date
July 22, 2005
Author
gauss
Types of
safety certificate
content
CA certification
CA
Certification learning notes
One,
noun:
1.
Public key infrastructure (PKI)
:
Public Key Infrastructure
PKI
It is to ensure system information security and responsible for verifying a system of digital certificate holder identity by using public key technologies and digital certificates. For example, a company can establish a public key infrastructure (
PKI
The system controls access to its computer network. In the future, companies can also pass public key infrastructure (
PKI
System to complete access control of delivery systems entering the enterprise gate and buildings.
PKI
Let individuals or companies are safely engaged in their business behavior. Enterprise employees can safely send emails on the Internet without having to worry about the information illegal third parties (competitors, etc.). Enterprises can build their interior
Web
Site, only send information on its trust.
PKI
Use each participant trust one by one
CA
(Certification Center), by this
CA
To check and verify the trust mechanism of the identity of each participant. For example, many individuals and companies trust legal driver's license or passport. This is because they all trust the same institution to issue these documents.
-
The government, so they trust these documents. However, a student's student card can only be verified by the school of this certificate. Digital certificate is the same.
Through the public key infrastructure (
PKI
), The transaction, may be a certification center trusted to issue its digital certificate with its customers or employers and their employees.
CA
). Typical is the application software using digital certificates and
CA
Trust has the same mechanism. For example, the client browser contains its trust in the list of roots.
CA
The root certificate, when the browser needs to verify the legality of a digital certificate (if you want to perform online security transactions), this browser first finds the authentication center of the authentication center of the digital certificate from its root certificate, if The Certification Center Root Certificate exists in the browser's root certificate list and verified, the browser recognizes the web page with legal identity and display this site. If the authentication center, the root certificate does not have trust
CA
In the list of root certificates, the browser displays the warning information and asks if this new authentication center is to be trusted. Typically, the browser will pop up the options for providing permanent trust, temporary trust or or does not believe the option dialog box for the certification center to choose from customer. Because as a customer, they have the right to try to trust which certification centers, and trust processing work Finished by application software (in this example is done through the browser).
2.
How to achieve encryption:
Encryption technology is a process that makes data unreadable. There are many different (and complex) methods for chaos and recover information.
On the Internet, encryption technology has two main purposes. One is to access the security of the server certificate
Web
Site (such as online shopping), is called server-side encryption technology. Another is used to receive and send encrypted emails. The encryption processing methods in both uses include the exchange public key process.
During the encryption process, encrypt the information using the public key or private key, and it is decrypted using the private key or public key that matches it. This looks like a key to lock with another key. For example, when accessing a security
Web
When the site, the client computer receives this
Web
The public key of the site (public key is stored in the certificate), the client computer is
Web
Information sent by the site
Web
The public key of the site is encrypted, the only way to decrypt this information is
Web
Site uses their private key.
The same processing method is also applicable to secure email. Before sending encrypted information to others, you need to get a digital certificate containing its public key, email application uses its public key to encrypt information, after sending, the recipient is encrypted using their private key, not Moving the other party of the recipient private key cannot complete the decryption of this information. From this, you can send your digital certificate to people who want to send you mail. It is worth noting that you must protect your private key because it is used to decrypt information sent to you. 3.
digital signature:
Digital signature is another type of application for public key encryption technology. Its main way is that the sender of the message generates a message from the text text.
128
Bit has a hash value (or message summary). The sender uses its own private key to encrypt this hash value to form a digital signature of the sender. This digital signature will then be sent to the receipt of the packet as the attachments and packets of the packet. The recipient of the message first calculated from the received original packet.
128
The bit hash value (or packet summary), then decrypt the number of digital signatures added to the message with the sender's public key. If the two hash values are the same, the recipient can confirm that the digital signature is the sender. The authentication and unrecognizedness of the original packet can be achieved by digital signatures.
When using a program to digitally sign the information, at least the public part of the digital certificate and other information can be confirmed to confirm the integrity of the message information.
Before the mail information and the digital certificate are sent, the information is to be encrypted by the hash algorithm, which is an arithmetic process to generate a feature sequence through an arithmetic process. This sequence can only be generated by the original text. The resulting sequence is called a summary.
It must be known that the hasxist algorithm can only run unidirectional, but it is difficult to reverse the original text. That is to say, email programs can quickly generate unique information summary through the hash algorithm. However, if there is only information summary, it is necessary to decrypt the original text.
After the program generates information abstract, it is especially important to encrypt information using the sender's private key. If you only send email and information summary, others can easily modify the original text, re-generate a summary, and send out your identity.
If only the mail is digitally signed without encryption, email applications will send digital certificates and signatures as an attachment as an attachment, so that others can still read the contents of information (effective solution is in signature Adding encryption options later).
