Knowledge about digital certificates and signatures

Source: Internet
Author: User
Tags begin rsa private key asymmetric encryption ssh keygen

Encryption means to convert a string of plain text into a string of ciphertext in some way.

Encryption involves symmetric encryption and asymmetric encryption. asymmetric encryption is the basis for understanding digital signatures and digital certificates.

In short, asymmetric encryption is used to generate a pair of key pairs, including the public key and private key. It can be understood as a string in presentation, we can use SSH keygen to generate such a pair of keys as follows:


The generated file is as follows:


First, let's look at the content of the private key file as follows:

-----BEGIN RSA PRIVATE KEY-----MIIEowIBAAKCAQEAtNJHVPDKM9r/ZaqT+2Df0FhQzUUZqIngrMG1mco4IhHIffpw83rIzNQZVHD/H78bvgDhSGaTeZhB49CNVUrvILkl479RjmtsrTJHE1xUilNTDedvM8ASkmkPdxuNYyKIO3aNM5Jo+uEF2G//V1eCJBqm9flvb9v2djAmeFMJRSB7/rQlVbGqMkjdE+j5oTSu/IAB37y/72fPGt0eEvdksA2ByyYbv9KcU8AbSHrhSgSJbOyFRLUJejTZnj5uSfjrcdxFVysaqaduPxwRBGqGpSPTtks99Rqp/QZH34dm/BwTeqiXc1tva0c9z6Ap0P56d7xekyY8XWvWgQGeKd+VJQIBIwKCAQEAhlMQavwD7AHFCbHqRbWtk3TOT1fnLL4x32tTtBKQGU8J9y8SE/TPrhnm7kVPznC1hdTEnC7xNcGQCFHIE3l+cBSCi+01RTnbs9w0zI27JO1w5cHdlChIT4E+sEBaZuZz1GayCQ2tEiOAr2kkFP8teefpvgnAfvssHUhXF44kJLfL8mq3bEkCQUk7XcYlnafgdsfNbYTb9IlHWDOqTJtc/wQnqTeCFD+VuYWga6KGYjBFp4udZS0RBW8+Z5QdgPlITKlpvKhq86NdWFplUwbTgnPB1k8s2UezeVEkEADMLtdF8v4Fv0rM40ELbnlbw2UJxc9dw8BoEjrdQuG2zRDTcwKBgQDbFTqoRs74ANCA+NRKu3V59Bl9rjJCObFtY11vGUo1P5HzheCAG8HLxLHSHj1LzZDBPTo1C78ruyMn8YwUTxcn6GbFdPRMWJ1yFWnwkKl85Arj+Cwa9ol9CZrY6WOCqwnsPDPcN9QkaMWeWTADt5c2KWMzQPao5rU9SuFLCZWMHwKBgQDTSodewgpC2ZXHRDstfdNffDIqu6ZpTv2VXk3Tko1F8c6T9Swdw+KastpnXkVDC/e5MJ3BRHRG1Uq2SKYK4PSnIkKsn1QW9V9NRnOEXJpPfcvg9j5mnv9slQgNL13lJbVJFOOzfvFelYKtnMzIHDfeiP0ZaDZp1FOqb8kYH+52OwKBgFFfqBKd9RpJcgQEpp9qMvLIYT1PVH7/fGp1XTfk0muMo+y8sni52kRfADgZ3EC6ETHU6bvua5PmbCTHboszUb5dooPa+6dUHTkAo7EfyeyPNz67Q5T8fDXBvSv+6nJcySvb2L+Cc137B5KWJ8bdynMz8aVSpMJkUfIxwWUDj1FNAoGBAMc3pDTFlKVuEOBziEDVuKp8adCFCp3OIksBJM7MAYsXMHzf2SNg65ksSkQ0T+7CJBUB89N7DovtrNfA1xGSRcInnfM3I2YajQ5YXkmZI8dKuOoMvn4DoF8QLCmwUTcjjatONcZ/ANWFpxi4aU72CMqBKSaVdSH0FF7ebSVf73bJAoGBAIr8sYR/6zJex/oFoY5R/s2KfLZXglc7k5k9lsWNpWbCTP1A7UjlOEqwwtK11oH4W5FDScTn//uGv6kehMgnHMIjZbacHhcJ0JF6Av2Utxl49CqYzSRerC0ixOAEeVAAqSsO+zuprFb20wKCEqN290uz7SheRFZ81TYWoIJfYeeH-----END RSA PRIVATE KEY-----

