Shulou(Shulou.com)06/02 Report--

How to understand X.509, aiming at this problem, this article introduces the corresponding analysis and answer in detail, hoping to help more partners who want to solve this problem to find a more simple and feasible way.

Many developers may find the word X.509 as strange as I do, but in fact, we often deal with it, which is a typical "everyday but unknown" thing.

So what is X.509?

X.509 is a standard format for digital certificates.

It is widely used, and now the SSL certificate that HTTPS relies on uses the X.509 format. That is to say, every time we open a website at the beginning of https, we will use it.

Format standard

In a nutshell, the format standard is like the specification when writing HTML files: declare the document type at the beginning, html as the root tag, meta-information in the head tag, page content in the body tag, and so on.

Of course, this example is not so appropriate, because in fact, html file browsers that are not written in this format can parse it.

A more appropriate example would be the JSON file format, which stipulates that nested relationships must use curly braces, arrays must use square braces, strings must use double quotation marks, and so on, if a rule is violated, then it cannot be parsed correctly.

What is the specific content of this standard?

The format specified by X.509 is roughly as follows:

Version number serial number signature algorithm issuer certificate validity date end date subject public key information subject public key algorithm subject public key issuer unique identity information (optional) topic unique identity information (optional) extended information (optional) signature

The following picture shows the X.509 certificate information of a website.

Digital certificate

So what is a digital certificate?

To put it simply, a digital certificate is a network created by an encryption algorithm to prove the true identity of the communicating party.

This "× ×" production process is also very interesting. It is not issued by a single organization, but is issued layer by layer.

For example, if A holds a trusted certificate, the certificate it issues to B is also trusted, and the certificate issued by B to C is also trusted.

Both An and B are called certification bodies, referred to as CA (Certificate authority).

Root certificate | intermediary certificate | Terminal certificate

Root certificates: usually pre-installed in operating systems and browsers, are jointly produced by large companies and governments (users can also make their own, but there are security risks), as the starting point of the certificate chain.

Intermediary certificate: the CA that holds the intermediary certificate is mainly responsible for issuing certificates to the terminal. These terminal certificates are both free and free. The general useful life of the free terminal certificate is one year.

Terminal certificate: terminal certificate is generally the certificate that we can see on the browser, which is usually used in specific website services. Such certificates will no longer be used to issue new certificates.

Each certificate can be traced up the tree to the root certificate, forming a chain of trust.

For example, the following figure is the trust chain information of a website certificate.

The content about X.509 is shared.

But the doubt in my heart drives me to continue to explore, is this certificate reliable?

What if * forged a certification body to issue a certificate to * website?

Security mechanism

The certificate uses an asymmetric encryption mechanism to ensure that the information is not stolen and copied.

Encryption technology

Here is a little explanation of asymmetric secrets, let's start with cryptography.

In fact, the need for information encryption has always existed. Since ancient times, various technologies have been used to encrypt important information, but the degree of encryption security in ancient times is based on encryption.

In other words, if others know the encryption method, then they can decrypt the ciphertext information.

The security of modern encryption technology lies in the security of the key, that is to say, the encryption method (algorithm) is public, as long as the key is not stolen or disclosed, the information is secure.

Although there are many encryption algorithms, they can be divided into two categories: symmetric encryption and asymmetric encryption.

Both sides of symmetric encryption use the same key for encryption and decryption, while asymmetric encryption requires different keys for encryption and decryption.

Use an encryption algorithm to generate public and private key pairs. The private key is usually a file with the suffix .key, and the public key is stored in a file that ends with .csr.

Add some information such as expiration date to the .csr file, the issuer, and sign the certificate with your own private key. This generates a certificate that conforms to the X.509 format.

After receiving the certificate, the user deploys it on the web server (or load balancer and other devices).

SSL certificate

There are a variety of certificates that conform to the X.509 format. Take the SSL certificate as an example.

A common scenario would be like this:

The client, such as the browser, sends a request to the server, and the server sends a certificate to the other side in order to prove its identity.

The browser reads the digital signature part of the certificate and decrypts it with the corresponding public key certificate in its root certificate list. If the decryption is successful and the hash value of the certificate matches the hash value in the signature, it can be proved that the certificate provided by the site was indeed issued by the CA root certificate, otherwise a risk hint is given.

The subsequent communication between the server and the browser will use the new symmetric encryption algorithm and random key to encrypt the information.

Certificates play an important role in the whole process, so can we obtain communication content through theft and forgery?

Steal. First of all, the certificate can of course be stolen, because it is public, but after obtaining the certificate, it can only communicate with the server and cannot be used to steal other information. As for the private key of the certificate is stored in the server, it is even less likely to be stolen at will.

Forgery. If someone forges a website certificate, the browser will fail to verify the certificate information when querying CA.

So it's absolutely safe? No ~

There is no solution to the case of DNS hijacking. For example, if the browser gives a fake certificate when visiting a website, and then visits a fake website when verifying the certificate to CA, the certificate may be verified. Thus * * can be used as an intermediary to obtain and forward the data of both parties.

From generation to use, the SSL certificate involves three encryption and decryption processes:

When the certificate is generated, the private key is used to sign, and when the certificate is verified, the public key is used to decrypt.

After confirming that the certificate is valid, the public key in the certificate is used for encryption, and the server uses the private key to decrypt it.

Both parties use the newly generated random key to encrypt and decrypt the data.

Use a structure diagram to show the relationship between HTTPS and X.509:

HTTPS /\ HTTP TLS/SSL /\ Communication content confirmation identity symmetric encryption SSL certificate-X.509 format, asymmetric encryption questions on how to understand X.509 is shared here, I hope the above content can be of some help to you, if you still have a lot of doubts to be solved, you can follow the industry information channel for more related knowledge.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.