Basic concepts and usage of public key, private key, and certificate

This article references

Http://www.cnblogs.com/jimshen/archive/2009/11/09/1599347.html

Http://blog.csdn.net/allwtg/archive/2009/12/09/4969543.aspx

Concepts of public and private keys

In modern cryptographic systems, encryption and decryption use different keys (public keys), that is, public keys.Algorithm(Also called asymmetric algorithms and two-key algorithms) ", each communication party requires two keys, namely, the public key and the private key. These two keys can be mutually decrypted. The Public Key is public and does not need to be kept confidential. The private key is held by the individual and must be kept properly and kept confidential.

Certificate Concept

A digital certificate is a digital certificate issued by a certificate authority (CA) to verify the real identity of the certificate applicant, A digital file formed by using the CA root certificate to sign some basic information of the applicant and the applicant's public key (equivalent to the Public Seal of the certificate sender. After a certificate is issued, the Ca publishes the certificate to the certificate library (Directory Server) of the CA. Anyone can query and download the certificate. Therefore, the digital certificate is public like the public key. In fact, a digital certificate is a ca-certified public key.

Principles:

1. a public key corresponds to a private key.

2. The key pair that everyone knows is the public key. If you do not know it, you only know it. It is the private key.

3. If one of the keys is used to encrypt data, only the corresponding key can be decrypted.

4. If one of the keys can be used for data decryption, the data must be encrypted by the corresponding key.

5. the main application of asymmetric key cryptography is public key encryption and public key authentication. The process of public key encryption is different from that of public key authentication.

 

Public Key-based encryption process

For example, two users Alice and Bob, Alice want to send a piece of plain text to bob through the two-key encryption technology. Bob has a pair of public and private keys, the encryption and decryption process is as follows:

1. Bob transfers his public key to Alice.

2. Alice uses Bob's public key to encrypt her message and then sends it to Bob.

3. Bob uses his private key to decrypt Alice's message.

Public Key-based authentication process

Identity authentication and encryption are different. The main users identify the authenticity of users. Here, we can identify a user's private key as long as it is correct. For Alice and Bob, Alice wants Bob to know that she is a real Alice, rather than a fake one. Therefore, Alice only needs to use public key cryptography to sign the file and send it to Bob, bob uses Alice's public key to decrypt the file. If the decryption succeeds, it proves that Alice's private key is correct and thus completes Alice's identity authentication. The authentication process is as follows:

1. Alice uses her private key to encrypt the file and sign the file.

2. Alice transfers the signed file to Bob.

3. Bob decrypts the file with Alice's public key to verify the signature.

Public Key, private key, certificate generation

1. an https server first creates its own key pair, which includes the public key and private key.

2. Send his public key to the CA center over the network. The public key contains personal authentication information (his name, address, serial number of the device used, and so on ).

3. the CA creates and signs a certificate containing the public key and personal information to ensure key validation.

4. the certificate holder can verify the authenticity of the certificate by verifying the signature of the CA center (verifying that the CA signature requires the CA Public Key.

Public Key, private key, and certificate usage

In the handshake phase of the HTTPS protocol, the public key, private key, and certificate are used in typical scenarios. The typical sequence of HTTPS handshake is as follows:

 

The solid line part is required, and the dotted line part is optional. This process completes two tasks: Server Authentication and encrypted transmission of symmetric encryption keys.

1. Client Hello and server hello indicate that both parties need to establish an encrypted session.

2. The server transmits the digital certificate to the client. The certificate contains the public key of the server. The client uses the public key to parse the digital signature in the certificate to verify the identity of the server.

3. Server Hello done indicates that the hello process has ended.

4. The client generates a symmetric encryption key for encrypted transmission of actual data and encrypts it with the public key of the server to transmit the generated key to the server. At the same time, it carries a "client finished" encrypted with the generated encryption key ".

5. The server receives the symmetric encryption key and tries to use the key to decrypt the encryption field. If the plaintext "client finished" is obtained, the key is considered valid and can be used for subsequent encrypted data transmission. At the same time, use this key to encrypt "server finished" and pass it to the client.

6. The client uses a symmetric secret key for decryption. If the plaintext "server finished" is obtained, the client deems that the server has correctly received the symmetric key.

7. Encrypted data transmission starts.

The dotted line is the server that requires customer authentication.