preface

Public-key encryption and digital signature do not guarantee that the public key actually comes from the sender of the message. Thus, even if the public key is maliciously replaced by a third party, the recipient will not notice. Digital certificate can solve this problem perfectly and ensure the correctness of public key.

Process diagram

A has the public key PA and the private key SA, and now wants to send the public key PA to B.

  • First of all, A needs to apply for the issuance certificate from the certification authority to prove that the public key PA is actually generated by itself.
  • The custodians in the certification authority prepare their own public key PC and private key SC.
  • A sends the public key PA and personal data containing email information to the certification Authority.
  • The certification center will confirm the received information and judge whether it is A’s own information. After the verification, the ca uses its own private key SC to generate A digital signature based on A’s data.
  • The ca puts the digital signature and the data in the same file.
  • And then, send this file to A
  • A’s digital certificate is as follows
  • A sends A digital certificate as A public key to B.
  • After receiving the digital certificate, B confirms that the email address in the certificate is indeed A’s address. B then obtains the public key of the authentication authority.
  • B Verifies the signature in the certificate to check whether it is the signature provided by the authentication center. The signature in the certificate can only be verified with the certification authority’s public key PC. If the verification results are not abnormal, it shows that the certificate is indeed issued by a certification authority.
  • After confirming that the certificate is issued by the certification authority and that the email address is A’s, B retrieves A’s public key PA from the certificate. The public key is then passed from A to B.

Security of digital certificates

Suppose X impersonates A and is about to send the public key PX to B.However, THERE is no need for B to trust a public key received in a non-certificate form.Suppose X, in order to impersonate A, is going to register his public key with the authentication authority. Then X can’t use A’s email address, so it can’t get A’s certificate.

The principle of analytic

With a digital certificate, the recipient of the message can identify the maker of the public key.

If B has obtained the public key from the certification authority, does it have to come from the certification Authority?

Since the public key itself cannot represent its maker, it is possible that it was generated by impersonating X in authentication. That said, there is also the public-key problem.In fact, the CA’s public key PC is delivered as a digital certificate that is signed by a higher level ca.For example, in the tree structure shown below, the top certification authority issues certificates for the bottom certification authority. So, how is this tree structure generated? Suppose there is A certification authority A that is widely recognized by the society. At this time, a newly established company B appeared. Although B wanted to carry out the business of certification center, it could not be recognized by the society.

Therefore, B applies to A for issuing A digital certificate. Of course, A will properly test whether B can carry out the certification center business. As long as A issues the certificate, Company B can show to the society that it has won the trust of Company A. Thus, the tree structure is established through the reliance of the large organization to the small organization.

The top certification authority is called the root certification Authority, which justifies itself. The certificate that authenticates the root authentication center is the root certificate. If the root certificate is not trusted, the entire organization cannot function. Therefore, root certification centers are mostly large enterprises, or government-related organizations that have gained social trust.

The use of digital certificates in websites

This is an example of delivering public keys between individuals, and digital certificates are also used for communication between websites. As long as you can receive a certificate from a website containing a public key, you can confirm that the website has not been impersonated by a third party.

The certificate here is called a “server certificate” and is also issued by a certification authority. An individual’s certificate corresponds to his mailbox information, and the server’s certificate corresponds to the domain name information. Therefore, we can also confirm that the domain name of the site and the server that stores the content of the site itself are managed by the same organization.

In this way, digital certificates are guaranteed by a certification authority to the maker of public keys, a set of technical specifications collectively known as “public key infrastructure”.

HTTPS digital certificate

When configuring HTTPS access to a website, you need to apply for a digital certificate from the relevant authority. After obtaining the digital certificate, add it to the project. We can use the browser to access the site through HTTPS, and the authority is officially granted by the browser, so the root node is the browser.

As you can see, a site with HTTPS enabled issues your certificate to an authority officially designated by the browser, so the browser will show that the connection is secure.

Write in the last

  • The pictures used in this article are from “my first algorithm book”, if infringement, please leave a message in the comment section, the author immediately delete the relevant pictures.
  • If there are any errors in this article, please correct them in the comments section. If this article helped you, please like it and follow 😊
  • This article was first published in nuggets. Reprint is prohibited without permission 💌