What does a digital certificate do? Seeking an answer.
Encryption technology based on digital certificates can encrypt and decrypt information transmitted over the network, produce and verify digital signatures, and ensure the confidentiality and integrity of the transmitted information. With a digital certificate, even if the information you send is intercepted by others online, or even if your account name, password and other details are lost, the security of your account and funds can still be ensured. It provides an authoritative electronic document for identity verification on the Internet, which people can use to prove their own identity and recognise the other party in Internet communication. Of course, the CA, as an authoritative, impartial and reliable third party, plays an important role in the digital certificate authentication process.

How can one judge whether a digital certificate certification center is authoritative and credible in its role as an impartial third party? The Ministry of Industry and Information Technology has successively issued professional qualification certificates, through a qualified and compliant procedure, to 30 related institutions such as the Tianwei Integrity Digital Certification Center.

Internet e-commerce technology makes it easy for online shoppers to obtain information about merchants and enterprises, but it also increases the risk that sensitive or valuable data is abused. To ensure the security and confidentiality of online electronic transactions and payments, and to prevent fraud during transactions and payments, a trust mechanism must be established on the Internet. This requires that both buyers and sellers participating in e-commerce have legal identities that can be effectively and correctly verified online.
Characteristics

Security
(1) To avoid security risks such as certificate loss caused by improper use in traditional digital certificate schemes, Alipay creatively launched a dual-certificate solution: when Alipay members apply for a digital certificate, they receive two certificates at once, one for verifying the Alipay account and the other for verifying the computer the member is currently using.
(2) The second certificate cannot be backed up, and members must apply for a new one for each computer. In this way, even if a member's digital certificate is illegally stolen, the account remains safe.
(3) Payment Shield is a physical security device similar to a USB flash drive. Its built-in micro smart card processor blocks various risks and keeps your account in a safe environment at all times.

Uniqueness
(1) The Alipay digital certificate grants access rights to network resources according to the user's identity.
(2) After a digital certificate has been applied for, logging in to the Alipay account from another computer without importing the certificate backup allows only querying the account; nothing else can be done. This makes the digital certificate a kind of "key", which enhances the security of account use.

Convenience
(1) Apply immediately on activation, and use it immediately on activation.
(2) Tailor-made ways of maintaining the digital certificate, such as SMS and security questions.
(3) Users can easily use digital certificates without any specialist knowledge.

The process of issuing a digital certificate is generally as follows: the user first generates their own key pair and sends the public key together with some personal identity information to the certification center. The certification center then performs the necessary steps to ensure that the request was indeed sent by that user.
The certification center then issues a digital certificate to the user, which contains the user's personal information and public key, together with the certification center's signature. The user can then use the digital certificate for various related activities. Digital certificates are issued by independent certification authorities. Certificates differ, and each can provide a different level of credibility. You can obtain your own digital certificate from a certificate authority.

Related functions

Internet-based e-commerce technology enables online shoppers to obtain information about merchants and enterprises very conveniently, but it also increases the risk that sensitive or valuable data is abused. In all financial transactions conducted on the Internet, buyers and sellers must be authentic and reliable, and customers, merchants, enterprises and other trading parties must have absolute confidence. Therefore, an Internet e-commerce system must provide very reliable security technology, that is, it must guarantee the four elements of network security: confidentiality of information transmission, integrity of data exchange, non-repudiation of sent information and certainty of the traders' identities.

Confidentiality of information
Commercial information in a transaction needs to be kept confidential. If a credit card's number and the cardholder's name become known, the card may be used fraudulently; if ordering and payment information becomes known to competitors, business opportunities may be lost. Therefore, information exchanged in e-commerce generally needs to be encrypted.

Certainty of the trader's identity
The two parties to an online transaction are probably strangers, thousands of miles apart. For a transaction to succeed, each side must first be able to confirm the identity of the other.
Merchants must consider that the customer could be a fraudster, and customers worry that the online shop could be a scam. Being able to confirm the other party's identity conveniently and reliably is therefore a precondition for the transaction. For banks, credit card companies and sales outlets that provide services to customers or users, identity authentication must be carried out so that service activities can be conducted securely, confidentially and reliably. Sales outlets do not learn the number of the credit card the customer uses; they can only hand the credit card over to the bank for confirmation. Banks and credit card companies can use all kinds of confidentiality and identification means to confirm whether the customer's identity is legitimate, and at the same time they must also prevent refusal to pay, and confirm the order and order collection information.

