SSL：在中间攻击中如何保护证书免受人的攻击？ [英] SSL: How are certificates protected against man in the middle attacks?

问题描述

我的问题是关于ssl证书，但我认为这些问题应该适用于所有证书。为了清楚起见，我已经包括SSL过程。

My question is about certificates specifically in ssl but I think the questions should apply to all certificates. I have included the SSL procedure for the sake of clarity.

在SSL中，这是我理解的过程：

In SSL this is what I understand to be the procedure:

1）客户

• 发送支持的加密算法


• 发送客户端随机数

2）服务器

• 选择（发送）a
  
  
  
  
  • 对称算法
  
  
  • 公开密钥算法
  
  
  • MAC算法
  
  

  3）客户

  
  
  • 验证证书
    
    
    
    
    • 提取公钥
    
    

    4）客户端和服务器

    
    
    • 从PMS和随机数计算主分泌（MS）
    
    
    • PMS被切片以生成两个加密&两个Mac金钥
    
    

    5）客户

    
    
    • 发送所有握手的MAC（以确保他们以前不曾修改）
    
    

    6）服务器

    
    
    • 发送所有握手的mac
    
    

    >

    Question

    在第二步，什么阻止了中间人攻击的发生？为什么一个人在中间不能说，trudy捕获由服务器发送的证书，并更改其中的公钥（到它有私钥的东西）。

    What stops a man in the middle attack from happening at step two? Why can't a man in the middle, say trudy, capture the certificate sent by the server and change the public key in it (to something it has the private key to).

    我假设证书是以某种方式加密的。

    I assume that the certificate is encrypted somehow.

    但是，由于客户端还没有公钥，服务器无法加密证书。当服务器从权威机构获取密钥（如veri-sign）时，密钥是否使用verisign的公钥预先加密？我认为这应该工作，因为所有的网络浏览器应该有大多数当局的公钥。

    However the server cannot encrypt the certificate because the client does not have the public key yet. When the server gets the key from an authority (like veri-sign) would the key be pre-incripted using verisign's public key? I think this should work because all web browsers should have the public keys of most authorities.

    推荐答案

    否，证书未加密。但是它由认证机构（CA）签署。由于这些检查证书中包含的信息（尤其是证书所属的URL），因此对于给定的URL不应有第二个有效的证书。

    No, the certificate is not encrypted. But it is signed by a certification authority (CA). Since those check the information included in the certificate (especially the URL to which the cert belongs), there shouldn't be a second valid certificate for a given URL.

    CA的证书与信任存储（例如在您的浏览器中）进行检查。如果此信任库被泄露，或者您不信任无效的证书，则在中间攻击中没有针对人的保护

    The cert of the CA is checked against a trust store (e.g. in your browser). If this truststore is compromised, or if you trust not valid certificates, there is no protection against man in the middle attacks

    这篇关于SSL：在中间攻击中如何保护证书免受人的攻击？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！