Digital signature and signature verification

Problem 8: Digital signature and signature verification

[Problem Description]

In online bank transfers and merchant payment orders, the user must sign the transaction data, and the server must verify the signature submitted by the user to ensure the validity and integrity of the data.

Assume the following scenario for digital signing and verification:

1. The server generates a root CA certificate and a user certificate issued by that root CA certificate.

2. The user makes a transfer in online banking, signs the transaction data with the certificate, and submits the transaction request.

3. The server verifies the signature on the data submitted by the user. If verification passes, it submits the transfer to the back-end system; otherwise it informs the user that the transfer failed.

[Problem Requirements]

The specific requirements are as follows:

1. Create a new maven project.

2. Implement a data-signing interface: the input is the source data to sign, and the return value is the base64-encoded digital signature. Specifically, the client uses the user certificate in user1.jks and calls the relevant bouncycastle interfaces to sign the source data. The signature format is PKCS#7 and does not contain the source data (detached mode).

3. Implement a signature-verification interface: the input is the base64-encoded digital signature and the source data. It returns true on success; otherwise it returns false and prints the specific failure information. Specifically, the server uses the CA certificate in user1.jks and calls the relevant bouncycastle interfaces to verify the signature over the data and to verify the validity of the signing certificate, including whether it has expired, whether it is in effect yet, and whether it was issued by the root CA certificate.

Other:

1. user1.jks contains the user's public key certificate, the private key and the CA certificate. The user certificate alias is user1, the CA certificate alias is rootca, and all passwords in user1.jks are 123456.

2. The source data to sign: { "orderId": "1234", "amount": "100"}

3. The bouncycastle dependency versions are as follows:

        <dependency>
            <groupId>org.bouncycastle</groupId>
            <artifactId>bcmail-jdk15on</artifactId>
            <version>1.56</version>
        </dependency>
        <dependency>
            <groupId>org.bouncycastle</groupId>
            <artifactId>bcprov-jdk15on</artifactId>
            <version>1.56</version>
        </dependency>

[Input and Output]

1. Simulate the client signing: call the signing interface with the input { "orderId": "1234", "amount": "100"} and print the base64-encoded signature result.

2. Simulate the server verifying the signature: call the verification interface with the input { "orderId": "1234", "amount": "100"} and the signature data from step 1, and print the verification result, covering the verification items in specific requirement 3.
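An added example (not the author's solution and not bouncycastle's own code) of the two interfaces the exercise asks for: detached PKCS#7 signing, and verification with the validity-period and root-CA checks. It assumes user1.jks from the exercise is in the working directory, that user1 holds an RSA key pair, and Java 9 or later; the class name DetachedSignDemo is hypothetical.

```java
import java.security.*;
import java.security.cert.X509Certificate;
import java.util.*;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.jcajce.*;
import org.bouncycastle.cms.*;
import org.bouncycastle.cms.jcajce.*;
import org.bouncycastle.operator.jcajce.*;

public class DetachedSignDemo { // hypothetical class name
    static String sign(byte[] data, KeyStore ks, char[] pw) throws Exception {
        X509Certificate cert = (X509Certificate) ks.getCertificate("user1");
        CMSSignedDataGenerator gen = new CMSSignedDataGenerator();
        gen.addSignerInfoGenerator(new JcaSignerInfoGeneratorBuilder(
                new JcaDigestCalculatorProviderBuilder().build()).build(
                new JcaContentSignerBuilder("SHA256withRSA") // assumption: RSA key pair
                        .build((PrivateKey) ks.getKey("user1", pw)), cert));
        gen.addCertificates(new JcaCertStore(Collections.singletonList(cert))); // ship signer cert
        CMSSignedData sd = gen.generate(new CMSProcessableByteArray(data), false); // false = detached
        return Base64.getEncoder().encodeToString(sd.getEncoded());
    }
    static boolean verify(byte[] data, String b64Sig, X509Certificate ca) {
        try {
            CMSSignedData sd = new CMSSignedData( // detached: the source data is supplied here
                    new CMSProcessableByteArray(data), Base64.getDecoder().decode(b64Sig));
            if (sd.getSignerInfos().size() == 0) throw new CMSException("no signer present");
            for (SignerInformation si : sd.getSignerInfos().getSigners()) {
                X509CertificateHolder h = (X509CertificateHolder)
                        sd.getCertificates().getMatches(si.getSID()).iterator().next();
                X509Certificate cert = new JcaX509CertificateConverter().getCertificate(h);
                cert.checkValidity();           // throws if expired or not yet in effect
                cert.verify(ca.getPublicKey()); // throws if not signed by the root CA key
                if (!si.verify(new JcaSimpleSignerInfoVerifierBuilder().build(cert)))
                    throw new CMSException("signature does not match the data");
            }
            return true;
        } catch (Exception e) { // any failure: print the specific reason, return false
            System.out.println("Verification failed: " + e);
            return false;
        }
    }
    public static void main(String[] args) throws Exception {
        char[] pw = "123456".toCharArray(); // password given in the exercise
        KeyStore ks = KeyStore.getInstance(new java.io.File("user1.jks"), pw); // Java 9+
        byte[] data = "{ \"orderId\": \"1234\", \"amount\": \"100\"}".getBytes("UTF-8");
        String sig = sign(data, ks, pw);
        System.out.println(sig);
        System.out.println(verify(data, sig, (X509Certificate) ks.getCertificate("rootca")));
    }
}
```

Changing one byte of the source data before calling verify makes it print a digest-mismatch failure and return false. cert.verify checks only that the root CA key signed the user certificate; it does not check revocation or certificate extensions.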

[Time Baseline]

3 hours

[Grading]

Accuracy of 100%

A complete and correct digital signature earns 30 points; correct signature verification earns 70 points.

Notes

1. Encryption - public key
   Decryption - private key
   Signing - private key
   Verification - public key
2. 1) Public and private keys come in pairs.
   2) The key that is made public is called the public key; the key that only you know is called the private key.
   3) Data encrypted with the public key can only be decrypted with the corresponding private key.
   4) Data encrypted with the private key can only be decrypted with the corresponding public key.
   5) If data can be decrypted with the public key, it must have been encrypted with the corresponding private key.
   6) If data can be decrypted with the private key, it must have been encrypted with the corresponding public key.
3. Public key encryption, private key decryption - used for confidentiality.
4. Private key encryption, public key decryption - used for digital signatures:
   Strictly speaking, "private key encryption" here means encrypting the digest with the private key.
   The recipient decrypts it with the public key; if decryption succeeds, this verifies that the sender of the information is the owner of the private key.
5. A digital signature serves two purposes:
   Purpose 1: to prove that the message was sent by you.
     -> The digest is encrypted with the private key and the recipient decrypts it with the public key; if decryption succeeds, this verifies that the sender of the information is the owner of the private key.
   Purpose 2: to prove that the message content is complete, that is, it has not been tampered with in any form (including replacement, omission or addition).
     -> Compute a hash of the original text of your announcement (md5 or sha1 will do), then encrypt this hash with your private key and publish it together with the announcement as the signature. When someone receives your announcement, they can decrypt your signature with your public key. If decryption succeeds and the decrypted hash value matches the hash of your original announcement, this proves two things: the message was indeed sent by you, and the content is complete.
6. Public key authentication - digital certificates:
   A hacker can replace your public key with his own, then sign information with his private key and send it to you. Verification with the hacker's forged public key succeeds, and you mistakenly believe the source has not changed.
   In this case a CA (certificate authority) is needed to authenticate the public key.
   The certificate authority uses its own private key to encrypt the sender's public key together with some related information, generating a "digital certificate" (Digital Certificate).
7. Symmetric and asymmetric algorithms:
   HTTPS generally uses the following algorithms, including both asymmetric and symmetric encryption algorithms:
   Asymmetric encryption algorithms: RSA, DSA/DSS, used to encrypt the password generated during the handshake.
   Symmetric encryption algorithms: AES, RC4, 3DES, used to encrypt the data actually transmitted.
   Hash algorithms: MD5, SHA1, SHA256, used to verify the integrity of the data.
8. How HTTPS works:
   Before transmitting data, HTTPS requires a handshake between the client (browser) and the server (website). During the handshake the two parties establish the password information used to encrypt the transmitted data. TLS/SSL uses asymmetric encryption, symmetric encryption and hash algorithms.
   1. The browser sends the set of encryption rules it supports to the website.
   2. The website selects an encryption algorithm and a hash algorithm from that set and sends its identity information back to the browser in the form of a certificate. The certificate contains the website address, the public key for encryption, the certificate authority, and so on.
   3. After obtaining the website's certificate, the browser does the following:
      a) Verifies the legitimacy of the certificate (whether the issuing institution is legitimate, whether the website address contained in the certificate matches the address being accessed, etc.). If the certificate is trusted, the browser displays a small lock in its bar; otherwise it displays a warning that the certificate is untrusted.
      b) If the certificate is trusted, or the user accepts the untrusted certificate, the browser generates a random number to use as the password and encrypts it with the public key provided in the certificate.
      c) Computes the hash of the handshake message with the agreed hash algorithm, encrypts the message with the generated random number, and finally sends all of the previously generated information to the website.
   4. After receiving the data sent by the browser, the website does the following:
      a) Uses its own private key to decrypt the password, uses the password to decrypt the handshake message sent by the browser, and verifies that the hash matches the one sent by the browser.
      b) Encrypts a handshake message with the password and sends it to the browser.
   5. The browser decrypts the handshake message and computes its hash. If it matches the hash sent by the server, the handshake ends, and all subsequent communication data is encrypted with the symmetric encryption algorithm using the random password generated earlier by the browser.

Reference link: https://blog.csdn.net/willpower1li/article/details/79494809

Origin www.cnblogs.com/tomingto/p/11713661.html