How to verify the digital signature certificate and what is the use?
What is a digital signature? Simply put, a digital signature is the reverse application of public-key cryptography: the message is encrypted with the private key and decrypted with the public key. A digital signature proves that the information sent by the other party has not been changed, but only if you have confirmed that the other party is reliable, that is, that the public key you hold really is the other party's public key and not someone else's. A digital certificate proves that the public key you hold does indeed belong to the other party.

First, the use of digital certificates

In the "digital signature" example above, we all tacitly assumed a precondition: the goddess really does hold your public key. What if the public key the goddess holds has been swapped by someone else? Continuing the example: if one of your rivals replaces the public key held by the goddess, then when you send your confession and its digital signature to the goddess, the rival intercepts the message, rewrites the confession, generates a digital signature with his own private key (repeating your operation, but with the content changed to the rival's), and sends it on to the goddess. The goddess has no way of knowing that "you" have been replaced by a rival in love. This is where the digital certificate comes into play: a digital certificate proves the identity of the sender to the goddess.

2. The content of a digital certificate

In real life, the public security organs issue an ID card to everyone so that we can prove our identity. In the information world, a digital certificate is the other party's ID card. Like ID cards, digital certificates have a dedicated issuing authority, the certificate authority, CA for short. A digital certificate issued by the issuing authority contains the following basic contents:

1. Certification Authority

2. Certificate holder name/server domain name

3. The validity period of the certificate

4. Certificate signature algorithm (digest algorithm and encryption algorithm)

5. Certificate signature value

6. The encryption algorithm of the certificate owner

7. The public key of the certificate owner

Second, how to verify the digital certificate

In real life, to verify a person's identity, we first check that the person's ID card is valid, and then check whether the person's appearance matches the photo on the ID card. A digital certificate is verified along the same lines:

1. Verify the validity of the digital certificate.

The digital certificate contains the issuing authority's digital signature over the certificate, and the public key of the issuing authority is built into the browser by default (for the time being). With this public key, the browser decrypts the certificate's digital signature to recover the certificate digest, then recalculates the certificate digest itself using the certificate's digest algorithm, and finally compares the two values. If they are equal, the digital certificate is indeed a valid certificate issued by the issuing authority.

Third, verify the "appearance"

How to verify that the owner of the certificate is the website that the browser is talking to?

The digital certificate contains one or more domain names of the website's server, and the browser checks whether one of them matches the domain name of the server it is talking to (to prevent man-in-the-middle attacks, MITM).

Fourth, the cascade of digital certificates

The institutions that issue certificates can form a cascade: institution A can authorize institution B to issue certificates, and institution B can in turn authorize institution C to issue certificates. If the website's certificate is issued by C, you need B's certificate to verify the certificate issued by C. Similarly, you need A's certificate to verify the certificate issued by B. This process is recursive, and the certificate of institution A is called the "root certificate". The root certificate is configured on our computer and is treated as secure by default.
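The signature check, the domain check and the A, B, C cascade described above, as an added example that is not code from the original page. It uses textbook RSA with toy keys built from Mersenne primes and no padding; the certificate layout, the function names and the domain `shop.example` are assumptions made for illustration.

```python
import hashlib

E = 65537  # public exponent shared by all toy keys (assumption for this example)

def keypair(p, q):
    """Textbook RSA from two primes: (public modulus n, private exponent d)."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))

def digest(cert, n):
    """Digest of every certificate field except the signature value."""
    tbs = "|".join([cert["issuer"], cert["subject"], ",".join(cert["domains"]), str(cert["pub"])])
    return int.from_bytes(hashlib.sha256(tbs.encode()).digest(), "big") % n

def issue(issuer, issuer_key, subject, pub, domains=()):
    """The issuer digests the fields, then transforms the digest with its PRIVATE key."""
    n, d = issuer_key
    cert = {"issuer": issuer, "subject": subject, "domains": list(domains), "pub": pub}
    cert["sig"] = pow(digest(cert, n), d, n)
    return cert

def verify(chain, roots, hostname):
    """chain: [site cert, ..., cert signed by a root]; roots: {CA name: public n}."""
    if hostname not in chain[0]["domains"]:          # the "appearance" check
        return "domain mismatch"
    for i, cert in enumerate(chain):
        if i + 1 < len(chain):                       # issuer key comes from the next cert up
            if chain[i + 1]["subject"] != cert["issuer"]:
                return "broken chain"
            issuer_n = chain[i + 1]["pub"]
        else:                                        # top of the chain: must be a built-in root
            issuer_n = roots.get(cert["issuer"])
            if issuer_n is None:
                return "untrusted root"
        # "Decrypt" the signature with the issuer's PUBLIC key, compare with our own digest.
        if pow(cert["sig"], E, issuer_n) != digest(cert, issuer_n):
            return "bad signature on " + cert["subject"]
    return "ok"

# Constructed sample data. Mersenne primes give quick toy keys; never build real keys this way.
def m(k): return 2**k - 1
A, B, C = keypair(m(521), m(607)), keypair(m(127), m(1279)), keypair(m(107), m(2203))
SITE_PUB, RIVAL = keypair(m(89), m(2281))[0], keypair(m(61), m(3217))
ROOTS = {"A": A[0]}                                  # only root A is pre-installed
CERT_B, CERT_C = issue("A", A, "B", B[0]), issue("B", B, "C", C[0])
SITE = issue("C", C, "shop.example", SITE_PUB, ["shop.example", "www.shop.example"])
FORGED = issue("C", RIVAL, "shop.example", RIVAL[0], ["shop.example"])  # rival claims issuer "C"

if __name__ == "__main__":
    print(verify([SITE, CERT_C, CERT_B], ROOTS, "shop.example"),
          verify([FORGED, CERT_C, CERT_B], ROOTS, "shop.example"), sep="\n")
```

The forged certificate names "C" as its issuer but was signed with the rival's private key, so decrypting its signature with C's real public key does not reproduce the digest and verification stops at the first link.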
