We often see digital signatures and digital certificates. For example, when visiting some unsafe websites, the browser warns that the website's digital certificate is unreliable. So what exactly are digital signatures and digital certificates? This article introduces both concepts in a simple and easy-to-understand manner through a scenario!
Bob has two keys, one is called the Public Key and the other is called the Private Key.
Bob's public key is public and can be obtained by anyone who needs it, but Bob's private key is private. A key is used to encrypt information: a piece of plain text that can be read and understood is encrypted with the key and turned into a piece of "garbled code". Only a person with the correct key can restore this encrypted information, that is, the "garbled code", into real information that can be read and understood. Either of Bob's two keys, the public key or the private key, can encrypt information, and the information can then be decoded with the corresponding other key. That is to say, if Bob's public key is used to encrypt information, then Bob's private key, and only Bob's private key, can decode it. Conversely, if Bob's private key is used to encrypt the information, then Bob's public key, and only Bob's public key, can decode it!
So Bob can use his public key and private key to encrypt and transmit information!
For example, Susan wants to communicate with Bob. Considering the security of the information, Susan can use Bob's public key to encrypt the information to be transmitted. After Bob receives the message, he can use his private key to decode it. Now assume that someone steals the information that Susan sent to Bob. Since the thief does not have Bob's private key, the information cannot be decoded, so even if the information is stolen, it cannot be read and understood.
However, although hackers cannot decode the information sent by Susan to Bob, they can tamper with it and destroy the original information. Then, when Bob receives the tampered information and decodes it with his own private key, the result will be inconsistent with the information Susan originally wanted to convey, which is equivalent to destroying the information transmission between Susan and Bob! Technically, we call this behavior destroying the integrity of the information! In layman's terms: even if I can't get the information, you can't get it either!
So the question now is: how do we ensure the integrity of the information? That is, how do we ensure that the information is not destroyed or, when it is destroyed, that the receiver can recognize that it has been damaged and throw it away?
Digital signatures can solve the above problems! Using the digital signature, the receiver can determine whether the information it received has been damaged. If it has not been damaged, it can be decoded correctly. If it is damaged, it can be discarded directly.
Digital signatures can ensure that any tampering with information can be discovered, thereby ensuring the integrity of the information during transmission.
So how does a digital signature guarantee integrity? The key technology is hashing.
First, Bob hashes the information to be transmitted and obtains a string of unique characters. The content after the hash is usually called a message digest. We all know that hashing is often irreversible, that is to say, we cannot infer the original text before hashing based on the content after hashing.
At the same time, different original texts will result in different hash results, and the differences in the results are huge or even irregular. In other words, no matter how subtle the modification is to the original text, the hashed content obtained will be very different from the hashed content of the unmodified original text. This ensures that any modifications made by hackers to the original text will be discovered!
Bob then encrypts the message digest with his own private key. This ensures that only Bob's public key can correctly decode the message digest, which in turn shows that the message digest must have come from Bob, so it serves as a unique signature.
The encrypted message digest is actually the content of the digital signature.
Finally, Bob appends the digital signature to the back of the original message, thus forming a complete information message with a digital signature.
Bob transmits the digitally signed information message to Pat.
After Pat receives the information, he first uses Bob's public key to decode the digital signature and obtains the message digest. If it is decoded successfully, the digital signature is from Bob, because the digital signature was encrypted with Bob's own private key, and only Bob's public key can decrypt it. Then Pat hashes the original text of the information to get his own message digest and compares it with the message digest obtained by decoding the digital signature. If they are the same, the original text is complete and has not been tampered with. Otherwise, the information has been destroyed.
It seems that now, using public and private keys and digital signatures, we can guarantee the privacy and integrity of information during transmission. But there is still a problem: public key distribution. How do we ensure that Bob's public key is correctly distributed to Susan, Pat, and the others? Suppose there is a middleman who steals the public key that Bob sends to Pat, forges a fake public key, adds Bob's name to it, and sends it to Pat. This means that Pat is always communicating with the middleman, and Bob is actually communicating with the middleman too, but they both think they are communicating with each other. Therefore, the question now is: how does Pat confirm that the public key he received is really Bob's public key and not one forged by someone else?
This problem can be compared to a problem in real life. We know that public keys and private keys exist in pairs, that is, a person generally has a unique pair of public and private keys. Just as each of us has a unique ID card, we can compare the public key to a real ID card. When we face a stranger, in order to trust the other person, we can generally check the other person's ID card. But here there is a loophole similar to the middleman problem above: what if the ID card given by the other party is fake and forged? That is, what if the other party gives a fake public key? How do we identify authenticity? In reality, there is often an ID card authenticity identifier, generally available in public security bureaus and other institutions, and we can use it to confirm the authenticity of an ID card. When we think about this mechanism carefully, we see that it introduces an independent third party. As an independent third party, the state creates an ID card for each of us. When we need to verify the authenticity of an ID card, we only need to use the authenticity identification service provided by this independent third party.
Therefore, similarly, our idea to solve the public key distribution problem is to introduce an independent and authoritative third-party organization.
Assume that there is an authoritative certification center for digital certificates. This center will create a digital certificate for Bob. This digital certificate includes some information about Bob and Bob's public key.
Then people who want to communicate with Bob can check Bob's digital certificate and go to the authoritative digital certificate certification center to verify whether it really is Bob's digital certificate. If so, Bob's public key can be obtained from the digital certificate, and secure communication can be carried out. Just like in real life, whenever we deal with any financial or security matter, we need to show our ID card, and the other party will verify its authenticity. In other words, a person holding a fake ID card, or with no identity information at all, cannot gain the trust of others. Similarly, in network communication, if the information cannot be found in the certification center of the digital certificate, it means that the communicating party is unsafe and untrustworthy! On the other hand, digital certificates not only solve the problems of public key distribution and identity authentication, but also enhance security.
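Added example, not from the original article: a Python sketch of the two checks described above, Pat verifying Bob's digital signature on a message and the certification center binding Bob's name to his public key. It assumes unpadded textbook RSA on constructed toy keys built from known Mersenne primes, SHA-256 as the hash, and hypothetical helper names (`make_key`, `issue_certificate`, `check_certificate`); real systems use randomly generated keys and a padded signature scheme.

```python
import hashlib

E = 65537  # widely used RSA public exponent

def make_key(a, b):
    # Constructed toy key: p and q are the Mersenne primes 2**a-1 and 2**b-1.
    p, q = 2**a - 1, 2**b - 1
    return {"n": p * q, "d": pow(E, -1, (p - 1) * (q - 1))}

def digest(message):
    # The message digest: SHA-256 of the text, as an integer.
    return int.from_bytes(hashlib.sha256(message).digest(), "big")

def sign(message, key):
    # Bob's step: "encrypt" the digest with the private exponent d.
    return pow(digest(message), key["d"], key["n"])

def verify(message, signature, n):
    # Pat's step: decode the signature with the public key (E, n), re-hash, compare.
    return pow(signature, E, n) == digest(message)

def issue_certificate(ca_key, name, subject_n):
    # The certification center signs the pair (name, public key).
    body = f"{name}|{subject_n}".encode()
    return {"name": name, "n": subject_n, "ca_sig": sign(body, ca_key)}

def check_certificate(cert, ca_n):
    body = f"{cert['name']}|{cert['n']}".encode()
    return verify(body, cert["ca_sig"], ca_n)

def demo():
    bob, ca, middleman = make_key(521, 607), make_key(1279, 2203), make_key(2281, 3217)
    msg = b"Meet at noon"  # constructed sample message
    sig = sign(msg, bob)
    cert = issue_certificate(ca, "Bob", bob["n"])
    # The middleman keeps Bob's name and the center's signature but swaps in his own key.
    forged = dict(cert, n=middleman["n"])
    return {
        "intact_message": verify(msg, sig, bob["n"]),
        "tampered_message": verify(b"Meet at nine", sig, bob["n"]),
        "real_certificate": check_certificate(cert, ca["n"]),
        "forged_certificate": check_certificate(forged, ca["n"]),
        "key_taken_from_certificate": verify(msg, sig, cert["n"]),
    }

if __name__ == "__main__":
    print(demo())
```

The forged certificate fails because the center's signature covers both the name and the key, so changing either one changes the digest Pat computes.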
The detailed communication process using digital certificates is as follows:
The public key distribution and digital signature verification process described above seems very complicated, but in fact it is just like verifying the authenticity of an ID card. We usually have a recognizer, and as long as we put the ID card on it, we get the result. We often don't need to care about the actual process behind it. The same is true in network communication: a friendly user interface is often provided, and verifying a digital signature or digital certificate is actually as simple as clicking a button!