Knowledge about digital certificates and signatures

Developer on Alibaba Coud: Build your first app with APIs, SDKs, and tutorials on the Alibaba Cloud. Read more ＞

Encryption means to convert a string of plain text into a string of ciphertext in some way.

Encryption involves symmetric encryption and asymmetric encryption. asymmetric encryption is the basis for understanding digital signatures and digital certificates.

In short, asymmetric encryption is used to generate a pair of key pairs, including the public key and private key. It can be understood as a string in presentation, we can use SSH keygen to generate such a pair of keys as follows:

The generated file is as follows:

First, let's look at the content of the private key file as follows:

We can use a file with the suffix. Pub as the public key. The content of the file is as follows:

ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAtNJHVPDKM9r/ZaqT+2Df0FhQzUUZqIngrMG1mco4IhHIffpw83rIzNQZVHD/H78bvgDhSGaTeZhB49CNVUrvILkl479RjmtsrTJHE1xUilNTDedvM8ASkmkPdxuNYyKIO3aNM5Jo+uEF2G//V1eCJBqm9flvb9v2djAmeFMJRSB7/rQlVbGqMkjdE+j5oTSu/IAB37y/72fPGt0eEvdksA2ByyYbv9KcU8AbSHrhSgSJbOyFRLUJejTZnj5uSfjrcdxFVysaqaduPxwRBGqGpSPTtks99Rqp/QZH34dm/BwTeqiXc1tva0c9z6Ap0P56d7xekyY8XWvWgQGeKd+VJQ== [email protected]

The above public and private keys produced by SSH keygen are generally used for logging on to a remote server through the SSH mechanism, for example, on the remote server of git, there is usually an SSH Public Key library to maintain our public key. This asymmetric encryption mechanism is used to verify our identity.

In fact, identity verification is to verify the signature, which is equivalent to signing a name on a piece of paper. Others want to prove that this is the same as what we signed.

In reality, if we sign on paper, then in the Internet communication process, it is a digital signature.

Digital Signature

Digital signature is actually the process of encrypting the content to be signed with our private key.

Why Can digital signatures play a role in the internet? This is based on its two features.

1) Tamper-proofing

For example, James uses his own private key to encrypt the content (signature) and then transmits it to Xiaohong. Xiaohong can use Xiaoming's public key for decryption to see the content.

In this process, although other people may also obtain James's public key to decrypt the data and then see the data content, there is no way to modify the data and then re-encrypt it, then I sent it to Xiaohong because there is no private key for James.

Therefore, the content signed by James must be transferred to Xiaohong, and cannot be tampered.

2) Anti-credit

The second problem is that once you sign your account, you can't make a mistake. Why?

As long as you can use your public key to parse the data, it means that the data must be encrypted with your private key. In theory, the private key is only available to you, then you must use the private key to encrypt it. That is the name you signed.

Digital Certificate

From the above situation, the digital signature is very reliable, but careful people will find that where can James take the public key?

Let James send the Public Key directly to Xiaohong? How does Xiaohong know if this is really James? Face to face? Directly Using a USB flash drive? === !!!

So we can only find a third-party organization that both of us trust to notarize us. This organization is the certificate center, also known as the CA.

If James applies for a digital certificate, the certificate will contain James's natural information, including his name, institution, and other public keys that James wants to provide for verification, the most important thing is that the certificate center signs the certificate so that we can sign the certificate.

Here, there is another conflict. Who should we go to verify whether the signature on this certificate is from the certificate center, the solution is to find another third-party organization to issue certificates to this organization ...., therefore, the certificate chain is formed.

However, there will always be an organization in the end. We have no way to verify its authenticity. We have to choose to trust it, so it becomes the root certificate.

The root certificate is the certificate that does not need and cannot be verified.

At this time, XiaoHong has a digital certificate issued by James, which can be connected to the information received by the so-called James for verification. If the verification passes, then it can be proved that Xiao Ming sent it to him. Next, we will have a pleasant play together.

Knowledge about digital certificates and signatures

This article is an English version of an article which is originally in the Chinese language on aliyun.com and is provided for information purposes only. This website makes no representation or warranty of any kind, either expressed or implied, as to the accuracy, completeness ownership or reliability of the article or any translations thereof. If you have any concerns or complaints relating to the article, please send an email, providing a detailed description of the concern or complaint, to info-contact@alibabacloud.com. A staff member will contact you within 5 working days. Once verified, infringing content will be removed immediately.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

Get Started for Free

Sales Support

1 on 1 presale consultation

Chat Contact Sales
After-Sales Support

24/7 Technical Support 6 Free Tickets per Quarter Faster Response

Open a Ticket
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.

Learn More