Recently Session will look at the things hijack, hijacking has already been realized, yahoo and some did not use Https agreement mailbox is successfully hijacked (issued no later article), because of the Https not familiar with, so I looked Https why can not hijack the conversation .
SSL is mainly described in this article relates to the "digital certificates" this stuff.
1. What is a digital certificate?
Digital certificate is an authoritative electronic document. It provides a verify your identity on the Internet the way, and its role in daily life like driving license or ID card drivers. It consists of a certificate by the authority authorized ---- CA (Certificate Authority) issued by the center, people can use it to identify the identity of the other exchanges with the Internet. Of course, digital certificate authentication process, the Certificate Authority (CA) as the authoritative, impartial, credible third parties, whose role is crucial.
Ok, know what is the digital certificate, take a look at it long what it:>, a thumbnail file as follows:
Double-click to open the following:
2. CA CB / CA Certification Center
What 1. CA Certification Center is?
CA Certification Center is responsible for issuing, agency management, digital certificate authentication, Internet-based platform for the establishment of a fair, authoritative and credible third-party organizations.
2. CA Certification Center on the world more than one, then what is the relationship between them (the relationship between the CA Certification Center)?
Ah, answering this question can take a look at the following figure:
Can be seen from the figure, between a certification authority CA is a tree, a root certification authority CA may authorize a plurality of two authentication center CA, empathy two authentication center CA may authorize a plurality of level 3 CA Certification Center ... If you are a digital certificate applicant (for example: Bank of Communications), you can root CA certificate to the center, or two, CA request a digital certificate authentication center three levels, it is no limit, when you succeed after the application, you will be called a digital certificate owners. It is worth noting that the root CA certificate center is more, that there will be more trees this tree. FireFox record some information which default root CA certificate authority, as:
See here, surely someone will ask, if there is now established a new root CA certificate authority, FireFox is certainly no information that the CA Certification Center (This information is used to verify the sub-CA certificate authority, it is important to be back We talked about), how to do it? Ah ~ ~ Indeed, if suddenly set up a new CA Certification Center where today 2009-1-8 day, which I certainly did not he FireFox information! But the solution is still there, fancy map, you can find a "Import" button, and when we encounter such a misfortune, only themselves to download and import the root CA certificate information center (in fact, doing so is less secure !), or the expected FireFox upgrade will upgrade the information, but I'm not sure of this.
3. Why CA Certification Authority is authoritative?
After the fact, understand this problem, you will truly understand "how CA certification center is to empower sub-CA certificate authority?", "Why forged digital certificate is invalid," "Why digital certificate is an authoritative electronic document "and so a series of problems. And SSL can be said to establish authority in the CA Certification Center, just and based on reliable, CA authentication center if the information can be forged, then everything would be finished with SSL ......
First, let's take a look at the information in the record of FireFox CA certification center in the end is what? ? Pictured above, click an item, Export Export Export .... You will see something very familiar, but it was a digital certificate! !
Virtually every CA Certification Center / digital certificate owners, they all have a digital certificate, and their own RSA public and private keys, these are their parent CA Certification Center issued to them, probably here to explain RSA , the RSA is an asymmetric encryption algorithm, its public and private keys are paired, if the public key encryption, a private key to decrypt the plaintext can be obtained; if private key encryption, decryption with the public key can be obtained the original plaintext, which is determined by the characteristics of the RSA, he effect can be summarized by the following chart:
For private key: CA Certification Center / digital certificate owner to save themselves, not public.
For the public: his presence in the digital certificate authentication center CA CA's public key certification center / digital certificate owners will.
(1) First, CA Certification Center / digital certificate for all its manifestations on the network can only be a digital certificate! So we can put some sheets of digital certificates is equivalent to an authentication center CA / digital certificate owners. In this case, verify the legitimacy of a digital certificate can determine whether the CA authentication center / owner of the digital certificate is legitimate! ! !