When the acceptor receives the message, verify the information summary with the sender's digital certificate (public key). Then the program uses the same hash algorithm to calculate the information summary of the message and compare the results. If the information summary and the information contained in the message are the same, then the message is not tampered with during the transmission process, thereby ensuring that the information is indeed by the public key corresponding to the verification (certificate hold Send it.
4.
Digital certificate:
The digital certificate is a file containing the public key owner information and the public key with the digital signature of the certificate authorization center.
Digital certificates, sometimes referred to as a digital ID, is an electronic file that meets a certain format to identify the true identity of the electronic certificate holder. Some software programs use digital certificates to other people or corporate certificates the identity of the certificate holder. Here is two ordinary examples:
When using an online banking system, banks must confirm the true identity of the customer, through the identity-by-verification customers to enter the relevant page of the online banking, such as: transfer, query the account. This is like a driving license or a passport, the digital certificate confirms your true identity to the online bank.
When you want to send important emails to others, email programs are signed with your digital certificate. There are two functions of digital signatures: It is easy to prove that the email is sent by you, and it can also prove that the email is not tampered at the time of transmission.
A digital certificate generally includes the following: 1)
Your public key
2)
Your name and email address
3)
Effective period of public key
4)
Name of the initiator
5)
Digital certificate serial number
6)
Digital signature of the issuing body
5.
Digital certificate key pair:
When communicating with other individuals or businesses through the network environment, a secure exchange information channel is required to ensure that there will be no third-party illegal user intercept and read information. Now the most advanced encrypted data is by using the key pair. the way. The key pair contains a public key and a private key. We can compare the keys of the unlocked key. Different are the key is a key, one for locks to ensure safety, that is, encryption; and other terms open the door, that is, decrypt.
Application software uses a key to a key to encrypt the document. You must use another key that matches it to decrypt information. But how can I guarantee that the information is safely sent to the information acceptor and is not intercepted by others?
The above problem can be solved by using a key pair. When applying for a digital certificate, the browser generates a private key and a public key. The private key is only used by the certificate applicant, and the public key will become part of a digital certificate. The browser will ask you to provide a password when you access the private key, this password is only known to know itself, this is very important (password should not be your birthday or others to easily guess the number or letters).
After receiving and installing the digital certificate, send the digital certificate to anyone who needs to send information. A public key for encryption information is included in the digital certificate. Others will use your public key to encrypt information when sending you information. Because only you have a private key that matches it, only you can decrypt information encrypted with your public key.
Similarly, when you want to send encrypted information to others, you must first get their public key. You can serve in the directory (general,
CA
The system will publish the certificate to the public directory server to find their digital certificates in the issuance of the certificate. If you only have a signature-processed email, your email application usually saves the sender's digital certificate.
6.
SLL
:
SSL
Is a safety sleeve
(Secure Sockets Layer)
abbreviation of. Information on the network in the source
-
Other computers are passed during the delivery process. In general, the intermediate computer does not listen to the information. However, it is possible to monitor when using online banking or credit card transactions, resulting in a disclosure of personal privacy. due to
Internet
with
Intranet
The reason for the architecture, there is always some people to read and replace the information sent by the user. With the continuous development of online payment, people's requirements for information security are getting higher and higher. therefore
Netscape
The company proposed
SSL
Agreement is designed to achieve an open network
(Internet)
The purpose of safely transmitting information security, this agreement
Web
Get a wide range of applications. after that
Ietf (www.ietf.org)
Correct
SSL
It has been standardized, namely
RFC2246
And call it
TLS
(
TRANSPORT LAYER SECURITY
), From the technical statement,
TLS1.0
versus
SSL3.0
The difference is very small.
7.
Server certificate:
Server certificate is installed in you
Web
On the server, you can treat the server certificate as a digital certificate that allows the visitor to use the web browser to verify the real identity of the website, and can have through the server certificate.
SSL
Encrypted communication process.
The server certificate is one of the digital certificates, similar to the driver's license, passport and the electronic copy of the business license. Prove that your identity or indicate you have access to online services by submitting a digital certificate. Server certificate passes through the client browser and
Web
Building a server
SSL
The security channel guarantees the security of both parties, and the user can verify that the website he visited is truly reliable through the server certificate.
The server certificate can be divided into two types:
40
Bits and
128
Bit (here is
SSL
Generate the length of the encryption key during the session, the longer the key, the less easy to crack) the certificate
8.
Identification and encryption:
1)
SSL server identification
Let the user confirm the identity of the web server. Software with SSL features (such as web browser programs) will follow the list of trusted certification centers in such programs, whether the digital certificate from the motion verification server is valid, and is through the appropriate certification center (such as ITrusChina) The release. Identifying server identity in a secure electronic trading environment, a very important ring for users. For example, when the user wants to send its own credit card information to the website server, you will first confirm the true identity of the server.
