Basic knowledge of digital certificates

Source: Internet
Author: User
Tags ssl certificate asymmetric encryption

The previous blog post, "iOS developer certificate and code signing learning notes", introduced iOS development certificates and code signing. To better understand the characteristics of certificates, this post collects and summarizes digital certificates and the related background knowledge.

Before discussing digital certificates, we must talk about asymmetric encryption algorithms and digest algorithms, because digital certificates are built on a variety of cryptographic algorithms (asymmetric encryption, digest algorithms), and the core of these is the asymmetric encryption algorithm. Encryption methods can be divided into two main categories. One is single-key encryption (private key cryptography), also called symmetric encryption; the other is two-key encryption (public key cryptography), also called asymmetric encryption. The former uses the same key for both encryption and decryption; the latter uses different keys for encryption and decryption. The sections below look at symmetric, asymmetric, and digest algorithms, and how they are applied in digital certificates.

Symmetric encryption

Symmetric encryption (also known as private key encryption) refers to cryptographic algorithms that use the same key for encryption and decryption. It is sometimes called traditional cryptography: the encryption key can be inferred from the decryption key, and the decryption key can be inferred from the encryption key. In most symmetric algorithms the encryption key and decryption key are the same, so these algorithms are also called secret-key or single-key algorithms.

A symmetric algorithm requires the sender and receiver to agree on a key before they can communicate securely. The security of a symmetric algorithm relies on the key: anyone who obtains the key can decrypt the messages the parties send or receive, so the confidentiality of the key is critical to the communication. Symmetric encryption algorithms are characterized by a public algorithm, low computational cost, fast encryption speed and high encryption efficiency. There are many symmetric algorithms, and because of their efficiency they are widely used at the core of many cryptographic protocols. The disadvantage is that both sides of the transaction use the same key, so security cannot be guaranteed.

Common symmetric encryption algorithms
    • DES: The Data Encryption Standard (DES) is a block cipher, a symmetric algorithm that uses a 56-bit key. It was controversial from the outset because it contains some secret design elements, has a relatively short key length, and was suspected of containing a backdoor from the U.S. National Security Agency (NSA). DES is no longer considered a secure cryptographic algorithm, primarily because its 56-bit key is too short and easily cracked. To provide the required security, the DES derivative 3DES can be used for encryption, although 3DES also has theoretical attacks.

    • AES: The Advanced Encryption Standard (AES), which replaces the original DES, has been analyzed by many parties and is widely used worldwide. By 2006, the Advanced Encryption Standard had become one of the most popular algorithms in symmetric key cryptography. The block length of AES is fixed at 128 bits, and the key length can be 128, 192 or 256 bits.

    • RC4: RC4 is a family of stream ciphers with variable key length, designed in 1987 by Ronald Rivest, the first of the famous RSA trio. The algorithm can be about 10 times faster than DES encryption, and it has a high level of nonlinearity. RC4 was originally used to protect trade secrets, but in September 1994 its algorithm was posted on the Internet, and it was no longer a trade secret.

    • IDEA: Proposed in 1990 by Xuejia Lai, a young Chinese scholar living in Switzerland, and the famous cryptographer J. Massey. It was officially announced in 1990 and strengthened later. The algorithm was developed on the basis of DES and is similar to Triple DES; like DES, IDEA is a symmetric key algorithm. IDEA was developed because the DES key is too short and DES has become outdated. IDEA has a 128-bit key, a key long enough that it should remain secure over the next few years.

Asymmetric encryption

Unlike a symmetric encryption algorithm, an asymmetric encryption algorithm requires two keys, a public key and a private key, and the encryption key and decryption key form a pair. Asymmetric algorithms use different keys for encryption and decryption. Asymmetric encryption is also known as public-key cryptography: one key is exposed externally and can be obtained by anyone, and is called the public key; the other key is not exposed, and is called the private key.

Features of asymmetric encryption
    • For a given public key, there is exactly one corresponding private key.
    • The public key is public, and the private key cannot be derived from the public key.
    • Ciphertext encrypted with the private key can only be decrypted with the public key, and ciphertext encrypted with the public key can only be decrypted with the private key.

Deriving a private key from a public key is extremely difficult and can only be done by exhaustive search, so as long as the key is long enough, it is almost impossible to derive the private key from the public key.

Main uses of asymmetric encryption
    • Confidentiality of information, to prevent man-in-the-middle attacks: the plaintext is encrypted with the public key and transmitted to the receiver, so that the information can only be decrypted by the owner of the private key. Others cannot obtain the plaintext, because without the private key it cannot be decrypted. This method is generally used for exchanging symmetric keys.
    • Authentication and prevention of information tampering: the private key owner uses the private key to encrypt a piece of authorized plaintext, then sends out the authorized plaintext, the encrypted ciphertext, and the public key together. The receiver only needs to decrypt the ciphertext with the public key and check that it matches the authorized plaintext to determine whether the plaintext was tampered with along the way. This method is used for digital signatures.

Common asymmetric encryption algorithms
  • RSA: In 1977, three mathematicians, Rivest, Shamir, and Adleman, designed an algorithm that could implement asymmetric encryption. The algorithm is named after the three of them and is called the RSA algorithm. From then until now, RSA has been the most widely used asymmetric encryption algorithm. It is no exaggeration to say that wherever there is a computer network, there is the RSA algorithm. The algorithm is very reliable: the longer the key, the more difficult it is to crack. According to the published literature, the longest RSA key cracked so far is 768 bits. In other words, no key longer than 768 bits has been cracked (at least not publicly). Therefore, a 1024-bit RSA key can be considered basically secure, and a 2048-bit key extremely secure. RSA is suitable for digital signatures and key exchange. It is the most widely used public-key encryption algorithm, especially for data transmitted over the Internet.

  • DSA: The Digital Signature Algorithm (DSA), invented by the U.S. National Security Agency (NSA), is a digital signature standard. In DSA signing and authentication, the sender uses their private key to sign the file or message, and the recipient, on receiving the message, uses the sender's public key to verify the authenticity of the signature. DSA is purely a signature algorithm: unlike RSA, it cannot be used for encryption and decryption or for key exchange, only for signing, at which it is much faster than RSA. The security of DSA depends on the difficulty of computing discrete logarithms. The algorithm is not suitable for data encryption and applies only to digital signatures.

  • Diffie-Hellman: A way to let a shared key cross an unsecured network safely. In 1976, Whitfield Diffie and Martin Hellman presented a remarkable key exchange protocol, called the Diffie-Hellman key exchange protocol/algorithm (Diffie-Hellman Key Exchange/Agreement Algorithm). The trick of this mechanism is that two parties that need to communicate securely can use it to agree on a symmetric key, which can then be used for encryption and decryption. Note, however, that this protocol can only be used to exchange keys, not to encrypt and decrypt messages. Once both sides have agreed on the key, the actual encryption and decryption of messages is done with some other symmetric-key algorithm. The algorithm is only applicable to key exchange.

  • ECC: Elliptic curve cryptography (ECC) is a public-key cryptosystem, originally proposed by Koblitz and Miller in 1985. Compared with classic public-key cryptosystems such as RSA and DSA, it has the following advantages: a 160-bit elliptic curve key provides the same security as a 1024-bit RSA key; ECC is faster than RSA and DSA at private-key encryption and decryption; and its storage and bandwidth requirements are low. On the other hand, the mathematical theory behind ECC is very abstruse and complex, which makes it difficult to implement in engineering applications, but its security strength per bit is relatively high.

Asymmetric encryption is probably the most important class of algorithms in the world; it is the cornerstone of e-commerce and other fields today. Asymmetric encryption is powerful and reliable, but it has one disadvantage: encryption and decryption are time-consuming. Therefore, in practice, it is usually used together with symmetric encryption and digest algorithms, for example when a symmetric key is exchanged between entities, or when the hash of a message is signed (a digital signature).

A hash is a fixed-length result obtained by applying a one-way mathematical function, called a hash algorithm, to data.

Digest algorithm

The digest algorithm is a remarkable kind of algorithm, also known as a hash algorithm; its output is called a hash or hash value. It is a different type of data transformation from key-based encryption (symmetric key or public key). Hashing applies a one-way mathematical function, called a hash algorithm, to the data, converting a piece of data of any length into a fixed-length, irreversible number, usually between 128 and 256 bits. The resulting hash value should be long enough that there is very little chance of finding two pieces of data with the same hash value.

The digest algorithm has the following characteristics:
    • As long as the source text is different, the calculated results are necessarily different (or rather, the chance of them being the same is very small).
    • The source data cannot be recovered from the result (naturally; otherwise energy would not be conserved).

Common digest algorithms:
    • MD5: A one-way hashing algorithm developed by RSA Data Security. MD5 is widely used and converts data blocks of different lengths into a fixed-size value (usually 128 bits).
    • SHA-1: Like the DSA public key algorithm, Secure Hash Algorithm 1 (SHA-1) was designed by the NSA and is included in FIPS by NIST as a standard for hashing data. It produces a 160-bit hash value. SHA-1 is a popular one-way hashing algorithm for creating digital signatures.
    • MAC (Message Authentication Code): A one-way function that uses a key, used to authenticate files or messages on a system or between users. A common example is HMAC (a keyed hashing algorithm for message authentication).
    • CRC (Cyclic Redundancy Check): Because CRC is simple to implement and good at detecting errors, it is widely used in all kinds of data validation. It uses few system resources, can be implemented in both hardware and software, and is a good means of detecting errors in data transmission. (Strictly speaking, CRC is not a hashing algorithm, but its function is roughly the same as that of a hash algorithm, so it is listed in this class.)

The digest algorithm is used to check the consistency of an information source, because the resulting digest necessarily changes whenever the source data changes. Because the result is usually much shorter than the source data, it is called a "digest" or "summary".

A typical scenario: the sender computes the hash value of a message, encrypts it, and then sends it along with the message itself. The recipient, in turn, decrypts both the message and the hash value, generates another hash value from the received message, and then compares the two hash values. If the two are the same, the message most likely did not change during transmission.
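The following sketch is an added example, not code from the original post. It checks the digest properties listed above with Python's standard library and shows why the scenario protects the hash with a key: an unkeyed digest can be recomputed by anyone who rewrites the message, while an HMAC tag cannot. The message, key and function names are constructed for illustration.

```python
import hashlib
import hmac
import zlib

MESSAGE = b"pay 100 to Lao Wang"          # constructed sample message
KEY = b"shared-secret-known-to-both-ends"  # constructed sample key

def digest_bits(data: bytes) -> dict:
    """Output length in bits is fixed per algorithm, whatever the input size."""
    return {name: hashlib.new(name, data).digest_size * 8
            for name in ("md5", "sha1", "sha256")}

def differing_bits(a: bytes, b: bytes) -> int:
    """Number of SHA-256 output bits that differ between two inputs."""
    da, db = hashlib.sha256(a).digest(), hashlib.sha256(b).digest()
    return sum(bin(x ^ y).count("1") for x, y in zip(da, db))

def crc32_xor_relation_holds(a: bytes, b: bytes, c: bytes) -> bool:
    """CRC-32 is affine: for equal-length inputs the checksum of a^b^c is
    the XOR of the three checksums. A cryptographic hash has no such
    structure, which is why CRC only detects accidental errors."""
    mixed = bytes(x ^ y ^ z for x, y, z in zip(a, b, c))
    return zlib.crc32(mixed) == zlib.crc32(a) ^ zlib.crc32(b) ^ zlib.crc32(c)

def plain_tag(message: bytes) -> bytes:
    return hashlib.sha256(message).digest()

def keyed_tag(key: bytes, message: bytes) -> bytes:
    return hmac.new(key, message, hashlib.sha256).digest()

def accepts_plain(message: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(plain_tag(message), tag)

def accepts_keyed(key: bytes, message: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(keyed_tag(key, message), tag)

def rewrite_in_transit(message: bytes) -> tuple:
    """Model of a change on the path: the message is altered and the
    unkeyed digest is simply recomputed, since no secret is needed."""
    altered = message.replace(b"100", b"900")
    return altered, plain_tag(altered)

if __name__ == "__main__":
    altered, new_tag = rewrite_in_transit(MESSAGE)
    print("digest sizes:", digest_bits(MESSAGE))
    print("bits changed by a one-character edit:", differing_bits(MESSAGE, altered))
    print("unkeyed digest accepts altered message:", accepts_plain(altered, new_tag))
    print("HMAC accepts altered message:",
          accepts_keyed(KEY, altered, keyed_tag(KEY, MESSAGE)))
```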

Digital signatures

A digital signature is an application of asymmetric encryption combined with a digest algorithm. It ensures that information cannot be tampered with (a property of the digest algorithm), guaranteeing the integrity and credibility of the data, and it also prevents the data from being forged by others (a property of the asymmetric algorithm). Suppose we have an authorized text to publish, and we want to prevent the published content from being tampered with along the way, guarantee the integrity of the published text, and prove that it was published by the specified publisher. The publisher first uses a digest algorithm to compute the digest of the text, then encrypts the digest with the private key to obtain a ciphertext (the signature), and finally publishes the source text, the ciphertext (signature) and the public key together.

The verification process is: first verify that the public key really is the publisher's public key, then use the public key to decrypt the ciphertext to obtain a digest, compute the digest of the text with the same digest algorithm the publisher used, and compare the two digests to confirm whether the information was tampered with and whether it comes from the specified publisher.

Digital signatures make it possible to quickly verify the integrity and legitimacy of a text, and they are widely used in many fields.

For how the public key itself is validated, see the authorization chain of digital certificates discussed later.

Digital certificates

Real-life certificates

In real life, a certificate is, as the name implies, a proof issued by an authority. For example, an English Level 6 certificate is issued by the Education Department to people who pass the Level 6 examination, as proof of their English ability. Let's take a look at what this certificate consists of:

    • Certified person: Lao Wang
    • Content: Passed English Level 6
    • A seal or stamp of the Education Department.

When Lao Wang uses this certificate to look for a job, the employer verifies the legitimacy of the certificate and Lao Wang's ability by checking its contents (especially the official seal). In real life there are often fake Level 6 certificates, and the most important part of such a fake is the forged seal. Laws and regulations are used to deter the forging of official seals, but the employer may not be able to judge accurately whether the seal is genuine. Digital signatures can be used to solve this kind of problem.

Digital certificates

A digital certificate is a certificate implemented with a digital signature. In real life a seal can be forged, but in the digital world a digital signature cannot be forged. Take the certificate above: a certificate file states the contents of the certificate and the issuer, and the Education Department uses its private key to sign the digest of the file, then publishes the signature together with the certificate file, so that the certificate cannot be forged. To verify the certificate, first use the Education Department's public key (which is publicly available) to decrypt the signature and obtain a digest, then use the same digest algorithm as the Education Department to compute another digest of the certificate, and compare the two digests to determine whether the certificate is legitimate. A certificate generally also contains additional information, such as its validity period.

Digital certificates are issued by many different agencies, and certificates issued by different agencies serve different purposes. For example, in iOS development, the certificate used to sign IPA files must be requested from Apple. For web access, to ensure that web content is transferred securely over the network, the required SSL certificate must be requested from one of several recognized institutions. These issuing agencies are collectively referred to as CAs (Certificate Authorities).

Certificates for web access can be requested from several internationally recognized institutions:

    1. WebTrust
    2. GlobalSign
    3. GTE
    4. Nortel
    5. Verisign

Verification of digital certificates

A certificate, once obtained, is verified by a verifier: for SSL certificates used by web applications the verifier is the browser, and for the various iOS certificates the verifier is the iOS device. Because digital certificates are based on digital signatures, verifying the legitimacy of any digital certificate means verifying that its signature is correct, and verifying the signature requires the public key of the issuing authority.

For an iOS development certificate, after the signing certificate has been requested, you also need to install Apple's public key certificate (installed automatically with Xcode) so that the certificate we requested can be verified (is legitimate) and can be used to sign IPA files. Signatures on web-related certificates are verified by the browser, which has the public key certificates of a number of internationally recognized certificate authorities built in and uses them to verify the trustworthiness of a digital certificate.

Once a digital certificate has been verified, it can be put to use: an iOS development certificate can be used to sign an app, and an SSL certificate can be used for encrypting web content and related tasks. With these certificates, you can guarantee that data is not tampered with during transmission and that the source of the information cannot be altered, which ensures the security of the information.

On iOS, this verification process is fixed into the system and cannot be bypassed unless the device is jailbroken.

Authorization chain for digital certificates

A digital certificate also contains authorization chain information. For example: if you want to apply for one week of leave, you need your boss's approval, your boss needs their boss to agree, and eventually the Big Boss must agree. This layered authorization forms a chain of authorization. The Big Boss is the root of the chain, and each link is authorized by someone closer to the root.

For example, an Apple developer's app signing certificate, which can be used to sign apps, is actually signed by Apple's Worldwide Developer Relations Certificate Authority (WDRCA), which in turn is signed and authorized by the Apple Certificate Authority. In this chain, Apple's CA is the root. The Apple CA root certificate is built into Apple systems by default, so the credibility of the WDRCA can be verified with Apple's built-in CA root certificate.

For web-related SSL certificates, the CA roots at the top are the recognized issuing agencies mentioned above. When we need an SSL certificate for a website, we can apply to one of these institutions. Fees for applying to a root agency are usually relatively high, so you can also apply to a second-level authorized institution. The advantage of choosing a certificate from a root authority is that most browsers now have the public key certificates of these authoritative CAs built in, so the browser generally does not show a risk alert for certificates issued by them.
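The sign-and-verify procedure from the "Digital signatures" section and the authorization chain described here can be traced in one small program. This is an added example, not code from the original post: it uses textbook RSA over small Mersenne primes, which is a toy and not secure, and the certificate fields, names and trust store are constructed for illustration.

```python
import hashlib

E = 65537  # public exponent shared by all toy keys

def make_key(a: int, b: int) -> dict:
    """Toy RSA key from the Mersenne primes 2**a-1 and 2**b-1 (not secure)."""
    p, q = 2**a - 1, 2**b - 1
    return {"n": p * q, "d": pow(E, -1, (p - 1) * (q - 1))}

def digest(data: bytes, n: int) -> int:
    """SHA-256 digest as an integer, reduced to fit the toy modulus."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(data: bytes, key: dict) -> int:
    """'Encrypt' the digest with the private exponent d."""
    return pow(digest(data, key["n"]), key["d"], key["n"])

def verify(data: bytes, sig: int, n: int) -> bool:
    """'Decrypt' the signature with the public key and compare digests."""
    return pow(sig, E, n) == digest(data, n)

def signed_fields(cert: dict) -> bytes:
    """The part of a certificate that the issuer's signature covers."""
    return f'{cert["subject"]}|{cert["issuer"]}|{cert["n"]}'.encode()

def issue(subject: str, subject_key: dict, issuer: str, issuer_key: dict) -> dict:
    cert = {"subject": subject, "issuer": issuer, "n": subject_key["n"]}
    cert["sig"] = sign(signed_fields(cert), issuer_key)
    return cert

def verify_chain(chain: list, trust_store: dict) -> bool:
    """chain is leaf first, root last; trust_store maps root name -> modulus."""
    for cert, parent in zip(chain, chain[1:]):
        if cert["issuer"] != parent["subject"]:
            return False  # broken link: parent did not issue this certificate
        if not verify(signed_fields(cert), cert["sig"], parent["n"]):
            return False  # contents changed or signed by another key
    root = chain[-1]
    if trust_store.get(root["subject"]) != root["n"]:
        return False  # root is not one of the verifier's built-in roots
    return verify(signed_fields(root), root["sig"], root["n"])

# Constructed three-level hierarchy: root -> intermediate -> developer.
ROOT_KEY = make_key(521, 607)
INTER_KEY = make_key(107, 127)
LEAF_KEY = make_key(61, 89)
ROOT = issue("Toy Root CA", ROOT_KEY, "Toy Root CA", ROOT_KEY)
INTER = issue("Toy Intermediate CA", INTER_KEY, "Toy Root CA", ROOT_KEY)
LEAF = issue("developer", LEAF_KEY, "Toy Intermediate CA", INTER_KEY)
TRUST_STORE = {"Toy Root CA": ROOT_KEY["n"]}  # what the verifier ships with

if __name__ == "__main__":
    print("valid chain:", verify_chain([LEAF, INTER, ROOT], TRUST_STORE))
    edited = dict(LEAF, subject="someone else")
    print("edited leaf:", verify_chain([edited, INTER, ROOT], TRUST_STORE))
    app_sig = sign(b"app binary", LEAF_KEY)
    print("app signature:", verify(b"app binary", app_sig, LEAF["n"]))
```

A self-signed root that is not in the trust store fails at the last step even though its own signature checks out, which is why the built-in root list is the anchor of the whole chain.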

Summary

The foundation of digital certificate signatures is the asymmetric encryption algorithm: signatures rely on its ability to authenticate and to prevent information tampering. Asymmetric encryption is also applied in other areas, such as key exchange in HTTPS, which relies on its confidentiality property; these are the most widespread uses of asymmetric encryption algorithms. Asymmetric encryption is good, but it has one drawback: encryption and decryption are time-consuming, so it is generally used together with symmetric encryption.

This article is only a summary of digital certificates, and many details are not covered. If you are interested in the details, you can study the topics mentioned here in more depth. This article also does not cover the management of digital certificates or certificate formats; those topics will be organized and introduced in subsequent articles.
