The data structure of the SSL certificate, the architecture of the SSL

The data structure of an SSL certificate typically follows a certificate standard, which defines the fields and how the data is organized within the certificate. The following is the general data structure of an SSL certificate:

Certificate Version: Indicates the version number of the certificate.

Serial Number: The serial number that uniquely identifies the certificate.

Signature Algorithm ID: Indicates the algorithm ID used to sign the certificate.

Issuer: Identification information for the Certificate Authority (CA), including the name of the issuing authority and the unique identifier of the issuing authority.

Expiration date: The validity period of the certificate, including the start date and end date of the certificate.

Principal: The identity information of the entity to which the certificate belongs, usually the name and other identifying information of the certificate applicant (server or client).

Public key: The public key of the certificate holder, which is used for encryption and key agreement processes.

Extended Field: An optional extended field that contains some additional information, such as the topic alternate name, key purpose, extended key purpose, and so on.

Signature Algorithm: The algorithm used to sign the certificate.

Signing Value: The result of the certificate authority signing the contents of the certificate using its private key.

certificate.

version.

Serial number.

algorithm id.

issuer.

validity period.

not before valid start date.

not after effective termination date.

subject User.

subject public key info

public key algorithm.

subject public key.

issuer unique identifier (optional).

subject unique identifier (optional)

extensions (optional) extensions.

Certificate Signature Algorithm.

Certificate Signature.

The architecture of SSL consists of two protocol sublayers, the bottom layer of which is the SSL record protocol layer; The upper layer is the SSL Handshake Protocol Layer. The SSL protocol stack is shown in the figure, and the shaded part is the SSL protocol.

The role of the SSL record protocol layer is to provide basic security services for higher-level protocols. The SSL recording protocol is specially designed for the HTTP protocol, which enables the hypertext transmission protocol HTTP to run in SSL. The record encapsulates various high-level protocols, and the backup implements specific operations related to security services, such as compression and decompression, encryption and decryption, calculation and verification of MAC.

The SSL handshake protocol layer includes SSL Handshake Protocol, SSL Change Cipher Spec Protocol, Application Data Protocol, and SSL Alert Protocol. These protocols at the handshake layer are used for the exchange of SSL management information, allowing application protocols to authenticate data transmitted to each other, negotiate cryptographic algorithms, generate keys, and more. The role of the SSL handshake protocol is to coordinate the state of the client and the server, so that both parties can achieve state synchronization.

In order to consider browser compatibility, the following BAI algorithm is commonly used:

Encryption algorithm: du

zhirsa

Hash signature algorithm: SHA256

Number of encryption bits: 2048

Recently, the DAOECC algorithm is also more common, the main advantage is that the reading speed is faster, but on the contrary, the browser support rate has decreased, first of all, IE7, IE6 is definitely not supported, and even IE8 is not supported.

Common numbers.

There are three main signature copy algorithms: RSA, Baidsa, and ECDSA.

RSA digital signature algorithm: RSA is a classic algorithm in computer cryptography. It is also the most widely used DAO digital signature algorithm at present;

DSA stands for Digital Signature Algorithm, DSA is just an algorithm, and RSA is different in that it cannot be used for encryption and decryption, nor can it be used for key exchange, only for signing, so it is much faster than RSA, and its security is similar to that of RSA.

ECDSA: ECDSA is used for digital signatures, which is a combination of ECC and DSA, and the whole signature process is similar to DSA, except that the algorithm adopted in the signature is ECC, and the final signed value is also divided into R, S. ECC (Elliptic Curves Cryptography) is an elliptic curve cryptography.

Modern cryptography is divided into two categories according to the type of key: symmetric cryptography (secret key cryptography) and weighted asymmetric cryptography (public key cryptography).

Symmetric key cryptography uses the same secret key for encryption and decryption, and both parties to the communication must obtain the key and keep the key secret. The encryption key (public key) and the decryption key (private key) used in asymmetric key encryption systems are different.

Symmetric encryption algorithms are used to encrypt sensitive data and other information, and commonly used algorithms include:

DES (Data Encryption Standard): a data encryption standard with high speed and suitable for encrypting large amounts of data.

Triple DES (triple DES): Based on DES, a piece of data is encrypted three times with three different keys, which is stronger.

AES (Advanced Encryption Standard): Advanced encryption standard, which is a next-generation encryption algorithm standard with fast speed and high security level.

Common asymmetric encryption algorithms are as follows:

RSA: Invented by RSA, it is a public key algorithm that supports variable-length keys, and the length of the file block that needs to be encrypted is also variable;

DSA (Digital Signature Algorithm): Digital signature algorithm, which is a standard DSS (Digital Signature Standard);

ECC (Elliptic Curves Cryptography): Elliptic Curves Cryptography.

