To talk about the signature mechanism, we must first understand encryption and decryption, because signing a file is itself a process of encryption and decryption.

Encryption and decryption

Encryption is the process of changing plaintext information into unreadable ciphertext content.

Decryption is the process of restoring the ciphertext to normal readable content by means of a special object. The method used in this process is the encryption/decryption algorithm.

Encryption is classified into symmetric encryption and asymmetric encryption (public-key encryption).

Symmetric encryption

Symmetric encryption is when encryption and decryption use the same key.

Common symmetric cryptographic algorithms are:

  • DES (Data Encryption Standard) is the most common symmetric encryption algorithm. DES encrypts 64-bit plaintext into 64-bit ciphertext. The key length is 56 bits. In the specification the key is 64 bits long, but one bit is set after every 7 bits for error checking, so the effective key length is 56 bits.

    DES encrypts only 64 bits of data at a time. For larger data, DES encryption has to be iterated (repeated). DES can be cracked in a short period of time.

  • 3DES: A cipher obtained by repeating DES three times, also called triple DES. It is still used by some banks and other institutions, but its processing speed is not high and its security weaknesses are gradually being exposed.

  • AES: A symmetric cipher that replaces DES as the new standard.

    The key length of AES is 128, 192, or 256 bits. In 2000, the Rijndael algorithm was selected as the implementation of AES. AES has gradually replaced DES and 3DES as the preferred symmetric cipher.

The problem with symmetric encryption: key distribution

As shown in the figure below, the key distribution problem inevitably arises when a symmetric cipher is used. Suppose Alice sends Bob a message encrypted with a symmetric cipher. Bob can decrypt it only if the key is also sent to him. While the key is being sent, Eve may steal it, and then Eve can decrypt the message as well.

Asymmetric encryption algorithm

When encryption and decryption do not use the same key, the algorithm is an asymmetric encryption algorithm, also known as public-key encryption.

In public-key cryptography there are two kinds of key: the encryption key and the decryption key. They are not the same key. Public-key cryptography is also called asymmetric cryptography.

In public key cryptography:

The encryption key, which is usually public, is called a public key.

The decryption key is kept by the message receiver and cannot be made public. Therefore, it is also called a private key. A public key and a private key correspond to one another and cannot be generated independently.

  • The ciphertext encrypted by the public key can be decrypted only by using the private key corresponding to the public key
  • The ciphertext encrypted by the private key can be decrypted only by using the public key corresponding to the private key

This solves the key distribution problem, as shown in the following figure:

Analysis of the above picture:

1. Bob generates a public key and a private key

2. Bob sends the public key to Alice and keeps the private key himself

3. Alice encrypts the message with Bob’s public key

4. Alice sends the encrypted message to Bob

5. Bob decrypts the message with his private key

If a third party is eavesdropping, data can be observed only at step 2 and step 4. Bob’s public key is public anyway, so in step 2 there is no need to worry about who obtains it. If the data in step 4 is captured by a third party, what he sees is encrypted data, and since he does not have Bob’s private key he cannot learn the message content. It also makes no sense for him to tamper with the message.

Hybrid cryptosystem

Although asymmetric encryption solves the problem of key distribution, its encryption and decryption speed is slow. Here we summarize the advantages and disadvantages of symmetric and asymmetric encryption:

| Encryption algorithm | Advantages | Disadvantages |
| --- | --- | --- |
| Symmetric encryption | Encryption and decryption are fast | Cannot solve the key distribution problem well |
| Asymmetric encryption | Solves the key distribution problem well | Encryption and decryption are slow |

A hybrid cryptosystem combines the advantages of symmetric and public-key cryptography:

  • It solves the problem that public-key cryptography is slow
  • The key distribution problem of symmetric cryptography is solved by public-key cryptography

Hybrid cryptosystem: encryption

Session key

A temporary key randomly generated for this communication. It is used as the key of the symmetric cipher, which encrypts the message and improves speed.

Encryption steps (sending a message)

First, the message sender must have the public key of the message receiver. The sender generates a session key and uses it as the symmetric cipher key to encrypt the message, encrypts the session key with the receiver’s public key, and sends the results of these two encryptions to the receiver.

The content sent out includes:

  • The message encrypted with the session key (encryption method: symmetric cipher)
  • The session key encrypted with the public key (encryption method: public-key cipher)

Hybrid cryptosystem: decryption

Decryption steps (receiving a message)

1. The receiver decrypts the session key using its own private key

2. The receiver uses the session key decrypted in step 1 to decrypt the message

Sending process (encryption)

1. Bob first generates a pair of public and private keys

2. Bob shares the public key with Alice

3. Alice randomly generates a session key (temporary key)

4. Alice encrypts the message to be sent with the session key (using symmetric cryptography)

5. Alice encrypts the session key with Bob’s public key (using public-key cryptography, i.e. asymmetric cryptography)

6. Alice sends the encryption results of steps 4 and 5 to Bob

Reception process (decryption)

1. Bob decrypts the session key using his private key (using public-key cryptography, i.e. asymmetric cryptography)

2. Bob decrypts the received message using the session key (using the symmetric cipher)
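
The sending and reception steps above, as an added Python example that is not part of the original article. To stay within the standard library it assumes two stand-ins: an unpadded toy RSA key built from fixed Mersenne primes for Bob, and a SHA-256 keystream XOR in place of AES; all names are hypothetical and neither primitive is safe for real use.

```python
import hashlib
import secrets

# Constructed toy RSA key pair for Bob, built from two well-known Mersenne
# primes. Trivially factorable and unpadded: for illustration only.
E = 65537
N = (2**521 - 1) * (2**607 - 1)
D = pow(E, -1, (2**521 - 2) * (2**607 - 2))  # Bob's private exponent
BOB_PUBLIC, BOB_PRIVATE = (N, E), (N, D)


def stream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in symmetric cipher: XOR data with a SHA-256 counter keystream.
    The same call encrypts and decrypts."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[offset:offset + 32], pad))
    return bytes(out)


def alice_send(message: bytes, bob_public):
    n, e = bob_public
    session_key = secrets.token_bytes(16)            # step 3: fresh random key
    ciphertext = stream_xor(session_key, message)    # step 4: symmetric cipher
    wrapped_key = pow(int.from_bytes(session_key, "big"), e, n)  # step 5
    return wrapped_key, ciphertext                   # step 6: send both parts


def bob_receive(wrapped_key: int, ciphertext: bytes, bob_private) -> bytes:
    n, d = bob_private
    session_key = pow(wrapped_key, d, n).to_bytes(16, "big")  # step 1
    return stream_xor(session_key, ciphertext)                # step 2


if __name__ == "__main__":
    wrapped, ct = alice_send(b"meet at the usual place", BOB_PUBLIC)
    print(bob_receive(wrapped, ct, BOB_PRIVATE))
```

Only the 16-byte session key goes through the slow public-key operation; the message itself, whatever its size, is handled by the symmetric cipher.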

The encryption scheme above solves the confidentiality of data in transit, but it cannot verify the integrity of the data, that is, whether the data has been changed. Because anyone can obtain the public key, an intermediary can intercept the message and change its content. So how do we verify whether the message has been changed?

One-way hash function

A one-way hash function, also simply called a hash function, turns an input message of arbitrary length into an output string of fixed length, from which it is difficult to recover the input. This output string is called the hash value of the message. It is generally used to generate message digests, for key encryption, and so on.

The length of the hash value is independent of the length of the message. Whether the message is 1 bit, 10M, or 100G, the one-way hash function computes a hash value of fixed length.

Characteristics of one-way hash functions

  • A fixed-length hash value is calculated from a message of arbitrary length
  • Fast: the hash value can be calculated quickly
  • The hash value varies from message to message
  • One-way

A one-way hash function is also called a message digest function. The hash value output by the hash function is also called a message digest or fingerprint.

Several common one-way hash functions

  • MD4, MD5: generate a 128-bit hash value. MD is short for Message Digest
  • SHA-1: produces a 160-bit hash value; it is no longer secure
  • SHA-2: SHA-256, SHA-384, and SHA-512, with hash lengths of 256, 384, and 512 bits respectively
  • SHA-3: the new standard

How one-way hash functions prevent tampering

Different data produces different hash values: as soon as a file is changed, its hash value changes. To check whether our data has changed, we only need to compare the two hash values and see whether they differ. When we implement a login function, we often save the value produced by running the user’s password through a one-way hash function, to prevent third parties from tampering with the password.

This is the data tamper-proofing technique: before transmission the sender computes a hash value over the data and sends it to the receiver together with the data. When the receiver gets the data, it recomputes the hash value over the received data and compares it with the received hash value to judge whether the data has been changed.

So far we have used the hybrid cryptosystem to keep the transmitted data confidential and the one-way hash function to check the consistency of the data, but this still does not solve the problem of a middleman intercepting and tampering with the data, because the middleman can regenerate the hash value. Next we discuss digital signatures, which can authenticate the identity of the message sender.
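
The limitation just described, as an added Python example that is not part of the original article: an unkeyed hash sent alongside the data catches a change to the data, but not a change made by someone who can also replace the hash. The message text and function names are constructed for the illustration.

```python
import hashlib


def package(message: bytes):
    """Sender: ship the message together with its SHA-256 digest."""
    return message, hashlib.sha256(message).hexdigest()


def receiver_accepts(message: bytes, digest: str) -> bool:
    """Receiver: recompute the digest and compare it with the one received."""
    return hashlib.sha256(message).hexdigest() == digest


def changed_data_only(message: bytes, digest: str):
    """The data is altered in transit but the original digest is kept."""
    return message.replace(b"100", b"900"), digest


def changed_data_and_digest(message: bytes, digest: str):
    """A middleman alters the data and regenerates the digest, which needs
    no secret because the hash function is public."""
    return package(message.replace(b"100", b"900"))


if __name__ == "__main__":
    sent = package(b"pay 100 to Bob")                            # constructed sample
    print(receiver_accepts(*sent))                               # True
    print(receiver_accepts(*changed_data_only(*sent)))           # False: detected
    print(receiver_accepts(*changed_data_and_digest(*sent)))     # True: not detected
```

The third case is why the digest has to be bound to a key the middleman does not hold, which is what signing the hash with a private key provides.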

Digital signature

A digital signature (also known as a public-key digital signature) is a digital string that can only be generated by the sender and cannot be forged by others. This digital string is also an effective proof of the authenticity of the message sent by the sender.

It is similar to an ordinary physical signature written on paper, but it is implemented using techniques from the field of public-key cryptography and is used to authenticate digital information. A digital signature scheme typically defines two complementary operations, one for signing and one for verification. Digital signatures are an application of asymmetric-key encryption technology and digital digest technology.

In plain English, signing a message with the sender’s private key is a digital signature.

In digital signatures, anyone can verify the signature using the public key.

In digital signature technology, there are the following two operations:

  • Generating the signature is done by the sender of the message, using the signing key
  • Verifying the signature is done by the receiver of the message, using the verification key

Because a digital signature is produced with the message sender’s private key, and that private key is held only by the sender and by no one else, we sign the message with the private key, and others can determine the real identity of the message sender using the sender’s public key.

Let’s look at digital signatures versus public key ciphers:

| | The private key | The public key |
| --- | --- | --- |
| Public-key cryptography | Used by the receiver to decrypt | Used by the sender to encrypt |
| Digital signature | Used by the signer to generate the signature | Used to verify the signature |
| Who holds the key? | Held by the individual | Anyone can have it as long as they need it |

Digital signature process:

In the figure above, the message Alice is going to send is encrypted with her own private key and sent to Bob, who decrypts the message with Alice’s public key. There is a drawback here: if Alice sends a large message, such as a 1GB video file, the signing process is too slow, because asymmetric encryption itself is relatively slow.

Here’s an improved version:

Here we first compute a fixed-size hash value of the message and then sign that hash, so the signature is much smaller. We then send the message together with the signature to Bob, and Bob decrypts the signature with the public key and compares the result with the hash of the message he received.

Here are some points about digital signatures:

1. What will happen if someone tampers with the contents of the file or the signature? The result: signature verification fails, which proves tampering.

2. Does a digital signature not guarantee confidentiality? The purpose of a digital signature is not to guarantee confidentiality, but only to identify whether the content has been tampered with.

3. Functions of digital signatures

  • Verify the integrity of the message
  • Identify whether the message has been tampered with
  • Prevent message sender denial

A digital signature can identify the sender of a message, provided you make sure that the public key you obtained really belongs to the sender. If the public key you obtained was forged by a middleman, you cannot verify the authenticity of the message sender, as shown below:

A asks B for B’s public key while M is listening in the middle. The public key that B sends to A is intercepted and saved by M, and M gives his own public key to A. A believes that this public key is B’s and encrypts the message for B with it. M intercepts the message, decrypts it with his own private key, modifies the content, encrypts it again with the saved public key of B, and sends it to B, who decrypts it. Both A and B think they are communicating normally, but the message is no longer the same message. How can we determine whether the public key is valid? How do we know that the public key is B’s?

Now we come to certificates: we introduce a third-party authority to verify that the public key is B’s. Let’s take a look.

Certificate

The CA is the issuing authority of certificates and the core of Public Key Infrastructure (PKI). The CA is responsible for issuing certificates, certifying certificates, and managing issued certificates.

The CA has a certificate (containing public and private keys). Public users on the Internet trust the CA by verifying the CA’s signature. Anyone can obtain the CA’s certificate (including its public key) to verify certificates issued by it. In cryptography, the full name of a certificate is public-key certificate (PKC). Similar to a driver’s license, it contains personal information such as name and email, as well as the person’s public key, and it is digitally signed by the Certificate Authority (CA).

As is clearly shown in the figure, the sender first registers its certificate with the CA, and then anyone who gets the sender’s public key can verify the authenticity of the public key with the CA.

Signature mechanism in iOS

First of all, what does iOS signature do?

Ensure that all apps installed on users’ phones are approved by Apple.

There are a number of complex steps developers need to go through, whether for debugging on a real device or releasing an app:

1. Generate the CertificateSigningRequest.certSigningRequest file

2. Obtain the iOS_development.cer / iOS_distribution.cer certificate file

3. Register the device and add the App ID

4. Obtain the .mobileprovision file

The general picture is as follows:

1. We generate a pair of public and private keys on our own computer. In practice this is done by generating the CertificateSigningRequest.certSigningRequest file through Keychain

2. Sign the App with the private key on our Mac

3. Upload our public key file to the Apple backend

4. The Apple backend uses its private key to sign our public key

5. We select the device list, App ID, permissions, etc.

6. The Apple backend private key signs the selected items together with the signature generated in step 4, producing the description file mobileprovision

7. When our app is installed or run on the phone: first of all, the phone has the Apple backend public key built in

8. First, the Apple backend public key in the phone verifies the mobileprovision file, which yields the information from step 6; then the Apple public key verifies the information from step 4. Once this step is complete, it yields the public key of the computer we develop on

9. Use the Mac public key to verify the App signature

Conclusion:

1. .certSigningRequest file: the Mac public key

2. .cer file: a digital signature for the Mac public key, generated with the Apple private key (CA)

3. .mobileprovision: a digital signature, generated with the Apple private key, over [.cer certificate + devices + AppID + entitlements]
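
The two-level chain summarized above, modelled end to end as an added Python example that is not part of the original article and is not Apple's implementation. It assumes unpadded toy RSA keys built from fixed Mersenne primes, JSON dictionaries in place of the real .cer and .mobileprovision formats, and hypothetical names (`build_bundle`, `device_accepts`, `DEVICE-A`, `com.example.demo`).

```python
import hashlib
import json

E = 65537

def toy_keypair(p, q):
    """Toy unpadded RSA key from two known primes (insecure, illustration only)."""
    n = p * q
    return (n, E), (n, pow(E, -1, (p - 1) * (q - 1)))   # (public, private)

def digest(obj) -> int:
    blob = json.dumps(obj, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(blob).digest(), "big")

def sign(private, obj) -> int:
    n, d = private
    return pow(digest(obj), d, n)        # the fixed-size hash is signed, not the data

def verify(public, obj, signature) -> bool:
    n, e = public
    return pow(signature, e, n) == digest(obj)

# Constructed keys: Mersenne primes stand in for real key generation.
APPLE_PUB, APPLE_PRIV = toy_keypair(2**521 - 1, 2**607 - 1)
MAC_PUB, MAC_PRIV = toy_keypair(2**127 - 1, 2**1279 - 1)

def build_bundle(app_code: str) -> dict:
    cer = {"mac_pub": list(MAC_PUB)}
    cer["sig"] = sign(APPLE_PRIV, cer["mac_pub"])               # step 4
    profile = {"cer": cer, "devices": ["DEVICE-A"],             # step 5
               "app_id": "com.example.demo", "entitlements": ["push"]}
    return {"app": app_code,
            "app_sig": sign(MAC_PRIV, app_code),                # step 2
            "profile": profile,
            "profile_sig": sign(APPLE_PRIV, profile)}           # step 6

def device_accepts(bundle: dict, device_id: str) -> bool:
    profile, cer = bundle["profile"], bundle["profile"]["cer"]
    if not verify(APPLE_PUB, profile, bundle["profile_sig"]):   # step 8: profile
        return False
    if not verify(APPLE_PUB, cer["mac_pub"], cer["sig"]):       # step 8: .cer
        return False
    if device_id not in profile["devices"]:   # assumed use of the signed device list
        return False
    return verify(tuple(cer["mac_pub"]), bundle["app"], bundle["app_sig"])  # step 9
```

The device trusts only the built-in Apple public key; the Mac public key used in step 9 is accepted because it arrives inside data that Apple signed.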

If there are any mistakes above, corrections are welcome. Please indicate the source when reprinting.