> [TOC]

# 1. How the TLS/SSL Protocol Works

## 1.1 Design Goals

![image-20220817212031071](assets/image-20220817212031071.png)

## 1.2 Evolution of TLS/SSL

![image-20220817212051206](assets/image-20220817212051206.png)

## 1.3 The TLS Protocol

![image-20220817212109183](assets/image-20220817212109183.png)

![image-20220817212308198](assets/image-20220817212308198.png)

# 2. How Symmetric Encryption Works

## 2.1 Definition

![image-20220817212442343](assets/image-20220817212442343.png)

## 2.2 Use of AES Symmetric Encryption on the Network

![image-20220817212505949](assets/image-20220817212505949.png)

## 2.3 Principle

![image-20220817212603946](assets/image-20220817212603946.png)

## 2.4 Padding

![image-20220817212651251](assets/image-20220817212651251.png)

# 3. How Symmetric Encryption Works (2): Modes of Operation

## 3.1 Definition

![image-20220817213857230](assets/image-20220817213857230.png)

## 3.2 ECB (Electronic codebook) Mode

![image-20220817213952227](assets/image-20220817213952227.png)

## 3.3 CBC (Cipher-block chaining) Mode

![image-20220817214010222](assets/image-20220817214010222.png)

## 3.4 CTR (Counter) Mode

![image-20220817214101437](assets/image-20220817214101437.png)

## 3.5 Integrity Checking

![image-20220817214203638](assets/image-20220817214203638.png)

## 3.6 Verifying Integrity: MAC (Message Authentication Code)

![image-20220817214224192](assets/image-20220817214224192.png)

## 3.7 GCM

![image-20220817214310075](assets/image-20220817214310075.png)

# 4. The AES Algorithm

## 4.1 Definition

![image-20220817214522765](assets/image-20220817214522765.png)

![image-20220817215134263](assets/image-20220817215134263.png)

## 4.2 Steps

![image-20220817215216891](assets/image-20220817215216891.png)

![image-20220817215247745](assets/image-20220817215247745.png)

![image-20220817215324654](assets/image-20220817215324654.png)

![image-20220817215332252](assets/image-20220817215332252.png)

![image-20220817215445932](assets/image-20220817215445932.png)

![image-20220817215454646](assets/image-20220817215454646.png)

![image-20220817215503390](assets/image-20220817215503390.png)

![image-20220817215511069](assets/image-20220817215511069.png)

# 5. Asymmetric Cryptography and the RSA Algorithm (Solving the Key Distribution Problem)

## 5.1 Definition

![image-20220817215623302](assets/image-20220817215623302.png)

## 5.2 Algorithm Process

![image-20220817215644744](assets/image-20220817215644744.png)

## 5.3 The RSA Algorithm

![image-20220817215806745](assets/image-20220817215806745.png)

![image-20220817215821569](assets/image-20220817215821569.png)

![image-20220817215830689](assets/image-20220817215830689.png)

# 6. Applications of Asymmetric Cryptography: The PKI Certificate System

## 6.1 Definition

![image-20220817221038193](assets/image-20220817221038193.png)

## 6.2 Certificate Issuance Process

![image-20220817221245923](assets/image-20220817221245923.png)

## 6.3 Signing and Signature Verification Process

![image-20220817221323734](assets/image-20220817221323734.png)

## 6.4 Certificate Chain of Trust

![image-20220817221531118](assets/image-20220817221531118.png)

## 6.5 PKI (Public Key Infrastructure)

![image-20220817221557232](assets/image-20220817221557232.png)

## 6.6 Certificate Types

![image-20220817221736019](assets/image-20220817221736019.png)

# 7. Applications of Asymmetric Cryptography: The DH Key Exchange Protocol (Negotiating the Key Used by AES)

## 7.1 RSA Key Exchange

![image-20220817222203075](assets/image-20220817222203075.png)

* Forward secrecy: if the server's private key is cracked, the public key can be worked out

## 7.2 DH Key Exchange

![image-20220817222402686](assets/image-20220817222402686.png)

## 7.3 Existing Problems

![image-20220817222532964](assets/image-20220817222532964.png)

* Can be solved using PKI

# 8. How ECC Elliptic Curves Work

## 8.1 Definition

![image-20220817222743245](assets/image-20220817222743245.png)

## 8.2 Properties

![image-20220817222756877](assets/image-20220817222756877.png)

![image-20220817223025507](assets/image-20220817223025507.png)

# 9. Upgrading the DH Protocol: The Elliptic-Curve-Based ECDH Protocol

## 9.1 Definition

![image-20220817223113940](assets/image-20220817223113940.png)

## 9.2 Steps and Principle

![image-20220817223136812](assets/image-20220817223136812.png)

![image-20220817223142765](assets/image-20220817223142765.png)

# 10. The ECDH Protocol in TLS 1.2 and TLS 1.3

## 10.1 TLS 1.2 Communication Process

![image-20220817223230693](assets/image-20220817223230693.png)

## 10.2 The FREAK Attack

![image-20220817223328253](assets/image-20220817223328253.png)

## 10.3 TLS 1.3 Support in openssl 1.1.1

![image-20220817223457659](assets/image-20220817223457659.png)

## 10.4 Key Exchange

![image-20220817223551821](assets/image-20220817223551821.png)

# 11. Handshake Optimization

## 11.1 Session Cache

![image-20220817223718720](assets/image-20220817223718720.png)

## 11.2 Session Ticket

![image-20220817223732948](assets/image-20220817223732948.png)

## 11.3 The TLS 1.3 0-RTT Handshake

![image-20220817223748524](assets/image-20220817223748524.png)

## 11.4 Replay Attacks Against 0-RTT

![image-20220817223806114](assets/image-20220817223806114.png)