Shulou(Shulou.com)06/01 Report--

This article mainly explains "what is the function of the certificate in the server". The content of the explanation in the article is simple and clear, and it is easy to learn and understand. let's study and learn "what is the role of the certificate in the server"?

The function of digital signature is to prevent tampering and camouflage, and to prevent denial. However, there is a very big premise for the correct use of digital signature technology, that is, the public key used to verify the signature must really belong to the sender.

If the public key you get is forged, no matter how perfect your signature algorithm is, you will get the wrong result.

So how can we safely obtain the sender's public key? You need to use the certificate here. The so-called certificate is obtained by signing the sender's public key through a third-party trusted institution.

There are two concepts: public key certificates (Public-Key Certificate, PKC) and certification authorities (Certification Authority, CA). Friends who are familiar with blockchain should often hear the term CA, and CA is the certification body here.

Examples of certificates

Let's take a look at an example that might be encountered in practice:

If A wants to send a message to B that wants to be encrypted with B's public key, but A cannot know what B's public key is in advance, you can use the following certificate architecture:

In the first step, B needs to generate its own key pair and then register the public key with CA. Here CA is a third-party trusted organization.

After obtaining the public key of B, CA uses its own private key to sign the public key of B to get the certificate.

An obtains the certificate and the public key of CA from CA (CA is a trusted institution and can be obtained from public sites), and uses the public key of CA to verify the validity of the certificate signature.

An obtains the public key of B and uses the public key of B to encrypt the message.

B decrypt the message with your own private key to get the plaintext.

Well, this is the simplest example of using a certificate.

Standard and generation of certificates

Because the certificate is issued by the certification authority, the consumer needs to verify it, so a standard certificate format is needed to facilitate the user to use. One of the most extensive certificate standard formats is the X.509 specification developed by ITU (International Telecommunication Union) and ISO (International Organization for Standardization).

X.509 has many extension formats including DER, CRT, CER, PEM, and so on. They have different uses in different environments.

So how do you generate a certificate? It can be generated with the help of third-party tools or using command-line commands such as openssl. I won't go into details about the specific generation commands here.

PKI

With the format of the certificate, can you actually use the certificate?

In fact, this is not enough, we also need to define who should issue the certificate, how to issue it, and if the certificate is invalidated. PKI (Public-Key Infrastructure) Public key Infrastructure is a series of specifications and protocols developed for the effective use of certificates.

PKI consists of three main parts:

User

Users are people who use PKI, that is, people who need to use CA to publish their own public keys and obtain other people's public keys.

Certification body

The certification body is CA, which is the person who manages the certificate. In addition to generating certificates, CA also has a very important task of invalidating certificates.

Because the user may lose the key, or for special reasons, discard some certificates. Then you can initiate an invalidation request to CA. The invalid certificate will be saved in CRL. CRL is an external certificate revocation list. When using a certificate, the user must first check whether the certificate is in the CRL list. If yes, the certificate cannot be used.

Warehouse

The warehouse is a database that holds certificates, and the certificates generated after user registration are stored in the warehouse for other users to obtain and use.

Hierarchical structure of CA

We have learned about the concept of root CA in Fabric. What does this mean?

As we can see from the above introduction, CA can not only be performed by an organization, but can be built by anyone who can sign the public key.

If a large organization wants to build a CA, for example, a head office wants to build a CA, then it can first build a root CA, and then build a sub-CA under the root CA, these sub-CA are responsible for the certificate issuance of the underlying specific users.

Attacks on certificates

Because certificates are based on digital signature technology, all attacks based on digital signature technology are applicable to certificates.

Here is an introduction to the attack on PKI system:

Replace the public key before the public key is registered.

If user B wants to generate a certificate, he needs to register with CA and submit his public key to CA. Then it may be maliciously replaced before the public key is submitted.

Steal the private key of the certification authority

All user public keys are signed by CA's private key, and all certificates are insecure if CA's private key is stolen.

In fact, CA is a centralized organization, and such problems often arise in centralized institutions. If you break one, you break everything.

Disguise as a certification body

An attacker can pretend to be an authentication body to fool a user. So users must be careful when registering.

CRL time difference attack

If B's key is lost, he will submit a discarded application to CA, but there is a time lag between submitting the application and taking effect, and there is a time lag between CRL generation and obsolete key can still be used legally during this period.

Thank you for your reading, the above is the content of "what is the role of the certificate in the server". After the study of this article, I believe you have a deeper understanding of the role of the certificate in the server. the specific use of the situation also needs to be verified by practice. Here is, the editor will push for you more related knowledge points of the article, welcome to follow!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.