[Slightly abridged]
To keep this accessible, I will try to explain things in plain, non-technical language.
★ First, an everyday example
The certificate system is a rather dry and obscure subject, so let me start with an everyday example.
◇ The ordinary letter of introduction
I suppose everyone has heard of a letter of introduction? Suppose Mr. Zhang San of Company A is going to visit Company B, but nobody at Company B knows him. The usual approach is to bring a letter of introduction from his company that says: "Mr. Zhang San is hereby sent to your company to handle business; please receive him ..." and so on. Company A's official seal is then stamped on the letter.
After Mr. Zhang San arrives at Company B, he hands the letter of introduction to Miss Li at Company B's front desk. Miss Li sees Company A's official seal on the letter, and Company A and Company B often do business with each other, so Miss Li believes Mr. Zhang is not a bad person.
At this point, readers who love to argue will ask: what if the official seal is forged? Let me state up front that in this example we assume the official seal is hard to forge; otherwise my story cannot go on.
◇ The letter of introduction with an intermediary agency
OK, back to the topic. If Company B does business with many companies, and every company's official seal is different, the front desk has to know how to tell all those seals apart, which is a lot of trouble. An intermediary, Company C, saw this opportunity and opened a dedicated "seal agent" business.
From then on, when a salesman from Company A goes to Company B, he needs to bring 2 letters of introduction:
Letter of introduction 1
Bears Company C's official seal and Company A's official seal, and specifically notes: Company C trusts Company A.
Letter of introduction 2
Bears only Company A's official seal, and reads: "Mr. Zhang San is hereby sent to your company to handle business; please receive him ..." and so on.
Some readers who have not caught on yet will ask: doesn't this just add trouble? What good is it?
The main advantage is that the front desk of the receiving company no longer needs to remember what each company's official seal looks like; he/she only needs to remember the official seal of agency C. When he/she receives the two letters of introduction, he/she first verifies the C seal on "letter of introduction 1"; once that is confirmed, he/she checks whether the two A seals on "letter of introduction 1" and "letter of introduction 2" match. If they match, that proves "letter of introduction 2" can be trusted.
★ Explanation of the relevant technical terms
After all that talk, I have finally finished an example that I think is fairly easy to follow. If you have read this far and still do not understand what the example is saying, there is no need to waste time on the rest :(
Below I explain the relevant terms, using the example above.
◇ What is a certificate?
A "certificate" is also called a "digital certificate" or "public key certificate" (for the formal definition see "here").
It is used to prove that something really is what it claims to be (sounds like a tongue twister, doesn't it?). In plain terms, a certificate is like the official seal in the example: the seal proves that the letter of introduction really was issued by the corresponding company.
In theory, anyone can find a certificate tool and make a certificate of their own. So how do we stop bad guys from making their own certificates to deceive people? See the introduction to CAs that follows.
◇ What is a CA?
CA is the abbreviation of "Certificate Authority", also known as a certificate authority center (for the formal definition see "here").
It is a third-party organization responsible for managing and issuing certificates, like the intermediary, Company C, in the example. In general, a CA must be trusted and recognized by every industry and by the public, so it must be authoritative enough. In the same way, Companies A and B must both trust Company C before they will use it as the intermediary for official seals.
◇ What is a CA certificate?
A CA certificate, as the name implies, is a certificate issued by a CA.
As already mentioned, anyone can find tools to make certificates. But a certificate that some nobody makes for himself is useless: you are not an authoritative CA, so a certificate you make yourself carries no authority.
It is like a bad guy in the example above carving his own seal and stamping it on a letter of introduction. When others look at it and see that it is not the official seal of the trusted intermediary, they simply ignore it, and the bad guy's scheme fails.
Unless stated otherwise, "certificate" in the rest of this text means a CA certificate.
◇ What is the trust relationship between certificates?
In my example, once the intermediary was introduced, the salesman had to carry two letters of introduction. The first letter bears two official seals and notes that seal C trusts seal A. The trust relationship between certificates is similar: one certificate is used to prove that another certificate is authentic.
◇ What is the certificate trust chain?
In fact, the trust relationship between certificates can be nested. For example, C trusts A1, A1 trusts A2, A2 trusts A3 ... This is called the certificate trust chain. As long as you trust the first certificate in the chain, all the certificates after it can be trusted.
◇ What is a root certificate?
The "root certificate" is called "Root Certificate" in English; for the formal definition see "here". To make clear what a root certificate is, let us look at a slightly more complex example.
Suppose certificate C trusts A and B; A in turn trusts A1 and A2, and B trusts B1 and B2. Together they form a tree-like relationship (an inverted tree).
The certificate at the top, in the root position, is the root certificate. Every certificate other than the root relies on the certificate one level above it to prove itself. So who proves that the root certificate is reliable? In fact, the root certificate vouches for itself (in other words, the root certificate does not need to be proven).
Sharp readers will have realized by now that the root certificate is fundamental to the security of the entire certificate system. If something goes wrong with the root certificate of a certificate system (it is no longer trusted), then every certificate trusted through that root is no longer trusted either. The consequences are serious (and can even be disastrous).
★ What are certificates used for?
CA certificates have many uses; to save my breath, I will list only a few common ones.
◇ Verify that a website is trustworthy (for HTTPS)
In general, when we visit sensitive web pages (such as a user login page), the protocol used is HTTPS rather than HTTP. HTTP is a plaintext protocol, so once a bad guy is eavesdropping on your network traffic, he/she can see its contents (such as your password or bank account number). HTTPS is an encrypted protocol, which ensures that the bad guy cannot peek at your data in transit.
However, do not think you can rest easy just because HTTPS is encrypted. Let me give an example to show that encryption alone is not enough. Suppose a bad guy builds a fake online banking site and tricks you into visiting it. Suppose you are a bit naive and, in a careless moment, enter your account and password. The bad guy's scheme succeeds.
To stop bad guys from doing this, the HTTPS protocol has a certificate mechanism in addition to the encryption mechanism. The certificate ensures that a site really is the site it claims to be.
With certificates, when your browser accesses an HTTPS website, it verifies the CA certificate of that site (similar to checking the official seal on a letter of introduction). If the browser finds nothing wrong with the certificate (the certificate is trusted by a root certificate, the domain name bound to the certificate matches the domain name of the website, and the certificate has not expired), the page opens directly. To illustrate, here are screenshots from IE and Firefox:
For most well-known websites that use HTTPS, the certificate is trusted (so no such warning appears). So if you visit a well-known website in the future and the browser shows the warning above, be careful!
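The trust chain and the three browser checks described above (trusted root, matching name, not expired), as an added example that is not part of the original post. It is a toy model: textbook RSA over small constructed primes stands in for real X.509 signatures and is not secure, and the names C, A, shop.example and all helper functions are assumptions made for illustration.

```python
import hashlib
from datetime import date

E = 65537  # public exponent shared by every toy key

def keypair(p, q):
    """Textbook RSA from two primes: returns (public modulus n, private exponent d)."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))

def digest(cert, n):
    """Hash the signed fields of a certificate to an integer below n."""
    body = "|".join(str(cert[k]) for k in ("subject", "issuer", "pub", "not_after"))
    return int.from_bytes(hashlib.sha256(body.encode()).digest(), "big") % n

def issue(subject, pub, issuer, issuer_n, issuer_d, not_after):
    """The issuer 'stamps its seal': it signs the subject's name, key and expiry."""
    cert = {"subject": subject, "issuer": issuer, "pub": pub, "not_after": not_after}
    cert["sig"] = pow(digest(cert, issuer_n), issuer_d, issuer_n)
    return cert

def validate(chain, trusted_roots, hostname, today):
    """chain is [site, intermediate..., root]; returns 'ok' or the first failure."""
    root = chain[-1]
    if trusted_roots.get(root["subject"]) != root["pub"]:
        return "untrusted root"          # anyone can self-sign; only known roots count
    if chain[0]["subject"] != hostname:
        return "name mismatch"
    for cert, parent in zip(chain, chain[1:] + [root]):  # the root vouches for itself
        if today > cert["not_after"]:
            return "expired: " + cert["subject"]
        if cert["issuer"] != parent["subject"]:
            return "broken chain at " + cert["subject"]
        if pow(cert["sig"], E, parent["pub"]) != digest(cert, parent["pub"]):
            return "bad signature on " + cert["subject"]
    return "ok"

# Constructed sample data: Mersenne primes keep the toy keys short, not secure.
C_N, C_D = keypair(2**61 - 1, 2**89 - 1)      # root CA "C"
A_N, A_D = keypair(2**107 - 1, 2**127 - 1)    # intermediate "A"
SITE_N, _ = keypair(2**31 - 1, 2**19 - 1)     # the website's own key
END = date(2030, 1, 1)
ROOT = issue("C", C_N, "C", C_N, C_D, END)    # self-signed root
INTER = issue("A", A_N, "C", C_N, C_D, END)   # "C trusts A"
SITE = issue("shop.example", SITE_N, "A", A_N, A_D, END)
TRUST_STORE = {"C": C_N}                      # what the browser ships with

if __name__ == "__main__":
    print(validate([SITE, INTER, ROOT], TRUST_STORE, "shop.example", date(2025, 1, 1)))
```

A self-made root with the same name "C" but a different key fails the first check, which is the forged-seal case from the story.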
◇ Verify that a file is trustworthy (has not been tampered with)
Besides authenticating websites, certificates can also be used to verify whether a file has been tampered with. Specifically, a certificate is used to produce the file's digital signature. The process of producing a digital signature is too specialized for me to cover here. Below I only explain how to verify a file's digital signature. Since most people use Windows, I take Windows as the example.
For example, I have a Firefox installer (with a digital signature) on hand. When I open the file's properties, I see the following dialog. Sharp-eyed readers will notice a "Digital Signatures" tab. If this tab does not appear, the file has no digital signature attached.
Most well-known companies (or organizations) now digitally sign the executables they publish (such as software installers, drivers, and security patches). You can check for yourself.
I recommend checking whether software has a digital signature before you install it. If it does, follow the steps above to verify it. If the digital signature turns out to be bad, do not install it.
★ Summary
After half a day of talking, I have given a rough introduction to the concepts around CA certificates. If you want to know more, you can find material on information security or cryptography and dig deeper.
If any reader thinks I got something wrong, or that something needs to be added, you are welcome to leave a comment.
Original address
Http://program-think.blogspot.com/2010/02/introduce-digital-certificate-and-ca.html
[Repost] digital certificate and CA's literacy introduction