Android Security Encryption: Digital signature and digital certificate detailed _android

Android security encryption feature article index

• Android Secure encryption: Symmetric encryption
  
• Android Secure encryption: Asymmetric encryption
  
• Android Secure encryption: Message digest Digest
  
• Android Security Encryption: Digital signatures and digital certificates
  
• Android Secure encryption: HTTPS programming

The above learning all content, symmetric encryption, asymmetric encryption, message digest, digital signature and other knowledge is to understand the work of digital certificates as a preliminary knowledge. Digital certificate is the ultimate weapon in cryptography, is the crystallization of the wisdom of human thousands of years history, only after understanding the working principle of digital certificate, can we understand the secure communication mechanism of HTTPS protocol. It will eventually be handy in the SSL development process.

In addition, the two knowledge points of symmetric encryption and message digest can be used separately.

Knowledge Point Series:

Digital certificates use all the knowledge you have learned

1. Symmetric encryption and asymmetric encryption are used to achieve the secret key exchange, after which the two parties use the secret key for symmetric encrypted communication.
2. Message digest and asymmetric encryption to achieve digital signature, the root certificate authority to sign the target certificate, at the time of verification, the root certificate with the public key to verify it. If the checksum succeeds, the certificate is trusted.
3. The Keytool tool can create certificates, then submit them to the root certification authority for direct use of self-signed certificates, as well as output the RFC format information for certificates.
4. Digital signature technology realizes the guarantee of identity authentication and data integrity.
5. The encryption technology guarantees the confidentiality of the data, the message digest algorithm guarantees the integrity of the data, the high efficiency of symmetric encryption guarantees the reliability of the processing, and the digital signature technology guarantees the non-repudiation of the operation.
   

Through the above content of learning, we should be able to grasp the following knowledge points:

1. Basics: Bit bits, bytes, characters, character encodings, incoming transformations, IO
2. Know how to use symmetric encryption to solve problems in actual development
3. Know symmetric encryption, asymmetric encryption, message digest, digital signature, digital certificate is to solve the problem of what happened
4. Understanding the SSL communication process
5. How to request HTTPS interface in actual development
   

Digital signatures

1. Overview

Combination application of asymmetric encryption and digital digest for digital signature

2. Application Scenarios

Verify user identity (using private key signature, public key checksum, as long as the public key can be checked through, the information must be issued by the private key holder)
Verify the integrity of the data (with the decrypted message digest compared to the original message digest)

3. Signature process

"When sending a message, the sender uses a hash function to generate a message digest from the message text, then encrypts the digest with its own private key, and the encrypted digest is sent to the receiver as a digital signature and a message, The receiver first computes the message digest from the received original message using the same hash function as the sender, the sender's public key is then used to decrypt the digital signature appended to the message, and if the two digests are the same, the receiver can confirm that the digital signature is the sender.

Digital signatures have two functions: one is to determine that the message is actually signed by the sender, because the sender's signature is not fake. The second is that the digital signature can determine the integrity of the message. Because the characteristic of the digital signature is that it represents the characteristics of the file, if the file changes, the value of the numeric digest will also change. Different files will get a different summary of the numbers. A digital signature involves a hash function, the sender's public key, and the sender's private key. ”

4. Use steps

Gets the Signature object, initializes the algorithm: Md2withrsa, Md5withrsa, or Sha1withrsa
Signature Signature = Signature.getinstance (" Md5withrsa ");
Create private key (read from disk)
Privatekey Privatekey = (privatekey) serializableutil.readobject (
"Heima.privatekey");
Initializes
signature.initsign (Privatekey) using the private key;
Incoming data
signature.update (Content.getbytes ()) required for signature;
Execute signature
byte[] sign = signature.sign ();

Create Public key (read from disk)
PublicKey PublicKey = (publickey) serializableutil.readobject (
"Heima.publickey");
Initializes the
signature.initverify (publickey) using the public key;
Incoming data that needs to be validated (i.e. the original text above)
signature.update (Content.getbytes ());
Perform a checksum
boolean verify = Signature.verify (sign);

5. Summary

Digital signatures are generally not used alone, are basically used in digital certificates to implement the SSL communication protocol. The following will be the study of digital certificate is based on digital signature technology implementation.

