Summary
Through easy-to-understand explanations, this series allows you to easily understand the basic principles and application methods of digital signatures. (even if you are a computer-less enterprise boss, I can also read this articleArticle). Then we will gradually go deep into the technical details. Finally, we will provide a demo of using digital signatures in the B/S information system.
Because the digital signature is based on asymmetric encryption technology, we need to comment on symmetric encryption and asymmetric encryption technologies first.
Symmetric encryption
What is encryption? Encryption is a technology that disconnects data. Encryption technology involves four types of stuff:
Plaintext: Can be attacked orProgramRecognized data. For example, a text file, a piece of lyrics, a Word document, an MP3 file, an image file, and a video.
EncryptionAlgorithm: How to mess up data.
Key (password ):A string you provide during encryption operations, so that the encryption algorithm will not only "mess up" the plaintext, but also be "different ". In this way, even if someone else has implemented the decryption algorithm and does not have the password used for the original encryption, they will not be able to perform the decryption operation.
Ciphertext: Result of plaintext encryption algorithm and key encryption. It looks like a bunch of garbled characters, and no one or program can know what information it actually represents.
As an example of encryption, I will demonstrate the encryption process by using the "Jing's replacement encryption algorithm" created by me.
Plaintext: Good good study, day up.
Key: Google
Jing's replacement encryption algorithm: replaces all the letters "D" in the plain text with the key.
Ciphertext: replace all the letters "D" in "good study, day up." with "google", you will get the ciphertext "googoogle stugoogley, googleay up .". This ciphertext is messy, right? The average person may not know what it means.
So what is decryption? Decryption is the process of changing the ciphertext to the plain text.
For example, "King's password replacement decryption algorithm" is to replace all strings in the password with "D ".
Ciphertext: googoogle stugoogley, googleay up.
Key: Google
King's password replacement decryption algorithm: replace all strings with the same key in the password with "D ".
Plaintext: replace all "google" in "googoogle stugoogley, googleay up." with "D", the plaintext "Good good study, day up." is obtained .".
You must have noticed that the keys used for encryption and decryption must be the same. For example, in the preceding example, the same key "google" must be used for encryption and decryption ". Therefore, it is calledSymmetric encryption algorithm. Currently, the most popular symmetric encryption algorithms are des and AES. In addition, symmetric encryption algorithms include idea, FeAl, Loki, Lucifer, RC2, RC4, RC5, blow fish, GOST, cast, safer, and seal. The file encryption function of WinRAR is the AES encryption algorithm.
Asymmetric encryption
Asymmetric encryption algorithms are a unique type of encryption algorithms. Their keys are not one, but two (one-to-one). Let's name them keys K1 and K2 first. The asymmetric encryption algorithm is characterized by key K1 encryption, only key K2 can be used for decryption. If key K2 is used for encryption, only key K1 can be decrypted. Note that "only" means that key K1 cannot be used for decryption if it is encrypted. Similarly, if it is encrypted with key K2, you cannot use the key K2 for decryption. This is a very important feature. For how to use this feature in practice, see the following.
I want to send Clark an AV movie for fear of being discovered by his wife ......
I got a very good AV movie and wanted to transfer it to Clark through the Internet, but I was afraid of being discovered by his wife (because Clark's wife is a super hacker, she can use sniffer technology to interceptAnyData transmitted to Clark over a network cable. Don't tell me how to use VPN. It is beyond the scope discussed in this article.) What should I do? By the way, we need a technology to "mess up data"-encryption technology. I first use WinRAR to compress small movies, and then add the password "tswcbyyqjsjhfl" (remember? The file encryption function of WinRAR uses the symmetric encryption algorithm called AES ). Then, the encrypted file is sent to Clark via QQ. Then, we were excited to call Clark's mobile phone:
"Hello? Clark? I haven't seen you for a long time, huh, huh... I sent you a great stuff. On QQ, did you receive it ?...... The password is tswcbyyqjsjhfl. Yes, it is natural for me to use it. The first and last letters must be capitalized ......"
But Clark, I really don't know that your wife was just by your side! And you know, I always like to make a loud call ......
After clarke squatted for a night, we all knew that, if it was a file already saved on our hard drive, it would be okay to encrypt it using symmetric encryption technology; if two people transmit files over the network, it is dangerous to use symmetric encryption-Because encryption keys must also be transmitted while transmitting ciphertext data. We need a unique encryption algorithm that does not need to transmit decryption keys. Asymmetric encryption can meet our needs. The basic idea is as follows: first, generate a pair of key pairs (Key K1 and key K2) that meet the asymmetric encryption requirements ). Then, publish the key K1 on the Internet. Anyone can download it. We call this public key K1Public KeyThe key K2 is kept by ourselves, so that no one knows it. We call this key K2 only known by ourselvesPrivate Key. When I want to send a small movie to Clark, I can use Clark's public key to encrypt the small movie. Then, I cannot even decrypt the ciphertext. Only one person in the world can decrypt the ciphertext. This person is Clark with a private key.
Later ......
