Shulou(Shulou.com)06/01 Report--

Encryption, digital signatures and digital certificates

1 symmetric encryption

In the symmetric encryption algorithm, encryption and decryption use the same secret key, so the protection of the secret key is very important. The symmetric encryption and decryption process is shown below:

Symmetric algorithm encryption process

Symmetric algorithm decryption process

Although the symmetric key can satisfy the encryption of the content, the symmetric algorithm still has the following two problems.

1. The risk of secret key disclosure: the server and the client must agree on the key to be used between each other, and the process of this agreement may have the risk of disclosure.

2. If there are 100 or more clients to send files to the server. In that case, the server may need to have more than 100 contracted key processes.

Thus it can be seen that symmetric keys are problematic in terms of security and availability. And two problems must be solved.

2 asymmetric encryption

The asymmetric algorithm uses different keys for encryption and decryption. The encryption algorithm has a pair of keys, namely, the public key and the private key. The public key is public and the private key is kept by itself.

Asymmetric algorithm encryption process

Decryption process of asymmetric algorithm

3 Digital signature and encryption

Encryption refers to the encryption of a certain content, and the encrypted content can also be restored by decryption. For example, we encrypt an email, and the encrypted content is transmitted on the network. After receiving it, the receiver can restore the real content of the email through decryption.

A signature is to add a paragraph to the end of the message to prove that the message has not been modified. Signature is generally a hash calculation of the information to get a hash value, note that this process is irreversible, that is to say, it is impossible to get the original information content through hash. When the message is sent, the hash value is encrypted (encrypted using the private key of the asymmetric algorithm) and sent as a signature along with the message. After receiving the message, the receiver will recalculate the hash value of the message and compare it with the hash value attached to the message (after decryption). If it is consistent, it means that the content of the message has not been modified, because the hash calculation can guarantee that different contents will get different hash values, so as soon as the content is modified, the hash value calculated based on the information content will change. Of course, people with bad intentions can also modify the content of the message as well as the hash value so that they can match. To prevent this, the hash value is usually encrypted (that is, the signature) and then sent with the message to ensure that the hash value is not modified.

Digital signature solves the problems of non-repudiation and unusurable modification of information security.

4 digital certificate

Based on the asymmetric key algorithm, Bob generates a pair of public and private keys. Bob publishes the public key in a public KeyStore. When Alice sends encrypted files to Bob or verifies files signed by Bob, it fetches the public key of Bob from the public KeyStore. We already know that, in general, a public key is a fixed-length string with no specific meaning.

In order to make Alice easily identify the public key, we can consider attaching some information to the public key, such as the algorithm used by the public key, the owner of the public key (subject), the validity period of the public key, and so on. Such data structures are called PKCS10 packets.

For the subject of public key, we use a unique identifier (or DN-distinguished name) to identify the public key owner as uniquely as possible. The following is the PKCS10 data structure defined based on abstract syntax notation:

We already have the PKCS10 packet, in addition to the public key information, there is also the public key holder, the public key version number and other information. However, such a data structure does not have any authority. For example, one day a person named Richard wanted to pretend to be Bob, also generated a pair of public and private keys, and used the same public key theme to encapsulate the P10 data structure. Alice has no way to tell which is the public key of the real Bob.

In order to solve this problem, an authoritative third-party organization is needed to authenticate the data of P10 structure. It's like stamping an authoritative seal on the P10 file to prevent imitation. Such an authority is called CA (Certificate Authority) Digital Certificate Certification Authority. And how does CA stamp P10 data? It is very simple, which is the digital signature technology that we mentioned earlier:

① as shown in the figure above, the CA organization actually holds a private key. Generally speaking, CA will give special protection to this private key and strictly prohibit disclosure and embezzlement.

After ② Bob appends its public key with a series of information, it forms a P10 packet (request packet) and sends it to CA.

③ CA recognized Bob's identity by other means, such as viewing Bob's identity information. So use your own private key to sign the P10 request. (you may also make some simple changes to the data first, such as changing the validity period or theme, etc.)

The result of a signature like ④ is called a digital certificate.

Digital certificates also follow a format standard, which we call the X509 standard, as we generally refer to X509 certificates.

5 process of sending files based on digital certificates

Based on the digital certificate, let's take a look at how Bob sends Alice an undeniable, untampered file:

Step 1: Bob not only signs the file, but also attaches its own digital certificate. Send it to Alice together.

Step 2: Alice first uses the public key of CA to verify the certificate. If the verification is successful, extract the public key from the certificate and verify the signature of the file sent by Bob. If the verification is successful, the proof document is undeniable and untampered.

As you can see, based on the digital certificate, Alice no longer needs a public KeyStore to maintain the public key certificate of Bob (or someone else), as long as it holds the public key of CA. Digital certificates are widely used in e-commerce and electronic authentication, just like the × × in the computer world, which can prove the identity of enterprises, individuals, websites and other entities. At the same time, based on digital certificate, the technology of encryption algorithm can also support some secure interaction protocols (such as SSL).

Reference: https://yq.aliyun.com/articles/54155

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.