We can use a file with the suffix. Pub as the public key. The content of the file is as follows:

ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAtNJHVPDKM9r/ZaqT+2Df0FhQzUUZqIngrMG1mco4IhHIffpw83rIzNQZVHD/H78bvgDhSGaTeZhB49CNVUrvILkl479RjmtsrTJHE1xUilNTDedvM8ASkmkPdxuNYyKIO3aNM5Jo+uEF2G//V1eCJBqm9flvb9v2djAmeFMJRSB7/rQlVbGqMkjdE+j5oTSu/IAB37y/72fPGt0eEvdksA2ByyYbv9KcU8AbSHrhSgSJbOyFRLUJejTZnj5uSfjrcdxFVysaqaduPxwRBGqGpSPTtks99Rqp/QZH34dm/BwTeqiXc1tva0c9z6Ap0P56d7xekyY8XWvWgQGeKd+VJQ== [email protected]

The above public and private keys produced by SSH keygen are generally used for logging on to a remote server through the SSH mechanism, for example, on the remote server of git, there is usually an SSH Public Key library to maintain our public key. This asymmetric encryption mechanism is used to verify our identity.

In fact, identity verification is to verify the signature, which is equivalent to signing a name on a piece of paper. Others want to prove that this is the same as what we signed.

In reality, if we sign on paper, then in the Internet communication process, it is a digital signature.

Digital Signature

Digital signature is actually the process of encrypting the content to be signed with our private key.

Why Can digital signatures play a role in the internet? This is based on its two features.

1) Tamper-proofing

For example, James uses his own private key to encrypt the content (signature) and then transmits it to Xiaohong. Xiaohong can use Xiaoming's public key for decryption to see the content.

In this process, although other people may also obtain James's public key to decrypt the data and then see the data content, there is no way to modify the data and then re-encrypt it, then I sent it to Xiaohong because there is no private key for James.

Therefore, the content signed by James must be transferred to Xiaohong, and cannot be tampered.

2) Anti-credit

The second problem is that once you sign your account, you can't make a mistake. Why?

As long as you can use your public key to parse the data, it means that the data must be encrypted with your private key. In theory, the private key is only available to you, then you must use the private key to encrypt it. That is the name you signed.

Digital Certificate

From the above situation, the digital signature is very reliable, but careful people will find that where can James take the public key?

Let James send the Public Key directly to Xiaohong? How does Xiaohong know if this is really James? Face to face? Directly Using a USB flash drive? === !!!

So we can only find a third-party organization that both of us trust to notarize us. This organization is the certificate center, also known as the CA.

If James applies for a digital certificate, the certificate will contain James's natural information, including his name, institution, and other public keys that James wants to provide for verification, the most important thing is that the certificate center signs the certificate so that we can sign the certificate.

Here, there is another conflict. Who should we go to verify whether the signature on this certificate is from the certificate center, the solution is to find another third-party organization to issue certificates to this organization ...., therefore, the certificate chain is formed.

However, there will always be an organization in the end. We have no way to verify its authenticity. We have to choose to trust it, so it becomes the root certificate.

The root certificate is the certificate that does not need and cannot be verified.

At this time, XiaoHong has a digital certificate issued by James, which can be connected to the information received by the so-called James for verification. If the verification passes, then it can be proved that Xiao Ming sent it to him. Next, we will have a pleasant play together.


Knowledge about digital certificates and signatures

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.