Understanding SSL for consuming .Net webservice from Android


Question

I am developing an Android app which needs to consume .Net webservices over SSL, which I have no experience in. Now I am looking for some guidance and explanation on the SSL handshake and certificates.

Note: the server is using an IP address and NOT a domain name. It is an intranet application.

So far I have created a certificate (called self-signed?) on the web server from IIS 7. To consume it from the Android app, I found two ways of doing it:

1) Embed the certificate in the app (which certificate? How do I get it?)

2) Trust all the certificates (people said there is a security issue with this approach, could you elaborate more? Does it still do the handshake?)

Certificates

How many types of certificates are there in the handshake and what are they?

Does a self-signed certificate have a root certificate? If yes, how can I get them?

Is it possible to move/copy the self-signed certificate from one server to another?

Handshake:

First of all, is this process correct?

The SSL handshake process (copied from a website) is described below:

  1. The client initiates the SSL handshake process by sending a URL starting with https:// to the server.

  2. The client initially sends the Web server a list of each encryption algorithm which it supports. Algorithms supported by SSL include RC4 and Data Encryption Standard (DES). The client also sends the server its random challenge string, which will be utilized later in the process.

     Will the embedded cert be sent in here?

  3. The Web server next performs the following tasks:

     • Selects an encryption algorithm from the list of encryption algorithms supported by, and received from, the client.

     • Sends the client a copy of its server certificate.

     • Sends the client its random challenge string.

  4. The client utilizes the copy of the server certificate received from the server to authenticate the identity of the server.

  5. The client obtains the public key of the server from the server certificate.

  6. The client next generates a premaster secret. This is a different random string which will in turn be utilized to generate the session key for the SSL session. The client then encrypts a different value called the premaster secret using the public key of the server, and returns this encrypted value to the server. This is accompanied by a keyed hash of the handshake messages, and a master key. The hash is used to protect the messages exchanged in the handshake process. The hash is generated from the former two random strings transmitted between the server and the client.

     What is a master key?

  7. The server sends the client a keyed hash of all the handshake messages exchanged between the two parties so far.

     What is this keyed hash made from?

  8. The server and the client then generate the session key from the different random values and keys, by applying a mathematical calculation.

  9. The session key is used as a shared secret key to encrypt and decrypt data exchanged between the server and the client.

  10. The session key is discarded when the SSL session either times out or is terminated.

Answer

I'll try to answer to the best of my knowledge here.

  • Embed the certificate in the app (Which certificate? How do I get it?) This is the certificate identifying the client's/app's identity. You can either get it through a CA or self-sign it. This certificate will be used by the server to verify the client's/app's identity.

  • Trust all the certificates (people said there is a security issue with this approach, could you elaborate more? Does it still do the handshake?) It still does the handshake, but it doesn't do the certificate validation, which is dangerous unless you are connecting internally (which it seems you are). Trusting all certificates means an entity can claim to be someone they are not and thus could obtain confidential information from the users.

  • How many types of certificates are there in the handshake and what are they? In the handshake you have the server's certificate and optionally the client certificate (for two-factor authentication).

  • Does a self-signed certificate have a root certificate? If yes, how can I get them? A root certificate, as far as I know, means one that identifies the CA itself and thus has no one else to sign it. As your identity can still be verified and needs to be signed by a CA, yours would not be classified as a root certificate.

  • Is it possible to move/copy the self-signed certificate from one server to another? The short answer is yes, though the procedures differ from one platform to the others. Check [this link](http://www.sslshopper.com/how-to-move-or-copy-an-ssl-certificate-from-one-server-to-another.html); it has instructions for copying certificates on a few platforms.

  • Will the embedded cert be sent in here? No, the embedded (client's) certificate is sent after validation of the server's identity is complete.

  • What is a master key? The master key is the key that is used to derive the session key for later communication. It is also used to hash the messages and to verify the authenticity of the messages in the next set of stages.

  • What is this keyed hash made from? It's made from the master key sent by the client. In order to verify all messages, the server sends all messages that have been passed and hashes them with the master key. The client hashes its messages as well with the same key and then compares them with the data sent by the server. Only when the hashes match can we be sure we are still communicating with the same server.
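As an added example (not code from the question or the answer), here are the two approaches the question lists, in Android Java: the "trust all" TrustManager the answer warns about, placed beside a TrustManager that trusts only the server's embedded self-signed certificate, plus a hostname verifier for the intranet IP address. The resource file name `res/raw/server_cert.der` and the `expectedIp` parameter are assumptions.

```java
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class PinnedSslClient {
    // Approach 2 from the question ("trust all certificates"): the handshake still runs,
    // but checkServerTrusted() never throws, so any certificate from any server passes.
    static final TrustManager[] TRUST_ALL = new TrustManager[] {
        new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] chain, String authType) {}
            public void checkServerTrusted(X509Certificate[] chain, String authType) {}
            public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        }
    };

    // Approach 1: embed the server's self-signed certificate (exported from IIS in DER
    // form; res/raw/server_cert.der is an assumed file name) and trust only that one.
    static SSLContext pinnedContext(InputStream derCert) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        Certificate serverCert = cf.generateCertificate(derCert);
        // Empty in-memory KeyStore holding exactly one trusted certificate
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null);
        ks.setCertificateEntry("intranet-server", serverCert);
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    // The server is reached by IP address, so the certificate must list that IP in its
    // Subject Alternative Name or the default verifier rejects it. Checking against the
    // one expected address is far safer than a verifier that returns true for anything.
    static void configure(HttpsURLConnection conn, SSLContext ctx, String expectedIp) {
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        conn.setHostnameVerifier((host, session) -> host.equals(expectedIp)
            && HttpsURLConnection.getDefaultHostnameVerifier().verify(host, session));
    }
}
```

In the app, open the raw resource with `getResources().openRawResource(R.raw.server_cert)`, pass it to `pinnedContext`, and call `configure` on each `HttpsURLConnection` before connecting; `TRUST_ALL` is included only to show what "trust all" leaves out.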
