One way SSL is one way encryption?


Question

If one way SSL is used (Server Certificate authentication) then data sent from client gets encrypted using Public key of the server certificate. So privacy protection is available for data sent from client. My questions are

  1. Does this mean that in One way SSL data sent from Server to client is not encrypted and sent as plain text?

For both server to client and client to server communications the data/message is not signed and so tamper protection or data integrity is not assured. Are there any other means to achieve data integrity while using SSL based transport security and not Message security options?

Recommended answer

One way SSL just means that the server does not validate the identity of the client. It has no effect on any of the other security properties of SSL.

While the SSL protocol is a bit complex, the basic gist of what happens is this: The client generates a random key, encrypts it so that only the server can decrypt it, and sends it to the server. The server and client now have a shared secret that can be used to encrypt and validate the communications in both directions.

The server has no idea of the client's identity, but otherwise, the encryption and message validation is two way.

Update:

1) Yes, encryption both ways is symmetric and uses a shared secret generated during session setup.

2) With a shared secret, message integrity is trivial to assure. You just ensure the message has a particular form. For example, I can prefix every message I send with a sequence number and append a checksum onto it before encryption. You decrypt it with the shared secret and validate the sequence number and checksum. How can an attacker substitute or modify the message without knowing the shared secret and still keep the sequence number and checksum intact?
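
An added example, not part of the original answer, of the sequence-number-plus-check idea from point 2: it uses a keyed HMAC over an implicit sequence number in place of the answer's checksum-before-encryption, and leaves the encryption step out. The class name, direction labels and the key derivation are assumptions made for illustration (the derivation is simplified and is not the TLS PRF); the sample payloads are constructed.

```python
import hashlib
import hmac
import os
import struct

TAG_LEN = 32  # HMAC-SHA256 output size


class RecordEndpoint:
    """One end of one direction; sender and receiver each hold their own counter."""

    def __init__(self, shared_secret: bytes, direction: bytes):
        # Simplified per-direction key derivation (assumption, not the TLS PRF).
        self.key = hmac.new(shared_secret, direction, hashlib.sha256).digest()
        self.seq = 0  # implicit sequence number, never sent on the wire

    def _tag(self, payload: bytes) -> bytes:
        header = struct.pack(">QI", self.seq, len(payload))
        return hmac.new(self.key, header + payload, hashlib.sha256).digest()

    def protect(self, payload: bytes) -> bytes:
        record = payload + self._tag(payload)
        self.seq += 1
        return record

    def accept(self, record: bytes):
        """Return the payload, or None if the record is forged, replayed or out of order."""
        if len(record) < TAG_LEN:
            return None
        payload, tag = record[:-TAG_LEN], record[-TAG_LEN:]
        if not hmac.compare_digest(tag, self._tag(payload)):
            return None  # counter is not advanced on failure
        self.seq += 1
        return payload


def demo() -> list:
    secret = os.urandom(32)  # constructed stand-in for the handshake's shared secret
    tx = RecordEndpoint(secret, b"client->server")
    rx = RecordEndpoint(secret, b"client->server")
    r0, r1 = tx.protect(b"pay alice 10"), tx.protect(b"pay bob 20")
    tampered = r0[:10] + b"9" + r0[11:]  # one payload byte changed in transit
    return [rx.accept(tampered), rx.accept(r0), rx.accept(r0), rx.accept(r1)]


if __name__ == "__main__":
    print(demo())
```

The receiver rejects the modified record and the replayed copy of the first record, and accepts the two genuine records in order.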
