tls

The first handshake

1. The client sends client hello news ：tls Version number , List of supported password conditions , And the random number generated .

The second handshake

The second handshake server hello
After the server receives the message , return server hello,

however , This time, the selected cipher suite is the same as RSA It's different. , Let's analyze the meaning of this cipher suite .

Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)

The key agreement algorithm uses ：ECDHE
The signature algorithm uses ：ECDSA
Use communication algorithm after handshake ：AES Symmetric algorithm , Key length ：128 position , Group mode ：GCM
Abstract algorithm ：SHA256

The certificate is issued under the second handshake

In order to prove their identity , send out 「Certificate」 news , The certificate will also be sent to the client .

The server exchange key of the second handshake

Because the server chose ECDHE Key agreement algorithm , So after sending the certificate , send out 「Server Key Exchange」 news .

In this process, the server does three things ：
● You have chosen the name named_curve The elliptic curve of , The selected elliptic curve is equivalent to the base point of the elliptic curve G It's settled , These will be exposed to the client ;
● Generate a random number as the private key of the elliptic curve of the server , Keep it locally ;
● According to the base point G And the private key to calculate the elliptic curve public key of the server , This will be made public to the client .
To ensure that the public key of the elliptic curve is not tampered by a third party , The server will use RSA The signature algorithm makes a signature for the elliptic curve public key of the server .
And then , Namely 「Server Hello Done」 news , The server indicates to the client ：“ That's what I'm offering , After the greeting ”.

The third handshake

The third handshake Client Key Exchange

After the client receives the certificate from the server , Naturally, we need to check whether the certificate is legal , If the certificate is legal , Then it's OK for the server to end to identity . Verify certificate to process , Will go through the certificate chain to verify level by level , Confirm the authenticity of the certificate , And then verify the signature with the public key of the certificate , In this way, the identity of the server can be confirmed , After confirmation , You can go on down .
The client will generate a random number as the private key of the client elliptic curve , And then according to the information given by the server , Generate the elliptic curve public key of the client , And then use 「Client Key Exchange」 The message is sent to the server .

thus , Both sides have each other's elliptic curve public key 、 My own elliptic curve 、 The base point of the elliptic curve G. therefore , Both sides worked out a point （x,y）, among x The coordinate values are the same on both sides , I said before ECDHE When the algorithm , say x It's the session key , But in practice ,x It's not the final session key yet .
Remember TLS handshake phase , Will the client and server generate a random number to pass to each other ？
The final session key , Just use 「 Client random number + Server random number + x（ECDHE The shared key calculated by the algorithm ） 」 Three materials made of .
The reason why it's so troublesome , Because TLS Designers don't trust clients or servers 「 Pseudo random number 」 The reliability of the , To make sure that it's really completely random , Mix up three unreliable random numbers , that 「 Random 」 The degree is very high , The hacker cannot calculate the final session key , safer .

The third handshake Change Cipher Spec

The fourth handshake

Last , The server will have the same operation , Hair 「Change Cipher Spec」 and 「Encrypted Handshake Message」 news , If both sides verify that encryption and decryption are OK , So the handshake is officially complete . therefore , You can send and receive encrypted HTTP Request and respond to .

The fourth handshake , stay wireshark Not found in

Reference address ：

The illustration ECDHE Key exchange algorithm

https://www.likecs.com/show-124371.html