PublicKey,private key and CA Certificate
PublicKey,private key and CA Certificate
At first we use symmetric encryption when connecting with each other. If A communicates with B, A sends a secret key to B, so they encryt data using this key. symmetric encryption is efficient because the key's bits are less than 256——the smaller the bumber of bits, the faster the encryption/decryption speed.
But the key may be stolen by hackers(man-in-middle attack) so this way is not much secure. Consequently asymmetric encryption comes.
Public key and Private key
Each host can generate a pair of keys. Everyone keeps a key for himself called private key, and give anthor one a key called public key. A public key can be sent to many hosts so that it is called public key. One public key corresponds to one private key, and vise versa. If I communicate with another host, it will give me its public key and its data will be encryted by its private key. After I recieved its data, I can use its public key to decrypt the data, as only his public key can do it. If I have no its public key or I have a fake key then I can't get its decrypted data. So the private key is called "digital signature". By public key and private key, we can prove the identity of the other party and keep the data security.
Common asymmetric encryption algorithms are RSA and DSA.
But how server gives its public key to client securely? By certificate.
Certificate and signature
Because of the man-in-middle attack, we can't get server's public key directly.Public key may not be security if someone forges the public key. How to prove the public key is security? Only the trusted institution provide the public key.So we must do it by Certificate Authority.
The data which consits of the sever's public key and other key information is called "digital certificate".The server must firstly apply for a certificate from CA,it put its public key and other important information in the cert. however, the public key may still be tempered with between the CA and client. So after CA get the certificate, it will add its digital signature on it to prevent hackers from tempere with the cert information.
| cert serial number | AB:CD:EF:GH |
|---|---|
| Orgnaztion | tatakai |
| DNS | www.tatakai.com |
| Public key | xxxxxxxxxxxxxx |
| Expiration time | 2022-12-24 |
| CA name | RSA Data Security |
| CA signature | Bill Gates |
| Digest Algorithm | MD5 |
Above is the main information about the certificate, which is provided by the server. And CA uses the information with digest algorithm to generate a fixed-length number called digest. Then CA uses its private key to encrypt the digest to generate the CA digital signature. CA digital signature is included in the digital certificate, then the cert is sent to client.
Why we need CA digital signature? To prevent the contents of t he certificate from being tampered with, we attach the digital signature to it. It's secure because one is that the digital signature is encrypted by CA's private key so that we can use CA's public key to decrypt it,which proves that the signature is generated by CA but not other hackers, another one is that we can use the same digest algorithm to generate digest from the certificate and compare the two digest if they are consistent.
By the way, how we solve the man-in-middle attack between CA and the client? The CA public key is included in the Root CA certificate, which is saved on the system and trusted by the system and can't be modified. So the client own the CA public key at the beginning that the CA public key can't be hacked.
Notice:
1. Although whatever is encrypted by the private key is called digital signature, commonly the digital signature is "digital signature generated from CA".
In fact, most problem in IT can be solved by building intermediaries, **as Certificate is**. 2. CA is a trusted man in middle.
公钥、私钥和证书 - videNote - 博客园 (cnblogs.com)
Digest algorithm
Digital signature technology relies on asymmetric encryption and digital digest technology.Why does the digital technology is needed ? Becasue asymmetric encryption spends much more time than symmetric encryption, if CA encrypts all the data, it will spend much time. After the client get the certificate, it will also spend much time to decrypt the cert so that it can't be checked immediately.
So we use digest algorithm to generate a fixed-length bits of number from original data, which can do encryption faster. The original data is corresponded with the digest number, just like a key-value pair. MD5 is a commonly used digest algorithm.
High recommend :18 张图彻底弄懂 HTTPS 的原理! (baidu.com)
