Introduction to digital certificates and CA Literacy

★ First to say a popular example

Considering the knowledge of the certificate system is more dull and obscure. Let me start with a popular example.

　　◇ General Letter of introduction

I suppose everyone has heard of the example of a referral? Suppose Mr. Zhang San of Company A is going to visit Company B, but everyone at company B doesn't know him. The usual method is to bring a letter of introduction from the company, said: "We have Mr. Zhang San to your company to handle business, please give contact ..." Cloudmonitor Then knock on the letter a company's official seal.

After Mr. Zhang San arrived at Company B, he handed the letter of introduction to the front desk of Company B, Miss John Doe. Miss Li saw a company's official seal on the letter of introduction, and a company is often and B company has business dealings, this Miss Li believes Mr. Zhang is not unjust.

Speaking of this, love contradicting's reunion asked: In case the official seal is forged, how to pinch? Here, I would like to first declare, in this example, first assume that the official seal is difficult to forge, or my story can not be said to go bird.

　　◇ introduction of referral to intermediary agencies

OK, back to the topic. If and B company has business dealings with a lot of companies, each company's official seal are different, the front desk will know how to distinguish all kinds of seal, very troublesome. So, there is an intermediary company C, found this opportunity. C Company has opened a special "Agent seal" business.

In the future, a company's salesman to B company, need to bring 2 letter of introduction:

Introduction 1

Contains the company's official seal and Company A's official seal. And specifically noted: C Company Trust A Company.

Introduction 2

Only a company's official seal, and then write: We have Mr. Zhang San to your company to handle business, please give contact ... Cloudmonitor

Some of the non-enlightened reunion asked, this is not to increase the trouble? What good is it, pinch?

The main advantage is that, for the reception company's front desk, there is no need to remember the company's official seal is what the appearance of, he/she just remember the agency C's official seal can be. When he/she received two letters of introduction, the first 1 of the letter of the C seal, Yue Heyue, after confirmation, and then to the letter of introduction 1 and the letter of introduction 2 two a seal is consistent. If it is the same, then you can prove that the letter of recommendation 2 is trustworthy.

★ Explanation of relevant professional terms

A lot of saliva, finally said a I think more popular examples. If you hear this, or if you don't understand what this example is saying, then the content will not have to waste time listening:(

Below, I have the above example, the relevant nouns, to make some explanations.

　　◇ What is a certificate?

"Certificate" Foreign language is also called "Digital certificate" or "Public Key Certificate" (Professional explanation see "here").

It is used to prove that something is really something (is it like a tongue twister?) ）。 In layman's words, a certificate is like an official seal in an example. Through the official seal, it can be proved that the letter of recommendation is actually issued by the corresponding company.

Theoretically, everyone can find a certificate tool and make a certificate of their own. How to prevent the bad guys from making their own certificates and cheating? See the introduction of subsequent CAs.

　　◇ What is CA?

The CA is the abbreviation for Certificate Authority, also called the Certificate Authority Center. (Professional explanation See "here")

It is a third-party organization responsible for managing and issuing certificates, as in the case of intermediary--c companies. In general, CAs must be trusted and recognized by all industries and by all the public. Therefore, it must be authoritative enough. Just like A, b two companies must trust C Company, will find C Company as the official seal of the intermediary.

　　◇ What is CA certificate?

The CA certificate, as its name implies, is the CA-issued certificate.

As already mentioned, everyone can find tools to make certificates. But the certificate you made out of a little brat is useless. Because you are not an authoritative CA, your own certificate is not authoritative.

This is like in the above example, a bad person himself carved a seal to cover the letter of introduction. But when others look at it, it is not the official seal of the trusted intermediary company that ignores it. The villain's conspiracy will not succeed.

The certificate referred to in the text, if no special instructions, refers to the CA certificate.

　　◇ What is the trust relationship between certificates?

In my example, the introduction of intermediaries, the salesman should take two letters of introduction at the same time. The first letter of introduction contains two official seal, and noted that the official Seal C Trust seal A. The trust relationship between certificates is similar to this one. is to use a certificate to prove that another certificate is authentic.

　　◇ What is the certificate trust chain?

In fact, the trust relationship between certificates can be nested. For example, C Trust A1,A1 Trust A2,A2 Trust A3 ... This chain of trust is called a certificate. As long as you trust the chain of the first certificate, then the subsequent certificate, all can be trusted drip.

　　◇ What is a root certificate?

"Root certificate" foreign language called "Root certificate", professional explanation see "here". To clarify what the root certificate is all about, take a look at a slightly more complex example.

Assume that C certificates trust A and B, and then a trusts A1 and A2;b trust B1 and B2. Then they form a tree-like relationship (an inverted tree).

