Cisco Cisco Web Security Appliance S670 Betriebsanweisung
10-9
Cisco IronPort AsyncOS 7.1 for Web User Guide
OL-23207-01
Chapter 10 Decryption Policies
Digital Certificates
SSL Handshake
The SSL “handshake” is a set of steps a client and server engage in using the SSL
protocol to establish a secure connection between them. The client and server
must complete the following steps before they can send and receive encrypted
HTTP messages:
protocol to establish a secure connection between them. The client and server
must complete the following steps before they can send and receive encrypted
HTTP messages:
Step 1
Exchange protocol version numbers. Both sides must verify they can
communicate with compatible versions of SSL or TLS.
communicate with compatible versions of SSL or TLS.
Step 2
Choose a cipher that each side knows. First, the client advertises which ciphers
it supports and requests the server to send its certificate. Then, the server chooses
the strongest cipher from the list and sends the client the chosen cipher and its
digital certificate.
it supports and requests the server to send its certificate. Then, the server chooses
the strongest cipher from the list and sends the client the chosen cipher and its
digital certificate.
Step 3
Authenticate the identity of each side. Typically, only the server gets
authenticated while the client remains unauthenticated. The client validates the
server certificate. For more information about certificates and using them to
authenticate servers, see
authenticated while the client remains unauthenticated. The client validates the
server certificate. For more information about certificates and using them to
authenticate servers, see
.
Step 4
Generate temporary symmetric keys to encrypt the channel for this session.
The client generates a session key (usually a random number), encrypts it with the
server’s public key, and sends it to the server. The server decrypts the session key
with its private key. Both sides compute a common master secret key that will be
used for all future encryption and decryption until the connection closes.
The client generates a session key (usually a random number), encrypts it with the
server’s public key, and sends it to the server. The server decrypts the session key
with its private key. Both sides compute a common master secret key that will be
used for all future encryption and decryption until the connection closes.
Digital Certificates
A digital certificate is an electronic document that identifies and describes an
organization, and that has been verified and signed by a trusted organization. A
digital certificate is similar in concept to an identification card, such as a driver’s
license or a passport. The trusted organization that signs the certificate is also
known as a certificate authority.
organization, and that has been verified and signed by a trusted organization. A
digital certificate is similar in concept to an identification card, such as a driver’s
license or a passport. The trusted organization that signs the certificate is also
known as a certificate authority.
Certificates allow a client to know that it is talking to the organization it thinks it
is talking to. When a server certificate is signed by a well-known or trusted
authority, the client can better assess how much it trusts the server.
is talking to. When a server certificate is signed by a well-known or trusted
authority, the client can better assess how much it trusts the server.
X.509 is a standard example of a public key infrastructure (PKI). X.509 specifies
standards for certificates and an algorithm for validating certification paths. The
Web Security appliance uses the X.509 standard.
standards for certificates and an algorithm for validating certification paths. The
Web Security appliance uses the X.509 standard.