[Reprint] the basics of digital certificates

Basics of digital certificates

http://www.enkichen.com/2016/02/26/digital-certificate-based/

 

The earlier post "iOS developer certificate and code signing study notes" introduced iOS developer certificates and code signing. To better understand the properties of the certificates involved, this post collects and summarizes the relevant background on digital certificates.

Before talking about digital certificates we must talk about asymmetric encryption algorithms and digest algorithms, because digital certificates are built on a variety of cryptographic algorithms (asymmetric encryption, digest algorithms), of which asymmetric encryption is the core. Encryption methods currently fall into two categories. One is single-key encryption (private key cryptography), also called symmetric encryption; the other is dual-key encryption (public key cryptography), also called asymmetric encryption. The former uses the same key for encryption and decryption; the latter uses different keys. Let's look at symmetric encryption, asymmetric encryption and digest algorithms, and at how they are used in digital certificates.

Symmetric encryption

Symmetric encryption (also called private key encryption) refers to algorithms in which encryption and decryption use the same key. They are sometimes called traditional cryptographic algorithms: the encryption key can be derived from the decryption key, and the decryption key can be derived from the encryption key. In most symmetric algorithms the encryption and decryption keys are identical, so these algorithms are also known as secret-key or single-key algorithms.

Using such an algorithm requires the sender and the receiver to agree on a key before they communicate securely. The security of a symmetric algorithm depends on the key: if the key leaks, anyone can decrypt the messages sent or received, so keeping the key secret is crucial. Symmetric algorithms are characterized by publicly known algorithms, a small amount of computation, fast encryption and high efficiency. There are many symmetric algorithms, and because of their efficiency they sit at the core of many encryption protocols. The downside is that both parties use the same key, so security cannot be guaranteed.

Common symmetric encryption algorithms

  • DES: the Data Encryption Standard is a block cipher that encrypts with a key; it is a symmetric algorithm based on a 56-bit key. It was controversial from the start because its design contained classified elements and its relatively short key length led to suspicion that it contained a US National Security Agency (NSA) backdoor. DES is no longer regarded as a secure encryption algorithm, mainly because its 56-bit key is too short and it is therefore easily cracked. To provide the security needed in practice, its derivative 3DES can be used for encryption, although theoretical attacks on 3DES exist.

  • AES: the Advanced Encryption Standard was designed to replace DES; it has been analyzed extensively and is used around the world. By 2006 it had become one of the most popular symmetric-key algorithms. AES has a fixed block length of 128 bits, and the key length may be 128, 192 or 256 bits.

  • RC4: a family of variable-key-length stream ciphers designed in 1987 by Ronald Rivest, the lead member of the famous RSA trio. The algorithm can run about 10 times faster than DES encryption and is highly non-linear. RC4 was initially a protected trade secret, but in September 1994 its algorithm was posted on the Internet, so it is no longer a trade secret.

  • IDEA: proposed in 1990 by Lai Xuejia, a young Chinese scholar living in Switzerland, and the well-known cryptographer J. Massey. It was formally published in 1990 and strengthened afterwards. The algorithm was developed on the basis of DES and is similar to Triple DES; like DES, IDEA is a symmetric-key algorithm. IDEA was developed because DES was felt to have shortcomings such as a key that is too short, and to be outdated. The IDEA key is 128 bits, a length that should remain safe for the next several years.

Asymmetric encryption

Unlike symmetric encryption algorithms, an asymmetric encryption algorithm requires two keys: a public key (publickey) and a private key (privatekey), and the encryption and decryption keys come as a pair. Because encryption and decryption use different keys, asymmetric encryption is also called public key encryption. Of the key pair, one key is open to the public and anyone can obtain it; this is the public key. The other key is kept private and is called the private key.

Features of asymmetric encryption

  • For each public key there is one and only one corresponding private key.
  • The public key is public, and the private key cannot be derived from it.
  • Ciphertext encrypted with the private key can only be decrypted with the public key; ciphertext encrypted with the public key can only be decrypted with the private key.

Working out the private key from the public key is extremely difficult and can only be done by exhaustive search, so as long as the key is long enough, computing the private key from the public key is practically impossible.

Main uses of asymmetric encryption

  • Keeping information confidential and preventing man-in-the-middle attacks: the plaintext is encrypted with the public key and sent to the recipient, which ensures that only the private key's owner can decrypt it; nobody else can obtain the plaintext, because it cannot be decrypted without the private key. This method is generally used to exchange symmetric keys.
  • Authentication and tamper prevention: the authorizing party encrypts a piece of authorization plaintext with its private key, then sends out the authorization plaintext, the resulting ciphertext and the public key together. The recipient only needs to decrypt the ciphertext with the public key and compare the result with the authorization plaintext to determine whether the plaintext was tampered with in transit. This method is used for digital signatures.

Common asymmetric encryption algorithms

  • RSA: in 1977 three mathematicians, Rivest, Shamir and Adleman, devised an algorithm that achieves asymmetric encryption. It is named after the three of them and called the RSA algorithm. From then until now, RSA has been the most widely used asymmetric encryption algorithm. It is no exaggeration to say that wherever there is a computer network, there is RSA. The algorithm is very reliable: the longer the key, the harder it is to crack. According to published literature, the longest RSA key cracked so far is 768 bits; in other words, keys longer than 768 bits have not been cracked (at least nobody has publicly announced it). It follows that 1024-bit RSA keys are basically secure and 2048-bit keys are extremely secure. RSA is suitable for digital signatures and key exchange. It is the most widely used public-key encryption algorithm, especially for data transmitted over the Internet.

  • DSA: the Digital Signature Algorithm was invented by the United States National Security Agency (NSA) and has become a digital signature standard. In DSA signing and authentication, the sender signs a file or message with their private key, and the recipient uses the sender's public key to verify the authenticity of the signature. DSA is only an algorithm; unlike RSA it cannot be used for encryption, decryption or key exchange, only for signatures, and it is much faster than RSA. The security of DSA rests on the difficulty of computing discrete logarithms. This algorithm is not suitable for data encryption, only for digital signatures.

  • Diffie-Hellman: a method for securely sharing a key across an insecure network. In 1976 Whitfield Diffie and Martin Hellman proposed an ingenious key exchange protocol, called the Diffie-Hellman Key Exchange / Agreement Algorithm. With this mechanism the two parties that need to communicate securely can settle on a symmetric key, which they can then use for encryption and decryption. Note, however, that the protocol can only be used to exchange keys, not to encrypt or decrypt messages. Once the two sides have settled on the key, they must use a separate symmetric-key algorithm to actually encrypt and decrypt messages. The algorithm is only for key exchange.

  • ECC: elliptic curve cryptography is a public key encryption scheme originally proposed by Koblitz and Miller in 1985. Compared with classic public key systems such as RSA and DSA, elliptic curve cryptosystems have the following advantages: a 160-bit elliptic curve key offers the same security as a 1024-bit RSA key; for private-key operations (encryption and decryption), ECC is faster than RSA and DSA; the storage footprint is small; bandwidth requirements are low. The mathematical theory behind ECC is deep and complex, which makes it harder to implement in engineering practice, but its security strength per bit is relatively high.

Asymmetric encryption may be the most important class of algorithms in the world; it is the cornerstone of today's e-commerce. As robust as it is, it has one drawback: encryption and decryption are time-consuming. In practice it is therefore usually combined with symmetric encryption and digest algorithms, for example to exchange a symmetric key between entities, or to sign the hash of a message (a digital signature).

A hash algorithm applies a one-way mathematical function to data to obtain a fixed-length hash result.

Digest Algorithm

A digest algorithm is a remarkable kind of algorithm; its output is also known as a hash or hash value. It is a different type of data transformation from key-based encryption (symmetric key or public key). A hash algorithm applies a one-way mathematical function to data, irreversibly converting a block of data of any length into a fixed-length number, usually between 128 and 256 bits long. The generated hash value should be long enough that the chance of finding two pieces of data with the same hash value is very small.

A digest algorithm has the following features:

  • If the source text differs, the computed result is certain to differ (or a match is extremely unlikely).
  • The source data cannot be derived backwards from the result (naturally, otherwise energy would not be conserved).

Common digest algorithms:

  • MD5: a one-way hash algorithm developed by RSA Data Security. MD5 is widely used; it turns data blocks of different lengths into a fixed-size value (usually 128 bits) through cryptographic computation.
  • SHA-1: like the DSA public key algorithm, Secure Hash Algorithm 1 (SHA-1) was designed by the NSA and included by NIST in FIPS as a standard for hashing data. It produces a 160-bit hash value. SHA-1 is a popular one-way hash algorithm used to create digital signatures.
  • MAC (Message Authentication Code): a message authentication code is a one-way function that uses a key; it can be used to authenticate files or messages between systems or between users. A common one is HMAC (the keyed-hash message authentication code).
  • CRC (Cyclic Redundancy Check): because it is simple to implement and has strong error detection capability, the cyclic redundancy check is widely used for data validation in all kinds of applications. It uses few system resources, can be implemented in both software and hardware, and is a good means of detecting data transmission errors. (Strictly speaking CRC is not a hash algorithm, but it serves much the same purpose, so it is grouped here.)

A digest algorithm is used to check whether source data is unchanged: as long as the source data changes, the resulting digest is certain to differ. Because the result is usually much shorter than the source data, it is called a "digest".

A typical application: the sender generates a hash value of the message, encrypts it, and sends it along with the message itself. The recipient decrypts the message and the hash value, generates another hash value from the received message, and compares the two. If they are the same, the message very likely was not changed in transit.

Digital signature

A digital signature is an application of asymmetric encryption combined with a digest algorithm. It ensures that information is not tampered with after release (a property of the digest algorithm), guaranteeing the integrity and credibility of the data, and it also prevents others from forging the data (a property of asymmetric encryption). For example, suppose we need to publish some authorization text and want to prevent the content from being tampered with along the way, guaranteeing both that the text is intact and that it was released by the specified publisher. The publisher first computes a digest of the text with a digest algorithm, then encrypts the digest with the private key to obtain the ciphertext (the signature). The source text, the ciphertext (signature) and the public key can then be published together.

Verification process: first verify that the public key really is the publisher's, then use the public key to decrypt the ciphertext and obtain the digest, compute a digest of the published text with the same digest algorithm, and compare the two. If the digests match, the information has not been tampered with and was released by the specified publisher.

[Figure: digital signature]

Digital signatures make it possible to verify the integrity and legitimacy of text quickly, and they are widely used in many fields.

How the public key itself is verified is covered later, in the section on the digital certificate authority chain.

Digital Certificates

Certificate in real life

In real life a certificate is, as the name suggests, a proof issued by an authority. For example, the English level 6 certificate is awarded by the education department to an individual who passes the level 6 assessment, as proof of that person's English ability. Let's look at what this certificate consists of:

  • Person certified: Pharaoh
  • Content: passed the English level 6 exam (CET)
  • Stamp: official seal of the education department

When Pharaoh looks for a job with this certificate, the employer checks the certificate's content (especially the seal) to verify that the certificate is legitimate and to judge Pharaoh's ability. In real life forged level 6 certificates are common, and the most important part of a fake certificate is its fake seal. Laws and regulations are used to deter the forging of official seals, but an employer may not be able to judge accurately whether a seal is genuine. Digital signatures can be used to solve this kind of problem.

Digital Certificates

A digital certificate is a digitized certificate implemented with a digital signature. A real-life seal can be forged, but in the computational world a digital signature cannot be forged. Take the certificate above: a certificate file states the contents of the certificate, and when issuing it the education department signs the digest of the file with its private key and publishes the signature together with the certificate file, which ensures that the certificate cannot be forged. To verify that a certificate is legitimate, first use the education department's public key (which anyone can obtain) to decrypt the signature and obtain a digest, then compute another digest of the certificate with the same digest algorithm the education department used, and compare the two; whether they match determines whether the certificate is legitimate. Certificates generally also carry some additional information, such as the certificate's validity period.

Digital certificates also have many issuing authorities, and certificates issued by different authorities serve different purposes. In iOS development, for example, the certificate used to sign ipa files must be requested from Apple. For secure transmission of Web content over the network, the SSL certificate required must be requested from one of several recognized organizations. The issuing authority is referred to as the CA (Certificate Authority).

Internationally recognized organizations for Web-related certificates:

  1. WebTrust
  2. GlobalSign
  3. GTE
  4. Nortel
  5. Verisign

Verify the digital certificate

A certificate is verified by the party that relies on it: for the SSL certificate of a Web application the verifier is the browser, and for iOS certificates the verifier is the iOS device. Because digital certificates are based on digital signatures, verifying a certificate's legitimacy comes down to verifying that the certificate's digital signature is correct, and verifying the signature requires the issuing authority's public key.

For an iOS development certificate, after applying for the signing certificate you also need to install Apple's public key certificate (it is installed automatically along with Xcode); this ensures that the certificate we applied for can be verified as legitimate and used to sign ipa files. Web-related certificates are verified by the browser: browsers ship with the public key certificates of several internationally recognized certificate authorities built in, and use them to verify the credibility of digital certificates.

Once a digital certificate has been validated, it can be used for its purpose: an iOS development certificate can be used to sign an app, and an SSL certificate can be used for things like encrypting Web content. With these certificates, data in transit cannot be tampered with and the source of the information cannot be falsified, which ensures information security.

On iOS the verification process is built into the system; unless the device is jailbroken, it cannot be bypassed.

Digital certificate authority chain

Digital certificates also carry authorization chain information. For example: if you want to take a week of leave, your boss needs to approve it, your boss needs the consent of his superior, and finally the big boss needs to agree. This layer-by-layer authorization forms a chain of authorization: the big boss is the root of the chain, and each intermediate link is authorized by the one closer to the root.

Take Apple's app developer signing certificate, which is used to sign apps: it is actually authorized and signed by Apple's Worldwide Developer Relations Certificate Authority (WDRCA), which in turn is authorized and signed by the Apple Certificate Authority. In this chain, Apple's CA is the root. Apple's root CA certificate is built into Apple's systems by default, so the credibility of WDRCA can be verified with the built-in Apple root CA certificate.

Web SSL certificate chains have a root CA at the top, which is one of the recognized issuing authorities mentioned above. When we need a Web SSL certificate we can apply to one of these organizations. Applying to a root authority is usually relatively expensive, so one can also apply to a second-tier authority. The benefit of choosing a certificate issued by a root authority is that most browsers come with those CAs' public key certificates preinstalled, so when a certificate issued by such a CA is used the browser generally does not show a risk warning.
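The signature check and the chain walk described in the sections above, as an added example that is not part of the original article. It assumes a simplified certificate (subject, issuer, public key, expiry) and textbook RSA built from public Mersenne primes, which shows the mechanics but is not secure; all names, dates and helper functions are made up for illustration.

```python
import hashlib
from dataclasses import dataclass

E = 65537  # public exponent shared by every toy key

def toy_keypair(a, b):
    # Textbook RSA from the public Mersenne primes 2**a-1 and 2**b-1:
    # fine for showing the mechanics, NOT secure (known primes, no padding).
    p, q = 2**a - 1, 2**b - 1
    return p * q, pow(E, -1, (p - 1) * (q - 1))  # (public modulus n, private d)

def digest(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(data: bytes, n: int, d: int) -> int:
    return pow(digest(data), d, n)  # private-key operation on the digest

def verify(data: bytes, sig: int, n: int) -> bool:
    return pow(sig, E, n) == digest(data)  # recover digest with public key, compare

@dataclass
class Cert:
    subject: str
    issuer: str
    pubkey: int      # subject's public modulus n
    not_after: int   # expiry as YYYYMMDD
    signature: int = 0

    def body(self) -> bytes:  # the fields the issuer signs
        return f"{self.subject}|{self.issuer}|{self.pubkey}|{self.not_after}".encode()

def issue(subject, pubkey, issuer, issuer_n, issuer_d, not_after):
    cert = Cert(subject, issuer, pubkey, not_after)
    cert.signature = sign(cert.body(), issuer_n, issuer_d)
    return cert

def verify_chain(chain, trust_store, today):
    """chain is ordered leaf first, root last; returns (ok, reason)."""
    for i, cert in enumerate(chain):
        if today > cert.not_after:
            return False, f"{cert.subject}: expired"
        if i + 1 < len(chain):
            parent = chain[i + 1]
            if cert.issuer != parent.subject:
                return False, f"{cert.subject}: issuer mismatch"
            signer_key = parent.pubkey
        else:
            # The root is self-signed, so its key must already be built in.
            if trust_store.get(cert.subject) != cert.pubkey:
                return False, f"{cert.subject}: untrusted root"
            signer_key = cert.pubkey
        if not verify(cert.body(), cert.signature, signer_key):
            return False, f"{cert.subject}: bad signature"
    return True, "ok"

# Constructed sample chain (all names and dates are made up).
ROOT_N, ROOT_D = toy_keypair(521, 607)
MID_N, MID_D = toy_keypair(1279, 2203)
DEV_N, DEV_D = toy_keypair(2281, 3217)
ROOT = issue("Toy Root CA", ROOT_N, "Toy Root CA", ROOT_N, ROOT_D, 20351231)
MID = issue("Toy Intermediate CA", MID_N, "Toy Root CA", ROOT_N, ROOT_D, 20301231)
DEV = issue("Toy Developer", DEV_N, "Toy Intermediate CA", MID_N, MID_D, 20261231)
CHAIN, TRUST_STORE = [DEV, MID, ROOT], {"Toy Root CA": ROOT_N}
print(verify_chain(CHAIN, TRUST_STORE, today=20250101))
```

The trust store plays the role of the root certificates built into the browser or operating system: a chain whose root key is not already in it is rejected even when every signature in the chain is valid.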

Summary

Digital certificate signing is built on asymmetric encryption and is a concrete use of its identity authentication property. Elsewhere, for example in the HTTPS key exchange, the confidentiality and tamper-prevention properties of asymmetric encryption are used. Among asymmetric encryption algorithms, RSA is the most widely used. Asymmetric encryption is good but has a downside: encryption and decryption are relatively time-consuming, so it is generally used together with symmetric encryption.

This article is a summary introduction to digital certificates and leaves out many of the details; if you are interested, you can study them in more depth starting from what is covered here. The article also does not cover the format of digital certificates or how digital certificates are managed; these topics will be organized and introduced in later articles.


Origin www.cnblogs.com/jinanxiaolaohu/p/12080731.html