Digital certificates

1. Overview

The digital certificate is a serial number of the identity information of the communication parties in Internet communication. Provides a way to authenticate the identity of a communication entity on the Internet, a digital certificate that is not a digital ID, but a chapter or print (or a signature on a digital ID) that is covered by an identity certification authority. It is issued by the authority's--CA agency, also known as the Certificate Authority (certificate Authority) center, which people can use to identify each other on the Internet.

2. Application Scenarios

The certainty, non-repudiation and non-modification of the trader's identity
Sign the application for authentication (e.g., Android APK)

3. Digital certificate format

The format of digital certificates is generally based on X.509v3 international standards, and a standard X.509 digital certificate contains the following elements:

1. Version information of the certificate;
2. The serial number of the certificate, each certificate has a unique certificate serial number;
3. The signature algorithm used by the certificate;
4. The name of the issuing organization of the certificate, the naming rule is generally in x.500 format;
5. The validity period of the certificate, the General certificate is generally in UTC time format, its timing range is 1950-2049;
6. The name of the certificate owner, the naming convention is generally in X.500 format;
7. Public key of the certificate owner;
8. The certificate publisher's signature to the certificate.
   

4. Principle of digital certificate

Digital certificate is the ultimate weapon in the security field, the most important thing in SSL communication protocol is digital certificate. He involves all the knowledge mentioned above: symmetric encryption, asymmetric encryption, message digest, digital signature, and so on.

Digital certificates can be generated from the Java Keytool tool, and the resulting digital certificates are generally kept in keystore. KeyStore can be called a secret key warehouse.

Secret key Warehouse can keep 3 kinds of data: keystore.privatekeyentry (private key in Asymmetric secret), Keystore.secretkeyentry (secret key in symmetric encryption), Keystore.trustedcertificateentry (Trusted certificate)

5. Keytool Tools

Path: Jre\bin\keytool.exe

Common commands:
Generate KeyPair

Keytool-genkeypair
Keytool-genkeypair-alias Lisi(the latter section specifies an alias for the certificate, otherwise the default name is MyKey)

See what items are in the KeyStore:

Keytool-list or Keytool-list-v
Keytool-exportcert-alias Lisi-file Lisi.cer

To generate a printable certificate:

Keytool-exportcert-alias Lisi-file LISI.CER–RFC

To display certificate information in a digital certificate file:

Keytool-printcert-file Lisi.cer

Double-click Lisi.cer and open Lisi.cer with the Windows system's built-in program

6. Android KeyStore Related knowledge

Debug Signature path: User.android\debug.keystore

Alias and password for Debug.keystore:
Alias: Androiddebugkey, Password: Android

Signature Command (jdk1.6):

Jarsigner-verbose-keystore Debug.keystore-signedjar 1signed.apk 1.apk Androiddebugkey

Signature Command (jdk1.7):

Jarsigner-verbose-keystore Debug.keystore-signedjar 1signed.apk 1.apk androiddebugkey-digestalg
Sha1-sigalg Md5withrsa

Optimization command:

Zipalign-v 4 1signed.apk 1signedaligned.apk

Verify that the signature is successful:

Jarsigner-verify 1signed.apk

7. Supplementing

Signing Certificate:

The default client is trusted by the authority issued to the server or by an individual to prove his or her identity. The main purpose is to encrypt and guarantee the integrity and non-repudiation of the data.

For example, the root certificate authority Symantec issued to Baidu is the signing certificate, is trusted.

Self-Signed Certificate:

Issued by the server itself, used to prove their identity, not authoritative authority issued, the default client is not trusted, the main purpose is to encrypt and ensure the integrity and non-repudiation of data, and the same as the signing certificate.

For example, the China Iron Group (Srca) method to 12306 of the certificate is self-signed certificate, the issue itself.