Digital Certificate and its Functions

1.1 concepts and functions of digital certificates

A digital certificate, also known as a digital identity, is a series of data that marks the identity information of network users. It provides an identity authentication method on the Internet, which is used to mark and prove the identity of both parties in the network communication. Generally speaking, digital certificates are the identity cards of individuals or organizations on the Internet.

A digital certificate is issued by a third-party legal digital authentication center (CA, encryption technology with digital certificates as the core can encrypt and decrypt the information transmitted over the network, digital signatures and signature verification to ensure the confidentiality and integrity of information transmitted over the Internet, as well as the authenticity of the transaction entity identity and the non-repudiation of signature information, thus ensuring the security of network applications.

1.1.1 Identity Authentication

Identity Authentication is identity recognition and identification. It is to confirm that the entity is the entity stated by itself and identify the authenticity of the identity. For authentication by both parties, Party A first needs to verify the authenticity of Party B's certificate. When Party B delivers the certificate to Party A online, first, you must use the public key of the CA to unbind the digital signature of the CA on the certificate. If the signature is verified, the certificate held by Party B is proved to be true. Then, Party A must verify the authenticity of Party B's identity, party B can use its own private key for Digital Signature transmission to Party A. Party A has obtained Party B's public key from Party B's certificate or from the certificate store, A can use the public key of B to verify the digital signature of B with its own private key. If the signature is verified, B's online identity will be conclusive.

1.1.2 Data Integrity

Data integrity is to confirm that the data is not modified, that is, the data is not modified whether during transmission or during storage. The main method to implement the data integrity service is digital signature technology, which can provide Entity Authentication and ensure the integrity of signed data. This is because of the guarantees provided by the cryptographic and signature algorithms. The hash algorithm is characterized by any changes to the input data that will cause unpredictable changes to the output data; the signature uses its own private key to encrypt the hash value and transmit it with the data to the receiver. If sensitive data is tampered with during transmission and processing, the recipient will not receive the complete data signature and the verification will fail. Otherwise, if the signature is verified, it indicates that the receiver receives the intact data that has not been modified.

1.1.3 data confidentiality

Data Confidentiality is to ensure that the data is confidential. Except for the specified entity, other unauthorized users cannot read or understand the data. The PKI confidentiality Service adopts the "digital envelope" mechanism, that is, the sender generates a symmetric key and encrypts sensitive data with this symmetric key. At the same time, the sender also uses the receiver's public key to encrypt the symmetric key, like loading it into a "digital envelope. The encrypted symmetric key ("digital envelope") and encrypted sensitive data are then transmitted to the receiver. The receiver uses its own private key to open a "digital envelope" and obtain a symmetric key. The receiver uses the symmetric key to unbind encrypted sensitive data. Other unauthorized people, because they have not opened the private key of the "digital envelope" and cannot see or understand the original data, have played a role in data confidentiality. Figure 3 illustrates the data confidentiality process.

1.1.4 Non-Repudiation

Non-repudiation service refers to technical implementation to ensure the authenticity of entities for their behaviors, that is, the use of digital signatures to prevent their denial of behavior. Among them, people are more concerned with the non-repudiation of data sources and the non-repudiation of reception, that is, the user cannot deny that sensitive information and files are not from him; and the non-repudiation after receiving, that is, the user cannot deny that he has received sensitive information and files. In addition, there are other types of non-repudiation, non-repudiation of transmission, non-repudiation of creation, and non-repudiation of consent.