Android Secure encryption: Digital signatures and digital certificates

Source: Internet
Author: User
Tags: naming convention, rfc, asymmetric encryption

Android secure encryption feature article index
    1. Android Secure encryption: Symmetric encryption
    2. Android Secure encryption: Asymmetric encryption
    3. Android Secure encryption: Message digest (MessageDigest)
    4. Android Secure encryption: Digital signatures and digital certificates
    5. Android Secure encryption: HTTPS programming

Everything covered so far (symmetric encryption, asymmetric encryption, message digests, digital signatures) is groundwork for understanding how digital certificates work. The digital certificate is the central tool of practical cryptography: only after understanding how a certificate works can we understand the secure communication mechanism of the HTTPS protocol, and SSL development then becomes straightforward.

In addition, symmetric encryption and message digests are two topics that are also used on their own.

Knowledge points tied together:

The digital certificate uses all of the knowledge learned above:

    • Symmetric encryption is used together with asymmetric encryption: the asymmetric algorithm protects the exchange of a session key, after which the two parties communicate with efficient symmetric encryption under that key.
    • A message digest plus asymmetric encryption implements a digital signature. The certificate authority (CA) signs the target certificate; at verification time the client checks that signature with the CA's public key, taken from a CA certificate it already trusts. Only if that check succeeds (together with the validity period and the name) is the certificate trusted.
    • The keytool tool can create a key pair with a self-signed certificate, which can be used directly (in development, or as a private root), or a certificate request for the public key can be submitted to a certificate authority for signing (keytool -certreq). keytool can also export the certificate in printable RFC (PEM) format.
    • Digital signature technology provides identity authentication and data integrity.
    • Encryption provides confidentiality; a message digest provides integrity; symmetric encryption is efficient enough to protect bulk data; digital signatures provide non-repudiation.

After working through the above, we should have grasped the following knowledge points:

    • Basics: bits, bytes, characters, character encodings, base conversion, I/O
    • How to use symmetric encryption to solve problems in real-world development
    • Which problem each of symmetric encryption, asymmetric encryption, message digest, digital signature and digital certificate solves
    • The SSL communication process
    • How to call an HTTPS interface in real development

First, the digital signature

1. Overview

A digital signature is the combined application of asymmetric encryption and a message digest: the digest of the message is computed and then signed with the sender's private key.

2. Application scenarios
    • Verify the sender's identity (sign with the private key, check with the public key: if the check with a given public key passes, the message must have been issued by the holder of the matching private key, provided that public key really belongs to the claimed sender, which is exactly what certificates establish)
    • Verify the integrity of the data (the verifier recomputes the digest of the received message and compares it with the digest recovered from the signature; any change to the message changes the digest)
3. Signature process

"When sending a message, the sender uses a hash function to generate a message digest from the message text and then encrypts the digest with its own private key; this encrypted digest is sent to the receiver as the digital signature along with the message. The receiver first calculates the message digest from the original message received, using the same hash function as the sender, and then decrypts the appended digital signature with the sender's public key. If the two digests are the same, the receiver can confirm that the digital signature is the sender's.

Digital signature has two functions: one is to determine that the message was actually signed and sent by the sender, because others cannot impersonate the sender's signature. Second, the digital signature can determine the integrity of the message. Because the digital signature is derived from the characteristics of the file, if the file changes, the value of the digital digest will also change; different files will get different digital digests. A digital signature involves a hash function, the sender's public key, and the sender's private key."

4. Steps to use
    import java.security.PrivateKey;
    import java.security.PublicKey;
    import java.security.Signature;

    // Get a Signature object. The original listed MD2withRSA, MD5withRSA and SHA1withRSA;
    // MD2 and MD5 are broken and SHA-1 is deprecated for signatures, so use SHA256withRSA.
    Signature signature = Signature.getInstance("SHA256withRSA");

    // Read the private key from disk (SerializableUtil is the page's own helper that
    // deserializes a java.security.Key object; it is not part of the JDK)
    PrivateKey privateKey = (PrivateKey) SerializableUtil.readObject("heima.privateKey");

    // Initialize for signing with the private key
    signature.initSign(privateKey);

    // Pass in the data to be signed. Always name the charset: if signer and verifier
    // use different platform defaults, the bytes differ and verification fails.
    signature.update(content.getBytes("UTF-8"));

    // Execute the signature
    byte[] sign = signature.sign();

    // Read the public key from disk
    PublicKey publicKey = (PublicKey) SerializableUtil.readObject("heima.publicKey");

    // Re-initialize the Signature object for verification with the public key
    signature.initVerify(publicKey);

    // Pass in the data to be verified (the same original text as above)
    signature.update(content.getBytes("UTF-8"));

    // Perform verification; false means the signature does not match the data or the key
    boolean verify = signature.verify(sign);
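A complete, runnable version of the sign-and-verify cycle, added here as an example that is not part of the original page. It generates its own RSA key pair instead of reading serialized keys from disk, shows the two failure cases the text relies on (a tampered message and the wrong public key), and makes the "decrypt the signature and compare digests" picture from the quoted passage concrete by running the raw RSA public-key operation on the signature and comparing the recovered SHA-256 digest with a freshly computed one. The message and the class name are constructed for the example; it was written for a desktop JDK, where the SunJCE RSA cipher accepts a public key in DECRYPT_MODE for this purpose.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.MessageDigest;
import java.security.PublicKey;
import java.security.Signature;
import java.util.Arrays;
import javax.crypto.Cipher;

public class SignatureDemo {

    // Sign with the sender's private key. SHA256withRSA is used instead of the MD5withRSA
    // named above; MD5 and SHA-1 are no longer acceptable digests for signatures.
    static byte[] sign(KeyPair sender, byte[] message) throws Exception {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(sender.getPrivate());
        s.update(message);
        return s.sign();
    }

    // Verify with the sender's public key. A tampered message or a wrong key yields false,
    // not an exception, so callers must check the boolean.
    static boolean verify(PublicKey senderPublic, byte[] message, byte[] sig) throws Exception {
        Signature v = Signature.getInstance("SHA256withRSA");
        v.initVerify(senderPublic);
        v.update(message);
        return v.verify(sig);
    }

    // The "decrypt the signature and compare digests" view made explicit. Applying the RSA
    // public-key operation (PKCS#1 v1.5, block type 1) to the signature recovers a DER DigestInfo
    // structure whose last 32 bytes are the SHA-256 digest the signer embedded.
    static boolean recoveredDigestMatches(PublicKey senderPublic, byte[] message, byte[] sig) throws Exception {
        Cipher rsa = Cipher.getInstance("RSA/ECB/PKCS1Padding");
        rsa.init(Cipher.DECRYPT_MODE, senderPublic);
        byte[] digestInfo = rsa.doFinal(sig);
        byte[] expected = MessageDigest.getInstance("SHA-256").digest(message);
        byte[] recovered = Arrays.copyOfRange(digestInfo, digestInfo.length - 32, digestInfo.length);
        return MessageDigest.isEqual(expected, recovered);   // constant-time comparison
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair sender = kpg.generateKeyPair();
        KeyPair impostor = kpg.generateKeyPair();

        // Constructed sample message; the second one differs by a single digit.
        byte[] message  = "transfer 100 to account 42".getBytes(StandardCharsets.UTF_8);
        byte[] tampered = "transfer 900 to account 42".getBytes(StandardCharsets.UTF_8);
        byte[] sig = sign(sender, message);

        System.out.println("genuine message, right key : " + verify(sender.getPublic(), message, sig));
        System.out.println("tampered message           : " + verify(sender.getPublic(), tampered, sig));
        System.out.println("genuine message, wrong key : " + verify(impostor.getPublic(), message, sig));
        System.out.println("recovered digest matches   : " + recoveredDigestMatches(sender.getPublic(), message, sig));
    }
}
```

Only the first and last lines of output are true: changing one digit of the message or substituting the impostor's key makes verify() return false, which is the integrity and identity guarantee the text describes. Note that the impostor's key fails only because the verifier already knew which public key to expect; binding that key to a name is the job of the certificate section below.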
5. Summary

Digital signatures are rarely used in isolation; their main use is inside digital certificates, on which SSL/TLS is built. The digital certificate material that follows builds on digital signature technology.

Second, the digital certificate

1. Overview

A digital certificate is a piece of information that identifies the communicating parties on the Internet and provides a way to verify the identity of a communicating entity. The certificate itself is not an "Internet ID card"; rather, it is the equivalent of the stamp an authority puts on an ID card: a statement, signed by a certificate authority (CA), that a particular public key belongs to a particular name. It is issued by the CA, also called the Certificate Authority center, and people use it to identify each other.

2. Application scenarios
    • Authenticating the identity of the parties to a transaction, and giving non-repudiation and tamper-evidence for what they sign
    • Signing an application so that its origin can be authenticated (for example, an Android APK)
3. Digital certificate format

Digital certificates generally follow the X.509 v3 international standard. A standard digital certificate contains the following:

    • The version of the certificate;
    • The serial number of the certificate; each certificate issued by a CA has a unique serial number;
    • The signature algorithm used to sign the certificate;
    • The name of the certificate's issuer, usually an X.500 distinguished name;
    • The validity period of the certificate (not-before and not-after); dates are encoded as UTCTime for the years 1950 to 2049 and as GeneralizedTime outside that range;
    • The name of the certificate's owner (the subject), usually an X.500 distinguished name;
    • The public key of the certificate's owner;
    • In v3, extensions such as subjectAltName (the host names a TLS client actually matches against), keyUsage and basicConstraints;
    • The issuer's signature over all of the above.
4. Digital certificate principle

Digital certificates are the key tool in the security field, and the most important component of the SSL communication protocol. A certificate ties together all the knowledge mentioned earlier: symmetric encryption, asymmetric encryption, message digests, digital signatures, and so on.

Digital certificates can be generated with Java's keytool, and the resulting keys and certificates are generally stored in a keystore (KeyStore), which can be thought of as a key repository.

A KeyStore can hold three kinds of entries: KeyStore.PrivateKeyEntry (a private key from an asymmetric key pair, together with its certificate chain), KeyStore.SecretKeyEntry (a symmetric secret key) and KeyStore.TrustedCertificateEntry (a trusted certificate, typically a CA's).

5. Keytool Tools

Path: jre\bin\keytool.exe (also in the JDK's bin directory)

Common commands:

Generate a key pair (keytool also creates a self-signed certificate for the public key and stores both under the alias):

    keytool -genkeypair
    keytool -genkeypair -alias lisi

(The -alias option names the entry; without it keytool uses the default alias mykey.)

List the entries in the keystore:

    keytool -list
    keytool -list -v

Export the certificate for an alias (binary DER by default):

    keytool -exportcert -alias lisi -file lisi.cer

Export a printable (PEM, "RFC" style) certificate instead:

    keytool -exportcert -alias lisi -file lisi.cer -rfc

The exported .cer file contains only the certificate (public key, names, validity period and the signature); the private key never leaves the keystore.

Display the information in a certificate file:

    keytool -printcert -file lisi.cer

Double-clicking lisi.cer opens it in the Windows built-in certificate viewer.
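The same inspection done from Java, added here as an example that is not part of the original page. It loads the keystore keytool wrote, reports which of the three entry kinds each alias holds, prints the X.509 v3 fields listed above, and then performs the two checks that a verifier must perform and that keytool -printcert does not: the validity window and the issuer's signature. For the self-signed certificate that keytool -genkeypair produces, issuer equals subject and the certificate's own public key verifies it. The keystore path and password are passed on the command line; the class name is constructed for the example.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Enumeration;

public class KeyStoreInspector {

    // Load the keystore file keytool wrote. JDK 9 and later read both JKS and PKCS12 through the
    // default type. The password also protects the store's integrity: a wrong one makes load()
    // fail with an IOException instead of returning a half-trusted store.
    static KeyStore load(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    // Which of the three entry kinds an alias holds.
    static String entryKind(KeyStore ks, String alias) throws Exception {
        if (ks.entryInstanceOf(alias, KeyStore.PrivateKeyEntry.class)) return "PrivateKeyEntry";
        if (ks.entryInstanceOf(alias, KeyStore.SecretKeyEntry.class)) return "SecretKeyEntry";
        if (ks.entryInstanceOf(alias, KeyStore.TrustedCertificateEntry.class)) return "TrustedCertificateEntry";
        return "unknown";
    }

    // Print the X.509 v3 fields listed in the text, then do what a verifier does: check the validity
    // window and the issuer's signature. A keytool self-signed certificate has issuer == subject, so
    // its own public key verifies it; a CA-issued certificate needs the CA's public key instead.
    static void describe(X509Certificate cert) throws Exception {
        System.out.println("  version          : v" + cert.getVersion());
        System.out.println("  serial number    : " + cert.getSerialNumber().toString(16));
        System.out.println("  sig algorithm    : " + cert.getSigAlgName());
        System.out.println("  issuer           : " + cert.getIssuerX500Principal());
        System.out.println("  not before/after : " + cert.getNotBefore() + " / " + cert.getNotAfter());
        System.out.println("  subject          : " + cert.getSubjectX500Principal());
        System.out.println("  public key       : " + cert.getPublicKey().getAlgorithm());
        cert.checkValidity();   // throws CertificateExpiredException or CertificateNotYetValidException
        if (cert.getIssuerX500Principal().equals(cert.getSubjectX500Principal())) {
            cert.verify(cert.getPublicKey());   // throws SignatureException if the signature is wrong
            System.out.println("  self-signed      : signature verifies with its own public key");
        } else {
            System.out.println("  CA-issued        : verify with the issuer's public key, not this one");
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.err.println("usage: java KeyStoreInspector <keystore file> <store password>");
            return;
        }
        KeyStore ks = load(args[0], args[1].toCharArray());
        Enumeration<String> aliases = ks.aliases();
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            System.out.println(alias + " : " + entryKind(ks, alias));
            Certificate c = ks.getCertificate(alias);   // null for a SecretKeyEntry
            if (c instanceof X509Certificate) describe((X509Certificate) c);
        }
    }
}
```

Running it against the default store (the .keystore file in the user's home directory that keytool -genkeypair writes) prints the lisi entry as a PrivateKeyEntry and verifies its self-signed certificate. The branch for CA-issued certificates deliberately does not try to verify with the certificate's own key: a certificate can never vouch for itself, which is the point of the trust chain.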

6. KeyStore related knowledge of Android

Debug keystore path: <user home>\.android\debug.keystore (for example C:\Users\<name>\.android\debug.keystore on Windows, ~/.android/debug.keystore on Linux and macOS). The Android SDK creates it the first time a debug build is made.

Alias and passwords of debug.keystore:
Alias: androiddebugkey; keystore password and key password: android

Because these values are public, the debug key is for development only: release builds must be signed with a private release keystore, and Google Play does not accept a debug-signed APK.

Signature command (JDK 1.6), using jarsigner:

    jarsigner -verbose -keystore debug.keystore -signedjar 1signed.apk 1.apk androiddebugkey

Signature command (JDK 1.7): jarsigner's default digest and signature algorithms moved to SHA-256 in JDK 7, and older Android releases could not verify such signatures, so the older algorithms are requested explicitly:

    jarsigner -verbose -keystore debug.keystore -signedjar 1signed.apk 1.apk androiddebugkey -digestalg SHA1 -sigalg MD5withRSA

Optimization command (zipalign; it runs after jarsigner because a v1 JAR signature survives realignment, whereas an apksigner v2 signature covers the whole archive and must be applied after alignment):

    zipalign -v 4 1signed.apk 1signedaligned.apk

Verify that the signature is successful:

    jarsigner -verify -verbose -certs 1signed.apk
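What jarsigner -verify actually checks, reproduced in Java as an added example that is not part of the original page. An APK is a JAR, and the v1 (JAR) signature consists of MANIFEST.MF digests for every entry, a .SF file that digests the manifest, and a .RSA/.DSA/.EC signature block over the .SF file. Opening the archive with JarFile(path, true) makes the JDK verify each entry's digest as it is read and expose the signer certificates afterwards; the code below reads every entry, reports any entry that is unsigned (added after signing) or whose content no longer matches its digest (modified after signing), and prints the signer of the rest. The default file name is the 1signed.apk produced above; the class name is constructed for the example.

```java
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

public class ApkV1Verifier {

    // The manifest and the signature files in META-INF are not themselves covered by manifest digests.
    static boolean isSignatureFile(String name) {
        String n = name.toUpperCase();
        if (!n.startsWith("META-INF/")) return false;
        return n.equals("META-INF/MANIFEST.MF") || n.endsWith(".SF")
            || n.endsWith(".RSA") || n.endsWith(".DSA") || n.endsWith(".EC");
    }

    // Returns true only if every content entry is signed and intact. With verify=true the JarFile
    // checks each entry's digest against MANIFEST.MF while the entry is read, so every entry must be
    // read to the end before getCodeSigners() gives a meaningful answer.
    static boolean allEntriesSigned(String apkPath) throws Exception {
        boolean ok = true;
        try (JarFile jar = new JarFile(apkPath, true)) {
            Enumeration<JarEntry> entries = jar.entries();
            while (entries.hasMoreElements()) {
                JarEntry e = entries.nextElement();
                if (e.isDirectory() || isSignatureFile(e.getName())) continue;
                try (InputStream in = jar.getInputStream(e)) {
                    byte[] buf = new byte[8192];
                    while (in.read(buf) != -1) {
                        // consume the entry; a digest mismatch surfaces here as a SecurityException
                    }
                } catch (SecurityException tampered) {
                    System.out.println("TAMPERED  " + e.getName() + " : " + tampered.getMessage());
                    ok = false;
                    continue;
                }
                CodeSigner[] signers = e.getCodeSigners();
                if (signers == null) {
                    // A file the manifest does not mention: it was added after signing.
                    System.out.println("UNSIGNED  " + e.getName());
                    ok = false;
                } else {
                    X509Certificate leaf =
                        (X509Certificate) signers[0].getSignerCertPath().getCertificates().get(0);
                    System.out.println("signed    " + e.getName() + " by " + leaf.getSubjectX500Principal());
                }
            }
        }
        return ok;
    }

    public static void main(String[] args) throws Exception {
        String apk = args.length > 0 ? args[0] : "1signed.apk";   // the file jarsigner produced above
        System.out.println(allEntriesSigned(apk) ? "v1 signature OK" : "v1 signature FAILED");
    }
}
```

This checks only the v1 JAR signature, the scheme the jarsigner commands above produce. APK Signature Scheme v2 and later store their signature in a separate APK Signing Block that JarFile does not read, so for a modern release build the authoritative check is apksigner verify, which covers all schemes.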
7. Supplement: CA-signed and self-signed certificates

CA-signed certificate:

A certificate issued by an authoritative certificate authority to a server or an individual to prove its identity. Clients trust it by default because the issuing CA's root certificate is already in their trust store. Its main purposes are to enable encryption and to guarantee the integrity and non-repudiation of data.
For example, the certificate that the root certificate authority Symantec issued to Baidu is a CA-signed certificate and is trusted.

Self-signed certificate:

A certificate the server issues to itself to prove its identity. Because it is not issued by an authoritative authority, clients do not trust it by default and must be told to trust it explicitly. Once trusted, it provides encryption, integrity and non-repudiation just as a CA-signed certificate does; what it lacks is a third party vouching for the binding between the name and the key, so a client that accepts any self-signed certificate can be given an attacker's instead.
For example, the certificate chain used by 12306 (China Railway) ends in the self-signed root of SRCA, the railway's own certificate authority, which browsers do not ship, so users had to install that root themselves.
