All along, the issue of digital certificates, as well as trust and other things smattering. Finally have a leisurely weekend to summarize and delve into the relevant knowledge.
Ca:
A CA (Certificate authority) is the issuing authority for certificates, a third-party organization responsible for managing and issuing certificates, and a widely trusted institution. Generally in our computer, browser, or mobile phone will be built into a number of such a trusted authority root certificate.
Certificate trust chain:
For example, I am a CA agency I have issued a certificate I This certificate is the Trust B certificate of the other B certificate and trust the other C certificate ... Then the chain can be trusted to go down. So once the root certificate of the CA authority is not trusted, all certificates issued by him will become untrustworthy and have serious consequences.
Public Key Cryptography System:
Public key cryptosystem is divided into three parts, public key, private key, encryption and decryption algorithm, its encryption and decryption process is as follows:
- Encryption: The content (or description text) is encrypted by encryption algorithm and public key, and the ciphertext is obtained. The encryption process requires a public key.
- Decryption: Decryption algorithm and private key to decrypt ciphertext, get clear text. The decryption algorithm and the private key are used to decrypt the process. Note that the content that is encrypted by the public key can only be decrypted by the private key, that is, the content that is encrypted by the public key, and if the private key is not known, it cannot be decrypted.
Public key cryptography public keys and algorithms are public (this is why called Public key Cryptography), the private key is confidential. Everyone encrypts with a public key, but only the holder of the private key can decrypt it. In actual use, the person in need will generate a pair of public and private keys, publish the public key for others to use, and keep the private key.
CA Certificate:
As the name implies, a CA certificate is a certificate issued by a CA authority. In fact, anyone can sign the certificate, you can also give yourself a certificate, but because you are not widely trusted by the organization, so you issued a certificate of no use. The public network will not trust your credentials. The server certificate consists of the following types of information:
- Issuing authority for certificates
- Validity period of the certificate
- Public
- Certificate owner (Subject)
- The algorithm used by the signature
- Fingerprint and fingerprint algorithm
Issuer (issuing authority for certificates)
Indicate what agency issued this certificate, which is the company that created the certificate (just create the certificate, not the user of the certificate). For this certificate above, it means "securetrust CA" this body.
Valid from, Valid to (validity of certificate)
That is, the validity time of the certificate, or the term of use of the certificate. After the expiry date, the certificate will be void and cannot be used.
Public key
This we introduced in the previous public key cryptography system, the public key is used to encrypt the message, the 2nd chapter of the example is often used. This digital certificate has a 2048-bit public key, and its value can be seen in the dialog box in the middle of the graph, which is a long string of numbers.
Subject (Theme)
This certificate is issued to WHO, or the owner of the certificate, usually a person or a company name, the name of the organization, the website of the company's Web site, and so on. For the certificate here, the owner of the certificate is Trustwave the company.
Signature algorithm (algorithm used for signing)
This is the encryption algorithm used by the digital signature of the digital certificate, so that the public key is used in the certificate issuing authority's certificates to decrypt the fingerprint according to this algorithm. The cryptographic result of a fingerprint is a digital signature.
Thumbprint, thumbprint algorithm (fingerprint and fingerprint algorithm)
This is used to guarantee the integrity of the certificate, which means that the certificate has not been modified. The principle is that when the certificate is issued, the publisher calculates the hash value (fingerprint) of the whole certificate according to the fingerprint algorithm (a hash algorithm) and puts it together with the certificate, and when the user opens the certificate, he also calculates the hash value of the certificate according to the fingerprint Algorithm (fingerprint), if the value of the first is right, This means that the certificate has not been modified because the content of the certificate is modified, and the hash value (fingerprint) calculated based on the content of the certificate will change. Note that this fingerprint is encrypted with the certificate authority's private key using the signature algorithm (Signature algorithm) and the certificates are put together.
How CA issued a valid certificate to us:
For example, to make it easy to understand, let's say that our company "ABC companies" spent 1000 dollars, to a certificate issuing agency "Securetrust CA" for our own company "ABC companies" to apply for a certificate, note that this certificate issuing agency " Securetrust CA "is a recognized and accepted by some authoritative authority of the certification authority, our operating system has installed the" Securetrust CA "certificate. "Securetrust CA" when the certificate is issued to us, the Issuer,public key,subject,valid from,valid to the information in the form of plaintext written to the certificate, and then a fingerprint algorithm to calculate the contents of the digital certificate of a fingerprint, and the fingerprint and fingerprint algorithm with their own private key to encrypt, and then publish with the contents of the certificate, and "Securetrust CA" will give us a company "ABC companies" private key to us. We paid 1000 bucks for this certificate. The contents are as follows:
XXXXXXXXXXXXXXX Certificate content starts XXXXXXXXXXXXXXXXX
Issuer:securetrust CA
SUBJECT:ABC Company
Valid from: a date
Valid to: a date
Public Key: A string of very long numbers
...... Some other certificate content ...
{The thumbprint of the certificate and the fingerprint algorithm used to compute the fingerprint} [Securetrust CA's private key | RSA]//This is the "Securetrust CA" to the certificate of a digital signature, indicating that the certificate is indeed his release, there is any problem he will be responsible (took us 1000 dollars, the problem must be responsible for it)
So finally what happened when we were using https:
In conjunction with the above diagram, I explain the following steps:
1. The client initiates a request to a Web site that requires HTTPS access.
2. The server sends the certificate to the client for verification. The certificate contains its public key. Specifically, here's how the client verifies that the digital certificate sent by the other party is valid.
- First find out if there is a root certificate for the CA authority on this server certificate on the local computer. If there is a continuation next, if there is no pop-up warning.
- Decrypts the thumbprint and fingerprint algorithm of the server certificate using the public key of the CA authority root certificate.
- After obtaining the fingerprint algorithm, this fingerprint algorithm is used to calculate the digest of the server certificate to get the fingerprint.
- Compare the computed fingerprint to the fingerprint decrypted from the server certificate to see if the same is true if the authentication is the same.
3. After the validation is successful, the client generates a random string and then encrypts it with the public key of the server certificate and sends it to the server.
4. The server decrypts this random value by using its own private key.
5. The server begins to communicate with the client using this random value for symmetric encryption.
6. The client gets the value decrypted using a random value in symmetric encryption.
Why not use asymmetric encryption all the time, but instead start using the symmetric encryption algorithm for HTTPS communication after a similar handshake:
The consumption of asymmetric encryption and the required computation and time is much larger than the symmetric encryption, so after the handshake and authentication, the server and the client begin to encrypt the subsequent data transfer according to the agreed random string.
Preference:
https://program-think.blogspot.com/2010/02/introduce-digital-certificate-and-ca.html digital certificates and the introduction of CA Literacy
Http://www.cnblogs.com/JeffreySun/archive/2010/06/24/1627247.html Digital Certificate principle
Digital certificate issuance, authorization and other related and HTTPS establishing communication process