Close asymmetric key

This article is from my blog 《 Unified authentication in cloud computing ——SAML The basic chapter 》

New direction of cryptography

1976 year , Two distinguished scholars from Stanford University , After three years of cooperation , Published an article entitled 《 New Directions in Cryptography 》 The article . This paper introduces the concept of public key encryption protocol and digital signature for the first time . No one can think of , Just a few decades later , This article constitutes the cornerstone of modern Internet encryption protocols . These two handsome grandfathers and cute millet ！！！

chart 1 《 New Directions in Cryptography 》 author （ This is from the Internet ）

Unlike symmetric ciphers, which are based on a single shared key , Asymmetric passwords always appear in pairs ： Public and private keys . Data encrypted by any one of these keys can only be decrypted by the other key . namely , Data encrypted by the private key can only be decrypted by the public key , Data encrypted by the public key can only be decrypted by the private key . This characteristic of asymmetric cryptography makes it widely used in the field of key exchange and digital signature .

Inspiration for key exchange

In network communication scenarios that require encryption , The most common encryption method is symmetric encryption based on shared key . The communication process is as follows ：
The sender and receiver of the message agree on a symmetric key in advance K. then , The message sender uses the key K Encrypt the message to be sent , And send the encrypted result to the message receiver through the network . The message receiver uses the key K Decrypt the received content , And get the original message . chart 2 Use shared key encryption for data transmission

Due to shared key K Held only by the sender and receiver of the message . therefore , Even if the data is hijacked during transmission , The attacker has no key K, The original message content is also unavailable .

But the problem is , How to agree the key in advance ？ If the sender and receiver of the message are physically close , You can also agree on the key by meeting offline . But what if the two sides of the communication are eighteen thousand miles away ？ obviously , The way of offline agreement is unrealistic . So can we find a safe way , Let the communication parties agree to share the key based on the network ？ chart 3 There will always be only one truth

There will always be only one truth : Key exchange using asymmetric cryptography mechanism . The message receiver generates a pair of public and private keys in advance , And public key PubK Broadcast out , Private key PriK Keep it for yourself . With this premise , The symmetric key can be agreed securely . The process is as follows ：

The message sender obtains the information of the broadcast message receiver PubK, And use the PubK For the symmetric key to be transmitted K To encrypt , And the encrypted content is transmitted to the receiver through the network . The message receiver receives the encrypted content , Use the corresponding PriK Decrypt to get the symmetric key K. chart 4 Key exchange using asymmetric cryptography mechanism

because PriK Held only by the receiving party . therefore , Even if the data is hijacked during transmission , The attacker has no private key PriK, The original message content is also unavailable . In this way , This solves the problem of symmetric key transmission ！

Digital signature anti counterfeiting

In the process of key exchange , There is one step worth discussing ： The message sender obtains the information of the broadcast message receiver PubK. This involves a certification issue , How to prove one PubK Is the recipient's PubK Well ？ If hackers forge the recipient's PubK What do I do ？ Just like the following picture . chart 5 The hacker forges the public key of the receiver

There will always be only one truth : digital signature . So called digital signature , It is a credible authority that signs some data with its own private key ( Private key encryption is usually called signature ), To prove that these data can be trusted .

The authority uses its own private key to transfer the public key of the receiver PubK To sign , The message sender receives the signature , Decrypt the public key corresponding to the authority to verify the signature . If the verification passes , Describe the currently received PubK It's certified , Can be trusted . conversely , The attacker's public key is not authenticated , It's untrustworthy . chart 6 The authority signs the information with its private key

It is signed by the private key of the authority , To ensure the PubK Reliability of the source . So who is the authority ？ congratulations , You have grasped the essence of the problem . In the field of cryptography , There is always a problem of root trust . Is the most original trust , For example, the root certificate used in our browser is a typical example .

Digital certificates have many uses

Writing at this point , The concept of digital certificate is ready to come out ！ digital certificate , Also known as public key certificate , Used to prove that a public key is used by an entity （ Usually people 、 An organization or service ） Held by . This is like comparison. , Your house property certificate is used to prove that the house is owned by you . Empathy , Your public key certificate is used to prove that the public key is held by you .

A digital certificate contains the following basic information ： The version number of the certificate 、 Certificate serial number 、 The signature algorithm used 、 The identity of the issuer 、 The validity of the certificate 、 Public key 、 The identity of the public key holder . This information is used as signed data , Use the specified signature algorithm and CA The private key of , And add the result of the signature to the certificate . This constitutes a complete certificate . Typical structure of digital certificate ： chart 7 Typical structure of digital certificate

because CA The public key of the institution is advertised , Any organization or entity that uses CA The public key of the certificate verifies the validity of the signature in the certificate , Can prove that the current certificate is reliable . namely , The public key declared in the certificate is associated with the holder . meanwhile , The private key corresponding to the public key is uniquely held by the holder .

author ： Yizhen
link ：https://www.zhihu.com/question/366632381/answer/976426943
source ： You know
The copyright belongs to the author . Commercial reprint please contact the author for authorization , Non-commercial reprint please indicate the source .