(2) digital certificates using digital signatures for verification! Here briefly explain the process of a digital signature: Your derived from Firefox / IE digital certificate contains three parts: the certificate content (F), the encryption algorithm (A), F encrypted ciphertext (F ') (structure of digital certificates will first Details of three parts), where, a is not an algorithm, but two, the ciphertext F 'F is the result of twice-encrypted.
First of all, F is SHA1 hashing algorithm to calculate the hash value h1 (called the Summary of 128bit), then h1 would be released this CA certification authority digitally signed with a private key for RSA encryption Note: This digital signature is released CA certification Authority, if now encrypted digital certificate is a Grade II listed CA certification bodies, then used to encrypt this certificate private key is the root CA certificate authority's private key! ! After RAS encryption, to form the ciphertext F '.
When you want to verify the digital certificate credibility / legitimacy, you need to find your digital certificate authentication center CA on the floor, and from which to obtain the public key certificate data in the ciphertext F 'for RSA decryption, if too the value of h1 and h2 comparison (h1 can be counted immediately certificate data in the F out of the scene), if they are equal, then that certificate is credible, legitimate! Because you can not know the private key is a layer of CA Certification Center, so you can not forge a digital certificate can be used for one CA Certification Authority public key to decrypt! !
Detailed flowchart follows:
Because a digital certificate for verification of digital certificates based on the top, then top digital certificate and legal? ? This will be a recursive been up phenomenon, the fact is the case, verify that a certificate is legitimate, we need to root certificate to verify his topmost legality! The picture got from other articles well expressed this idea:
Here certainly some people may ask, how top-level CA Certification Authority to prove its legitimacy it? ....... Oh ~ This is why the FireFox certificates in advance some of the most top-level (where the "top level" and "root" is the same concept) is added to the CA authentication center authority trusted list, because topmost CA certification Center no way to prove, so the top-level CA certification center is always trusted! ! In fact, the top-level CA certification center in the world is also one of the few. Here you should understand why I just say that they import the root CA certificate is less secure, because you can not verify.
3. The composition of digital certificates
I can take a look at the screenshot from Firefox's certificate:
1. Certificate (Certificate):
- Common Name (certificate holder name, referred to as CN, in fact, is the name of the certificate, as seen in the first picture: ABA.ECOMRoot ....)
- Version (version V3 is now generally a)
- Issuer (issuing authority)
- Validity (effective date)
- Subject (certificate information, you'll find inside the Issuer and its contents are the same)
- Subject's Public Key Info (owner of the public key certificate, the public key is to have said this!)
- Extension (extended information)
- Certificate Signature Algorithm (public key encryption algorithm),
This is a few more than the above mentioned certificate content (F).
2. Certificate Signature Algorithm:
This is the encryption algorithm described in the certificate, said that the encryption algorithm (A), see its Fireld Value, usually write: PKCS # 1 SHA-1 With RSA Encryption
3. Certificate Signature Value:
This record is the result of the certificate is encrypted, corresponding to the above said speaking F '.
4. Verify digital certificate
To answer how digital certificates are proven, we must first know that the digital certificate is to verify what things:> to verify the digital certificate, the above has been talked about some of this to make a summary:
- The credibility of the verification / validation legality: This has just been said quite understand it:>
- Integrity Verification: In the process of verification of credibility, the more h1 and h2, is already a way to verify its integrity.
- Validation: for example, verify its Vilidity value to see if expired ...
First write, Others supplement! And may be written in some places will be chaotic, that I will correct later:> ~ Paizhuan welcome!
5. References:
- http://baike.baidu.com/view/204415.htm
- http://finance.sina.com.cn/money/roll/20080401/00404692291.shtml
- http://blog.csdn.net/sfdev/archive/2008/03/12/2174305.aspx
- http://man.chinaunix.net/develop/rfc/RFC2313.txt
- http://www.zhlmmc.com/diary/14554