Only the private key can decrypt data encrypted with the public key, and conversely only the public key can decrypt data encrypted with the private key. It is this asymmetry that makes public key cryptosystems so useful. Authentication with a public key cryptosystem is the process of verifying identity: its purpose is to convince one party that the other party is who he claims to be. A simple example shows how a public key cryptosystem makes identity easy to verify. Note: in the exchanges below, {something} key means that "something" has been encrypted or decrypted with the key "key".
1. Prototype of encryption and decryption
Suppose A wants to authenticate B. B has a key pair, that is, a public key and a private key, and has revealed his public key to A (how he does that reliably is discussed later). A then generates a random message and sends it to B:

    A->B  random-message

B encrypts this message with his private key and returns the encrypted message to A:

    B->A  {random-message} B's-private-key

A receives this message and decrypts it with the public key she got from B. She compares the decrypted message with the original; if they match, she knows she is talking to B. An intruder does not know B's private key, so he cannot correctly encrypt the random message that A wants checked.
2. Digital signature
Unless you know exactly what you are encrypting, it is never a good idea to encrypt something with your private key and send it to someone else, because the encrypted data can be used against you (remember, only you could have produced it, since only you have the key). Therefore, instead of encrypting the original message sent by A, B constructs a message digest and encrypts that. A message digest is derived from the random message in a way that has the following properties:
- the digest is hard to reverse: anyone trying to impersonate B cannot recover the original message from the digest
- the impersonator cannot find a different message that has the same digest
Using the digest, B can protect himself. He computes the digest of the random message sent by A, encrypts it, and returns the encrypted digest to A. A computes the same digest, decrypts B's message and compares the two, which authenticates B. This process is the well-known digital signature.

    A->B  hello, are you B?
    B->A  A, this is B {digest[A, this is B]} B's-private-key

When B uses this protocol he knows what message he is sending to A and does not mind signing it. He first sends the plain message "A, this is B", then the encrypted digest. A can easily tell that B is B, and B has not signed anything he did not want to sign.
3. Distribute public keys and certificates
How does B distribute his public key reliably? Suppose the authentication protocol looks like this:

    A->B  hello
    B->A  Hi, I'm B, B's-public-key
    A->B  prove it
    B->A  A, this is B {digest[A, this is B]} B's-private-key

With this protocol anyone can be B. All you need is a public key and a private key: you tell A that you are B, substitute your own public key for B's, and then prove it with something encrypted under your private key, and A has no way of telling that you are not B. To solve this problem, ISO invented something called a certificate. A certificate contains:
- the name of the certificate issuer
- the subject to whom the certificate is issued
- the subject's public key
- some time stamps
The certificate is signed with the issuer's private key, and everyone knows the issuer's public key (that is, the issuer has a certificate of its own, and so on). A certificate is the standard way to bind a public key to a name. With certificates, we can check whether B is a forgery by looking at B's certificate. Assuming B keeps strict control of his private key and that it was really B who obtained the certificate, everything is fine. Here is the revised protocol:

    A->B  hello
    B->A  Hi, I'm B, B's-certificate
    A->B  prove it
    B->A  A, this is B {digest[A, this is B]} B's-private-key

When A receives B's first message she can check the certificate, verify its signature (as above, using a digest and public key decryption), then check the subject (B's name) to decide whether it is genuine. She then trusts that the public key is B's and asks B to prove his identity. B goes through the same process as before: computes the message digest, signs it and sends it to A. A checks B's message digest with the public key taken from the certificate and so confirms B's identity.
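The exchanges of sections 1 to 3 worked through in code, as an added example that is not from the original page: a textbook RSA key pair signs the digest of A's random message, and a minimal certificate binds B's name to his key under the signature of an issuer whose public key A already knows. The toy key size, the lack of padding, and the names keygen, sign, verify, issue_cert and authenticate are this example's own assumptions, chosen to illustrate the protocol rather than to be used as a real implementation.

```python
import hashlib
import math
import secrets

def is_probable_prime(n, rounds=32):               # Miller-Rabin, for 160-bit candidates
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x == 1:
            continue
        for _ in range(r):
            if x == n - 1:
                break
            x = pow(x, 2, n)
        else:
            return False
    return True

def gen_prime(bits):
    c = secrets.randbits(bits) | (1 << (bits - 1)) | 1   # odd, with the top bit set
    while not is_probable_prime(c):
        c += 2
    return c

def keygen(bits=160):                                   # toy RSA: ((e, n), (d, n)), n > 2**256
    while True:
        p, q = gen_prime(bits), gen_prime(bits)
        if math.gcd(65537, (p - 1) * (q - 1)) == 1:
            return (65537, p * q), (pow(65537, -1, (p - 1) * (q - 1)), p * q)

def digest(msg):                                        # SHA-256 digest as an integer below n
    return int.from_bytes(hashlib.sha256(msg).digest(), "big")
def sign(priv, msg):                                    # {digest[msg]} private-key
    return pow(digest(msg), priv[0], priv[1])
def verify(pub, msg, sig):                              # undo with the public key, compare digests
    return pow(sig, pub[0], pub[1]) == digest(msg)

def issue_cert(issuer_priv, issuer, subject, subject_pub):
    body = f"{issuer}|{subject}|{subject_pub[0]}|{subject_pub[1]}".encode()
    return body, sign(issuer_priv, body)                # (issuer, subject, key) signed by issuer

def authenticate(issuer_pub, cert, expected_name, responder):
    body, cert_sig = cert                               # A's side of the revised protocol
    _, subject, e, n = body.decode().split("|")
    if subject != expected_name or not verify(issuer_pub, body, cert_sig):
        return False                                    # wrong name, or not signed by A's issuer
    challenge = secrets.token_bytes(16)                 # A's random message: "prove it"
    return verify((int(e), int(n)), challenge, responder(challenge))
```

The responder argument stands for B's side of the exchange: it receives A's random message and returns the signed digest, so an impostor holding a different private key, or a certificate naming someone else, fails the check.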
4. Preventing data tampering: message authentication codes
Suppose there is a bad guy H. Although he cannot learn the secrets exchanged between A and B, he can interfere with and disrupt their conversation. For example, if H sits between A and B, he can pass most messages through unchanged and alter specific bits in others:

    A->H  hello
    H->B  hello
    B->H  Hi, I'm B, B's-certificate
    H->A  Hi, I'm B, B's-certificate
    A->H  prove it
    H->B  prove it
    B->H  A, this is B {digest[A, this is B]} B's-private-key
    H->A  A, this is B {digest[A, this is B]} B's-private-key
    A->H  ok B, here is a secret {secret} B's-public-key
    H->B  ok B, here is a secret {secret} B's-public-key
    B->H  {some message} secret-key
    H->A  Garble[{some message} secret-key]

H lets the data pass unchanged until A and B share a secret. Then H changes the message B sends to A. At this point A trusts B, so she may believe the altered message and act on it. Note that H does not know the secret: all he can do is damage data encrypted under the secret key. He may not be able to produce meaningful data with this protocol, but next time he may get lucky. To prevent this damage, A and B introduce a Message Authentication Code (MAC) into their protocol. A MAC is computed from the secret key and the transmitted data, and the properties of the digest algorithm above can be used to build a MAC function that resists H:

    MAC := digest[some message, secret]

Because H does not know the secret, he cannot compute the correct value of this digest. Even if H changes the message at random, his chance of success is small if the digest is large. For example, using MD5, A and B can send a 128-bit MAC value with their messages; the probability that H guesses the correct MAC value is 1 in 18,446,744,073,709,551,616.
Here is the protocol again, revised:

    A->B  hello
    B->A  Hi, I'm B, B's-certificate
    A->B  prove it
    B->A  A, this is B {digest[A, this is B]} B's-private-key
    A->B  ok B, here is a secret {secret} B's-public-key
    B->A  {some message, MAC} secret-key

H is in trouble now. He can change any message, but the MAC check exposes the tampering: A and B detect the forged MAC value and stop the conversation, so H cannot forge B's messages. That does not stop H from replaying, though. If H records the conversation he may not know what was said, but he can play it back. In fact, H can do some very dirty things between A and B.
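The MAC check of the revised protocol, as an added example that is not part of the original page: B's messages carry a MAC that A recomputes before trusting them, so a bit H flips in transit, or a MAC H makes up without the secret, is rejected. It uses HMAC-SHA256 in place of the page's digest[message, secret] construction and goes one step beyond the text by putting a sequence number under the MAC, which also catches the replay the last paragraph describes; the names Channel, flip_bit, demo and the shared secret are this example's own.

```python
import hashlib
import hmac

def make_mac(secret, seq, message):
    """MAC over the sequence number and the message, keyed with the shared secret."""
    return hmac.new(secret, seq.to_bytes(8, "big") + message, hashlib.sha256).digest()

class Channel:
    """One direction of the conversation (B -> A) after A and B share `secret`."""
    def __init__(self, secret):
        self.secret, self.send_seq, self.recv_seq = secret, 0, 0

    def send(self, message):                     # B's side: {some message, MAC}
        frame = (self.send_seq, message, make_mac(self.secret, self.send_seq, message))
        self.send_seq += 1
        return frame

    def receive(self, frame):                    # A's side: recompute the MAC before trusting
        seq, message, mac = frame
        expected = make_mac(self.secret, self.recv_seq, message)
        if seq != self.recv_seq or not hmac.compare_digest(mac, expected):
            return None                          # garbled, forged or replayed: reject
        self.recv_seq += 1
        return message

def flip_bit(message, i):                        # what H does: destroy one specific bit
    data = bytearray(message)
    data[i // 8] ^= 1 << (i % 8)
    return bytes(data)

def demo(secret=b"constructed shared secret for the example"):
    """Walk through a genuine message, H's garbled copy, H's forgery and H's replay."""
    b, a = Channel(secret), Channel(secret)
    first = b.send(b"pay 100 to B")
    genuine = a.receive(first)                   # accepted
    second = b.send(b"pay 100 to B")
    garbled = a.receive((second[0], flip_bit(second[1], 5), second[2]))   # rejected
    forged = a.receive((second[0], b"pay 900 to H", hashlib.sha256(b"pay 900 to H").digest()))
    accepted = a.receive(second)                 # the untouched frame still gets through
    replayed = a.receive(second)                 # playing it back again is refused
    return genuine, garbled, forged, accepted, replayed
```

Only one direction is modelled; a real protocol derives a separate MAC key per direction so a frame cannot be reflected back to its sender.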