Let me tell a story first. This time, we don't need Bob and Alice. After hearing it, these concepts should suddenly become clear.
Story background: The year is 2018. For the sake of communication security, suppose everyone has two locks, one called lock A and the other called lock B. These two locks differ somewhat from ordinary locks. Each lock has its own keyhole and is also the key to the other lock, so lock A and lock B are each both a lock and a key. Lock A and lock B are a unique matched pair: once lock A is locked, only lock B can open it, and likewise once lock B is locked, only lock A can open it. One of the locks is public, while the other is kept by its owner and never made public. Assume that by default lock A is the public one and lock B is the private one.
Story content: Xiao Ming of Alibaba Children's Primary School wants to write a confession letter to Xiaohua in the next class. So that nobody else can read it, he puts the letter in a mailbox and locks the mailbox with Xiaohua's A lock. Because only Xiaohua holds Xiaohua's B lock (which is also the key to her A lock), no one except Xiaohua can read the letter. Similarly, when Xiaohua wants to write to Xiao Ming, she uses Xiao Ming's A lock to protect the contents of the letter.
Xiao Ming and Xiaohua talked for a while, and later Xiaohua felt it was about time to move on to showing off their love. She told Xiao Ming that from now on the letters should not be encrypted at all; they are not bank card passwords, so what does it matter if people see them? As long as nobody changes them after reading. So after Xiao Ming wrote a letter, he strung together the pinyin initial of every word in it and called the result the message digest. Then he put only the message digest in the mailbox and locked the mailbox with his own B lock. Although the letter itself was not put into a secure mailbox, Xiao Ming, as a master of love letters, has tens of thousands of words in any letter. If anyone makes any change to the contents of the letter, the string of pinyin initials will almost certainly change. So after Xiaohua gets the letter, she first opens the mailbox with Xiao Ming's A lock (the key to his B lock) to get Xiao Ming's digest, and then performs the same operation on the contents of the letter (that is, she calculates the pinyin initials of each word in the letter; in practice such a simple algorithm is not used, and an irreversible hash algorithm is used instead). If the calculated string matches Xiao Ming's message digest, it means that Xiao Ming wrote this letter to her and that it has not been tampered with by anyone.
Story climax: Things are not that simple. Xiaohua noticed that Xiao Ming was full of passion for her in his letters, yet in everyday life he did not even say hello when they met and acted as if they did not know each other. Finally one day, Xiaohua couldn't help it. She confronted Xiao Ming, but Xiao Ming said, "When did I write you a love letter? Be romantic ..." So Xiaohua threw the love letter she had received just the day before in front of Xiao Ming: "Isn't this signed by you, Xiao Ming? What is going on?" The name on it was indeed Xiao Ming's, but had he really written it? Xiao Ming handed Xiaohua his exercise book and asked his deskmate to compare the handwriting. Xiaohua found that the handwriting really was different. It seems that someone had played a prank and pretended to be Xiao Ming to write love letters to her. Oh, how embarrassing...
That is the end of the story. All the concepts mentioned at the beginning of the article relate to the secure transmission of information; it can be said that everything is for the sake of security. Regarding communication security, we usually have three basic requirements.
Let's take the above story as an example to talk about these three security requirements. At first, Xiao Ming and Xiaohua encrypted with the A lock (corresponding to the public key) and decrypted with the B lock (corresponding to the private key); this mode of communication satisfies the first point. The content of the letter itself is encrypted, and because a public key and a private key form a unique pair, only the matching key can decrypt it, so it is difficult for a third party to crack it.
Later, in order to show off their love, they adopted the communication mode of B-lock (private key) encryption and A-lock (public key) decryption, in which the string encrypted with the private key is called a digital signature. Although the letter itself can be read directly, any tampering with the data is easy to detect. It seemed that meeting the first and second requirements was enough to communicate safely, but in the end it turned out that "Xiao Ming" was not Xiao Ming at all! Why is there such a problem? Because "Xiao Ming" said he was Xiao Ming, Xiaohua believed he was Xiao Ming, and he never provided any authentication to prove that he really was Xiao Ming. Therefore, in order to communicate safely, an authoritative third-party institution is needed for identity authentication. This organization is a CA. After the certification is passed, the CA issues an authoritative certificate. With the certificate, we can prove our identity, so there will be no counterfeiting. In the authentication process, you need to provide your own identity information and private key to CA.
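The signing step from the story, as an added example that is not part of the original article: the letter is hashed with SHA-256, the digest is signed with the private key (B lock) and checked with the public key (A lock). It assumes the `openssl` command is installed; the file names and the letter text are constructed.

```shell
#!/usr/bin/env bash
# Added example: file names and the letter text are constructed.
set -u
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

# Xiao Ming's pair: B lock = private key, A lock = public key.
make_keypair() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$work/b_lock.pem" 2>/dev/null
    openssl pkey -in "$work/b_lock.pem" -pubout -out "$work/a_lock.pem"
}

# Hash the letter with SHA-256 and sign the digest with the private key.
sign_letter() {    # $1 = letter file, $2 = signature file to write
    openssl dgst -sha256 -sign "$work/b_lock.pem" -out "$2" "$1"
}

# Recompute the digest and check it against the signature with the public key.
check_letter() {   # $1 = letter file, $2 = signature file
    if openssl dgst -sha256 -verify "$work/a_lock.pem" \
        -signature "$2" "$1" >/dev/null 2>&1; then
        echo valid
    else
        echo tampered
    fi
}

demo() {
    make_keypair
    printf 'Xiaohua, meet me at the school gate after class.\n' > "$work/letter.txt"
    sign_letter "$work/letter.txt" "$work/letter.sig"
    echo "as written:       $(check_letter "$work/letter.txt" "$work/letter.sig")"
    # Someone changes a single word while the letter is in transit.
    sed 's/after/before/' "$work/letter.txt" > "$work/altered.txt"
    echo "one word changed: $(check_letter "$work/altered.txt" "$work/letter.sig")"
}
demo
```

A `valid` result only shows that the letter matches the key pair that signed it; it does not show who owns that key pair, which is the gap the CA fills in the story.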
Symmetric encryption means that the two or more communicating parties all use the same key. Encryption and decryption are fast, but not secure enough, because once the key is leaked, anyone can decrypt the data. Asymmetric encryption, of course, means that the parties use different keys. Public key and private key are a form of asymmetric encryption. Commonly used symmetric encryption algorithms include AES and DES; SHA256 and RSA are common asymmetric encryption.
An asymmetric encryption algorithm has two keys, a public key and a private key. Public and private keys must appear in pairs. A public key and its private key together are referred to as one key, and a keystore can hold multiple keys, that is, multiple pairs of public and private keys.
If you use GitHub, you will have noticed that there are two ways to connect to it: one is https and the other is ssh. Over https you often need to enter a password, but over ssh you do not. Recall the steps of setting up ssh: you generate a key pair locally and upload the public key to GitHub. Every transmission is automatically encrypted with the local private key, and the server decrypts it with the public key you uploaded, so there is no need to enter the password manually.
keytool and openssl are two certificate management tools. keytool is the certificate management tool that ships with the Java JDK. It can be used to generate keys and create certificates. As long as the JDK is installed and the environment variables are set correctly, certificates can be managed by running the keytool command from the command line.
openssl is an open source Secure Sockets Layer cryptography library with more functions than keytool.
PKCS stands for Public-Key Cryptography Standards, and 15 PKCS standards have been published.
PKCS#12: a binary format certificate that contains both the public key and the private key; the certificate file suffix is .pfx.
X.509 is a general certificate standard that specifies what a certificate should contain. X.509 certificates usually come in two encodings, one binary and the other base64.
X.509#DER: binary format certificate, commonly used suffixes .cer and .crt
X.509#PEM: text format certificate, commonly used suffix .pem
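The formats listed above, as an added example that is not part of the original article: one self-signed certificate is written as PEM, re-encoded as DER, and bundled with its private key into a PKCS#12 file. It assumes the `openssl` command is installed; the subject name, file names and password are constructed.

```shell
#!/usr/bin/env bash
# Added example: subject name, file names and password are constructed.
set -u
certdir=$(mktemp -d)
trap 'rm -rf "$certdir"' EXIT

make_cert() {
    # Private key plus self-signed X.509 certificate, both PEM (base64 text).
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=xiaoming.example" \
        -keyout "$certdir/server.key" -out "$certdir/cert.pem" 2>/dev/null
    # The same certificate re-encoded as DER (binary).
    openssl x509 -in "$certdir/cert.pem" -outform DER -out "$certdir/cert.cer"
    # Certificate and private key together in a password-protected PKCS#12 file.
    openssl pkcs12 -export -inkey "$certdir/server.key" -in "$certdir/cert.pem" \
        -out "$certdir/bundle.pfx" -passout pass:demo-only
}

# Classify a certificate file by its first bytes rather than by its suffix.
cert_encoding() {   # $1 = certificate file
    if head -c 27 "$1" | grep -q -- '-----BEGIN CERTIFICATE-----'; then
        echo PEM
    elif [ "$(head -c 1 "$1" | od -An -tx1 | tr -d ' \n')" = "30" ]; then
        echo DER    # DER data starts with an ASN.1 SEQUENCE tag (0x30)
    else
        echo unknown
    fi
}

# The fingerprint is a hash of the DER bytes, so both encodings give the same value.
fingerprint() {     # $1 = certificate file, $2 = PEM or DER
    openssl x509 -in "$1" -inform "$2" -noout -fingerprint -sha256
}

demo() {
    make_cert
    echo "cert.pem is $(cert_encoding "$certdir/cert.pem")"
    echo "cert.cer is $(cert_encoding "$certdir/cert.cer")"
    fingerprint "$certdir/cert.pem" PEM
    fingerprint "$certdir/cert.cer" DER
}
demo
```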
Because http is transmitted in clear text, which is very unsafe, the ssl (Secure Sockets Layer) protocol was proposed; that is, an additional protocol is added to ensure safe transmission, which can be thought of as https=ssl+http. Many people who have just started working with https open the browser console with F12 and find that the data is still not encrypted. Note that https is transport layer encryption, and what you see in the browser's F12 console is still application layer data.
Because this article mainly talks about conceptual literacy, which is helpful for understanding, I won't introduce the specific details about this part.
.keystore, .jks and .truststore are files that Java uses to store keys.
.key is the private key file in nginx.
Different certificate file suffixes are used to distinguish different kinds of certificates, and there are mainly two classification dimensions.