1. The basic function of digital certificate A digital certificate is a digital file signed by a certificate authority, which contains public key owner information, public key, issuer information, validity period and some extended information. From the purpose of certificate, digital certificate can be divided into signature certificate and encryption certificate. Signing certificate is mainly used to sign user information to ensure the integrity of information and the undeniable behavior; Encryption certificate is mainly used to encrypt the information transmitted by users to ensure the confidentiality of information. The following describes the basic functions of digital certificates in principle. Authentication in various application systems, it is often necessary to complete the user's identity authentication to determine who is using the system and what kind of operation authority can be given to the user. Up to now, identity authentication technology has developed into a mature technical system, in which the use of digital certificates to complete identity authentication is one of the safest and most effective technical means. To complete identity authentication with a digital certificate, the authenticated party (a) must first apply for a digital certificate in the relevant digital certificate operation organization, and then submit the certificate to the application system authenticator (b) to complete identity authentication. The identity authentication process that usually uses digital certificates is shown in the following figure: the authenticated party (a) encrypts the random number with its own signature private key; The authenticated party (a) sends its signature certificate and ciphertext to the authenticated party (b); B verify the validity period and certificate chain of the signature certificate provided by A, and complete the blacklist check, and give up if it fails; After the validity period, certificate chain and blacklist are verified, Party B decrypts the ciphertext provided by Party A with Party A's signature certificate, which successfully indicates that it can accept the identity stated in the signature certificate submitted by Party A.. In the above process, step 3 describes the verification of the certificate itself, and verifies the validity period, certificate chain and blacklist in turn. If one step of verification fails, the verification process will be terminated immediately, and there is no need to carry out the next verification. At the same time, the order of validity, certificate chain and blacklist is the most reasonable order, which can make the verification process achieve the best performance. After passing the verification in the third step, the certificate submitted by Party A can be verified, but this is not necessarily related to whether Party A itself is equal to the entity mentioned in the certificate, and Party A must show that it is the owner of the unique private key corresponding to the signed certificate. Therefore, when step 4 is successfully executed, that is, the signature certificate can be decrypted, it means that Party A has the private key, thus completing the authentication of the identity declared by Party A. What is specifically described above is one-way authentication, that is, only B authenticates the identity of A, while A does not authenticate the identity of B. One-way authentication is not a perfect security measure, and an honest and reliable user A may be deceived like a "phishing website". Therefore, in the application environment that needs high security, it is also necessary to realize two-way authentication. That is, Party B also needs to provide Party A with its signature certificate, and Party A will complete the above verification process to confirm Party B's identity. As shown below. Digital signature Digital signature is one of the important application functions of digital certificate. The so-called digital signature refers to the data obtained by the certificate user (a) encrypting the message digest obtained by hashing the original data with his own signature private key. The information receiver (b) obtains the message digest by decrypting the digital signature attached to the original information using the signature certificate of the information sender, and calculates the message digest of the received original data by using the same hash algorithm. By comparing them, we can verify whether the original information has been tampered with. Digital signature can protect the integrity of data and the undeniable nature of data transmission. To use digital certificate to complete the digital signature function, it is necessary to apply for a digital certificate with digital signature function from the relevant digital certificate operation organization before using the digital certificate signature function in the business process. Usually, the signing and verification process of digital certificate signature is as shown in the figure: the signature sender (a) uses hash algorithm to calculate the abstract of plaintext to be sent; A encrypts the abstract with its signature private key to obtain ciphertext; A sends ciphertext, plaintext and signature certificate to signature verification party B; Otsuichi decrypts the ciphertext sent by A through the signature certificate of A, and gets a digest. On the other hand, he uses the same hash algorithm to calculate the digest of plaintext. B Compare the two abstracts, and if they are the same, you can confirm that the plaintext has not been changed during transmission, and the information was sent by the entity that declared its identity in the certificate. If you need to confirm whether A's identity is consistent with that stated in the certificate, you need to perform the authentication process as described in the previous section. In the above process, the digital signature function can be completed by using the signature private key combined with the hash algorithm. In the process of digital signature, it can be clear whether the data integrity is destroyed in the transmission process and whether the data sending behavior is the behavior of the identity stated in the signing certificate, providing the functions of data integrity and behavior non-repudiation. The identity confirmation of digital certificate and A needs to be clarified through the identity authentication process. Digital envelope Digital envelope is another important application function of digital certificate, and its effect is similar to that of ordinary envelope. Ordinary envelopes are bound by law to ensure that only the recipient can read the contents of the letter; Digital envelopes use cryptographic technology to ensure that only the designated recipients can read the contents of the letter. Symmetric encryption and public key encryption are used in digital envelopes. The sender (a) encrypts the information with a randomly generated symmetric key, and then encrypts the symmetric key with the public key of the receiver (b), which is symmetric after encryption.