Apple certificate and public key private key encryption

Source: Internet
Author: User
Tags asymmetric encryption

Today saw a bit about the public key encryption of the content, quickly write down the province's forgotten.

Here are a few concepts: public key, private key, encryption, authentication, authentication Center (CA), digital certificate.

Public and private keys are asymmetric encryption, and the public and private keys are completely different, but correspond to each other. A private key can only correspond to a public key. As the name implies, the public key is open to all, everyone can obtain, the private key is their own custody.

Encryption and authentication

Public-key-based cryptography

The purpose of encryption is to ensure that the ciphertext can only be read by certain people, and no one else can know what is inside. The function of the public key is encryption. Example: Alices sends a message to Bob. She encrypts the plaintext with Bob's public key. After Bob gets the ciphertext, he decrypts it with his private key. This process guarantees that even if others get a cipher, they can't see it.

Figure 1

Private key-based authentication

The function of the private key is to authenticate the authenticity of the user. Or the above example, Alices to Bob. But Bob's public key is a lot of people, how to know the letter received is Alices hair? Must rely on the private key authentication. Alices can send Bob a message with a piece of information and then encrypt it with his private key. When Bob receives the letter, he first decrypts the message with Alices's public key, and if it is correct, it is alices, and then decrypts the letter with its private key.

Figure 2

Certificate Authority (CA) and digital certificates

the role of the certification center is to ensure that the public key is correct. For example: Alices want to send Bob a top secret letter, and at this time, Alices and Bob do not have the other's public key. At this point, Bob gives Alices the public key, alices if you know it was given by Bob instead of someone else impersonating it? What to do?! This is the time for the CA to go. Bob submits his own information and public key to the CA. The CA encrypts this information with its own private key, generating a digital certificate. Bob gives the digital certificate to Alices,alices to decrypt the digital certificate through the CA's public key, and the public key is Bob's public key.

Personal feeling asymmetric encryption a very important link is the role of CAs. First, the CA must ensure that its public key cannot be replaced, otherwise it will not play. This estimate is not difficult, determine a URL, only download from this is the CA's public key. or other, more advanced measures. Second, the CA is guaranteed to certify the individual. For example, when Tom submits his personal information and public key, the CA will guarantee that it cannot impersonate Bob. This estimate depends on the person or other measures, in short can guarantee. These are CA's things, we don't care.

Figure 3

Apple's signature

Here's the play, let's talk about the relationship between the Apple signature and the above. After so long iOS development, often by the development of various certificates to get dizzy, this is really a big hole, but had to.

First, digital signature (digitally signature)

Uses a hashing algorithm for the specified information, obtains a fixed-length information digest, and then uses the private key (note must be the private key) to encrypt the digest, the digital signature is obtained. The so-called code signature is what this means.

Second, digital certificate (certificate)

Certificate generation

When applying for an iOS development certificate, developers need to generate a CSR file via keychain (Certificate Signing request), which is submitted to Apple worldwide Developer relations Certification authority (WWDR) certification Center for signature, and finally downloaded from the Apple official website and installed use. This process also generates a private key, where the certificate and private key are located in the keychain.

Figure 4

Certificate composition

The digital certificate after WWDR digital signature looks like this:

It consists of two parts:

· The certificate itself

Contains information about the user's public key, user's personal information, certification Authority information, certificate validity period, and so on.

· Certificate signing

WWDR uses the hash algorithm of the certificate itself to obtain a fixed-length information digest, and then uses its own private key to encrypt the information digest to generate a digital signature, the entire process:

Certificate usage

The iOS system originally holds the public key of the WWDR (which guarantees the correctness of the CA public key), the system first calculates the content of the certificate through the specified hash algorithm to obtain a message digest, and then decrypts the digital signature contained in the certificate using the WWDR's public key, resulting in a digest of the information encrypted by the WWDR private key. The final comparison of two information summaries, if the same content, indicates that the certificate is trustworthy. The whole process:

After verifying that the certificate is trustworthy, the iOS system can obtain the public key of the developer included in the certificate and use that public key to determine the availability of the code signature.

The meaning of certificate existence

Through the certificate use process can be seen, the certificate itself is only an intermediary, the iOS system does not care about the certificate, it actually only want the certificate contains the developer's public key!!

But how can developers prove that the public key is their own? How can the iOS Security system Trust this public key as the developer?

No matter which developer is on the iOS security system, this public key is mine, the system is not believed, that is, the system of developers have a sense of distrust. But the iOS security system is trustworthy for its wwdr, and Apple has built the WWDR public key into the iOS system. With the certificate, the iOS security system only needs to pass the WWDR public key to obtain to any developer's trusted public key, this is the certificate existence significance!!

Third, public key

The public key is included in the digital certificate, and the digital certificate is included in the description file (Provisioning file), which is copied to the iOS device when the app is installed.

The iOS security system can determine the developer identity through the certificate, it can be obtained from the certificate by the public key to verify that the developer with the public key corresponding to the private key signed code, resource files, etc. have been changed to destroy, and finally determine whether the application is legitimate on the iOS device legitimate operation.

Iv. private Key

Each certificate (in fact, the public key) should have a private key,

The private key is used to sign code, resource files, and so on. Only development certificates and profiles are not properly debugged because no private key can be signed at all.

V. Generation of Provisioning Profile

I still remember that it took a lot of effort to build this thing at first. First, a CSR file is generated from the keychain, and the file is submitted to the Apple Dev Center to generate a CER file. In fact, the process is to put their own public key to Apple, as mentioned above if the certainty of the public key, the access to the development center of the account and password, if this thing leaked, then no one can do nothing.

Once you have downloaded the CER file, you will have an extra option in the keychain, as shown in 4. The following is your private key, which is important. Don't ask if the private key exists, I don't know, but it can be exported as a P12 file.

        cer is done in the Developer Center add AppID, equipment, etc., not detailed. Finally to generate provisioning profile. First you have to choose the type, which is for development or for publishing, followed by AppID. The following options are important to select certificates This is the choice you want to include the public key, it is used for encryption, I usually choose. If it is development, the following is the choice of equipment, and then the name of the finished. Designed to encrypt is Certificates the selection of .

So when developing the private key is the P12 file and provisioning profile matching is the most important. The private key encrypts the code and the public key is decrypted. The entire process is the certification process, ensuring that the iOS device installation program is approved by Apple. This is the purpose of Apple's so much strength.

In the Xcode6 codesing and provisioning configuration are selectable, select a certain match, or not the real machine can not be tuned, or upload is unsuccessful.

Describe the whole process: first the developer uploads the CSR file, which is the public key to Apple. Select the corresponding public key when generating provisioning profile. Then download and install the appropriate provisioning file. When the program is packaged, the code is encrypted with the private key, and the provisioning file is included in the app file. When an iOS device installs an app, it first decrypts the developer's public key with the CA's public key, and then decrypts the code with the developer's public key to complete the installation.

It seems that Apple is pretty hard to keep the source of the code!

Apple certificate and public key private key encryption

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.