Shulou(Shulou.com)06/01 Report--

These terms are often mentioned in the secure communication between network and operating system: RSA, public key, private key, CA, digital signature, digital certificate.

I have found a lot of information, but few of them are comprehensive in terms of doubts and difficulties. However, if we do not explain these clearly, it is difficult to have a clear understanding and understanding.

I also try this way now. I can summarize it myself so that I can check it later. At the same time, I also hope to help some people avoid detours and save time for baidu, google and RFC.

Symmetric and asymmetric, public and private keys:

There are two ways of encryption: symmetric encryption and asymmetric encryption.

Symmetric encryption: the encryption key is also called the public key and the decryption key (also known as the private key) is the same. It is characterized by open algorithm, small amount of computation, fast encryption speed and high encryption efficiency.

Asymmetric encryption: encryption and decryption use two different keys, so this algorithm is called asymmetric encryption algorithm. RSA is an asymmetric encryption algorithm.

RSA is the initials of the three experts who studied the algorithm.

In the encryption algorithm, the public key is used to encrypt the data and the private key is used to decrypt the data. Of course, this can also be understood intuitively:

A public key is a public key that can be used to encrypt data only when it is made public. A private key is a private key, and whoever has it can decrypt the ciphertext.

In the signature algorithm, the private key is used to sign the data, and the public key is used to verify the signature. This can also be understood intuitively:

To sign a document, of course, use the private key, because we hope that only we can complete the signature. The verification process certainly wants everyone to be able to perform it.

When you see that the signature can be verified, it is proved that I did sign it myself. If you encrypt it with a private key, everyone can find the public key and decrypt it, so it can't be called encryption and decryption.

Digital signature

The digital signature is not to sign a word to prove that it is mine, but to do a mathematical calculation. Digital signature (Digital Signature) is to first Hash the content of the message to get a string of numbers, and then encrypt the number with the private key.

The digital signature serves two purposes: to prove that you sent the message, and to prove that the message is indeed complete. (authentication and integrity).

Hash the message (either md5 or sha1), then encrypt the hash with your private key as a signature, and publish it together

When someone receives your announcement, he can use your public key to decrypt your signature, if the decryption is successful, and the decrypted hash value is indeed the same as your original announcement.

Then he proved two points: you did send this message, and the content is complete.

When we download files on the Internet, we often have a long string of character MD5 values. After we download the data, linux can check it with md5sum and compare the value of the command output with the MD5 value on the website. If consistent, the file is downloaded completely. If it is inconsistent, the downloaded file has changed. Windows can be verified by software such as winmd5.

3. Digital Certificate Digital Certificate and Certificate Authority Certificate Authority

The "server" wants to publish the public key, so how does the "server" send the public key to the "client"? In our first reaction, we may think of the following two ways:

A) put the public key at a download address somewhere on the Internet and download it to the "customer" in advance.

B) each time the server begins to communicate with the client, the server sends the public key to the client.

But there are some problems with both methods.

As for the a) method, the "customer" is unable to determine whether the download address is published by the "server". Why do you believe that the download from this address is published by the "server" and not forged by others? what if you download it to a fake one? In addition, it is also unrealistic to require all "customers" to download the public key before communicating.

For the b) method, there is also a problem, because anyone can generate a pair of public and private keys himself, and he can pass himself off as a "server" by sending his own private key to the "client".

In order to solve this problem, the digital certificate appeared, which can solve the problem above us. Let's take a look at what a digital certificate is. A certificate contains the following details:

The algorithm used by the public key certificate owner (Subject) to sign the certificate of the certificate's issuer

Fingerprint and fingerprint algorithm

In addition to issuing certificates to others, certificate publishers also have their own certificates. Where did the certificate issuer get the certificate?

The digital certificate of this certificate issuer (usually generated by himself) when our operating system is first installed (such as windows xp and other operating systems)

The digital certificates of these certificate publishers have been installed in the operating system by Microsoft (or other operating system development organizations).

Microsoft and other companies will select certificate publishers with good reputation and pass certain security certification according to the evaluation of some authoritative security organizations.

The certificates of these certificate publishers are installed in the operating system by default and are set as digital certificates trusted by the operating system.

These certificate issuers hold their own private keys corresponding to their own digital certificates, which he uses to encrypt the fingerprints of all certificates he has issued as digital signatures.

Summary of digital certificates:

Two premises: CA can be trusted (CA is a real company with credibility). Microsoft has installed CA's digital certificate (public key) in the operating system by default, that is, there is a CA public key in the operating system.

The server requests a digital certificate from CA. CA generates the server's digital certificate (which contains the server's public key) and private key to the server. The client requests a web page, and then the client receives a message and a digital certificate from the server. The client uses the CA public key to unlock the server digital certificate and get the server public key.

With the server public key, the client can unlock the server's encrypted web page.

How to create your own certificate

Each certificate publisher has its own tool for creating certificates, and different types of certificates have certain formats and specifications. Microsoft provides us with a tool for creating certificates, makecert.exe, which will be installed when installing Visual Studio. It doesn't matter if you don't have it installed, you can go online to the next one and search makecert. Certificate creation tool (Makecert.exe).

+ +

1. Typesetting is a bit troublesome. It takes time to make it look good.

two。 There is a gap between what you think and what you write.

+ +

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.