric in the sense that it’s a one-way trip. Alice can send messages encrypted with your public key to you, but neither of your keys will help you send an encrypted message to Alice.

Symmetric Secrets

Asymmetric cryptography also requires more computational resources than symmetric cryptography. Thus when a TLS handshake begins with an asymmetric exchange, the client and server will use this initial communication to establish a shared secret — sometimes called a session key. This key is symmetric, meaning that both parties use the same shared secret and must maintain that secrecy for the encryption to be secure.

Share your public key, but keep your shared keys private. Photo by the author.

By using the initial asymmetric communication to establish a session key, the client and server can rely on the session key being known only to them. For the rest of the session, they’ll both use this same shared key to encrypt and decrypt messages, which speeds up communication.

Secure Sessions

A TLS handshake may use asymmetric cryptography or other cipher suites to establish the shared session key. Once the session key is established, the handshaking portion is complete and the session begins.

The session is the duration of encrypted communication between the client and server. During this time, messages are encrypted and decrypted using the session key that only the client and server have. This ensures that communication is secure.

The integrity of exchanged information is maintained by a keyed checksum. Messages exchanged using the session key have a message authentication code (MAC) attached. This is not the same thing as your device’s MAC address. The MAC is generated and verified using the session key, so only the two parties that hold it can produce a valid one. Because of this, either party can detect whether a message was changed in transit before acting on it. This solves the fundamental question, “How do I know this message from you hasn’t been tampered with?”

Sessions can end deliberately, due to network disconnection, or because the client stayed idle for too long. Once a session ends, it must be re-established via a new handshake, or resumed using previously established secrets identified by a session ID.

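As an added example (not from the original article), the Python sketch below walks through the three ideas of the handshake and session sections in one place: a ClientHello/ServerHello negotiation of version and cipher suite, an asymmetric key agreement that yields a symmetric session key, and a MAC check that catches a record altered in transit. The Diffie-Hellman group, the message and the version/suite lists are constructed for the demo; certificate-based server authentication, which the article defers to another piece, is omitted, and a real TLS stack is structured very differently.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group, constructed for this demo only (2**127 - 1 is a Mersenne
# prime, 3 an arbitrary generator); real TLS uses 2048-bit groups or elliptic curves.
P, G = 2**127 - 1, 3
MAC_LEN = 32  # length of a SHA-256 HMAC tag in bytes

def server_hello(client_hello, server_versions, server_suites):
    # ClientHello lists what the client supports; ServerHello picks the newest
    # common version and the server's preferred suite among those offered.
    versions = [v for v in client_hello["versions"] if v in server_versions]
    suites = [s for s in server_suites if s in client_hello["cipher_suites"]]
    if not versions or not suites:
        raise ValueError("no common version or cipher suite; handshake fails")
    return {"version": max(versions), "cipher_suite": suites[0]}

def dh_keypair():
    # Asymmetric part: a private exponent and the public value derived from it.
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)

def session_key(my_priv, peer_pub):
    # Both sides compute the same shared secret and hash it into a symmetric key.
    return hashlib.sha256(pow(peer_pub, my_priv, P).to_bytes(16, "big")).digest()

def protect(key, msg):
    # Symmetric part: append a MAC computed with the session key.
    return msg + hmac.new(key, msg, hashlib.sha256).digest()

def verify(key, record):
    # Recompute the MAC; return the message, or None if message or tag was altered.
    msg, tag = record[:-MAC_LEN], record[-MAC_LEN:]
    if hmac.compare_digest(tag, hmac.new(key, msg, hashlib.sha256).digest()):
        return msg
    return None

def run_session(msg=b"transfer 100 to account 42"):
    # Walk-through: hello exchange, key agreement, one protected record, a tampered copy.
    hello = {"versions": [(1, 2), (1, 3)],
             "cipher_suites": ["TLS_AES_128_GCM_SHA256", "TLS_CHACHA20_POLY1305_SHA256"]}
    choice = server_hello(hello, [(1, 2), (1, 3)],
                          ["TLS_CHACHA20_POLY1305_SHA256", "TLS_AES_256_GCM_SHA384"])
    (c_priv, c_pub), (s_priv, s_pub) = dh_keypair(), dh_keypair()  # only pubs travel
    client_key, server_key = session_key(c_priv, s_pub), session_key(s_priv, c_pub)
    record = protect(client_key, msg)
    tampered = bytes([record[0] ^ 0x01]) + record[1:]  # one bit flipped in transit
    return {"choice": choice, "keys_match": client_key == server_key,
            "received": verify(server_key, record),
            "tamper_detected": verify(server_key, tampered) is None}
```

Both sides derive the same key without the private exponents ever leaving their owner, and the flipped bit is rejected because the attacker cannot recompute the MAC without that key.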
TLS and You

Let’s recap:

  • TLS is a cryptographic protocol for providing secure communication.
  • The process of creating a secure connection begins with a handshake.
  • The handshake establishes a shared session key that is then used to secure messages and provide message integrity.
  • Sessions are temporary, and once ended, they must be re-established or resumed.

This is just a surface-level skim of the very complex cryptographic systems that help to keep your communications secure. For more depth on the topic, I recommend exploring cipher suites and the various supported algorithms.

The TLS protocol serves a very important purpose in your everyday life. It helps to secure your emails to family, your online banking activities, and the connection by which you’re reading this article. The HTTPS communication protocol is encrypted using TLS. Every time you see that little lock icon in your URL bar, you’re experiencing firsthand all the concepts you’ve just read about in this article.

Now you know the answer to the last question: “How can we communicate securely?”

Translated from: https://medium.com/better-programming/what-is-tls-transport-layer-security-encryption-explained-in-plain-english-14b47a311161
