I've read and watched a lot of articles and videos about SSL, AES and RSA, but one thing that is ALWAYS missing in every explanation (or I just don't get it) is how the client decrypts sensitive data that comes from the server (e.g. how much money you have)!
I get it that your public key can encrypt anything and send it to the server and anyone can have it, but what do you do when you want to retrieve something from the server? Does it come just as plain text?
Any of the articles and videos point that out, they all just say that you have a private key that you shouldn't share and a public key that you can encrypt your messages with and share on the internet, but they don't say how the client makes a GET request with an encrypted message and decrypts it so it can be human readable.
As it says in this link about AES:
Asymmetric cryptography works by having two different keys, one for encryption and one for decryption. It's also often called 'public key cryptography' because it's possible to make one key public (allowing someone to encrypt a message) while keeping the other private (only the holder of the private key can decrypt the message encrypted with its related public key).
Any help is welcome!
I will leave some links about web security that I found useful to learn: https://www.coursera.org/learn/internet-history/lecture/L7HzI/security-integrity-and-certificate-authorities
1 solution
#1
If you want all the details grab a copy of SSL and TLS: Designing and Building Secure Systems. For a more arid lecture, read RFC2246 The Transport Layer Security (TLS) Protocol.
The short story is this: during the TLS/SSL handshake the client and the server exchange a secret (the PMS, pre-master-secret). This secret is used to derive session keys, initialization vectors and HMAC keys for use by client and server. Each one uses these keys to encrypt and sign everything sent from its side, and each one uses the other's key to decrypt and validate the data sent by the other. Nothing ever goes in clear text, in any direction.
Authorization and authentication based on the certificate used is a completely orthogonal issue.
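The key derivation described in the answer above, as an added example that is not part of the original answer: it follows the RFC 2246 (TLS 1.0) PRF and key-block split, then has the client verify a server record MAC. The key sizes assume an AES-128-CBC/HMAC-SHA1 suite, all sample values are constructed, and record encryption itself is left out to stay within the standard library.

```python
import hashlib, hmac, struct

def p_hash(name, secret, seed, n):
    """RFC 2246 section 5 P_hash: expand secret and seed to n bytes via HMAC."""
    out, a = b"", seed                                   # A(0) = seed
    while len(out) < n:
        a = hmac.new(secret, a, name).digest()           # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, name).digest()
    return out[:n]

def prf(secret, label, seed, n):
    """TLS 1.0 PRF: P_MD5(S1, label+seed) XOR P_SHA-1(S2, label+seed)."""
    half = (len(secret) + 1) // 2                        # halves share a byte if odd
    md5 = p_hash("md5", secret[:half], label + seed, n)
    sha = p_hash("sha1", secret[-half:], label + seed, n)
    return bytes(x ^ y for x, y in zip(md5, sha))

def derive_keys(pms, client_random, server_random, mac_len=20, key_len=16, iv_len=16):
    """Pre-master secret -> master secret -> key block, split per direction."""
    master = prf(pms, b"master secret", client_random + server_random, 48)
    block = prf(master, b"key expansion", server_random + client_random,
                2 * (mac_len + key_len + iv_len))
    names = ["client_mac", "server_mac", "client_key", "server_key", "client_iv", "server_iv"]
    sizes = [mac_len, mac_len, key_len, key_len, iv_len, iv_len]
    keys, pos = {}, 0
    for name, size in zip(names, sizes):
        keys[name] = block[pos:pos + size]
        pos += size
    return keys

def record_mac(mac_key, seq, content_type, fragment):
    """TLS 1.0 record MAC over seq_num, type, version 3.1, length and fragment."""
    header = struct.pack("!QBBBH", seq, content_type, 3, 1, len(fragment))
    return hmac.new(mac_key, header + fragment, "sha1").digest()

# Constructed sample handshake values (not from a real session).
PMS = b"\x03\x01" + bytes(range(46))
CLIENT_RANDOM = bytes([0xC1]) * 32
SERVER_RANDOM = bytes([0x5E]) * 32

def demo():
    # Each side runs the same derivation independently; no key crosses the wire.
    server = derive_keys(PMS, CLIENT_RANDOM, SERVER_RANDOM)
    client = derive_keys(PMS, CLIENT_RANDOM, SERVER_RANDOM)
    body = b"balance=1234.56"
    tag = record_mac(server["server_mac"], 0, 23, body)  # 23 = application_data
    ok = hmac.compare_digest(tag, record_mac(client["server_mac"], 0, 23, body))
    forged = hmac.compare_digest(tag, record_mac(client["server_mac"], 0, 23, b"balance=9999.99"))
    return server == client, ok, forged
```

The client decrypts server records with `server_key`/`server_iv` in the same way: it already holds them, because both sides computed the identical key block.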