Later, Clark decided to apply for a digital certificate. The process is as follows: first, log on to the website of the local digital certificate Certification Center, fill in the form-> present the original and photocopy of the valid individual certificate-> payment-> wait for the digital certificate certification center to prepare a digital certificate-> receive a digital certificate. If your company needs to apply for a large number of digital certificates, you can also consult with the sales staff of the Certification Center, first get a free trial version of the digital certificate for technical staff to try.
Later, I got another bad cartoon in an electronic version. Of course, I thought of Clark again. I first downloaded Clark's Public Key Certificate (a file containing Public Key Information) from the digital certificate Certification Center and encrypted the bad cartoon using asymmetric encryption algorithms, then send the ciphertext to Clark through QQ. Then, I rushed to Clark's cell phone:
"Hello? Clark? I haven't seen you for a long time, huh, huh... I sent you a great stuff. On QQ, did you receive it ?...... Your public key has been used for encryption. You can use your private key to decrypt it. ^_^"
Clark rushed to insert his private key (forgot to say, the private key is not a file, but a USB device, and its shape is the same as that of a USB flash drive. Why, I will talk about it in the next article), decrypt it, and then start watching cartoons. I don't even notice that his wife is behind me ......
Clark, I have a tight hand this month ......
Alas, I have bought too many books this month and won't open it until the end of the month. It happened that Clark was on QQ:
1-2-3: "Clark, I need 200 silver lines. Can I lend it to me ?"
CLARK: "No problem. I will transfer money to you. Please give me a loan ."
1-2-3: "Thank you very much. I will use word to write a loan for you ."
Then, I create a new word document, write a loan, and save the disk. Then, what should we do? I cannot directly send an borrow key to Clark for the following reasons:
1. I cannot guarantee that Clark will not change "Silver 200 two" to "Silver 2000 two" after receiving the loan ".
2. if I keep my account, Clark cannot prove that this loan is written by me.
3. Common Word documents cannot be used as evidence of litigation.
Fortunately, I have already applied for a digital certificate. I first encrypted the debit key with my private key, and then sent the encrypted ciphertext to Clark using QQ. After Clark receives the ciphertext of the debit, he downloads my public key from the website of the digital certificate Certification Center and decrypts the ciphertext using my public key, I found that what I did write is "borrow silver 200 two", Clark can lend me the silver with confidence, and I will not worry that Clark will tamper with my loan, because:
1. Clark cannot modify it because I sent the ciphertext to Clark. Clark can modify the decrypted debit key, but Clark does not have my private key and cannot imitate the way I encrypt the debit key. This is called Tamper-proofing .
2. Because I use my private key for encryption, only my public key can be decrypted. In turn, the debit key that can be decrypted using my public key must be encrypted using my private key, and only I have my private key, in this way, Clark can prove that this loan is written by me. This is called Anti-credit .
3. If I keep paying for it, Clark will take me to court. The Word document encrypted with my private key can be used as a Cheng Tang certificate. Because China has published the Electronic Signature Law of the People's Republic of China, which makes digital signatures legally effective.
You must have noticed that I used my private key to encrypt the debit key, which has the tamper-proofing and anti-Repudiation features and can be used as a Cheng Tang certificate, this is the same effect as I have "Signed" the debit card. By the way, the process of "using my private key to encrypt the debit card" is called Digital Signature . (Because the speed of the digital signature algorithm is relatively slow, the process of actually signing a file is slightly more complex than the method mentioned above. I will discuss it later in the next article ).
I am 1-2-3, I am really 1-2-3, I am really 1-2-3
As you already know, Clark's wife is a super hacker-someone who can use computers to do everything. This is not the case. Not long ago, She easily intruded into the QQ database and downloaded the IDs, passwords, and chat records of all Clark's friends. Then, from time to time, Clark's friends disguised as Clark chatted with Clark, making Clark always nervous and suspicious recently. No, I met Clark on QQ yesterday:
1-2-3: "Clark, is it okay recently? I got another good stuff. Do you want ?"
CLARK: "48475bbt556"
Clark is not crazy, and the "48475bbt556" is not a hacker between me and Clark. This "48475bbt556" is what Clark means by hitting it on the keyboard. I immediately pasted "48475bbt556" into the Word file, encrypted it with my private key, and then sent the Word file to Clark. Clark used my public key to decrypt the Word document and opened it. He found that it was written as "48475bbt556" and he knew that QQ was actually me. Because I am the only one who owns my private key in this world. Clark's wife and adults cannot imitate it even if they are all magical. This is a digital signature.VerifyFunction.
By the way, not only can a person apply for a digital certificate, but also a device (such as a web server) can apply for a digital certificate (called a device certificate ). Using the digital signature verification function, you can verify the identity of the server. This is the ultimate solution to anti-phishing.
Questions
If Clark sends me the same string (for example, "1234") each time, instead of randomly typing some characters on the keyboard, clark's wife will use Clark's laziness to imitate me and chat with Clark. Why?
This article ends with the introduction of electronic signature technology products and devices.
Http://www.cnblogs.com/1-2-3/archive/2007/09/17/colloquialism-digital-certificate-part1.html