Why does Chrome display a "SHA1" message with a SHA2 certificate


Question

I have just re-keyed a SHA1 certificate and installed a new SHA2 certificate in its place. Everything is working fine. There is no insecure content. Digicert's diagnostic tool says everything is ok, and "Signature algorithm = SHA256 + RSA". However, Google Chrome says (note my emphasis):


The identity of this website has been verified by DigiCert SHA2 High Assurance Server CA but does not have public audit records.

Your connection to [www.domain.com] is encrypted with 128-bit encryption.

The connection uses TLS 1.0.

The connection is encrypted using AES_128_CBC, with SHA1 for message authentication and DHE_RSA as the key exchange mechanism.

Why does Google Chrome say that the connection is using "SHA1 for message authentication"?

(Note: I have cleared cache and refreshed page)

Recommended answer

Message authentication is used for authenticating the data in transit. It is not used for securing the certificates (using digital signatures).

Many cipher suites will still use HMAC using SHA-1, as SHA-1 (and even MD5) is quite safe within an HMAC scheme (due to the fact that a key is hashed both at the start and at the end of the data to protect).

The structure of the HMAC algorithm makes it less susceptible to attacks on properties of the underlying hash algorithm. HMAC is quite resilient against the current (successful) attacks on MD5 and SHA-1.
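
Added example (not part of the original answer): the HMAC-SHA1 construction from RFC 2104, applied to a TLS 1.0 record the way the AES_128_CBC_SHA suite in the question does, which is independent of the certificate's SHA-256 signature. The key, sequence numbers and record contents are constructed sample values, and the function names are this example's own.

```python
import hashlib
import hmac
import struct

BLOCK = 64  # SHA-1 input block size in bytes


def hmac_sha1(key: bytes, msg: bytes) -> bytes:
    """RFC 2104: H((K xor opad) || H((K xor ipad) || msg))."""
    if len(key) > BLOCK:  # over-long keys are hashed down first
        key = hashlib.sha1(key).digest()
    key = key.ljust(BLOCK, b"\x00")
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = hashlib.sha1(ipad + msg).digest()   # keyed inner hash over the data
    return hashlib.sha1(opad + inner).digest()  # keyed outer hash over the inner digest


def tls10_record_mac(mac_key, seq_num, content_type, fragment):
    """Record MAC as defined for TLS 1.0 (RFC 2246, section 6.2.3).

    Input: 64-bit sequence number, content type, version {3, 1},
    16-bit fragment length, then the fragment itself.
    """
    header = struct.pack("!QBBBH", seq_num, content_type, 3, 1, len(fragment))
    return hmac_sha1(mac_key, header + fragment)


def verify_record(mac_key, seq_num, content_type, fragment, tag):
    expected = tls10_record_mac(mac_key, seq_num, content_type, fragment)
    return hmac.compare_digest(expected, tag)  # constant-time comparison


def demo():
    # Constructed sample values, not taken from a real connection.
    key = bytes(range(20))
    record = b"GET / HTTP/1.1\r\nHost: www.domain.com\r\n\r\n"
    tag = tls10_record_mac(key, 1, 23, record)  # 23 = application_data
    return {
        "matches_stdlib": hmac_sha1(key, record)
        == hmac.new(key, record, hashlib.sha1).digest(),
        "intact": verify_record(key, 1, 23, record, tag),
        "tampered": verify_record(key, 1, 23, record.replace(b"GET", b"PUT"), tag),
        "replayed": verify_record(key, 2, 23, record, tag),
    }


if __name__ == "__main__":
    print(demo())
```

The sequence number in the MAC input is why the same record presented at a different position in the stream fails verification.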
