SSL:可以在真正的加密开始之前嗅探密钥吗? [英] SSL: can the secret key be sniffed before the actual encryption begins?
问题描述
我一直在研究SSL和在服务器与客户端计算机之间建立加密连接所涉及的一些步骤.
I was looking into SSL and some of the steps that are involved to set up an encrypted connection between a server and a client computer.
我了解到服务器密钥和证书已发送到浏览器,并且正在计算密码,就像他们在以下视频中所说的那样:
I understand that a server key and certificate is sent to the browser, and that a secret code is being calculated, like they say in the following video:
http://www.youtube.com/watch?v=iQsKdtjwtYI
大约5:22,他们谈论了一个主密码,该密码正在被计算为以加密方式开始通话.
around 5:22, they talk about a master secret code that is being calculated to start talking in an encrypted way.
现在我的问题是:在实际加密连接之前(握手阶段),服务器和客户端之间的所有通信都可以被数据包嗅探器嗅探到.那么,是否有可能嗅探用于建立安全连接的加密密钥或其他数据?
My question now is: before the connection is actually encrypted (the handshake phase), all communication between the server and the client can be sniffed by a packet sniffer. Isn't it then possible to sniff the encryption key or other data that is used to set up a secure connection?
推荐答案
摘录自维基百科摘要,我认为您感兴趣的关键部分是:
From the Wikipedia summary, I think the key part you're interested in is:
客户端使用ClientKeyExchange消息进行响应,该消息可能 包含PreMasterSecret,公共密钥或不包含任何内容. (再次 取决于所选密码.)此PreMasterSecret已加密 使用服务器证书的公钥.
The client responds with a ClientKeyExchange message, which may contain a PreMasterSecret, public key, or nothing. (Again, this depends on the selected cipher.) This PreMasterSecret is encrypted using the public key of the server certificate.
这就是为什么公钥如此重要的原因.如果您使用了错误的公钥,那么您很容易受到中间攻击.
This is why the public key is so important. If you use the wrong public key, you're vulnerable to man in middle attacks.
每当伪造SSL证书问题(例如 DigiNotar ).
Witness the justified worry whenever bogus SSL certificate issues (e.g. DigiNotar).
这篇关于SSL:可以在真正的加密开始之前嗅探密钥吗?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
