There is simply no HTTPS protocol in the world, only the HTTP protocol. - A certain Zhihu user

One day, I received an instruction from my lead: learn about the principles behind X.509.

Many developers may, like me, find the term X.509 unfamiliar, yet we deal with it all the time; it is a typical thing we "use daily without knowing it".

So what is X.509?
X.509 is a standard format for digital certificates.
The SSL certificates that the now widely used HTTPS relies on are in X.509 format. This means it is used every time we open a site whose address begins with https.

Format Standard

Simply put, a format standard is like the conventions for writing an HTML file: the document type declaration comes first, html is the root tag, meta information goes in the head tag, the page content goes in the body tag, and so on.
Of course, this example is not quite appropriate, because a browser can in fact still parse an HTML file that is not written according to this format.
A more appropriate example is the JSON file format, which specifies that nesting must use braces, arrays must be enclosed in brackets, strings must be enclosed in double quotes, and so on; if any rule is violated, the file cannot be parsed correctly.

So what does this standard actually specify?
The X.509 format is defined as follows:

Version number
Serial number
Signature algorithm
Issuer
Validity period
  Start date
  End date
Subject
Subject public key information
  Public key algorithm
  Subject public key
Issuer unique identifier (optional)
Subject unique identifier (optional)
Extensions (optional)
Signature

The figure below shows the X.509 certificate information of a site.

certificate.jpg

Digital Certificates

So what is a digital certificate?
Simply put, a digital certificate is a "×××" for the network, created with encryption algorithms, that proves the true identity of the communicating parties.
The way this "×××" is produced is also interesting: it is not issued by one unified organization, but issued layer by layer.
If A holds a trusted certificate, then the certificate it issues to B is also trusted, and the certificate B issues to C is trusted as well.
The overall structure resembles the "tree" data structure, in which A's certificate is the "root certificate", B's is the "intermediate certificate", and C's is the "end-entity certificate".
A and B are both called certificate authorities, abbreviated CA (certificate authority).

    Root certificate
           |
Intermediate certificate
           |
 End-entity certificate

  • Root certificate: usually pre-installed in operating systems and browsers and produced jointly by large companies and governments (users can also create their own, but that carries a security risk); it is the starting point of the certificate chain.
  • Intermediate certificate: a CA holding an intermediate certificate is responsible for issuing end-entity certificates. End-entity certificates may be paid or free; free ones are generally valid for one year.
  • End-entity certificate: generally the certificate we can view in the browser, usually serving one specific site. This kind of certificate is not used to issue new certificates.

Each certificate can be traced back up the tree to the root certificate, forming a chain of trust.
For example, the figure below shows the trust chain information for one site's certificate.

certificate-chain.jpg

That about wraps up what there is to share on X.509.

But the doubt in my mind drives me to keep exploring this certificate.
What if the Certificate Authority *** *** fake website certificates?

Security Mechanism

Certificates use asymmetric encryption to ensure that information is not stolen or copied.

Encryption

Before explaining asymmetric encryption, let us talk a little about cryptography.

The need to encrypt information has always existed. From ancient ××× onward, various techniques were used to encrypt important information, but the security of ancient encryption rested on the encryption method itself.

In other words, anyone who knows the encryption method can decrypt the ciphertext.

The security of modern encryption lies in the key: the encryption method (the algorithm) is public, and as long as the key is not stolen or leaked, the information is safe.

Although there are many encryption algorithms, they fall roughly into two categories: symmetric encryption and asymmetric encryption.

In symmetric encryption, both communicating parties encrypt and decrypt with the same key; asymmetric encryption requires different keys for encryption and decryption.

Now back to the certificate issuance process. Many cloud vendors offer a service for requesting digital certificates, which submits an application to a CA. After receiving the application, the CA does the following:

  1. Uses an encryption algorithm to generate a public/private key pair. The private key is generally stored in a file with the .key extension, and the public key in a file ending in .csr.
  2. Adds some information to the .csr file, such as the expiration date and the issuer, and signs the certificate with its private key. This produces a certificate in X.509-compliant format.
  3. After receiving the certificate, the user deploys it on a web server (or a load balancer or similar device).

SSL Certificates

Many kinds of certificates conform to the X.509 format; here we take SSL certificates as the example.

A common scenario looks like this:

  1. The client, such as a browser, sends a request to the server; to prove its identity, the server sends its certificate to the client.
  2. The browser reads the digital signature section of the certificate and decrypts it with the public key of the corresponding root certificate in its own root certificate list. If decryption succeeds and the certificate's hash value matches the hash value in the signature, this proves that the certificate the site provided was indeed issued by that root CA; otherwise a risk warning is shown.
  3. After verification passes, the browser uses the certificate's public key to encrypt a random number and a symmetric encryption algorithm and sends them to the server; the server decrypts them with its private key to obtain the key and the encryption algorithm.
  4. In subsequent communication with the browser, the server uses the new symmetric encryption algorithm and the random key to encrypt information.

The certificate plays an important role throughout this process. Can the communication content be obtained by stealing or forging it?

  • Steal. The certificate can of course be stolen, since it is public, but with only the certificate one can merely communicate with the server; it cannot be used to steal other information, because the certificate's private key is stored on the server and cannot easily be stolen.
  • Forge. If someone forges a site certificate, it will fail when the browser checks the information against the CA certificate.

So is it absolutely safe? Definitely not ~

There is still no solution in the case of DNS hijacking. For example, a browser accessing a site is given a fake certificate, and when it goes to verify against the CA certificate it is also directed to a fake website, so the certificate may pass verification. *** can thus sit between the two sides as an intermediary, obtaining and forwarding the data.
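
The signature check from step 2, the walk up the chain of trust, and the forgery case above, as an added example that is not part of the original article. It uses textbook RSA over constructed toy keys (Mersenne primes, no padding, unfit for real use) and simplified dict "certificates"; every name in it is an assumption.

```python
import hashlib

E = 65537  # public exponent for every toy key

def make_key(p, q):
    """Textbook RSA from two primes; returns (n, d). Toy-sized, no padding."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))

def digest(cert, n):
    """Hash the signed fields (everything except the signature), reduced mod n."""
    body = "|".join(str(cert[k]) for k in ("subject", "issuer", "pubkey", "is_ca"))
    return int.from_bytes(hashlib.sha256(body.encode()).digest(), "big") % n

def issue(subject, subject_n, is_ca, issuer, issuer_key):
    """The issuer signs the subject's fields with its private key (n, d)."""
    n, d = issuer_key
    cert = {"subject": subject, "issuer": issuer, "pubkey": subject_n, "is_ca": is_ca}
    cert["signature"] = pow(digest(cert, n), d, n)
    return cert

def verify_chain(chain, trust_store):
    """chain runs end-entity -> root; trust_store maps a root name to its public n."""
    for i, cert in enumerate(chain):
        if i + 1 < len(chain):
            parent = chain[i + 1]
            if parent["subject"] != cert["issuer"] or not parent["is_ca"]:
                return False  # wrong issuer, or the issuer may not sign certificates
            issuer_n = parent["pubkey"]
        else:
            issuer_n = trust_store.get(cert["issuer"])  # anchor in the local store
            if issuer_n is None:
                return False
        # "Decrypt" the signature with the issuer's public key and compare hashes
        if pow(cert["signature"], E, issuer_n) != digest(cert, issuer_n):
            return False
    return True

def M(k):  # 2**k - 1 is a Mersenne prime for k in {61, 89, 107, 127}
    return 2**k - 1

# Constructed keys and certificates (illustrative only)
root_key, inter_key = make_key(M(127), M(107)), make_key(M(107), M(89))
leaf_key, rogue_key = make_key(M(89), M(61)), make_key(M(127), M(61))
root = issue("Root CA", root_key[0], True, "Root CA", root_key)
inter = issue("Intermediate CA", inter_key[0], True, "Root CA", root_key)
leaf = issue("www.example.test", leaf_key[0], False, "Intermediate CA", inter_key)
forged = issue("www.example.test", rogue_key[0], False, "Intermediate CA", rogue_key)
child = issue("sub.example.test", rogue_key[0], False, "www.example.test", leaf_key)
TRUST = {"Root CA": root_key[0]}
```

`verify_chain([leaf, inter, root], TRUST)` succeeds, while the `forged` certificate (signed with a key the intermediate CA does not hold) and the `child` certificate (issued by an end-entity certificate) are both rejected.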

Summary

Generating and using an SSL certificate involves three encryption and decryption processes:

  1. When the certificate is generated it is signed with the private key; when the certificate is verified it is decrypted with the public key.
  2. After the certificate is confirmed valid, data is encrypted with the certificate's public key and decrypted with the server's private key.
  3. Both sides use the newly generated random key to encrypt and decrypt data.

The relationship between HTTPS and X.509 can be shown with this structure:

            HTTPS
          /       \
       HTTP     TLS/SSL
               /        \
Communication content    Identity verification
Symmetric encryption     SSL certificate - X.509 format, asymmetric encryption