Principle of the digital certificate

By Manuel Porter, 2015-11-24 09:12

    This article first explains some basic knowledge and concepts of encryption and decryption, then uses an example of encrypted communication to illustrate the role of encryption algorithms and how digital certificates came about. It then explains digital certificates in detail, discusses the management of digital certificates in Windows, and finally demonstrates generating a digital certificate with makecert. If you find anything wrong, or anything not explained clearly enough, you are welcome to point it out!

    1, the basic knowledge

    This part mainly explains some concepts and terminology; it is best to understand this part first.

    1.1, the public key cryptosystem (public-key cryptography)

    A public-key cryptosystem consists of three parts: the public key, the private key, and the encryption/decryption algorithm. Its encryption and decryption processes are as follows:

    - Encryption: the content (the plaintext) is encrypted with the encryption algorithm and the public key to obtain the ciphertext. The encryption process requires the public key.

    - Decryption: the ciphertext is decrypted with the decryption algorithm and the private key to obtain the plaintext. The decryption process requires the decryption algorithm and the private key. Note that content encrypted with the public key can only be decrypted with the private key; that is, if you don't know the private key, content encrypted with the public key cannot be decrypted.

    The public key and the algorithm of a public-key cryptosystem are public (which is why it is called a public-key cryptosystem); the private key is kept secret. Everyone encrypts with the public key, but only the holder of the private key can decrypt. In practice, whoever needs one generates a pair of public and private keys, publishes the public key for others to use, and keeps the private key.

    1.2, symmetric encryption algorithm (symmetric key algorithms)

    In a symmetric encryption algorithm, the key used for encryption and the key used for decryption are the same. That is, encryption and decryption use the same key. So for a symmetric encryption algorithm to be secure, the key must be kept confidential, known only to the people who use it, and cannot be made public. This differs from a public-key cryptosystem, where encryption uses the public key and decryption uses the private key; in a symmetric encryption algorithm, encryption and decryption use the same key, with no distinction between public and private keys.

    // A key is generally a string or a number that is passed to the encryption/decryption algorithm during encryption or decryption. The public key and private key mentioned above for public-key cryptosystems are keys: the public key is the key used for encryption, and the private key is the key used for decryption.

    1.3, asymmetric encryption algorithm (asymmetric key algorithms)

    In an asymmetric encryption algorithm, the key used for encryption and the key used for decryption are not the same. The public-key cryptosystem described above is an asymmetric encryption algorithm: its public key and private key are different, that is, the encryption key and the decryption key differ, so it is an asymmetric encryption algorithm.

    1.4, introduction to RSA

    RSA is a public-key cryptosystem that is now very widely used. If you are interested in RSA itself, I will write a concrete introduction to RSA later when I have time.

    The RSA cryptosystem is a public-key cryptosystem: the public key is public, the private key is secret, and its encryption and decryption algorithms are public. Content encrypted with the public key can only be decrypted with the private key, and content encrypted with the private key can only be decrypted with the public key. That is, either key of an RSA key pair can be used to encrypt or decrypt, and content encrypted with one of them can be decrypted by, and only by, the other.

    1.5, signature and encryption

    When we say encryption, we mean encrypting some content so that the encrypted content can be restored by decryption. Take encrypting an e-mail as an example: the encrypted content is transmitted over the network, and the receiver, after receiving it, can restore the true content of the message by decrypting it.

    Here we mainly explain the signature. A signature is a piece of content appended to the information that can prove the information has not been modified. How is this achieved? Generally, a hash is computed over the information to obtain a hash value. Note that this process is irreversible; that is, the original content cannot be derived from the hash value. When the information is sent, the hash value is encrypted and sent together with the information as the signature. The receiving party, after receiving the information, recalculates the hash value of the information and compares it with the hash value attached to the information (after decrypting it). If they are consistent, the content of the information has not been modified, because the hash calculation ensures that different content produces different hash values, so as long as the content is modified, the hash value calculated from the content will change. Of course, a malicious person could modify the content and at the same time modify the hash value so that they match. To prevent this, the hash value is usually encrypted (that is, the signature) before being sent with the information, to ensure that the hash value is not modified. As for how others can decrypt the signature, that involves the concept of the digital certificate, which we explain in detail later; for now you only need to understand the concept of a signature.

    2, the evolution of an encrypted communication process

    Now let's look at an example. Assume that the "server" and the "customer" communicate over the network and are going to use RSA (see the introduction to RSA above) to encrypt their communication and keep the conversation secure. Since RSA is a public-key cryptosystem, the "server" needs to publish its public key (the algorithm does not need to be published; the RSA algorithm is known to all) and keep its private key. The "customer" obtains the public key published by the "server" in some way; the customer does not know the private key. Exactly how the "customer" obtains the public key is explained later; here we first look at how the two sides communicate confidentially:

    2.1 the first round:

    "Customer" -> "server": hello

    "Server" -> "customer": hello, I am a server

    "Customer" -> "server": ????

    Because the messages are transmitted over the network, someone could masquerade as the "server" and send messages to the customer. For example, the exchange above could be hijacked as follows:

    "Customer" -> "server": hello

    "Server" -> "customer": hello, I am a server

    "Customer" -> "hacker": hello // the hacker intercepts, on a router between the "customer" and the "server", the message the "customer" sends to the server, and pretends to be the "server"

    "Hacker" -> "customer": hello, I am a server

    So after receiving the message, the "customer" cannot be sure that it was sent by the "server"; some "hacker" could also claim to be the "server". How can the customer determine that the message comes from the "server"? There is a solution: because only the server has the private key, if it can be confirmed that the other party holds the private key, then the other party is the "server". So the communication process can be improved as follows:

    2.2 the second round:

    "Customer" -> "server": hello

    "Server" -> "customer": hello, I am a server

    "Customer" -> "server": prove to me you are the server

    "Server" -> "customer": hello, I am a server {hello, I am a server}[private key|RSA]

    // Note the convention used here: {} denotes content after RSA encryption, and [ | ] denotes which key and algorithm were used for the encryption. The later examples follow the same convention. For example, {hello, I am a server}[private key|RSA] above means the result of encrypting "hello, I am a server" with the private key.

    To prove to the "customer" that it is the "server", the "server" encrypts a string with its own private key and sends the plaintext together with the encrypted ciphertext to the "customer". In this example, it sends the string "hello, I am a server" together with that string encrypted with the private key, {hello, I am a server}[private key|RSA], to the customer.

    After receiving the information, the "customer" decrypts it with the public key it holds and compares the result with the plaintext; if they agree, the information was sent by the server. That is, the "customer" decrypts {hello, I am a server}[private key|RSA] with the public key and then compares the result with "hello, I am a server". Because content encrypted by the "server" with the private key can be decrypted by, and only by, the public key, and the private key is held only by the "server", if the decrypted content matches, the information comes from the "server".

    Suppose a "hacker" wants to pretend to be the "server":

    "Hacker" -> "customer": hello, I am a server

    "Customer" -> "hacker": prove to me you are the server

    "Hacker" -> "customer": hello, I am a server {hello, I am a server}[???|RSA] // the hacker cannot impersonate the server here, because he does not know the private key and so cannot encrypt a string with it and send it to the customer to verify.

    "Customer" -> "hacker": ????

    Since the "hacker" does not have the "server"'s private key, the "customer" cannot decrypt what it sends with the server's public key, and can therefore identify the other party as an impostor!

    At this point the "customer" can confirm the identity of the "server" and can communicate with it with confidence. But there is a problem: the content of the communication on the network is still not confidential. Why not? Can't the communication be encrypted with the public and private keys? Actually, using only the RSA private key and public key is not enough. Let's analyse the process specifically; see the following exchange:

    2.3 the third round:

    "Customer" -> "server": hello

    "Server" -> "customer": hello, I am a server

    "Customer" -> "server": prove to me you are the server

    "Server" -> "customer": hello, I am a server {hello, I am a server}[private key|RSA]

    "Customer" -> "server": {my account is aaa, the password is 123, send me my balance information so I can see it}[public key|RSA]

    "Server" -> "customer": {your balance is RMB 100}[private key|RSA]

    Note the message {your balance is RMB 100}[private key|RSA] above. This is content encrypted by the "server" with the private key, but as we said before, the public key is published, so everyone knows it; besides the "customer", other people can also use the public key to decrypt {your balance is RMB 100}[private key|RSA]. So if the "server" encrypts what it sends to the "customer" with the private key, the information is not secret, because anyone with the public key can decrypt it. However, the "server" cannot encrypt what it sends with the public key either, because the "customer" has no private key and could not decrypt it.

    So how is this problem solved? In practice, symmetric encryption is usually introduced to solve it; see the following exchange:

    2.4 the fourth round:

    "Customer" -> "server": hello

    "Server" -> "customer": hello, I am a server

    "Customer" -> "server": prove to me you are the server

    "Server" -> "customer": hello, I am a server {hello, I am a server}[private key|RSA]

    "Customer" -> "server": {from now on let's use symmetric encryption for our communication; here is the symmetric encryption algorithm and key}[public key|RSA] // "here is the symmetric encryption algorithm and key" stands for the actual algorithm and key, which the customer sends to the server.

    "Server" -> "customer": {OK, received!}[key|symmetric encryption algorithm]

    "Customer" -> "server": {my account is aaa, the password is 123, send me my balance information so I can see it}[key|symmetric encryption algorithm]

    "Server" -> "customer": {your balance is RMB 100}[key|symmetric encryption algorithm]

    In the communication above, after the "customer" has confirmed the identity of the "server", the "customer" chooses a symmetric encryption algorithm and a key, encrypts them with the public key, and sends them to the "server". Note that because the symmetric encryption algorithm and key are encrypted with the public key, even if the encrypted content is intercepted by a "hacker", the "hacker" has no private key and so cannot learn the symmetric encryption algorithm and key.

    Because it is encrypted with the public key and only the private key can decrypt it, only the server can learn the symmetric encryption algorithm and key; nobody else can (the "customer" chose the symmetric encryption algorithm and key itself, so it of course knows how to encrypt and decrypt). The "server" and the "customer" can then use the symmetric encryption algorithm and key to encrypt the content of their communication.

    To summarize, the RSA encryption algorithm plays two main roles in this communication process:

    - Because only the "server" has the private key, the "customer" can judge whether the other party is the "server" by determining whether it holds the private key.

    - Under the cover of RSA, the customer securely agrees with the server on a symmetric encryption algorithm and key, which secure the content of the subsequent communication.

    If you understand why RSA is not used to encrypt the communication itself, and why a symmetric encryption algorithm is agreed on instead to secure the communication, then you have understood the content so far. (If it is not clear, re-read 2.3 and 2.4; if it is still not clear, then we probably did not explain it clearly enough, and you can leave a message to ask questions.)

    At this point the "customer" can confirm the identity of the "server", and the content of the communication between the two sides can be encrypted; even if others intercept the communication, they cannot decrypt it. Such a communication process is indeed relatively secure.

    But there is still a problem. At the beginning we said that the "server" must publish its public key; how does the "server" get the public key to the "customer"? Our first reaction might be one of the following two methods:

    A) Put the public key at a download address somewhere on the Internet, for the "customer" to download in advance.

    B) Each time communication with a "customer" begins, the "server" sends the public key to the "customer".

    But both methods have problems.

    For method a), the "customer" cannot determine that the download address was published by the "server". Why should you believe that what you download from this address was published by the "server" rather than forged by someone else? What if you download a fake? In addition, requiring every "customer" to download the public key before communicating is not realistic.

    Method b) also has a problem: anyone can generate their own pair of public and private keys, and just by sending their own public key to the "customer" they can pretend to be the "server". This is illustrated as follows:

    "Customer" -> "hacker": hello // the hacker intercepts the message the "customer" sent to the "server"

    "Hacker" -> "customer": hello, I am a server, this is my public key // the hacker generates a pair of public and private keys, sends the public key to the "customer" and keeps the private key

    "Customer" -> "hacker": prove to me you are the server

    "Hacker" -> "customer": hello, I am a server {hello, I am a server}[hacker's own private key|RSA] // the customer receives information that the "hacker" encrypted with its private key and can decrypt it with the public key the "hacker" sent, and so mistakes the "hacker" for the "server"

    So a "hacker" only needs to generate a pair of public and private keys, send the public key to the "customer" and keep the private key. The "customer" can then use the hacker's public key to decrypt content encrypted with the hacker's private key, and will believe that the "hacker" is the "server", which leads to a security problem. The root of the problem is that everyone can generate a public/private key pair, and there is no way to confirm whom a public key belongs to. If you could determine whom a public key belongs to, there would be no problem. For example, on receiving a public key sent by a "hacker" pretending to be the "server", you could check it and discover that the public key does not belong to the "server".

    To solve this problem, digital certificates appeared; they solve the problem above. First, let's look at what a digital certificate is. A certificate contains the following specific content:

    - The issuer of the certificate

    - The validity period of the certificate

    - The public key

    - The certificate owner (the Subject)

    - The algorithm used for the signature

    - The fingerprint and the fingerprint algorithm

    The contents of the certificate are explained in detail later. Here you only need to be clear on one point: a digital certificate ensures that the public key in it really belongs to the certificate's owner (the Subject); in other words, a certificate can be used to confirm the other party's identity. That is, when we get a digital certificate, we can determine whose it is. How this is determined is explained in detail later, when digital certificates are discussed. With a digital certificate, the previous communication process becomes the following:

    2.5 the fifth round:

    "Customer" -> "server": hello

    "Server" -> "customer": hello, I am a server, here is my digital certificate // the certificate replaces the public key here

    "Customer" -> "server": prove to me you are the server

    "Server" -> "customer": hello, I am a server {hello, I am a server}[private key|RSA]

    Note that in the second message the "server" sends its certificate to the "customer" rather than its public key. The "customer" can check from the certificate whether it belongs to the "server", that is, whether the owner of the certificate is the "server", and so confirm that the public key in the certificate is the "server"'s. The rest of the process is the same as before: the "customer" asks the "server" to prove its identity; the "server" encrypts some content with its private key and sends it together with the plaintext to the "customer"; the "customer" decrypts the encrypted content with the public key from the digital certificate and compares it with the plaintext; if they agree, the other party is indeed the "server"; then the two sides agree on a symmetric encryption to secure the rest of the communication. The whole process is now complete; let's review it:

    2.6 the complete process:

    Step1: the "customer" sends a communication request to the server

    "Customer" -> "server": hello

    Step2: the "server" sends its own digital certificate to the customer. The certificate contains a public key used to encrypt information; the private key is held by the "server"

    "Server" -> "customer": hello, I am a server, here is my digital certificate

    Step3: after receiving the "server"'s certificate, the "customer" checks whether the digital certificate really belongs to the "server" and whether there is any problem with it. If the check passes, the public key in the digital certificate is indeed the "server"'s. After checking the digital certificate, the "customer" sends a random string to the "server" for it to encrypt with its private key; the server returns the encrypted result to the "customer", and the "customer" decrypts the returned result with the public key. If the decrypted result agrees with the random string generated before, the other party is indeed the holder of the private key, in other words, the other party is the "server".

    "Customer" -> "server": prove to me you are the server, here is a random string // the earlier examples used content such as "hello" for ease of explanation; in practice a random string is generally generated.

    "Server" -> "customer": {a random string}[private key|RSA]

    Step4: after verifying the identity of the "server", the "customer" generates a symmetric encryption algorithm and key to be used for encrypting and decrypting the subsequent communication. The "customer" encrypts the symmetric encryption algorithm and key with the public key and sends them to the "server"; it is useless for others to intercept this, because only the "server" holds the private key that can decrypt it. After this, the "server" and the "customer" can use the symmetric encryption algorithm to encrypt and decrypt the content of their communication.

    "Server" -> "customer": {OK, I have received the symmetric encryption algorithm and key from you! What can I do for you?}[key|symmetric encryption algorithm]

    "Customer" -> "server": {my account is aaa, the password is 123, send me my balance information so I can see it}[key|symmetric encryption algorithm]

    "Server" -> "customer": {hello, your balance is RMB 100}[key|symmetric encryption algorithm]

    ...... // other communication
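
    Steps 2 to 4 above, together with the two impersonation attempts from 2.4 and 2.5, as an added example (not code from the original article). It assumes textbook RSA on small constructed primes, a SHA-256 keystream as a stand-in symmetric cipher, and a certificate check done by verifying an issuer's signature over the subject and public key; the article defers that last detail, and all names here are hypothetical.

```python
import hashlib
import secrets

E = 65537  # public exponent shared by all toy keys

def make_keypair(p, q):
    """Textbook RSA from two known primes (toy sizes): (public, private)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))

def digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(data, priv):        # hash, then "encrypt" the hash with the private key
    n, d = priv
    return pow(digest(data, n), d, n)

def verify(data, sig, pub):  # "decrypt" with the public key, compare hashes
    n, e = pub
    return pow(sig, e, n) == digest(data, n)

def cert_body(subject, pub):
    return f"{subject}|{pub[0]}|{pub[1]}".encode()

def issue_cert(subject, pub, issuer_priv):
    return {"subject": subject, "pub": pub,
            "sig": sign(cert_body(subject, pub), issuer_priv)}

def keystream_xor(key, data):
    """Stand-in symmetric cipher: XOR with a SHA-256 counter keystream."""
    stream = b"".join(hashlib.sha256(key + bytes([i])).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

class Peer:
    """Whoever answers the customer: holds a private key, presents a certificate."""
    def __init__(self, priv, cert):
        self.priv, self.cert = priv, cert
    def prove(self, challenge):          # {random string}[private key|RSA]
        return sign(challenge, self.priv)
    def receive(self, wrapped_key, ciphertext):
        n, d = self.priv                 # only the private key unwraps the session key
        key = pow(wrapped_key, d, n).to_bytes(16, "big")
        return keystream_xor(key, ciphertext)

def customer_session(peer, issuer_pub, message=b"my account is aaa"):
    cert = peer.cert                                       # Step2
    if cert["subject"] != "server" or not verify(
            cert_body(cert["subject"], cert["pub"]), cert["sig"], issuer_pub):
        return "rejected: certificate"
    challenge = secrets.token_bytes(16)                    # Step3
    if not verify(challenge, peer.prove(challenge), cert["pub"]):
        return "rejected: no proof of private key"
    key = secrets.token_bytes(16)                          # Step4
    n, e = cert["pub"]
    wrapped = pow(int.from_bytes(key, "big"), e, n)        # {key}[public key|RSA]
    return peer.receive(wrapped, keystream_xor(key, message))

# Constructed toy keys from Mersenne primes; far too small for real use.
CA_PUB, CA_PRIV = make_keypair(2**127 - 1, 2**89 - 1)
SRV_PUB, SRV_PRIV = make_keypair(2**107 - 1, 2**61 - 1)
HCK_PUB, HCK_PRIV = make_keypair(2**89 - 1, 2**61 - 1)
SERVER_CERT = issue_cert("server", SRV_PUB, CA_PRIV)
genuine = Peer(SRV_PRIV, SERVER_CERT)
self_made = Peer(HCK_PRIV, issue_cert("server", HCK_PUB, HCK_PRIV))  # signs own cert
replayed = Peer(HCK_PRIV, SERVER_CERT)   # resends the real certificate
if __name__ == "__main__":
    for peer in (genuine, self_made, replayed):
        print(customer_session(peer, CA_PUB))
```

    The self-made certificate fails the issuer check, and the replayed genuine certificate passes it but fails the random-string challenge, which is why the process needs both checks.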

    2.7 other issues:

    The process above is already very close to the real HTTPS communication process, and the working principle of HTTPS can be understood entirely on its basis. However, for ease of explanation I left out some details above; readers who are interested can read this part. You can also skip it; it doesn't matter.

    "Question 1"

    As said above, after checking the certificate, the "customer" sends a random string to the "server" for it to encrypt with the private key, in order to determine whether the other party really holds the private key. But there is a problem: a "hacker" can also send a string to the "server" to encrypt and obtain the encrypted content. This is not secure for the "server", because a hacker can send some simple, regular strings for the "server" to encrypt in order to find patterns in the encryption, which could threaten the
