Bob, Alice and digital certificates
The best-known characters in network security are probably Bob and Alice, because many security principles are illustrated with these two fictional characters.
Let's see how Bob gets a digital certificate from a CA (certificate authority):
1. Bob first creates his own key pair: a public key and a private key. The private key never leaves Bob's machine; only the public key is sent anywhere.
2. Bob sends his public key to the CA over the network, together with his identifying information (his name, address, the serial number of the device he uses, and so on). The certificate needs this information, so public key plus identity together make up the certificate request.
3. The request sits on the CA's server in the pending state until someone at the CA starts to process it.
4. Someone at the CA identifies Bob and confirms that he really is the person who submitted that public key. Establishing this correspondence between Bob and the key is done person to person, out of band (not over the network the request came in on).
5. Bob periodically polls the CA server, hoping his application has been processed and the certificate can be collected.
6. The CA creates a certificate containing Bob's public key and his identifying information and signs it with the CA's own private key; the signature vouches that this key belongs to this identity.
7. Bob polls the CA server again and finds that the certificate is ready.
8. Bob can now use the certificate to publish his public key. Anyone who uses Bob's certificate can check that it is genuine by verifying the CA's signature on it, which requires the CA's public key (in practice the CA's own certificate is pre-installed as a trusted root in the operating system or browser).
I. Public key and private key
1. Public and private keys come in pairs.
2. The public key is public; the private key is known only to you.
3. Data encrypted with the public key can only be decrypted with the matching private key.
4. Data encrypted with the private key can only be decrypted with the matching public key.
5. If the public key decrypts something, it must have been encrypted with the matching private key.
6. If the private key decrypts something, it must have been encrypted with the matching public key.
(Rules 4 to 6 describe RSA specifically, where the two operations are mathematically symmetric. In real systems "encrypting with the private key" is done as a signature over a hash of the data, with padding, and signature schemes such as ECDSA or Ed25519 cannot encrypt at all.)
See? Say I pick two numbers, 1 and 2. I like 2, so I keep it and tell nobody; then I tell you that 1 is my public key. I have a file nobody else may see, so I encrypt it with 1. Someone else finds the file, but he does not know that 2 is the private key that decrypts it, so he cannot open it. Only I can, using the number 2, my private key. So I can protect my data.

My good friend X encrypts the text A with my public key 1, gets B, and puts it on the Internet. Others steal the file but cannot open it, because they do not know that 2 is my private key; only I can decrypt it and recover A. This is how we transfer encrypted data. Now that we know to encrypt with the public key and decrypt with the private key, the problem of secure transmission is solved.

What if I encrypt a piece of data with my private key? (Only I can, because only I know that 2 is my private key.) Everyone can read the result, because everyone knows my public key is 1, so what use is such encryption? Well, my good friend X tells me someone has been impersonating me and sending him letters. What do we do? I write a letter with content C, encrypt it with my private key 2 to get D, send D to X, and tell him to decrypt it and check whether he gets C. He decrypts it with my public key 1 and indeed gets C. He reasons: data that my public key decrypts must have been encrypted with my private key, and only I have the private key, so the letter really came from me. This is how we confirm the sender's identity, and this process is called a digital signature. The real process is a little more involved (the signature is computed over a hash of the data rather than the data itself), but the idea is: encrypting with the private key is a digital signature.

OK, let's review:
1. Keys come in public/private pairs.
2. Only I know the private key.
3. You can use my public key to send me an encrypted letter.
4. Everyone can use my public key to try to decrypt a letter; if it opens, it was encrypted with my private key, which confirms that I sent it.

To summarize:
1. Encrypt data with the public key, decrypt it with the private key.
2. Encrypt data with the private key (digital signature), verify the signature with the public key.

In practice the public key never appears on its own; it always travels inside a digital certificate, which is what guarantees the public key's authenticity and validity.
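To make the certificate procedure and the encrypt/sign rules above concrete, here is an added example (not code from the original post) that walks through both with textbook RSA in pure Python. The toy CA, Bob's identity fields and the messages are constructed for the example, and the primes are fixed, publicly known Mersenne primes, so this shows the mechanics only and is not secure; real code would use a library such as `cryptography` with proper padding and hashing.

```python
"""Toy public-key crypto and a toy CA, stdlib only (Python 3.8+).

Textbook RSA with fixed, publicly known Mersenne primes and no padding:
enough to show the mechanics in the text, useless for real security.
"""
import copy
import hashlib
import json

E = 65537  # the usual RSA public exponent


def keypair(p, q):
    """Return (public, private) = ((n, e), (n, d)) for textbook RSA."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))  # modular inverse of e (Python 3.8+)
    return (n, E), (n, d)


def encrypt(public, msg: bytes) -> int:
    """Rule 1: anyone encrypts with the public key."""
    n, e = public
    m = int.from_bytes(msg, "big")
    assert 0 < m < n, "no padding here: message must fit under the modulus"
    return pow(m, e, n)


def decrypt(private, c: int) -> bytes:
    """Rule 1: only the private key decrypts (message must not start with NUL)."""
    n, d = private
    m = pow(c, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def digest(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big")  # 256 bits, below n


def sign(private, data: bytes) -> int:
    """Rule 2: 'encrypting' the hash with the private key is the signature."""
    n, d = private
    return pow(digest(data), d, n)


def verify(public, data: bytes, sig: int) -> bool:
    """Rule 2: 'decrypt' with the public key and compare against the hash."""
    n, e = public
    return pow(sig, e, n) == digest(data)


def canonical(tbs: dict) -> bytes:
    """Deterministic encoding of the to-be-signed part of a certificate."""
    return json.dumps(tbs, sort_keys=True, separators=(",", ":")).encode()


def issue_certificate(ca_private, ca_name, subject, subject_public):
    """Step 6 of the procedure: the CA signs identity + public key."""
    tbs = {"subject": subject, "issuer": ca_name,
           "public_key": {"n": subject_public[0], "e": subject_public[1]}}
    return {"tbs": tbs, "signature": sign(ca_private, canonical(tbs))}


def verify_certificate(cert, ca_public) -> bool:
    """Step 8: anyone holding the CA's public key checks the CA's signature."""
    return verify(ca_public, canonical(cert["tbs"]), cert["signature"])


def public_key_from(cert):
    pk = cert["tbs"]["public_key"]
    return (pk["n"], pk["e"])


def demo():
    """Constructed actors: Bob and a toy CA, each on their own fixed primes."""
    bob_pub, bob_priv = keypair(2**521 - 1, 2**127 - 1)  # Bob's pair (step 1)
    ca_pub, ca_priv = keypair(2**607 - 1, 2**89 - 1)     # CA's pair; ca_pub is the "root"
    bob_id = {"name": "Bob", "address": "1 Example Street",
              "device_serial": "SN-0001"}                # constructed identity (step 2)
    cert = issue_certificate(ca_priv, "Toy CA", bob_id, bob_pub)  # step 6

    # Alice checks the CA signature, then encrypts to the key inside the cert.
    genuine = verify_certificate(cert, ca_pub)
    plain = decrypt(bob_priv, encrypt(public_key_from(cert), b"hello Bob"))

    # Bob signs; anyone holding his certificate can verify it came from him.
    sig_ok = verify(bob_pub, b"really from Bob", sign(bob_priv, b"really from Bob"))

    # Tampering: swap the name inside the certificate; the CA signature fails.
    forged = copy.deepcopy(cert)
    forged["tbs"]["subject"]["name"] = "Mallory"
    return genuine, plain, sig_ok, verify_certificate(forged, ca_pub)


if __name__ == "__main__":
    print(demo())  # (True, b'hello Bob', True, False)
```

The forged certificate fails because the CA signed the canonical encoding of subject plus key; changing a single field changes the hash, and nobody without the CA's private key can produce a new signature that matches.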
II. SSL

My good friend X and I want to communicate securely. This could be QQ chat, which is very frequent. Encrypting the data with my public key is not going to work, because:
1. My good friend X has no key pair of his own, so how could I send him an encrypted message? (Note: in practice both parties can have a public/private key pair.)
2. Public/private-key encryption operations are expensive and slow, and would hurt the QQ experience.

So my good friend X picks a number, 3, encrypts it with my public key 1, sends it to me, and says: let's use this number to encrypt our messages. I decrypt it and get 3. Now only the two of us know the secret number 3; nobody else does, because nobody else knows which number X picked, and nobody else can open the encrypted message that carried it. We call this secret number the session key. Then we choose a symmetric algorithm such as DES (symmetric means that encryption and decryption mirror each other: whatever was encrypted with a key can be decrypted with the same key; the public/private-key algorithm is, by contrast, asymmetric) to encrypt the communication between us. Others cannot decrypt it because they do not know that 3 is our session key. (DES has long been brute-forceable; today the symmetric cipher would be AES.)

OK, let's review:
1. SSL is for secure communication.
2. The two parties use the public key of one party (or of both) to transport and agree on the session key (this process is called the handshake).
3. Both parties then encrypt the content of the communication with the session key.
That is the principle. You may find it more complicated than it looks in practical use. Fortunately, the pioneers implemented this layer in the operating system or related software and gave it the unlovely name SSL, the Secure Sockets Layer (its successor, which is what is actually deployed today, is TLS).
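The handshake and session just described, as an added example (not code from the original post): X picks a random session key, wraps it with Bob's textbook-RSA public key, and both sides then protect each chat record with a symmetric key derived from it. DES is not in the Python standard library, so a toy SHA-256 counter-mode stream cipher stands in for it, and an HMAC tag is added so that tampering is detected, which the text does not discuss but every real SSL/TLS record layer does. Bob's key pair, the messages and the direction labels are constructed for the example; the primes are fixed Mersenne primes, so this is illustration only.

```python
"""Toy SSL-style session: RSA carries the session key, symmetric crypto
carries the chat. Stdlib only (Python 3.8+); textbook RSA and a toy
stream cipher, so illustration only.
"""
import hashlib
import hmac
import secrets

E = 65537
TAG_LEN = 32


class Bob:
    """The party that owns a key pair (the 'I' of the text)."""

    def __init__(self):
        p, q = 2**521 - 1, 2**127 - 1           # fixed Mersenne primes: toy only
        self.n = p * q
        self.d = pow(E, -1, (p - 1) * (q - 1))  # private exponent, never shared

    def public_key(self):
        return (self.n, E)

    def unwrap_session_key(self, wrapped: int) -> bytes:
        """Handshake, Bob's side: only the private key recovers 'number 3'."""
        return pow(wrapped, self.d, self.n).to_bytes(32, "big")


def x_wrap_session_key(bob_public):
    """Handshake, X's side: pick a fresh random session key and encrypt it
    to Bob's public key. Returns (key kept by X, wrapped key sent to Bob)."""
    n, e = bob_public
    key = secrets.token_bytes(32)
    return key, pow(int.from_bytes(key, "big"), e, n)


def direction_key(session_key: bytes, label: bytes) -> bytes:
    """One sub-key per direction so the two sides never reuse a keystream
    (a real record layer also splits encryption and MAC keys; kept as one here)."""
    return hmac.new(session_key, label, hashlib.sha256).digest()


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy stand-in for DES: SHA-256 in counter mode."""
    out = b""
    for counter in range(-(-length // 32)):  # ceil(length / 32) blocks
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
    return out[:length]


def seal(key: bytes, seq: int, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC one record: nonce || ciphertext || tag."""
    nonce = seq.to_bytes(8, "big")  # record sequence number, never reused per key
    ct = bytes(a ^ b for a, b in zip(plaintext, keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_record(key: bytes, record: bytes) -> bytes:
    """Verify the tag first; a wrong key or a modified byte is rejected."""
    nonce, ct, tag = record[:8], record[8:-TAG_LEN], record[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("record rejected: bad tag")
    return bytes(a ^ b for a, b in zip(ct, keystream(key, nonce, len(ct))))


def chat_demo():
    """Constructed exchange between X and Bob; returns what each side read
    plus whether a tampered record was caught."""
    bob = Bob()
    session_key, wrapped = x_wrap_session_key(bob.public_key())  # X -> Bob
    assert bob.unwrap_session_key(wrapped) == session_key        # both now hold '3'

    k_x2b = direction_key(session_key, b"X->Bob")
    k_b2x = direction_key(session_key, b"Bob->X")

    rec1 = seal(k_x2b, 0, b"hi Bob, nobody else can read this")
    bob_read = open_record(k_x2b, rec1)
    rec2 = seal(k_b2x, 0, b"hi X")
    x_read = open_record(k_b2x, rec2)

    # An attacker on the wire flips one ciphertext bit; the tag catches it.
    flipped = rec1[:8] + bytes([rec1[8] ^ 1]) + rec1[9:]
    try:
        open_record(k_x2b, flipped)
        caught = False
    except ValueError:
        caught = True
    return bob_read, x_read, caught


if __name__ == "__main__":
    print(chat_demo())  # (b'hi Bob, nobody else can read this', b'hi X', True)
```

The expensive public-key operation happens exactly once, to move the 32-byte session key; every chat record afterwards costs only hashing, which is the whole point of the hybrid design the text describes.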