Secure communication identity authentication
Xiao Ming goes to the counter of XX Bank to withdraw money. The teller says sweetly and politely: Hello, please show your ID card and bank card.
Xiao Ming hands over his ID card and bank card and waits happily.
The card passes the networked public-security ID verification system in a moment. The teller also sneaks a few glances at Xiao Ming, who feels a small flutter inside . . .
In fact, the teller was only checking that the Xiao Ming standing in front of her and the Xiao Ming on the ID card are the same person. Xiao Ming got a bit carried away.
The teller asks Xiao Ming to enter the PIN for the card.
Xiao Ming enters the correct PIN, the transaction password is verified, and the teller can complete the withdrawal for him.
The above is Xiao Ming's experience at a physical bank. The whole process has the following characteristics:
(1) The bank verified the identity of the customer.
(2) The bank verified that the password entered by the customer matches the one stored in its back-end database.
(3) The customer did not verify the identity of the bank.
At least Xiao Ming did not ask to see the bank's business registration certificate, which is hardly surprising, because almost nobody does. Everyone assumes that a bank standing on a busy street cannot be a fake bank, otherwise the Public Security Bureau would have shut it down long ago.
In other words, everyone trusts that a physical bank can stand quietly on the street only because the public security organs have already authenticated its true identity on our behalf.
The transaction process above is familiar to every reader who has been to a bank. The first part of the transaction is authentication, which ensures that the parties to the transaction really are who they claim to be.
In layman's terms, the bank needs to make sure that the customer at the counter is the owner of the bank card and not a fake Xiao Ming; Xiao Ming wants to make sure that the bank in front of him is a real bank and not a fake one.
Since the Internet, people can do a lot of things on the Internet. In the world of the Internet, there is a famous saying: You can't know whether you are chatting with people or AI robots!
Take ICBC online banking, http://mybank.icbc.com.cn, as an example. The very first step, DNS name resolution, is already insecure.
DNS runs over the TCP/IP stack (normally UDP), and the TCP/IP protocols themselves provide no security at all.
Security here means:
(1) the ability to authenticate the true identity of the other party;
(2) a guarantee that the DNS response data has not been tampered with in transit.
DNS itself provides neither: a plain DNS client cannot tell whether the answer it receives came from the real DNS server or from someone who forged it. (DNSSEC and DNS over TLS/HTTPS address this, but classic DNS as discussed here has no such protection.)
If the DNS answer is the IP address of a phishing site, the browser will connect to the phishing site's IP address.
Because the HTTP protocol itself is not secure either, the end result is that the browser happily talks to a phishing site posing as ICBC. Its pages look almost exactly like the real online banking, the user readily trusts it and types in the account number and password, and Xiao Ming's online-banking credentials are leaked.
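To make the DNS point concrete, here is an added example that is not code from the original article: a minimal DNS query/answer builder in Go together with the only checks a classic (non-DNSSEC) stub resolver performs before trusting a reply, namely that the transaction ID matches, the QR bit is set and the question is echoed back. The name mybank.icbc.com.cn and the address 203.0.113.7 are constructed sample data; nothing is sent on the network. Anyone who sees the query, or guesses its 16-bit ID, can build a reply that passes these checks, which is exactly why the resolver "cannot know whether the answer comes from a real DNS server".

```go
package main

import (
	"bytes"
	"encoding/binary"
	"fmt"
	"net"
	"strings"
)

// encodeName converts "mybank.icbc.com.cn" into DNS wire-format labels
// (length byte + label, terminated by a zero byte).
func encodeName(name string) []byte {
	var b bytes.Buffer
	for _, label := range strings.Split(strings.TrimSuffix(name, "."), ".") {
		b.WriteByte(byte(len(label)))
		b.WriteString(label)
	}
	b.WriteByte(0)
	return b.Bytes()
}

// buildQuery builds a standard recursive A query carrying transaction id.
func buildQuery(id uint16, name string) []byte {
	var b bytes.Buffer
	// header: ID, flags (RD), QDCOUNT=1, ANCOUNT=0, NSCOUNT=0, ARCOUNT=0
	binary.Write(&b, binary.BigEndian, [6]uint16{id, 0x0100, 1, 0, 0, 0})
	b.Write(encodeName(name))
	binary.Write(&b, binary.BigEndian, [2]uint16{1, 1}) // QTYPE=A, QCLASS=IN
	return b.Bytes()
}

// buildAnswer builds a reply to that query with a single A record.
// Nothing in it is signed: whoever knows the transaction id (an on-path
// attacker sees it, an off-path one has only 65536 values to guess) can build it.
func buildAnswer(id uint16, name string, ip net.IP) []byte {
	var b bytes.Buffer
	// header: ID, flags (QR|RD|RA), QDCOUNT=1, ANCOUNT=1, NSCOUNT=0, ARCOUNT=0
	binary.Write(&b, binary.BigEndian, [6]uint16{id, 0x8180, 1, 1, 0, 0})
	b.Write(encodeName(name)) // question section echoed back
	binary.Write(&b, binary.BigEndian, [2]uint16{1, 1})
	b.Write([]byte{0xc0, 0x0c})                         // answer name: pointer to offset 12
	binary.Write(&b, binary.BigEndian, [2]uint16{1, 1}) // TYPE=A, CLASS=IN
	binary.Write(&b, binary.BigEndian, uint32(300))     // TTL
	binary.Write(&b, binary.BigEndian, uint16(4))       // RDLENGTH
	b.Write(ip.To4())                                   // RDATA: the address the victim will use
	return b.Bytes()
}

// acceptAnswer applies the checks a classic stub resolver makes before
// trusting a reply: same transaction id, QR bit set, question echoed back.
// It returns the A record if the reply passes. Nothing here can tell a
// forged reply from a genuine one.
func acceptAnswer(query, reply []byte) (net.IP, bool) {
	if len(query) < 12 || len(reply) < len(query)+16 {
		return nil, false
	}
	if !bytes.Equal(query[:2], reply[:2]) { // transaction id must match
		return nil, false
	}
	if reply[2]&0x80 == 0 { // QR bit: must be a response
		return nil, false
	}
	if !bytes.Equal(query[12:], reply[12:len(query)]) { // same question section
		return nil, false
	}
	rr := reply[len(query):] // first answer RR: name ptr(2) type(2) class(2) ttl(4) rdlen(2) rdata
	if binary.BigEndian.Uint16(rr[2:4]) != 1 || binary.BigEndian.Uint16(rr[10:12]) != 4 {
		return nil, false
	}
	return net.IPv4(rr[12], rr[13], rr[14], rr[15]), true
}

func main() {
	// Constructed sample data: the victim asks for the bank's address with id 0x1234.
	q := buildQuery(0x1234, "mybank.icbc.com.cn")
	// A forged reply that simply reuses the id and points at the attacker's host.
	forged := buildAnswer(0x1234, "mybank.icbc.com.cn", net.IPv4(203, 0, 113, 7))
	if ip, ok := acceptAnswer(q, forged); ok {
		fmt.Println("resolver accepted forged reply, browser will connect to", ip) // 203.0.113.7
	}
	// The only thing in the attacker's way is that the id must match.
	_, ok := acceptAnswer(q, buildAnswer(0x1235, "mybank.icbc.com.cn", net.IPv4(203, 0, 113, 7)))
	fmt.Println("reply with wrong id accepted:", ok) // false
}
```

The ID plus the source port are the whole "authentication" of a classic DNS reply; a forged answer that arrives before the genuine one wins, and the browser then dutifully opens a TCP connection to 203.0.113.7.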
Above we blamed the TCP/IP stack for being insecure, blamed DNS for being insecure, and accused HTTP of being insecure too. So who, in the end, is secure?
Its name is TLS, Transport Layer Security.
To judge whether a protocol is secure, look at the following key elements:
(1) Does it have an authentication mechanism?
(2) Can it protect the confidentiality of data?
(3) Can it protect the integrity of data?
(4) Can it detect replayed (duplicated) data?
TLS was designed to accomplish all four of these tasks, which is why it is called a security protocol. (Whether a given deployment actually is secure still depends on correct configuration, above all on the client validating the server's certificate.)
Online banking protected by the TLS protocol
Again take ICBC online banking, https://mybank.icbc.com.cn, as the example. Readers must look carefully: is TLS protection in place? Just check whether there is an "s" after "http". If not, the page is not protected by TLS and is not secure. (The reverse does not hold automatically: "https" only tells you that TLS is in use; who you are actually talking to is decided by the certificate check described in the questions below.)
(1) Online banking without TLS protection (http://mybank.icbc.com.cn)
IP / UDP / DNS (Domain Name Resolution Traffic)
IP / TCP / HTTP (Internet banking traffic)
As discussed above, since IP, UDP, TCP and HTTP are not security protocols, none of this traffic is secure.
(2) Online banking protected by the TLS protocol (https://mybank.icbc.com.cn)
IP / UDP / DNS (Domain Name Resolution Traffic)
IP / TCP / TLS / HTTP (Internet Banking Traffic)
TLS protects its own records and the HTTP carried inside them; since all online-banking traffic is carried over HTTP, TLS protects the online-banking traffic.
Students may have many questions here, so let's answer them one by one.
Q1: The IP/TCP headers underneath TLS are not protected by TLS?
A1: Correct.
Q2: What if the IP/TCP header fields are maliciously altered in transit?
A2: Tampering with them does no harm to the banking data, because those fields only concern the underlying transport. At worst the segment fails to reach its destination or is discarded; the HTTP traffic inside TLS cannot be read or silently modified, since any change to a TLS record is caught by its integrity check.
Q3: Since TCP is not protected, what if a third party injects a valid TCP Reset segment?
A3: The TCP connection is torn down. That is a denial of service, but it still cannot expose or alter the HTTP online-banking traffic; TLS protects confidentiality and integrity, not availability.
Q4: What does "valid" mean in Q3?
A4: The sequence number of the injected TCP segment falls within the receiver's window. (Stacks that follow RFC 5961 accept a RST only if its sequence number exactly matches the next expected one and answer an in-window RST with a challenge ACK, which makes blind injection harder, though an on-path attacker who sees the sequence numbers can still do it.)
Q5: TLS does not protect DNS resolution traffic. Is DNS still insecure?
A5: Yes. In theory the bank's domain name can still be resolved to the phishing site.
Q6: Since the name resolves to the phishing site and the browser blindly believes DNS, where is the security?
A6: After the TCP connection is established, the browser runs the TLS handshake and uses it to authenticate the other end. The phishing site cannot present a certificate for mybank.icbc.com.cn that passes validation: either the certificate was not issued by a certificate authority the browser trusts (the chain does not lead to a trusted root), or the name in the certificate does not match the host name the browser asked for. TLS therefore refuses to establish the secure connection, and no HTTP online-banking traffic is ever sent to the phishing site.
Q7: The digital certificate of "icbc.com.cn" is public. If the phishing site simply presents it, can it get away with that?
A7: Good question. But TLS requires the server not only to present its certificate (which contains the public key in plaintext) but also to prove that it holds the matching private key, by producing a digital signature over the handshake messages (Message) it has sent. Loosely, people describe this as "encrypting the message digest with the private key"; strictly speaking it is a signature, not encryption:
Message Digest = Hash(Message)
Signature = Sign(private key, Message Digest)
The browser verifies the signature with the public key taken from the certificate. Since the phishing site does not have the private key of "icbc.com.cn", it cannot produce a signature that verifies under the public key of "icbc.com.cn".
In other words, only a signature made with the private key of "icbc.com.cn" will verify under the public key of "icbc.com.cn". (In TLS 1.3 this proof is the CertificateVerify message, a signature over the transcript of the handshake so far; in TLS 1.2 it is the signature in ServerKeyExchange or, with RSA key exchange, the ability to decrypt the premaster secret.)
The browser's TLS immediately realises that the other side does not hold the "icbc.com.cn" private key; certificate verification fails and the connection is refused.
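The behaviour described in A6 and A7 can be reproduced locally. The following Go program is an added example, not the article's or ICBC's code: it creates a throwaway CA that stands in for the root the browser trusts, issues a certificate for the name mybank.icbc.com.cn (used purely as a label; the program only talks to itself over 127.0.0.1 and never contacts the real bank), and runs four TLS handshakes against the same "browser" configuration: the genuine server, a phishing server whose certificate for the bank's name comes from an untrusted CA (Q6), a trusted certificate issued for a different name, and the bank's real certificate presented by a server that lacks the matching private key (Q7). Only the first handshake succeeds.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// bankName is only a label on a locally issued certificate (assumption of
// this example); the program never contacts the real ICBC.
const bankName = "mybank.icbc.com.cn"

// newCA creates a self-signed CA certificate and key. It stands in for the
// public root CA that the browser trusts.
func newCA(cn string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// issue has a CA sign a server certificate for dnsName and returns the
// DER-encoded certificate together with its matching private key.
func issue(ca *x509.Certificate, caKey *ecdsa.PrivateKey, dnsName string) ([]byte, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: dnsName}, DNSNames: []string{dnsName},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	return der, key
}

// handshake runs one TLS handshake over loopback TCP. The server presents
// serverCert; the client (playing the browser) trusts only roots and expects
// serverName. The client's verdict is returned: nil means the server proved
// it is serverName, anything else means TLS refused the connection.
func handshake(serverCert tls.Certificate, roots *x509.CertPool, serverName string) error {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return err
	}
	done := make(chan struct{})
	go func() {
		defer close(done)
		raw, err := ln.Accept()
		if err != nil {
			return
		}
		srv := tls.Server(raw, &tls.Config{Certificates: []tls.Certificate{serverCert}})
		srv.Handshake() // the server's view does not matter here; the client decides
		srv.Close()
	}()
	cli, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{RootCAs: roots, ServerName: serverName})
	if err == nil {
		cli.Close()
	}
	ln.Close()
	<-done
	return err
}

// runScenarios plays the genuine bank and three impostors against the same
// browser trust store and returns each handshake's outcome by name.
func runScenarios() map[string]error {
	bankCA, bankCAKey := newCA("Trusted Root CA (example)")
	attackerCA, attackerCAKey := newCA("Attacker CA (example)")
	bankDER, bankKey := issue(bankCA, bankCAKey, bankName)
	phishDER, phishKey := issue(attackerCA, attackerCAKey, bankName) // forged, same name
	otherDER, otherKey := issue(bankCA, bankCAKey, "shop.example")   // genuine, other name
	roots := x509.NewCertPool()                                      // the browser's trust store
	roots.AddCert(bankCA)
	return map[string]error{
		// trusted chain, matching name, and the server holds the private key
		"genuine bank": handshake(tls.Certificate{Certificate: [][]byte{bankDER}, PrivateKey: bankKey}, roots, bankName),
		// Q6: DNS sent us to a phishing host whose certificate is not from a trusted CA
		"untrusted CA": handshake(tls.Certificate{Certificate: [][]byte{phishDER}, PrivateKey: phishKey}, roots, bankName),
		// a valid certificate from the trusted CA, but for a different host name
		"wrong name": handshake(tls.Certificate{Certificate: [][]byte{otherDER}, PrivateKey: otherKey}, roots, bankName),
		// Q7: the bank's public certificate copied verbatim, but the server lacks its private key
		"stolen cert, wrong key": handshake(tls.Certificate{Certificate: [][]byte{bankDER}, PrivateKey: phishKey}, roots, bankName),
	}
}

func main() {
	res := runScenarios()
	for _, name := range []string{"genuine bank", "untrusted CA", "wrong name", "stolen cert, wrong key"} {
		fmt.Printf("%-24s -> %v\n", name, res[name])
	}
}
```

The "untrusted CA" case fails with an unknown-authority error and "wrong name" with a host-name mismatch, both from the chain validation of A6; "stolen cert, wrong key" gets past chain validation (the certificate is perfectly genuine) and is rejected only because the signature the impostor produces does not verify under the certificate's public key, which is the proof of possession of A7.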
Having answered these questions, let's summarise.
The TLS implementation in the browser, acting as chief security officer (CSO), is solely responsible for authenticating the other end of the communication and making sure it really is the party the user wants to talk to. Although the two sides are far apart, it can use the digital-certificate mechanism to verify the other party's true identity.
That is the real purpose of a digital certificate. Notice that in the whole process above, the online-banking server never authenticated Xiao Ming.
Right. Once Xiao Ming sees the full online-banking home page, the site shows a dialog asking for "card number" and "password". As soon as Xiao Ming enters them, the server authenticates him: it believes that whoever knows Xiao Ming's password must be Xiao Ming, so a correct password means the user is Xiao Ming. (TLS can also authenticate the client with a client certificate, but consumer online banking usually does this at the application layer with a password, often plus a second factor.) In this way online banking reproduces the two-way authentication of the physical bank.