Over the last two or three months I have been dealing, on and off, with CA-certificate-related work. A CA certificate is in essence an application of encryption and decryption, so encryption and decryption technology naturally came up as well; while getting to grips with CA I also gained a better knowledge and understanding of encryption and decryption.
The material is fairly involved, but it seems to fall into a few related topics, so I have split it into several parts:
1. Encryption and signatures
2. Symmetric and asymmetric encryption
3. Keys, public keys and private keys
4. Illustrating the need for signing and encryption
5. CA certificate conversion
Encryption and signatures
During network communication, to keep the data exchange safe, it is necessary to confirm the identity of both interacting parties and ultimately ensure that the data the service uses is correct: not tampered with, not stolen, and not readable by anyone who does intercept it.
To meet these requirements one uses encryption and signatures. Confirming the identity of the two parties is usually called signing and signature verification, and protecting the business data itself is called encryption and decryption.
As I currently understand it, signing and signature verification are in practice also a form of encryption and decryption.
Symmetric encryption and asymmetric encryption
Encryption generally requires a key, and so does decryption. If the encryption key and the decryption key are the same, it is called symmetric encryption; otherwise, if the encryption key and the decryption key differ, it is called asymmetric encryption.
Keys, public keys and private keys
Whether public or private, it is a key.
"Key" should be understood as the key used to encrypt and decrypt the ciphertext.
"Public" is understood as the public key.
"Private" I understand as the private key.
Note that the term is "key" (密钥), not "secret key" (秘钥). When I was new to this I always confused these two, which left several concepts muddled.
Because "secret key" and "private key" sound like the same thing, reading "key" as "secret key" distorts one's understanding of public and private keys.
In general a public key and a private key form a pair with a fixed relationship to each other, and each can decrypt what the other encrypts: what the public key encrypts, the private key decrypts, and what the private key encrypts, the public key decrypts.
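The two definitions above (same key on both sides versus a public/private pair) as an added example using the openssl command line; this is not code from the original post, and the file names, passphrases and the sample message are constructed for the demonstration:

```shell
#!/bin/sh
# Added example (not from the original post): symmetric vs asymmetric encryption
# with the openssl command line. File names, passphrases and the message are constructed.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed plaintext standing in for a piece of business data.
printf 'order=42;amount=100\n' > "$WORK/msg.txt"

# Symmetric: one shared secret both encrypts and decrypts (AES-256-CBC,
# key derived from the passphrase with PBKDF2). Prints the recovered plaintext.
sym_roundtrip() {
  openssl enc -aes-256-cbc -pbkdf2 -pass pass:sharedsecret \
    -in "$WORK/msg.txt" -out "$WORK/msg.aes"
  openssl enc -d -aes-256-cbc -pbkdf2 -pass pass:sharedsecret -in "$WORK/msg.aes"
}

# Without the shared secret you get an error or garbage, never the plaintext.
# Prints "protected" when the wrong passphrase fails to recover the message.
sym_wrong_key() {
  out=$(openssl enc -d -aes-256-cbc -pbkdf2 -pass pass:wrongsecret \
          -in "$WORK/msg.aes" 2>/dev/null || true)
  [ "$out" != "$(cat "$WORK/msg.txt")" ] && echo protected || echo exposed
}

# Asymmetric: the public key encrypts, only the matching private key decrypts
# (RSA-2048 with OAEP padding). The public key can be handed out freely.
asym_roundtrip() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/priv.pem" 2>/dev/null
  openssl pkey -in "$WORK/priv.pem" -pubout -out "$WORK/pub.pem"
  openssl pkeyutl -encrypt -pubin -inkey "$WORK/pub.pem" \
    -pkeyopt rsa_padding_mode:oaep -in "$WORK/msg.txt" -out "$WORK/msg.rsa"
  openssl pkeyutl -decrypt -inkey "$WORK/priv.pem" \
    -pkeyopt rsa_padding_mode:oaep -in "$WORK/msg.rsa"
}

echo "symmetric:  $(sym_roundtrip)"
echo "wrong key:  $(sym_wrong_key)"
echo "asymmetric: $(asym_roundtrip)"
```

The symmetric path shows why leaking the one shared key is fatal: anyone holding it decrypts everything. The asymmetric path shows the pair relationship from the text: data encrypted with pub.pem can only be opened with priv.pem, so publishing the public key costs nothing.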
Illustrating the need for signatures and encryption
Early networks transmitted data in plaintext, so the communication process had no way to ensure the data was not stolen, used or tampered with, as shown below:
This gave rise to data encryption, which ensures that even if data is stolen in transit it is hard to read without the key. Even if it is tampered with, the recipient cannot decrypt it and so does not continue with the business logic, as shown below:
However, once the person stealing the data also holds the key, they can likewise decrypt and tamper with the data. In the symmetric case the same key is shared by both sides, so the chance of it leaking is high; in the asymmetric case the public key is published, so many people hold it anyway.
The scenario once the data thief has obtained a key is roughly as follows:
Therefore, on top of data encryption, signature verification is introduced, so that even if the data has been tampered with it will fail verification and not be decrypted or processed, further securing the business, as follows:
The above is at the software application level; in practice it is built on HTTP requests, with signing, encryption and so on carried out in the application code.
Beyond that there is a further security measure, HTTPS, which is where the concept and techniques of CA certificates come in.
Looking only at the communication level, a CA certificate is divided into the root certificate and the certificate used for communication; its purpose is to further ensure reliability between server and client, i.e. to further ensure that the identity of each communicating party is legitimate.
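The scenario in the figures above, encryption plus a signature so that a tampered message is rejected, as an added example in openssl shell commands; this is not the post's own code, and the key names, shared secret and request strings are constructed:

```shell
#!/bin/sh
# Added example (not from the original post): sign the encrypted data with the
# sender's private key so that a modified ciphertext is rejected before it is
# decrypted. Key names, the shared secret and the messages are constructed.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
SHARED=sharedsecret   # symmetric key; the post's scenario assumes it may leak

# Sender's key pair: the private key signs, the public key is handed to receivers.
make_sender_keys() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/sender.key" 2>/dev/null
  openssl pkey -in "$WORK/sender.key" -pubout -out "$WORK/sender.pub"
}

# Sender side: encrypt the request with the shared key, then sign the ciphertext.
send() {
  printf '%s\n' "$1" > "$WORK/req.txt"
  openssl enc -aes-256-cbc -pbkdf2 -pass pass:"$SHARED" \
    -in "$WORK/req.txt" -out "$WORK/msg.enc"
  openssl dgst -sha256 -sign "$WORK/sender.key" -out "$WORK/msg.sig" "$WORK/msg.enc"
}

# Receiver side: verify the signature first; decrypt only if it checks out.
receive() {
  if openssl dgst -sha256 -verify "$WORK/sender.pub" \
       -signature "$WORK/msg.sig" "$WORK/msg.enc" >/dev/null 2>&1; then
    openssl enc -d -aes-256-cbc -pbkdf2 -pass pass:"$SHARED" -in "$WORK/msg.enc"
  else
    echo "REJECTED: signature does not match ciphertext"
  fi
}

# Ciphertext replaced in transit by someone who knows the shared key but not the
# sender's private key: they can re-encrypt, but cannot produce a valid signature.
modify_in_transit() {
  printf 'transfer to=acct-666 amount=100\n' > "$WORK/evil.txt"
  openssl enc -aes-256-cbc -pbkdf2 -pass pass:"$SHARED" \
    -in "$WORK/evil.txt" -out "$WORK/msg.enc"
}

honest_delivery() {
  make_sender_keys
  send 'transfer to=acct-999 amount=100'
  receive
}

modified_delivery() {
  make_sender_keys
  send 'transfer to=acct-999 amount=100'
  modify_in_transit
  receive
}

echo "honest:   $(honest_delivery)"
echo "modified: $(modified_delivery)"
```

The receiver checks the signature before it touches the ciphertext, which is the point of the last figure: encryption alone cannot tell a legitimate message from one re-encrypted with a leaked key, but the signature can, because only the sender's private key produces it.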
For more CA-related content see my other two blog posts:
https://blog.csdn.net/tuzongxun/article/details/88647172
https://blog.csdn.net/tuzongxun/article/details/89217001
CA certificate conversion
CA certificates come in a variety of formats and file extensions, many of which can be converted to one another, and each has its own usage scenarios.
For example, Java commonly uses JKS files, Android often uses BKS files, and browsers may use PFX files.
Here is a partial record of conversions:
PEM root certificate chain to JKS
keytool -import -noprompt -file root.pem -keystore root.jks -storepass 123456
PFX certificate to JKS
keytool -importkeystore -srckeystore client.pfx -srcstoretype pkcs12 -destkeystore client.jks -deststoretype JKS
PFX certificate to CRT and KEY
openssl pkcs12 -in client.pfx -nodes -out client.pem
openssl rsa -in client.pem -out client.key
openssl x509 -in client.pem -out client.crt
PEM root certificate chain to CER
openssl x509 -inform pem -in root.pem -outform der -out root.cer
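The PFX to CRT/KEY and PEM to DER conversions above run end to end, as an added example rather than the post's own commands; since client.pfx itself is not available, the script first builds a constructed self-signed certificate under that name, and the password 123456 is likewise constructed (the post's keytool command uses the same value, but that is a coincidence of the example). It then adds the two checks a practitioner wants after a conversion: that the extracted key really belongs to the extracted certificate, and that the DER file is the same certificate as the PEM one.

```shell
#!/bin/sh
# Added example (not from the original post): the PFX -> PEM -> CRT/KEY and
# PEM -> DER conversions, run end to end with a constructed self-signed
# certificate in place of client.pfx, plus two checks that the pieces still match.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
PFX_PASS=123456   # constructed password for the sample PFX

# Build a sample client.pfx: a fresh RSA key and a self-signed certificate bundled as PKCS#12.
make_sample_pfx() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=sample-client" \
    -keyout "$WORK/orig.key" -out "$WORK/orig.crt" 2>/dev/null
  openssl pkcs12 -export -inkey "$WORK/orig.key" -in "$WORK/orig.crt" \
    -out "$WORK/client.pfx" -passout pass:"$PFX_PASS"
}

# The post's three commands: PFX -> combined PEM -> separate key and certificate.
pfx_to_crt_and_key() {
  openssl pkcs12 -in "$WORK/client.pfx" -nodes -passin pass:"$PFX_PASS" -out "$WORK/client.pem"
  openssl rsa -in "$WORK/client.pem" -out "$WORK/client.key" 2>/dev/null
  openssl x509 -in "$WORK/client.pem" -out "$WORK/client.crt"
}

# PEM -> DER (.cer), the same conversion the post applies to the root certificate.
pem_to_der() {
  openssl x509 -inform pem -in "$WORK/client.crt" -outform der -out "$WORK/client.cer"
}

# Check 1: the extracted certificate and key belong together (same RSA modulus).
keypair_matches() {
  c=$(openssl x509 -noout -modulus -in "$WORK/client.crt")
  k=$(openssl rsa -noout -modulus -in "$WORK/client.key" 2>/dev/null)
  [ "$c" = "$k" ] && echo match || echo mismatch
}

# Check 2: the DER file is the same certificate as the PEM one (same SHA-256 fingerprint).
der_same_cert() {
  p=$(openssl x509 -noout -fingerprint -sha256 -in "$WORK/client.crt")
  d=$(openssl x509 -noout -fingerprint -sha256 -inform der -in "$WORK/client.cer")
  [ "$p" = "$d" ] && echo same || echo different
}

make_sample_pfx
pfx_to_crt_and_key
pem_to_der
echo "key/cert: $(keypair_matches)"
echo "der/pem:  $(der_same_cert)"
```

The modulus comparison is the quick way to catch the classic mistake of pairing a certificate with the wrong key after splitting a bundle; the fingerprint comparison confirms that a format change (PEM to DER) did not alter the certificate itself.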
Converting JKS to BKS requires a separate tool; see
http://www.jcodecraeer.com/a/anzhuokaifa/androidkaifa/2015/0831/3393.html