Http://www.cnblogs.com/1-2-3/archive/2007/09/17/colloquialism-digital-certificate-part1.html
Summary
This series uses easy-to-read explanations so that you can understand the basic principles of digital signatures and how to apply them (even if you are an enterprise boss who is not computer savvy, you can read this article). Then we step into the technical details, and finally give a demo of a B/S information system that uses digital signatures.
Because digital signatures are based on asymmetric encryption, we first need to go over symmetric and asymmetric encryption.
Symmetric encryption
What is encryption? Encryption is a technique for "messing up data". Encryption involves 4 kinds of things:
Plaintext: Data that can be understood by a person or a program. For example, a text file, a piece of lyrics, a Word document, an MP3, a picture file, a video, and so on.
Encryption algorithm: A way of messing up the data.
Key (password): A string that you supply when you perform the encryption, so that the encryption algorithm not only "messes up" the plaintext, but messes it up "differently" for each key. This way, even if someone else has the decryption algorithm, they cannot decrypt the ciphertext without the key that was used to encrypt it.
Ciphertext: The result of encrypting the plaintext with the encryption algorithm and the key. It looks like a bunch of garbled characters, and no person or program can tell what it means.
As an example of encryption, I'll demonstrate the encryption process using the "Jing Replacement encryption algorithm" that I invented.
Plaintext: Good good study, day day up.
Key: Google
Jing Replacement encryption algorithm: Replace every letter "d" in the plaintext with the key.
Ciphertext: Replace every letter "d" in "Good good study, day day up." with "Google", and you get the ciphertext "Googoogle googoogle Stugoogley, Googleay googleay up." Is this ciphertext good enough? The average person who sees it certainly does not know what it means.
So what is decryption? Decryption is the process of turning ciphertext back into clear text.
For example, the Jing Replacement decryption algorithm replaces every string in the ciphertext that is identical to the key with "d".
Ciphertext: Googoogle googoogle Stugoogley, Googleay Googleay up.
Key: Google
Jing Replacement decryption algorithm: Replace every string in the ciphertext that is identical to the key with "d".
Plaintext: Replace every "Google" in "Googoogle googoogle Stugoogley, Googleay googleay up." with "d", and you get the plaintext "good good study, day day up.".
You must have noticed that the keys we use for encryption and decryption have to be the same. In the example above, the same key "Google" must be used for both encryption and decryption. An algorithm like the "Jing Replacement encryption algorithm" is therefore called a symmetric encryption algorithm. Currently the most popular symmetric encryption algorithms are DES and AES; other symmetric encryption algorithms include IDEA, FEAL, LOKI, Lucifer, RC2, RC4, RC5, Blowfish, GOST, CAST, SAFER, SEAL and so on. The WinRAR file encryption feature uses the AES encryption algorithm.
Asymmetric Encryption
An asymmetric encryption algorithm is a special kind of encryption algorithm: it has not 1 key but 2 (a pair), which for now we call the key K1 and the key K2. The characteristic of an asymmetric encryption algorithm is that if the key K1 is used to encrypt, then the key K2, and only the key K2, can decrypt; conversely, if the key K2 is used to encrypt, then the key K1, and only the key K1, can decrypt. Note what "only" means here: if the key K1 is used to encrypt, the result cannot be decrypted with the key K1; similarly, if the key K2 is used to encrypt, the result cannot be decrypted with the key K2. This is a very important feature; how it is used in practice is shown below.
I want to send Clark a little AV movie, but I am afraid his wife will find out ...
Say I got a very good little AV movie and want to send it to Clark over the network, but I am afraid his wife will find out (because Clark's wife is a super hacker who can use sniffer technology to intercept any data sent to Clark over the network cable. Don't tell me to use a VPN, it's beyond the scope of this article). What to do? Yes, we need the technology of "messing up the data": encryption. I first use WinRAR to compress the little movie and add the password "TSWCBYYQJSJHFL" (remember? The WinRAR file encryption function uses a symmetric encryption algorithm called AES). Next, I send the encrypted file to Clark via QQ. Then, excitedly, I call Clark's cell phone:
"Hello, is that Clark? Long time no see, hehe ... I sent you a good thing on QQ, did you receive it? ...... The password is TSWCBYYQJSJHFL, yes, the first letters of 'tian sheng wo cai bi you yong, qian jin san jin huan fu lai', with the first and the last letter capitalized ..."
But, Clark, I really didn't know your wife was right beside you! And as you know, I've always been a big fan of phone calls ... Woo-hoo ...
After Clark knelt on the board all night, we all understood: for a file saved on your own hard drive, symmetric encryption is no problem, but when two people transfer files over the network, symmetric encryption is dangerous, because the decryption key has to be transmitted along with the ciphertext. We need a different kind of encryption algorithm, one that does not require passing the decryption key. Asymmetric encryption fits our needs exactly. The basic idea is this: first, generate a key pair (key K1 and key K2) that satisfies the asymmetric encryption requirements. Then publish the key K1 online, where anyone can download it; we call this published key K1 the public key. The key K2 is kept by its owner and never disclosed to anyone; we call this key K2, known only to its owner, the private key. When I want to send a little movie to Clark, I can use Clark's public key to encrypt the little movie, after which even I cannot decrypt the ciphertext. There is only one person in the world who can decrypt the ciphertext, and that person is Clark, who holds the private key.
Later ...
Later, having learned a bitter lesson, Clark decided to apply for a digital certificate. The process is this: log in to the website of the local digital certificate certification center, fill in the form, present the original and a photocopy of your valid ID, wait for the certification center to produce the digital certificate, and collect the digital certificate. If your company needs to apply for a large number of digital certificates, you can also ask the sales staff of the certification center for a free trial version of the digital certificate for your technicians to try.
Later, I got an electronic version of a bad comic, and of course I thought of Clark. I first downloaded Clark's public key certificate (a file containing the public key information) from the digital certificate certification center, used the asymmetric encryption algorithm to encrypt the bad comic, and then sent the ciphertext to Clark via QQ. Then I excitedly dialed Clark's cell phone:
"Hello, is that Clark? Long time no see, hehe ... I sent you a good thing on QQ, did you receive it? ...... It has been encrypted with your public key. Just use your private key to decrypt it. ^_^"
Clark excitedly plugged in his private key (I forgot to say, the private key is not a file but a USB device, shaped like a USB flash drive; as for why, see the next article), decrypted the file, and began to read the comic, completely unaware that his wife was standing behind him ...
Clark, I'm a little tight this month.
Alas, I bought too many books this month and have run short before the end of the month. I happened to meet Clark on QQ:
"Clark, I need 2002 gilt silver, can I borrow it?"
Clark: "No problem. I'll send you the transfer. Please give me an IOU."
1-2-3: "Thank you so much, I'm going to use Word to write an IOU for you."
Then I create a new Word document, write the IOU, and save it to disk. And then what? I can't send the IOU directly to Clark, for the following reasons:
1. I cannot guarantee that Clark will not change "gilt silver 2002" to "gilt silver 20,002" after receiving the IOU.
2. If I default on the debt, Clark cannot prove that this IOU was written by me.
3. Normal Word documents cannot be used as evidence in litigation.
Fortunately, I have already applied for a digital certificate. I first use my private key to encrypt the IOU, and then send the ciphertext to Clark via QQ. Clark receives the ciphertext of the IOU, downloads my public key from the website of the digital certificate certification authority, decrypts the ciphertext with my public key, and finds that it really says "borrowing gilt silver 2002". Clark can lend me the silver with peace of mind, and I need not worry that Clark will tamper with my IOU, because:
1. Since what I sent Clark is ciphertext, Clark cannot make any changes to it. Clark can modify the decrypted IOU, but Clark doesn't have my private key, so he cannot imitate my encryption of the IOU. This is called tamper-proofing.
2. An IOU encrypted with my private key can be decrypted only with my public key. Conversely, an IOU that can be decrypted with my public key must have been encrypted with my private key, and only I have my private key, so Clark can prove that this IOU is what I wrote. This is called anti-repudiation.
3. If I refused to repay and Clark sued me in court, the Word document encrypted with my private key could be used as court evidence, because China has promulgated the "Electronic Signature Law of the People's Republic of China", which gives digital signatures legal effect.
You must have noticed that an IOU encrypted with my private key is tamper-proof, cannot be repudiated, and can be used as court evidence, which is the same effect as my putting a "signature" on the IOU. By the way, the process of "encrypting the IOU with my private key" is called a digital signature. (Because digital signature algorithms are slow, the actual process of signing a file is slightly more complicated than the method described above; this is discussed in the next article.)
I was 1-2-3, I really was 1-2-3, I was really a
As you already know, Clark's wife is a super hacker, the legendary kind of person who can do anything with a computer. Not long ago, she easily hacked into the QQ database and downloaded the IDs and passwords of all of Clark's friends, as well as their chat history. Since then, every now and then she chats with Clark while posing as one of Clark's friends, which has left Clark nervous and paranoid. Sure enough, yesterday I met Clark on QQ:
"Clark, how are you doing? I got a good thing, do you want it?"
Clark: "48475bbt556"
Clark is not crazy, and "48475bbt556" is not a secret code between me and Clark. Clark typed "48475bbt556" by hitting the keyboard at random, but I knew what Clark meant. I immediately pasted "48475bbt556" into Word, encrypted the Word document with my private key, and sent the Word document to Clark. On his side, Clark decrypted the Word document with my public key, opened it, found that it said "48475bbt556", and knew that the person on QQ really was the real me. Because I am the only person in the world who owns my private key, Clark's wife can no longer impersonate me. This is the verification function of digital signatures.
Incidentally, not only can a person apply for a digital certificate, but a device (such as a Web server) can also apply for a digital certificate (called a device certificate). With the verification function of digital signatures, you can verify the identity of the server, which is the ultimate anti-phishing solution.
Study Questions
If Clark sends me the same string (for example, "1234") every time, instead of randomly typing some characters on the keyboard each time, could Clark's wife take advantage of Clark's laziness to impersonate me while chatting with Clark on QQ?
This is the end of this article. The next article will introduce electronic signature products and equipment.
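The IOU signature and the "48475bbt556" identity check described above, as an added example that is not from the original article: it uses a constructed toy RSA key pair (two small known primes, not secure), signs a SHA-256 digest of the message as real signature schemes do, and models Clark's side with a hypothetical Verifier class. The IOU text and all function names are assumptions made for the illustration.

```python
import hashlib
import secrets

# Constructed toy RSA key pair from two known Mersenne primes. Far too small
# for real use; it only makes the private-key / public-key arithmetic visible.
P, Q = 2**61 - 1, 2**89 - 1
N, E = P * Q, 65537                    # public key: published for everyone
D = pow(E, -1, (P - 1) * (Q - 1))      # private key: known only to the signer

IOU = b"1-2-3 borrows gilt silver 2002 from Clark"   # constructed sample text

def digest(message):
    """Hash the message and reduce the hash into the range of the modulus."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N

def sign(message):
    """The article's 'encrypt with my private key': needs D."""
    return pow(digest(message), D, N)

def verify(message, signature):
    """The article's 'decrypt with my public key': needs only (N, E)."""
    return pow(signature, E, N) == digest(message)

class Verifier:
    """Clark's side of the identity check (hypothetical helper)."""
    def __init__(self, fixed_challenge=None):
        self.fixed = fixed_challenge   # lazy mode: the same string every time
        self.pending = None

    def challenge(self):
        # A fresh random string per session, unless the lazy mode is on.
        self.pending = self.fixed or secrets.token_hex(8).encode()
        return self.pending

    def accept(self, signature):
        ok = self.pending is not None and verify(self.pending, signature)
        self.pending = None            # one challenge, one answer
        return ok

def replay_succeeds(verifier):
    """Record one genuine signed reply, then resend it in a later session."""
    recorded = sign(verifier.challenge())   # genuine reply, seen on the wire
    assert verifier.accept(recorded)
    verifier.challenge()                    # later session, no private key used
    return verifier.accept(recorded)
```

With a fixed challenge such as "1234" the recorded reply is accepted again, while a fresh random challenge makes the old signature useless, which is why the string Clark sends must change every time.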
Vernacular Digital Signature (1) -- Fundamentals (symmetric encryption, asymmetric encryption, digital signature)