A digital certificate is a set of data that identifies the parties in network communication; its function is similar to that of an ID card in real life. It is issued by an authoritative organization, and people can use it to identify each other in communication.
The simplest certificate contains a public key, a name and the digital signature of a certificate authority. In general, the certificate also includes the validity period of the key, the name of the issuing authority (certificate authority), the serial number of the certificate and other information. The format of the certificate follows the international standard ITU-T X.509.
A standard X.509 digital certificate includes the following contents:
version information of the certificate;
the serial number of the certificate (each certificate has a unique serial number);
the signature algorithm used by the certificate;
the name of the issuer of the certificate, whose naming rules generally follow the X.500 format;
the validity period of the certificate, which now generally uses the UTC time format, with a range of 1950-2049;
the name of the certificate owner, whose naming rules generally follow the X.500 format;
the public key of the certificate owner;
the signature of the certificate issuer.
With digital certificates, symmetric and asymmetric cryptography are combined to establish a strict identity authentication system, which ensures that information cannot be stolen by anyone other than the sender and receiver; that information is not tampered with during transmission; that the sender can confirm the identity of the receiver through the digital certificate; and that the sender cannot deny his own information.
2. Why use digital certificates?
Internet e-commerce technology makes it extremely convenient for customers who shop online to obtain information about businesses and enterprises, but it also increases the risk that sensitive or valuable data will be abused. Both the buyer and the seller must be sure that all financial transactions conducted on the Internet are true and reliable, and all parties to the transaction, such as customers, businesses and enterprises, must have absolute confidence in them. An Internet e-commerce system must therefore provide very reliable security and confidentiality technology, that is, it must ensure the four elements of network security: the confidentiality of information transmission, the integrity of data exchange, the non-repudiation of sent information and the certainty of traders' identities.
Confidentiality of information
Business information in transactions must be kept confidential. For example, if the account number and user name of a credit card become known, it may be misappropriated, and if ordering and payment information becomes known to competitors, business opportunities may be lost. Encryption is therefore generally required when e-commerce information is transmitted.
Certainty of the trader's identity
The two parties in an online transaction are likely to be strangers thousands of miles apart. For the transaction to succeed, each must first confirm the identity of the other: the merchant must consider whether the customer is a fraudster, and the customer will worry that the online store may be a fraudulent shop. Confirming the other party's identity conveniently and reliably is therefore the premise of the transaction. Banks, credit card companies and sales stores that provide services to customers or users must carry out identity authentication in order to operate safely, confidentially and reliably. The sales store does not know the number of the credit card used by the customer, so it can only hand the confirmation of the credit card over to the bank. Banks and credit card companies can use all kinds of confidentiality and identification methods to confirm whether the customer's identity is legitimate; at the same time, they should guard against refusal to pay and confirm the order and order receipt information.
Non-repudiation
Due to the ever-changing business conditions, once the transaction is reached, it cannot be denied. Otherwise, it will inevitably harm the interests of one party. For example, when ordering gold, the price of gold was low, but after receiving the order, the price of gold rose. If the acquirer can deny the actual time of receiving the order, or even the fact of receiving the order, the orderer will suffer losses. Therefore, all links in the communication process of electronic transactions must be undeniable.
Non-modifiability
Due to the ever-changing business conditions, once the transaction is reached, it should not be denied. Otherwise, it will inevitably harm the interests of one party. For example, when ordering gold, the price of gold is low, but after receiving the order, the price of gold has risen. If the acquirer can deny the actual time of receiving the order, or even the fact of receiving the order, the orderer will suffer losses. Therefore, all links in the communication process of electronic transactions must be undeniable.
Digital security certificates provide a way to verify identity on the Internet. The security certificate system is based mainly on the public key system; the other techniques it uses include symmetric key encryption, digital signatures and digital envelopes.
We can use digital certificates, together with symmetric and asymmetric cryptography, to establish a strict identity authentication system, which ensures that information cannot be stolen by anyone other than the sender and receiver; that information is not tampered with during transmission; that the sender can confirm the identity of the receiver through the digital certificate; and that the sender cannot deny his own information.
3. Principle of digital authentication
Digital certificates adopt the public key system, in which a pair of matching keys is used for encryption and decryption. Each user sets a private key that is known only to himself and uses it to decrypt and sign; at the same time he sets a public key, which he makes public, which is shared by a group of users and which is used for encryption and signature verification. When sending a confidential document, the sender encrypts the data with the receiver's public key, and the receiver decrypts it with its own private key, so that the information reaches its destination safely and correctly. The encryption process is guaranteed to be irreversible by digital means, that is, only the private key can be used to decrypt it.
RSA is a common public key cryptosystem. Its mathematical principle is the decomposition of a large number into the product of two prime numbers, and two different keys are used for encryption and decryption. Even if the plaintext, ciphertext and encryption key (public key) are known, it is computationally impossible to deduce the decryption key (private key). According to the current level of computer technology, it will take thousands of years to crack the 1024-bit RSA key currently used. Public key technology solves the management problem of key distribution: merchants can disclose their public keys while keeping their private keys. Shoppers can encrypt the information they send with the published public key and transmit it securely to the merchant, who then decrypts it with his own private key.
If users need to send encrypted data, the sender uses the digital certificate (public key) of the receiver to encrypt the data, while the receiver uses its own private key to decrypt it, thus ensuring the security and confidentiality of the data.
In addition, users can ensure the integrity and validity of data through a digital signature, for which they only need to encrypt the data with a private key. Because the private key is owned only by the user, the uniqueness of the signed file can be guaranteed, that is, the data is signed and sent by the signer himself, and the signer cannot deny it; the data has not been modified between issuing and receiving, and the issued document is true.
4. How are digital certificates issued?
A digital certificate is issued by a certification center. The root certificate is the basis of the trust relationship between the certification center and users. Users must download and install digital certificates before they can use them.
A certification center is a management organization that can issue digital certificates to users to confirm their identities. To prevent the forgery of digital certificates, the public key of the certification center must be reliable, and the certification center must publish its public key or provide an electronic certificate from a higher-level certification center to prove the validity of its public key. The latter method leads to the emergence of multi-level certification centers.
The process of issuing digital certificates is as follows: the user generates his own key pair and sends the public key and some personal identification information to a certification center. After verifying the identity, the certification center performs some necessary steps to make sure that the request was indeed sent by the user. The certification center then issues a digital certificate to the user, which contains information such as the user and his key, as well as a digital certificate confirming the public key of the certification center. When users want to prove the legitimacy of their public keys, they can provide this digital certificate.
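The issuing process and the multi-level trust model described above, as an added example that is not part of the original page: a root authority signs an intermediate authority's certificate, which signs a user's certificate, and a verifier walks the chain back to a trusted root. The names, dates, dictionary-based certificate layout and textbook RSA over Mersenne primes are assumptions chosen so the code runs with the standard library only; real certificates use X.509 encoding and padded signatures.

```python
import hashlib, json

# Textbook RSA with no padding and Mersenne-prime moduli: illustration only.
def keygen(p, q, e=65537):
    n, phi = p * q, (p - 1) * (q - 1)
    return {"n": n, "e": e}, pow(e, -1, phi)      # (public key, private exponent)

def digest(body, n):
    data = json.dumps(body, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def issue(serial, subject, subject_pub, issuer, issuer_pub, issuer_priv,
          not_before="2024-01-01", not_after="2026-01-01"):
    """CA step: bind subject name and public key, then sign with the CA private key."""
    body = {"serial": serial, "issuer": issuer, "subject": subject,
            "not_before": not_before, "not_after": not_after, "public_key": subject_pub}
    n = issuer_pub["n"]
    return {"body": body, "signature": pow(digest(body, n), issuer_priv, n)}

def verify_chain(chain, trust_store, today):
    """chain[0] is the user's certificate, chain[-1] the self-signed root."""
    for i, cert in enumerate(chain):
        body = cert["body"]
        parent = chain[i + 1]["body"] if i + 1 < len(chain) else body
        if not body["not_before"] <= today <= body["not_after"]:
            return f"{body['subject']}: outside validity period"
        if body["issuer"] != parent["subject"]:
            return f"{body['subject']}: issuer mismatch"
        pub = parent["public_key"]                # verify with the issuer's public key
        if pow(cert["signature"], pub["e"], pub["n"]) != digest(body, pub["n"]):
            return f"{body['subject']}: bad signature"
    root = chain[-1]["body"]
    if trust_store.get(root["subject"]) != root["public_key"]:
        return "root not in trust store"
    return "ok"

def build_chain():
    """Constructed sample: root CA -> intermediate CA -> user certificate."""
    M = lambda k: 2**k - 1                        # Mersenne primes for the k used below
    root_pub, root_priv = keygen(M(521), M(607))
    ca_pub, ca_priv = keygen(M(107), M(127))
    user_pub, _ = keygen(M(61), M(89))
    root = issue(1, "Example Root CA", root_pub, "Example Root CA", root_pub, root_priv)
    ca = issue(2, "Example Issuing CA", ca_pub, "Example Root CA", root_pub, root_priv)
    user = issue(3, "shop.example", user_pub, "Example Issuing CA", ca_pub, ca_priv)
    return [user, ca, root], {"Example Root CA": root_pub}

if __name__ == "__main__":
    chain, store = build_chain()
    print(verify_chain(chain, store, "2025-06-01"))
```

A certificate whose public key is swapped after issuance fails the signature check, and a chain that ends in a root missing from the trust store is rejected even when every signature is valid.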
5. Encryption technology
Because data may be eavesdropped by intruders during transmission, encryption technology is the main security measure and the most commonly used security measure in e-commerce. Encryption technology is to use technical means to turn important data into garbled (encrypted) transmission, and then restore (decrypt) by the same or different means after reaching the destination.
Encryption includes two elements: an algorithm and a key. An encryption algorithm is the procedure that combines ordinary text (or understandable information) with a number (the key) to produce incomprehensible ciphertext. Keys and algorithms are equally important for encryption.
Keys are an algorithm used to encode and decode data. In security and secrecy, the information communication security of the network can be ensured through appropriate key encryption technology and management mechanisms. The cryptographic systems of key encryption technology can be divided into symmetric key systems and asymmetric key systems.
Accordingly, data encryption techniques can be divided into two categories, namely symmetric encryption (private key encryption) and asymmetric encryption (public key encryption). Symmetric encryption is represented by the Data Encryption Standard (DES) algorithm, and asymmetric encryption is usually represented by the RSA (Rivest-Shamir-Adleman) algorithm. The encryption key and decryption key of symmetric encryption are the same, but the encryption key and decryption key of asymmetric encryption are different: the encryption key can be made public, while the decryption key needs to be kept secret.
6. Symmetric encryption technology
Symmetric encryption adopts symmetric cryptographic coding technology, which is characterized by using the same key for file encryption and decryption, that is, the encryption key can also be used as the decryption key. In cryptography this method is called a symmetric encryption algorithm. Symmetric encryption algorithms are simple and fast to use, have short keys and are difficult to decipher. In addition to the Data Encryption Standard (DES), another symmetric key encryption system is the International Data Encryption Algorithm (IDEA), which encrypts better than DES and makes lower demands on computing power. The IDEA encryption standard is used by the PGP (Pretty Good Privacy) system.
There are several problems with symmetric encryption algorithm in the process of e-commerce transactions:
(1) It is required to provide a secure channel for the two communication parties to negotiate an identical key during the first communication. Direct face-to-face negotiation may be unrealistic and difficult to implement, so both parties may need to resort to other relatively unsafe means such as mail and telephone to negotiate;
(2) The number of keys is difficult to manage. Because each collaborator needs to use different keys, it is difficult to adapt to a large number of information exchanges in the open society;
(3) Symmetric encryption algorithm can't provide information integrity identification generally. It cannot verify the identity of the sender and the receiver;
(4) The management and distribution of symmetric keys is a potentially dangerous and cumbersome process. Symmetric encryption is realized on the basis of keeping secret. Both trading parties using symmetric encryption technology must ensure that they use the same key, ensure that the exchange of keys between them is safe and reliable, and at the same time set up procedures to prevent key leakage and change keys.
7. Asymmetric encryption technology
In 1976, the American scholars Diffie and Hellman proposed a new key exchange protocol to solve the problems of public information transmission and key management. It allowed communicating parties on an insecure medium to exchange information and safely arrive at an agreed key, and was called the "public key system". In contrast to the symmetric encryption algorithm, this method is also called the asymmetric encryption algorithm.
Unlike a symmetric encryption algorithm, an asymmetric encryption algorithm needs two keys: a public key and a private key. The public key and the private key are a pair. If the data is encrypted with the public key, it can only be decrypted with the corresponding private key. If the data is encrypted with a private key, it can only be decrypted with the corresponding public key. Because encryption and decryption use two different keys, this algorithm is called an asymmetric encryption algorithm.
The basic process for traders to exchange confidential information by using this asymmetric encryption algorithm is as follows: Trader A generates a pair of keys and discloses one of them to other traders as a public key; Trader B, who has obtained the public key, uses it to encrypt confidential information and then sends it to Trader A; Trader A decrypts the encrypted information with the other key, the private key it has kept. Only Trader A, with its private key, can decrypt information encrypted with its public key.
Asymmetric encryption algorithms offer good confidentiality and eliminate the need for end users to exchange keys, but encryption and decryption are slow, so they are not suitable for encrypting files, only for encrypting small amounts of data.
In the security architecture of Microsoft's Windows NT, the public key system is mainly used to encrypt the private key. Each user who wants to encrypt data needs to generate his own key pair. The public key of the pair and the asymmetric encryption and decryption algorithm are public, but the private key should be properly kept by its owner.
The actual process of encrypting files using public keys includes four steps:
(1) The sender generates its own private key and encrypts it with the public key of the receiver, and then transmits it to the receiver through the network;
(2) The sender encrypts the file to be transmitted with its own private key, and then transmits the encrypted file to the receiver through the network;
(3) The receiver decrypts with its own public key to obtain the private key of the sender;
(4) The receiver decrypts the file with the private key of the sender to obtain the plaintext form of the file.
Because only the receiver has its own public key, even if others get the encrypted private key of the sender, the security of the private key is guaranteed because it cannot be decrypted, thus ensuring the security of the transmitted file. In fact, the above two files are realized in the file transfer process.
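A digital-envelope transfer of the kind outlined above, as an added example that is not part of the original page. It assumes the key the sender generates is a one-time symmetric session key, wrapped with the receiver's public key and unwrapped with the receiver's private key, in line with the rule stated earlier that data encrypted with a public key can only be decrypted with the corresponding private key. Textbook RSA and a SHA-256 keystream stand in for a padded RSA scheme and a real block cipher so that only the standard library is needed.

```python
import hashlib, secrets

# Stand-ins chosen for a dependency-free illustration, not for production use.
def keygen(p, q, e=65537):
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))           # (public key, private key)

def keystream_xor(key, data):
    """Symmetric step: the same call encrypts and decrypts (fast, any length)."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[offset:offset + 32], pad))
    return bytes(out)

def seal(receiver_pub, plaintext):
    """Sender: encrypt the file with a fresh session key, wrap that key with RSA."""
    n, e = receiver_pub
    session_key = secrets.token_bytes(16)         # small enough for the slow RSA step
    wrapped = pow(int.from_bytes(session_key, "big"), e, n)
    return wrapped, keystream_xor(session_key, plaintext)

def open_envelope(receiver_priv, wrapped, ciphertext):
    """Receiver: unwrap the session key with the private key, then decrypt the file."""
    n, d = receiver_priv
    recovered = pow(wrapped, d, n).to_bytes((n.bit_length() + 7) // 8, "big")
    return keystream_xor(recovered[-16:], ciphertext)
    # No integrity check here: detecting tampering needs a signature or MAC as well.

if __name__ == "__main__":
    pub, priv = keygen(2**107 - 1, 2**127 - 1)    # constructed sample key pair
    wrapped, ct = seal(pub, b"constructed sample order: 3 units")
    print(open_envelope(priv, wrapped, ct))
```

Only the 16-byte session key passes through the slow asymmetric operation; the file itself is handled by the fast symmetric step.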