Read the book Security Engineering - Ross Anderson - Page 189
5.7.5 TLS
I remarked above that a server could publish a public key and any web browser could then send a message containing a credit card number to it encrypted using : . This is in essence what the TLS protocol (then known as SSL) was designed to do, at the start of e-commerce. It was developed by Paul Kocher and Taher ElGamal in 1995 to support encryption and authentication in both directions, so that both http requests and responses can be protected against both eavesdropping and manipulation. It's the protocol that's activated when you see the padlock on your browser toolbar.
Here is a simplified description of the basic version of the protocol in TLS v1:
1. the client sends the server a client hello message that contains its name , a transaction serial number , and a random nonce ;
2. the server replies with a server hello message that contains its name , a transaction serial number , a random nonce , and a certificate containing its public key . The client now checks the certificate , and if need be checks the key that signed it in another certificate, and so on back to a root certificate issued by a company such as Verisign and stored in the browser;
3. the client sends a key exchange message containing a pre-master-secret key, , encrypted under the server public key . It also sends a finished message with a message authentication code (MAC) computed on all the messages to date. The key for this MAC is the master-secret, . This key is computed by hashing the pre-master-secret key with the nonces sent by the client and server: . From this point onward, all the traffic is encrypted; we'll write this as in the client-server direction and from the server to the client. These keys are generated in turn by hashing the nonces with .
4. The server also sends a finished message with a MAC computed on all the messages to date. It then finally starts sending the data.
Once a client and server have established a pre-master-secret, no more public-key operations are needed as further master secrets can be obtained by hashing it with new nonces.
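An added example, not from the book: a Python sketch of the key derivation and finished-message check in steps 3 and 4, and of the resumption property in the last paragraph. HMAC-SHA256 stands in for the hash function; the labels, message layouts and function names are assumptions, and the public-key transport of the pre-master-secret is taken as already done.

```python
import hashlib
import hmac
import os

def kdf(key: bytes, label: bytes, *parts: bytes) -> bytes:
    """Keyed hash over length-prefixed parts (HMAC-SHA256 stand-in, an assumption)."""
    data = b"".join(len(p).to_bytes(4, "big") + p for p in (label, *parts))
    return hmac.new(key, data, hashlib.sha256).digest()

def master_secret(pre_master: bytes, n_c: bytes, n_s: bytes) -> bytes:
    # Step 3: hash the pre-master-secret with both nonces.
    return kdf(pre_master, b"master", n_c, n_s)

def traffic_keys(master: bytes, n_c: bytes, n_s: bytes) -> tuple:
    # One key per direction, each derived from the master secret and the nonces.
    return kdf(master, b"c2s", n_c, n_s), kdf(master, b"s2c", n_c, n_s)

def finished_mac(master: bytes, transcript: list) -> bytes:
    # MAC over every handshake message seen so far, keyed with the master secret.
    return kdf(master, b"finished", *transcript)

def handshake(pre_master: bytes, tamper_in_transit: bool = False) -> bool:
    """Return True if the server accepts the client's finished message."""
    n_c, n_s = os.urandom(32), os.urandom(32)
    # Constructed sample messages; certificate and key-exchange bodies are placeholders.
    client_hello = b"hello|client|serial=1|" + n_c
    server_hello = b"hello|server|serial=1|" + n_s + b"|<certificate>"
    key_exchange = b"<pre-master-secret encrypted to server key>"
    # What the server actually received may differ from what the client sent.
    received = client_hello
    if tamper_in_transit:
        received = client_hello.replace(b"serial=1", b"serial=9")
    client_view = [client_hello, server_hello, key_exchange]
    server_view = [received, server_hello, key_exchange]
    master = master_secret(pre_master, n_c, n_s)  # both ends hold pre_master
    client_fin = finished_mac(master, client_view)
    return hmac.compare_digest(client_fin, finished_mac(master, server_view))

if __name__ == "__main__":
    pms = os.urandom(48)
    print("clean handshake accepted:", handshake(pms))
    print("modified hello accepted:", handshake(pms, tamper_in_transit=True))
    # Resumption: same pre-master-secret, fresh nonces, no public-key operation.
    m1 = master_secret(pms, os.urandom(32), os.urandom(32))
    m2 = master_secret(pms, os.urandom(32), os.urandom(32))
    print("resumed master secret differs:", m1 != m2)
```

Because the finished MAC covers the whole transcript, a change to either hello message makes the two sides compute different MACs and the handshake fails.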