Digital signatures and Ca certificates

1. The functions that digital signature should realize

（1） Message authentication ： The receiver needs to be sure that the message is sent by the sender , Others cannot forge signatures

（2） Message integrity ： Confirm that the received and sent messages are consistent

（3） Undeniable? ： The sender cannot deny the message he sent afterwards

1. The realization of digital signature ：

• The above process ： Only signature and verification signature are realized .

A Encrypt with private key ---> adopt D operation （ It's called signature ）-----> Generating ciphertext ---->B Received the ciphertext ----> adopt A The public key ---> adopt E operation （ attestation ）---> Get clear text

• B Think only A Have A The private key , therefore B Think this news is A The hair , This is message authentication
• if A Deny that you sent this message , therefore B Can put plaintext X And ciphertext Dsk Send it to a third party , Third party institutions can prove that this is indeed for B Of , This is undeniable

2. Digital signature with confidentiality

2. certificate

• In order to prevent ：B The user owns A The public key ,B Disguised as a C Send a message to A, There is a Certification Center CA：CA It's for Bind specific device and public key ----> The device will get CA certificate ： There is a public key , Identifier of the owner （IP Or a person's name ） 
• certificate = Public key + digital signature

1. Application scenario of certificate ：

Digital certificates and CA Detailed explanation _ The blog of boiled soybeans in brine -CSDN Blog _ca certificate List of articles 1. certificate 1.1 Application scenario of certificate 1.2 Certificate Standard Specification X.5091.2.1 Certificate specification 1.2.2 Form of certificate 1.2.3 CA certificate 1.3 Public key infrastructure （PKI）1.3.1 What is public key infrastructure 1.3.2 PKI User authentication authority （CA） Warehouse 1.3.3 All kinds of PKI2.Fabric - ca2.1 brief introduction 2.2 Basic components 2.3 install 2.4 initialization & Quick start 2.5 Server configuration file parsing 2.6...https://blog.csdn.net/lk2684753/article/details/100160856?ops_request_misc=%257B%2522request%255Fid%2522%253A%2522165889436316782425122649%2522%252C%2522scm%2522%253A%252220140713.130102334.pc%255Fblog.%2522%257D&request_id=165889436316782425122649&biz_id=0&utm_medium=distribute.pc_search_result.none-task-blog-2~blog~first_rank_ecpm_v1~rank_v31_ecpm-3-100160856-null-null.185^v2^control&utm_term=CA%E8%AF%81%E4%B9%A6%E6%8B%BF%E5%88%B0%E7%9A%84%E6%B5%81%E7%A8%8B&spm=1018.2226.3001.4450

1.  Bob Generate key pair ：Bob Generated a pair of public and private keys
2. Bob In the certification body Trent Register your own public key ：(1)Bob Then the public key is sent to the certification authority Trent (2)  Confirm whether the received public key is Bob I own
3. Certification body Trent Use your own private key for Bob The public key of the system imposes a digital signature and generates a certificate
4. Alice Get a certificate with a certification authority Trent Digital signature of Bob The public key （ certificate ）
5. Alice Use a certification authority Trent Public key verification digital signature , confirm Bob The legitimacy of the public key
6. Alice use Bob The public key encrypts the message and sends it to Bob
7. Bob Decrypt the ciphertext with your own private key to get Alice The news of

1,2,3 Not every time

2. Certificate standards

• Version number (Version Number）： Version number of the specification , The current version is 3, The value is 0x2;
• Serial number （Serial Number）： from CA Maintain a column number assigned to each certificate it issues , Used to track and revoke certificates . As long as you have the issuer information and serial number , You can uniquely identify a certificate , The maximum can not be over 20 Bytes ;
• Signature algorithm （Signature Algorithm）： The algorithm used in digital signature , Such as ：

sha256-with-RSA-Encryption
ccdsa-with-SHA2S6;

• Issued by the （Issuer）： Identification information of certificate issuing unit , Such as ” C=CN,ST=Beijing, L=Beijing, O=org.example.com,CN=ca.org.example.com ”;
• The period of validity (Validity): The validity of the certificate is very long , Including start and end time .
• The main body (Subject) : The identity of the certificate owner （Distinguished Name）, Such as ：" C=CN,ST=Beijing, L=Beijing, CN=person.org.example.com”;
• The public key information of the subject (SubJect Public Key Info）： Information about the protected public key ：
• Public key algorithm (Public Key Algorithm） The algorithm used by the public key ;
• Principal public key （Subject Unique Identifier）： The content of the public key .
• The unique number of the issuer （Issuer Unique Identifier）： Unique information on behalf of the issuer , only 2、3 Versioning support , Optional ;
• Subject unique number （Subject Unique Identifier）： Represents the unique information of the entity that owns the certificate , only 2,3 Versioning support , Optional ：
• Expand （Extensions, Optional ）: Optional extensions . May include ：

Subject Key Identifier： Entity's secret key identifier , Multiple pairs of secret keys that distinguish entities ;
Basic Constraints： Indicate whether it belongs to CA;
Authority Key Identifier： The public key identifier of the certificate issuer ;
CRL Distribution Points: The issuing address of the revocation document ;
Key Usage： Information about the purpose or function of the certificate .

• Besides , The certificate issuer also needs to use its own private key to add a signature to the certificate content , To prevent others from tampering with the contents of the certificate .

3 CA certificate

CA yes Certificate Authority Abbreviation , Also called “ Certificate Authority Center ”.

CA certificate , seeing the name of a thing one thinks of its function , Namely CA Certificate issued .

• Certificate trust chain

1. such as ,C trust A1,A1 trust A2,A2 trust A3… This is called the certificate chain of trust . As long as you trust the first certificate on the chain , The subsequent Certificate , All can be trusted .

hypothesis C Certificate trust A and B; then A trust A1 and A2;B trust B1 and B2. Then between them , Make up a tree relationship as follows （ An upside down tree ）.

 2.  The certificate at the root of the top tree , Namely “ Root certificate ”

4 Public key infrastructure （PKI）

Public key infrastructure （Public-Key infrastructure） It is the general name of a series of specifications and specifications formulated to make more effective use of public key . Public key infrastructure is generally abbreviated to... According to its English abbreviation PKI.

 

• The operation performed by the user who registers the public key （ Public key registrant ）

  • Generate key pair （ It can also be generated by the certification authority ）
  • Register the public key with the certification authority （ user Bob Give the public key to the certification authority ）
  • Apply to the certification body for a certificate
  • Apply for cancellation of the registered public key as required
  • Decrypt the received ciphertext
  • Digitally sign messages

• The operation performed by the user who has registered the public key （ Public key user ）

  • Download tape Bob Certificate of public key
  • Verify the digital signature
  • Get Bob The public key
• after Alice Get Bob The public key , Encrypt to Bob Send a message ,Bob Decryption with public key

3. Message summary