The certificate in the topmost root location is the root certificate . In addition to the root certificate, other certificates rely on a certificate of the previous level to prove themselves. So who's going to prove that "root certificate" is a reliable squeeze? In fact, the root certificate itself proves itself to be reliable (or in other words, the root certificate is not required to be proven).

Smart classmates should be aware at the moment that root certificates are fundamental to the security of the entire certificate system. Therefore, if a certificate system has a problem with the root certificate (no longer trusted), then all other certificates that are trusted by the root certificate are no longer trusted. The consequences are quite serious (and can be disastrous), as described in the next post.

　★ What is the use of certificates?

CA Certificate has a lot of role, I want to save saliva, only list a few commonly used.

　　◇ Verify that the website is trustworthy (for HTTPS)

In general, if we visit certain sensitive Web pages (such as a user's login page), the protocol will use HTTPS instead of HTTP. Because the HTTP protocol is clear, once a bad person is spying on your network communication, he/she can see the contents of the network communication (such as your password, bank account number, etc.), while HTTPS is an encrypted protocol that can guarantee your transmission process, the villain cannot peep.

However, do not think that the HTTPS protocol is encrypted, you can rest easy. Let me cite an example to illustrate that the light is not enough to be encrypted. Suppose there is a bad guy, make a fake online silver site, and then trick you on this site. Suppose you are more simple, a inattention, you put your account, password entered. The villain's plot will prevail.

To prevent the bad guys from doing this, the HTTPS protocol has a mechanism for certificates in addition to the encryption mechanism. The certificate ensures that a site is indeed a site.

With the certificate, when your browser accesses an HTTPS website, it verifies the CA certificate on that site (similar to the official seal of the Certification Letter of introduction). If the browser discovers that the certificate is not a problem (the certificate is trusted by a root certificate, the domain name bound on the certificate is consistent with the domain name of the website, the certificate is not expired), then the page opens directly; For the sake of image, here is a screenshot of IE and Firefox:

Most well-known websites, if the HTTPS protocol is used, their certificates are trustworthy (and there is no such warning). So, in the future if you go to a well-known website, you find the browser out of the above warning, you should be careful!

　　◇ Verify that a file is trustworthy (tampered)

In addition to validating a Web site, a certificate can be used to verify that a file has been tampered with. In particular, the digital signature of the file is made by a certificate. The process of making a digital signature is too professional for me to say. The following specifically tells you how to verify the digital signature of the file. Considering that most people use Windows, I take windows as an example.

For example, I have a Firefox installation file (with a digital signature) on hand. When I look at the properties of the file, I see the following interface. A good-looking classmate will notice that there is a " digital signature " tab on it. If this tab does not appear, the file does not have a digital signature attached.

Select the tab and see the following screen.

By the way, some digital signatures do not contain "e-mail Address", then this item will be "not available"; Similarly, some digital signatures do not contain "timestamps", and "unavailable" is also displayed. Don't be nervous, the "unavailable" shown here is not the same as the validity of the digital signature.

In general, there is only one signature in the signature list. Select it and click the Details button. Jump out of the following interface:

Usually this interface will display a line of words: " the digital signature is normal " (The red circle marked in the figure). If there is this line of words, it means that the file from the factory to your hands, Midway has not been tampered with (is the original drip, is pure drop).

If the file has been tampered with (for example, infected with a virus and is injected into a trojan), a warning appears in the dialog box that " the digital signature is invalid " (The red circle is marked in the figure). The interface is as follows:

Whether your signature is normal or not, you can click the "View Certificate" button. At this point, the dialog box will jump out of the certificate. As follows:

From the latter interface, you can see the certificate trust chain I just said. The chain of trust in the figure is 3 layers:

The 1th tier is the root certificate (Thawte Premium Server CA).

The 2nd layer is a certificate Thawte specifically used to sign.

The 3rd layer is Mozilla's own certificate.

Most well-known companies (or organizations) currently have digital signatures for published executables (such as software installation packages, drivers, security patches). You can go and see for yourself.

We recommend that you first see if you have a digital signature before installing the software. If there is one, follow the steps above to verify it. Once the digital signature is bad, don't pretend to.

　　★ Summary

For a half-day, the concept of CA certificate is introduced in general. If you want to know more about this knowledge, you can find some information security or cryptography, and continue to delve into the study.

If any of the students think I have the wrong place, or have something to add, please write to me ([email protected]).

*******

Copyright notice

All original articles of this blog, the author retains the copyright. Reprint must contain this statement, keep this article complete, and in the form of hyperlinks annotated author programming Caprice and this article original address:

Http://program-think.blogspot.com/2010/02/introduce-digital-certificate-and-ca.html

http://kb.cnblogs.com/page/194742/

Introduction to digital certificates and CA Literacy (EXT)