Preface
My recent work has revolved around digital certificates. I had some understanding of CA certificates, but not a deep one, and now that I need to use them it is clearly still lacking. So, starting here, I will share my own study and work experience with everyone, and I hope it helps readers who want to understand CA certificates.
This article is mostly a theoretical introduction; a number of relevant examples follow later. Readers who do not like theory can skip this chapter and go straight to the following articles.
Overview
In this article I mainly want to cover how CA certificates work, digital signatures, certificate formats, and several other important concepts. These concepts are used in the subsequent articles, and anyone who wants to make their own certificates must understand them.
What is a digital certificate
A digital certificate is a string of information that marks the identity of each party in Internet communication. It provides a way to verify the identity of a communicating entity on the Internet, and acts like a driver's license or an identity card in everyday life. It is issued by an authority, the CA, also known as the Certificate Authority center, and people can use it to identify each other online.
A digital certificate is a file, digitally signed by the Certificate Authority, that contains the public key and information about the owner of that public key. The simplest certificate contains a public key, a name, and the digital signature of the Certificate Authority. An important feature of digital certificates is that they are valid only for a specific period of time.
Principle
A digital certificate consists of many digits and English letters. When a digital certificate is used for identity authentication, it randomly generates a 128-bit identity code; each digital certificate can generate a corresponding code that is never the same twice, which ensures the confidentiality of data transmission. In effect, this is equivalent to generating a complex password.
A digital certificate binds a public key to the true identity of its holder. It is similar to a real-life identity card; the difference is that a digital certificate is not a paper document but a piece of electronic data, containing the identity of the certificate holder, that has been reviewed and issued by the certification center. This makes it more convenient and flexible to use in e-commerce and e-government.
Issuance
The digital certificate issuance process is generally as follows: the user first generates their own key pair and sends the public key and some personal identity information to the certification center. After verifying the identity, the certification center takes the necessary steps to make sure that the request was actually sent by the user, and then sends the user a digital certificate containing the user's personal information and public key, along with the signature of the certificate authority.
Users can then use their own digital certificates for the various activities that concern them. Digital certificates are issued by an independent certificate issuer. Digital certificates vary, and each kind of certificate can provide a different level of confidence. You can obtain your own digital certificate from a certificate issuer.
Working principle
Digital certificates use a public-key system, in which a pair of matching keys is used for encryption and decryption. Each user has a private key, known only to that user, which is used for decryption and signing, and a public key, shared with a group of users, which is used for encryption and signature verification.
When a confidential file is sent, the sender encrypts the data with the receiver's public key and the receiver decrypts it with its own private key, so that the information arrives at its destination safely and without error. The encryption is guaranteed by mathematical means: only the private key can decrypt the data.
Among public-key cryptosystems, RSA is the one commonly used. Its mathematical basis is the decomposition of a large number into two prime numbers, and it uses two different keys for encryption and decryption. Even if the plaintext, the ciphertext, and the encryption key (the public key) are all known, it is computationally infeasible to derive the decryption key (the private key).
According to the current level of computer technology, cracking the 1024-bit RSA keys currently in use would require thousands of years of computing time. Public-key technology solves the problem of managing key distribution: a merchant can publish its public key while keeping its private key to itself. Shoppers can encrypt the information they send with the published public key and deliver it securely to the merchant, who then decrypts it with the private key.
Digital Signatures
A user can also process information with their own private key. Because that key is held only by the user, the result is something nobody else could have generated, and this forms a digital signature. A digital signature confirms the following two points:
- The information was signed and sent by the signer, who cannot deny it, or can deny it only with difficulty.
- The information has not been modified since it was issued, and the document issued is the genuine document.
The message is run through a hash algorithm agreed on by both parties to obtain a fixed-length message digest. Mathematics guarantees that if the message changes in any way, the recalculated digest will not match the original value. This guarantees that the message cannot be changed unnoticed.
The digest of the message is then encrypted with the sender's private key (applying the private-key "decryption" operation to plaintext is not a problem; it simply yields an unreadable "plaintext"), and the result is sent to the receiver along with the original message. This "encrypted" digest is called a digital signature.
After receiving the message and the digital signature, the receiver uses the same hash algorithm to calculate the digest of the original message, and then decrypts the digital signature with the sender's public key (the signature was encrypted, so decrypting it restores the original value) to obtain the digest to compare against. If the two are equal, the message does come from the claimed sender.
Because only the signer, who holds the private key, can generate the signature by "decrypting" the digest, the signature is secure and non-repudiable.
Then why is the digest encrypted rather than the original message? RSA encryption and decryption are time-consuming, and the larger the message, the more time they take, so the digest is encrypted instead (the digest is much smaller than the original message) and still serves the same purpose. This is why the extra message-digest step exists.
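The sign-and-compare flow described above, as an added Java example that is not part of the original article. The class name DigestSignatureDemo, the sample messages, the 2048-bit key size, and the choice of SHA-256 with PKCS#1 v1.5 padding are assumptions made for the illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.Arrays;
import javax.crypto.Cipher;

public class DigestSignatureDemo { // hypothetical class name for this example
    // "Decrypt" the signature with the sender's public key, as the receiver does.
    static byte[] recoverDigest(PublicKey pub, byte[] signature) throws GeneralSecurityException {
        Cipher rsa = Cipher.getInstance("RSA/ECB/PKCS1Padding");
        rsa.init(Cipher.DECRYPT_MODE, pub); // the JDK's default provider accepts a public key here
        byte[] digestInfo = rsa.doFinal(signature);
        // The result is an ASN.1 DigestInfo; its last 32 bytes are the SHA-256 digest.
        return Arrays.copyOfRange(digestInfo, digestInfo.length - 32, digestInfo.length);
    }

    // Recompute the digest of the received message and compare it with the recovered one.
    static boolean matches(PublicKey pub, byte[] message, byte[] signature) throws GeneralSecurityException {
        byte[] expected = MessageDigest.getInstance("SHA-256").digest(message);
        return MessageDigest.isEqual(expected, recoverDigest(pub, signature));
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair sender = gen.generateKeyPair();

        byte[] message = "Pay 100 to Alice".getBytes(StandardCharsets.UTF_8); // constructed sample
        Signature signer = Signature.getInstance("SHA256withRSA");
        signer.initSign(sender.getPrivate());
        signer.update(message);
        byte[] signature = signer.sign(); // size depends on the key, not on the message

        System.out.println("signature length: " + signature.length + " bytes");
        System.out.println("original matches: " + matches(sender.getPublic(), message, signature));

        byte[] tampered = "Pay 900 to Alice".getBytes(StandardCharsets.UTF_8); // constructed sample
        System.out.println("tampered matches: " + matches(sender.getPublic(), tampered, signature));

        // The same check through the standard verification API.
        Signature verifier = Signature.getInstance("SHA256withRSA");
        verifier.initVerify(sender.getPublic());
        verifier.update(message);
        System.out.println("Signature.verify: " + verifier.verify(signature));
    }
}
```

In application code the Signature.verify call is the one to use; the manual recovery is there only to make the digest comparison visible.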
Certificate Format
The format of digital certificates generally follows the X.509v3 international standard, and a standard X.509 digital certificate contains the following:
- The version information of the certificate;
- The serial number of the certificate, each certificate has a unique certificate serial number;
- The signature algorithm used by the certificate;
- The name of the issuer of the certificate; the naming convention generally follows the X.500 format;
- The validity period of the certificate; certificates now commonly use the UTC time format, whose range is 1950-2049;
- The name of the certificate owner; the naming convention generally follows the X.500 format;
- The public key of the certificate owner;
- The certificate issuer's signature on the certificate.
A certificate stored as a file generally takes one of these forms:
- A certificate with a private key, defined by the Public Key Cryptography Standards #12 (PKCS#12) standard: a binary-format certificate that contains both the public key and the private key, with PFX as the file suffix.
- A binary-encoded certificate without a private key: a DER-encoded certificate file in binary format, with CER as the file suffix.
- A Base64-encoded certificate without a private key: a certificate file in Base64-encoded format, also with CER as the file suffix.
It can be seen that only a digital certificate in PFX format contains a private key; a digital certificate in CER format contains only the public key and no private key. The digital certificates we use most often are in CER format. For example, the digital certificate issued by 12306 is in this format: before purchasing a ticket, you need to install the certificate on your own computer to ensure that the client communicates with the correct server.
As stated above, you can also generate CA certificates yourself, except that the operating system does not recognize a self-generated certificate, because the authority that issued it does not exist in the operating system. However, this does not prevent normal use of the certificate.
Conclusion
I think, through these theories, you've been able to figure out what a digital certificate is, what its characteristics are, how it works, and so on. So, the next step is to prepare for the certificate generation. I'll see you next time ...
Java Generation digital Certificate Series (i) Understanding digital certificates