2)
Encrypted
SSL
Online
All information transmitted between the client and the server is encrypted by the transfer end software, and the acceptable end software is decrypted. This can protect information will not be intercepted on the network. In addition, all
SSL
The information transmitted in the online needs to verify the information integrity.
SSL
It will automatically detect whether there is a risk of modification during transmission. In this way, users can safely pass personal information (such as credit card information) to the website, and trust
SSL
Mechanism protects the privacy and security of this information
9.
How to operate the server certificate:
1)
The user is connected to your Web site, which is protected by the server certificate. (Can be distinguished by viewing the beginning of the URL to "https:", or the browser will provide you related information).
2)
Your server responds and automatically transmits your website's digital certificate to the user, used to identify your website.
3)
The user's web browser program generates a unique "session key code" to encrypt all communication processes between the website.
4)
The user's browser encrypts the conversation key code with the public key of the website so that only let your website can read this conversation key code.
5)
Now, the communication process with security has been established. This process takes only a few seconds in a few seconds, and the user does not need any action. According to different browser programs, the user will see a key icon to become complete, or the icon of a door plug is turned to the upper lock, which is used to indicate the current working phase is secure.
10.
Differences between public digital certificates and private digital certificates:
The private digital certificate is issued by the private certification center within the company, and all private digital certificates are with their roots.
CA
The public key is joined together to identify the hierarchy of the mechanism in the management certificate. When you buy a certificate server and start working, you can build your own root.
CA
Public key. However, you must take the root
CA
The public key is sent to all software that can receive and identify private digital certificates. This is used
S / MIME
The format safety email generates a big problem, because everyone in almost enterprises have an opportunity to send emails in the outside world, and these companies' external email recipients do not have the root of your company.
CA
Public key. Therefore, private digital certificates are more suitable for enterprises that focus on internal contacts.
Under
iTruschina
Proxy
Verisign
The root of the public digital certificate
CA
The public key is embedded in the main application that supports the certificate, including web browsers and email programs for web view companies and Microsoft companies, and nearly forty web server vendors. Common digital certificates are suitable for applications where it is necessary to support companies that need to contact outside. by
iTruschina
Digital certificates issued by the issuing center have the same root card in all customers in the country, so it can be easily certified to each other, compare the application environment for enterprises that need to be associated with the outside world. For example, secure email is an example because the user is also required to send an email in the outside in addition to sending a message within an enterprise.
iTruschina
Security
(Onsite) Exclusively provides choices for customers to use public digital certificates or private digital certificates. Private digital certificates are like a certificate server, which allows companies to fully control their authentication mechanisms and the standards for issuing certificates, and the internal circulation is easy. The public digital certificate not only allows customers to fully grasp the content of their certificates and decide the certificate application qualifications, but also
iTruschina
All the advantages of the public digital certificate. In other words, when you use a public digital certificate to send an email to other enterprises, the recipient will know that the sender is, it will also get a certificate of the certificate and
iTruschina
Representing a third party with credibility
)
Confirmation and guarantee of the identity of the sender. Because of our professional and high visibility in network security, the recipient will be more assured to your email. This unique feature is only
iTruschina
Security
(Onsite)
This product is only available.
two,
use
1.
Why do you need a digital certificate:
Virtual malls, e-banking, and other electronic services are becoming more common. However, you will also worry about the security of online applications, so that you will be able to get convenient and fast service. Digital certificates can help you solve security issues.
Alternatively, your company has established a new internal network that requires you to use a digital certificate in your work. Because you will use this new technology in your work, you need to use a digital certificate quickly.
In order to ensure that the data passed between the Web site and the client network application system is not read, you need to use a digital certificate. Although encryption is a powerful tool, only encryption technology is not enough to protect the security of information transfer.
Encryption technology cannot prove your identity or send encrypted information to your sender identity. For example, securities companies in an online transaction have their own sites and send encrypted information to customers through their web pages. This site will ask users to enter their usernames and passwords. These usernames and passwords are extremely easy to be intercepted and cannot be used to prove the identity of the user. Without other safety measures, illegal third parties can pretend to be legally online users and defraud the user's account or other effective private information.
Digital certificates provide an electronic verification identity, providing a more complete solution to verify the true identity of each participant in the transaction process.
Digital certificates provide a "undeniable" function that fundamentally prevents someone from denying the information he sent. For example, when you use a credit card, you must sign on the receipt payable. Because signing in receipts is essential. So, you can prove that others stealing or use your credit card by comparing the signature. When sending a payment confirmation instruction on the network, the "Authorization Signature" is automatically generated by undeniable functions, and the customer's private key is used during the signature process. If someone wants to generate your "Authorized Signature" unless he has your private key and the password used to protect the private key, you can not generate your "Authorization Signature". That's why I can't tell anyone of your private key protection password, this is an important thing.