There are four main types of algorithms:

Commonly used symmetric encryption algorithms are as follows:

Algorithm strengths and weaknesses.

AES-128-GCM supports complex Mac implementations and is slower than CBC.

AES-128-CBC is simple to implement and fast to run Mac features are not supported.

RC4 is simple to implement, fast to run, low in security, and has been verified to be unsafe.

chacha20-poly1305 is developed for mobile terminals, running fast and with a short time to market.

AES-GCM is a commonly used packet encryption algorithm, but it has a disadvantage that it is computationally intensive, resulting in high performance and power overhead. To solve this problem, Intel has introduced an X86 instruction extension called AES NI (Advanced Encryption Standard New Instructions) to provide hardware support for AES. For devices that support AES NI instructions, using AES-GCM is undoubtedly the best choice.

For mobile, the chacha20-poly1305 developed by Google is the best choice.

Chacha20-Poly1305 is a new streaming encryption algorithm optimized by Google for mobile CPUs, which delivers up to 3x better performance than normal algorithms, especially on ARM platforms with reduced CPU sets (more so before ARM v8). chacha20 refers to the symmetric encryption algorithm and poly1305 refers to the authentication algorithm. Using this algorithm, the amount of data generated by encryption and decryption can be reduced, which can improve the user experience, reduce wait time, save battery life, etc.

Due to its streamlined algorithm, strong security, and strong compatibility, Google is currently committed to promoting it on mobile terminals.

At present, it provides functions such as the subscription, management, and deployment of SSL certificates. In cooperation with top international CA institutions, the certificate types are abundant, the operation process is simple and convenient, and users are provided with a one-stop HTTPS security solution. The free version of the SSL certificate can be purchased and issued within 1 hour, and the paid version of the OV and EV SSL certificates can be purchased and issued within 3 days.

And the SSL certificate deployment can be completed with one click, and the HTTPS service of the whole site can be enabled immediately.

The difference between a single domain name version, a multi-domain version and a wildcard version of SSL certificates: please choose a web link according to your own situation, and it is best to understand each certificate, of course, if it is international, you need to use a brand agency with a high trust rate.

First of all, according to the encryption level, the verification method is divided into three types:

DV Domain Name Certificate: Only verifies domain ownership;

According to the different domain names, they are divided into the following types:

Single-domain name certificates: can protect TLDs with and without www, or protect a subdomain name;

Multi-domain certificate: This certificate can generally protect 3-4 domain names by default, so that it can be increased by payment;

Wildcard certificate: protects a primary domain name and all subdomains under the primary domain name.

SSL certificates are divided into three types: domain name certificates, organization certificates, and extended certificates, and how to choose them often depends on the application scenario.

Commonly used SSL certificates are mainly domain name validation (DV), organization validation (OV), and extended validation (EV), which are divided into single domain name certificates, multi-domain name certificates, and wildcard certificates. From the literal meaning, we can also roughly understand that a single-domain name certificate is only for the user to have only one domain name, and one domain name corresponds to one certificate. Usually used for simpler **.

A multi-domain certificate can protect multiple different domain names, and the number of domain names supported by the certificate varies depending on the certificate issuing authority. A wildcard certificate, on the other hand, is the type that covers everything on the root domain or hostname, and most importantly it will include all subdomains.

An SSL certificate is a type of digital certificate that is similar to an electronic copy of a driver's license, passport, and business license. Because it is configured on the server, it is also known as an SSL server certificate. SSL certificates are issued by trusted digital certificate authorities (CAs) (such as GlobalSign, WoSign) after verifying the identity of the server, and have the functions of server authentication and data transmission encryption.

SSL certificates are designed and developed by Netscape Communication by establishing an SSL secure channel (SSL) between the client browser and the web server. This security protocol is mainly used to provide authentication to users and servers; encrypt and hide the transmitted data; Ensuring that data is not altered in transit, i.e. data integrity, is now a global standard in this field. Since SSL technology has been established into all major browsers and web server programs, it is only necessary to install a server certificate to activate the function), that is, it can activate the SSL protocol, realize the encrypted transmission of data information between the client and the server, and prevent the leakage of data information.

The security of the information transmitted by both parties is guaranteed, and the user can verify whether the ** he is accessing is authentic and reliable through the server certificate. Digital signatures, also known as digital identifiers and seals (i.e., digital certificates, digital IDs), provide a method of identity verification on the Internet, and are digital information files used to mark and prove the identities of both parties to network communication, similar to the concept of driver's license or ID card in daily life. Digital signatures are mainly used for secure online electronic transaction activities such as sending secure e-mails, accessing secure sites, online bidding and bidding, online signing, online ordering, secure online document transmission, online office, online payment, online tax payment, and online shopping.