SSL: How are certificates protected against man in the middle attacks?
Problem description
My question is about certificates specifically in SSL, but I think the questions should apply to all certificates. I have included the SSL procedure for the sake of clarity.
In SSL this is what I understand to be the procedure:
1) Client
- sends supported encryption algorithms
- sends client nonce
2) Server
- chooses (sends) a
- symmetric algorithm
- public key algorithm
- MAC algorithm
3) Client
- verifies the certificate
- extracts the public key
4) Client and server
- compute the master secret (MS) from the PMS and the nonces
- the PMS is sliced to generate two encryption & two MAC keys
5) Client
- sends a MAC of all handshake messages (to make sure they were not modified before)
6) Server
- sends a MAC of all handshake messages
Question
What stops a man in the middle attack from happening at step two? Why can't a man in the middle, say Trudy, capture the certificate sent by the server and change the public key in it (to something she has the private key to)?
I assume that the certificate is encrypted somehow.
However, the server cannot encrypt the certificate because the client does not have the public key yet. When the server gets the key from an authority (like VeriSign), would the key be pre-encrypted using VeriSign's public key? I think this should work because all web browsers should have the public keys of most authorities.
Recommended answer
No, the certificate is not encrypted. But it is signed by a certification authority (CA). Since those check the information included in the certificate (especially the URL to which the cert belongs), there shouldn't be a second valid certificate for a given URL.
The cert of the CA is checked against a trust store (e.g. in your browser). If this trust store is compromised, or if you trust invalid certificates, there is no protection against man in the middle attacks.
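To make the answer concrete, here is an added, stdlib-only Python model of what the client does at step 3 (it is not code from the question or the answer). It stands in textbook RSA over fixed Mersenne primes and a JSON "certificate" for real X.509 and PKCS#1/ECDSA; the CA name "Toy Root CA", the host "example.com", the keys and "Trudy CA" are all constructed. It walks the four cases the thread discusses: an honest connection, Trudy swapping the public key inside the server's certificate, Trudy presenting her own certificate for the same name, and the caveat at the end of the answer, a trust store that contains Trudy's CA.

```python
"""Toy model of CA-signed certificates (added example, stdlib only).

Assumptions: textbook RSA over fixed Mersenne primes and a JSON 'certificate'
stand in for real X.509 + PKCS#1/ECDSA; names, keys and hosts are constructed.
"""
import hashlib
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class KeyPair:
    n: int  # modulus (public)
    e: int  # public exponent
    d: int  # private exponent


def toy_keypair(p_exp: int, q_exp: int, e: int = 65537) -> KeyPair:
    # Constructed, deterministic primes: 2**k - 1 for Mersenne exponents k.
    p, q = (1 << p_exp) - 1, (1 << q_exp) - 1
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))
    return KeyPair(n, e, d)


def digest(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(key: KeyPair, data: bytes) -> int:
    # Only the holder of the private exponent d can produce this value.
    return pow(digest(data), key.d, key.n)


def verify(n: int, e: int, data: bytes, sig: int) -> bool:
    # Anyone holding the public (n, e) can check it.
    return pow(sig, e, n) == digest(data)


def to_be_signed(cert: dict) -> bytes:
    # Everything the CA vouches for: subject name, subject's public key, issuer.
    fields = {k: cert[k] for k in ("subject", "pub_n", "pub_e", "issuer")}
    return json.dumps(fields, sort_keys=True).encode()


def issue_cert(ca_name: str, ca_key: KeyPair, subject: str, subject_key: KeyPair) -> dict:
    cert = {"subject": subject, "pub_n": subject_key.n, "pub_e": subject_key.e, "issuer": ca_name}
    cert["signature"] = sign(ca_key, to_be_signed(cert))
    return cert


def client_checks(cert: dict, expected_host: str, trust_store: dict) -> str:
    """Step 3 on the client: issuer trusted? CA signature valid? name matches?"""
    ca = trust_store.get(cert["issuer"])
    if ca is None:
        return "untrusted issuer"
    if not verify(ca["n"], ca["e"], to_be_signed(cert), cert["signature"]):
        return "bad signature"
    if cert["subject"] != expected_host:
        return "name mismatch"
    return "ok"


# Constructed actors: a root CA, the real server, and Trudy in the middle.
CA_KEY = toy_keypair(1279, 2203)
SERVER_KEY = toy_keypair(521, 607)
TRUDY_KEY = toy_keypair(2281, 521)
TRUST_STORE = {"Toy Root CA": {"n": CA_KEY.n, "e": CA_KEY.e}}
SERVER_CERT = issue_cert("Toy Root CA", CA_KEY, "example.com", SERVER_KEY)


def honest_connection() -> str:
    return client_checks(SERVER_CERT, "example.com", TRUST_STORE)


def swapped_public_key() -> str:
    # The question's scenario: the public key inside the cert is replaced,
    # but the CA's signature still covers the original key.
    tampered = dict(SERVER_CERT, pub_n=TRUDY_KEY.n, pub_e=TRUDY_KEY.e)
    return client_checks(tampered, "example.com", TRUST_STORE)


def trudy_self_signed() -> str:
    # A certificate for the same name, signed by a CA the client does not trust.
    cert = issue_cert("Trudy CA", TRUDY_KEY, "example.com", TRUDY_KEY)
    return client_checks(cert, "example.com", TRUST_STORE)


def compromised_trust_store() -> str:
    # The answer's caveat: once Trudy's CA is in the trust store, every check passes.
    poisoned = dict(TRUST_STORE, **{"Trudy CA": {"n": TRUDY_KEY.n, "e": TRUDY_KEY.e}})
    cert = issue_cert("Trudy CA", TRUDY_KEY, "example.com", TRUDY_KEY)
    return client_checks(cert, "example.com", poisoned)


if __name__ == "__main__":
    for scenario in (honest_connection, swapped_public_key, trudy_self_signed, compromised_trust_store):
        print(f"{scenario.__name__:25s} -> {scenario()}")
```

The point the model makes is the one in the answer: nothing in the certificate is secret, so "encrypting" it would not help; what protects it is that the signature covers the subject name and the public key together, and the client verifies that signature with a CA key it already holds. The last scenario is why the contents of the trust store matter as much as the signature check itself.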