SSL:如何保护证书免受中间人攻击? [英] SSL: How are certificates protected against man in the middle attacks?
问题描述
我的问题是关于 ssl 中的证书,但我认为这些问题应该适用于所有证书.为了清楚起见,我已经包含了 SSL 过程.
My question is about certificates specifically in ssl but I think the questions should apply to all certificates. I have included the SSL procedure for the sake of clarity.
在 SSL 中,我理解的程序是:
In SSL this is what I understand the procedure is:
1)客户
- 发送支持的加密算法
- 发送客户端随机数
- 服务器
- 选择(并发送)一个
- 对称算法
- 一种公钥算法
- MAC 算法
- 发送它的证书
- 发送服务器随机数
- 客户
- 验证证书
- 提取公钥
- 生成预主密钥 (pms)
- 使用服务器公钥加密并发送
- 客户端和服务器
- 从 PMS 和 nonces 计算主分泌 (MS)
- PMS 切片生成两个加密 &两个 mac 键
- 客户
- 发送所有握手的 mac(以确保它们之前没有被修改)
- 服务器
- 发送所有握手的 mac
问题
是什么阻止了中间人在第二步发生攻击?为什么中间的人,比如 trudy,不能捕获服务器发送的证书并更改其中的公钥(更改为它拥有私钥的东西).
What stops a man in the middle attack from happening at step two? Why can't a man in the middle, say trudy, capture the certificate sent by the server and change the public key in it (to something it has the private key to).
我假设证书以某种方式加密.
I assume that the certificate is encrypted somehow.
但是服务器无法加密证书,因为客户端还没有公钥.当服务器从权威机构(如veri-sign)获取密钥时,是否会使用verisign 的公钥对密钥进行预加密?我认为这应该可行,因为所有网络浏览器都应该拥有大多数权威机构的公钥.
However the server cannot encrypt the certificate because the client does not have the public key yet. When the server gets the key from an authority (like veri-sign) would the key be pre-encrypted using verisign's public key? I think this should work because all web browsers should have the public keys of most authorities.
推荐答案
不,证书没有加密.但它是由证书颁发机构 (CA) 签署的.由于它们会检查证书中包含的信息(尤其是证书所属的 URL),因此给定 URL 不应该有第二个有效证书.
No, the certificate is not encrypted. But it is signed by a certification authority (CA). Since those check the information included in the certificate (especially the URL to which the cert belongs), there shouldn't be a second valid certificate for a given URL.
根据信任库(例如在您的浏览器中)检查 CA 的证书.如果此信任库遭到破坏,或者您信任无效证书,则无法防止中间人攻击
The cert of the CA is checked against a trust store (e.g. in your browser). If this truststore is compromised, or if you trust not valid certificates, there is no protection against man in the middle attacks
这篇关于SSL:如何保护证书免受中间人攻击?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