Non-repudiation
Because the business environment is constantly changing, once a transaction is concluded it must not be deniable; otherwise the interests of one party will inevitably be harmed. For example, gold is ordered while its price is low, but after the order is received the price of gold rises. If the recipient can deny the actual time of receiving the order, or even the fact of having received it, the orderer suffers a loss. Therefore, every step in the communication of an electronic transaction must be non-repudiable.

Immutability of documents
Electronic transaction documents must not be modifiable. Take the gold order from the example above: after receiving the order, the supplier finds that the price of gold has risen sharply. If the contents of the document could be changed and the ordered quantity altered from 1 ton to 1 gram, the supplier would benefit greatly and the ordering party could suffer losses. Therefore, electronic transaction documents must also be unalterable to ensure the seriousness and fairness of the transaction.
While marvelling at the great potential of e-commerce, people also have to think calmly about how to ensure the fairness and security of transactions, and the authenticity of both parties' identities, when transacting over the Internet where the parties never meet. There is a mature security solution in the world, which is to establish a security certificate architecture. A digital security certificate provides a way of verifying identity on the Internet. The security certificate system mainly adopts a public key system; other elements include symmetric key encryption, digital signatures and digital envelopes. Using digital certificates, and building a strict identity authentication system with symmetric and asymmetric encryption, we can ensure that information cannot be stolen by anyone other than the sender and receiver; that information is not tampered with during transmission; that the sender can confirm the receiver's identity through the digital certificate; and that the sender cannot deny having sent the information.

The CA, also known as the Certificate Authority center, acts as the trusted third party in e-commerce transactions and is responsible for verifying the legitimacy of public keys in the public key system. The CA center issues a digital certificate to each user of a public key. The function of the digital certificate is to prove that the user named in the certificate legitimately owns the public key listed in it. The CA's digital signature makes it impossible for attackers to forge or tamper with certificates. The CA is responsible for generating, distributing and managing the digital certificates required by everyone participating in online transactions, so it is the core link in secure electronic transactions. Therefore, building certification centers is a necessary step in developing and standardising the e-commerce market.
To ensure the security, authenticity, reliability, integrity and non-repudiation of information transmitted between users on the Internet, it is necessary not only to verify the authenticity of users' identities, but also to have an authoritative, impartial and unique institution responsible for issuing and managing e-commerce security certificates that meet domestic and international standards for secure electronic transactions.

Working principle

A digital certificate uses a public key system, that is, a matching pair of keys is used for encryption and decryption. Each user holds a specific private key known only to them, which they use for decryption and signing; at the same time they hold a public key, which they publish and share with a group of users for encryption and signature verification. When sending a confidential document, the sender encrypts the data with the receiver's public key, and the receiver decrypts it with their own private key, so that the information reaches its destination safely and correctly. The encryption process is guaranteed to be irreversible by digital means, that is, only the private key can decrypt it.

RSA is commonly used as the public key cryptosystem. Its security rests on the difficulty of factoring a large number into the product of two primes, and it encrypts and decrypts with two different keys. Even if the plaintext, the ciphertext and the encryption key (public key) are known, the decryption key (private key) cannot be deduced by calculation. At the current level of computer technology, it would take thousands of years to crack a 1024-bit RSA key. Public key technology solves the key distribution problem: merchants can publish their own public keys while keeping their private keys. Shoppers can encrypt the information they send with the published public key and transmit it safely to the merchant, who then decrypts it with their own private key.
Users can also process information with their own private key; because only they hold that key, the result is a file nobody else could have produced, which forms a digital signature. With a digital signature we can confirm two points: that the information was indeed sent by the signer, who cannot deny it; and that the information has not been modified between publication and receipt, so the published file is genuine. A digital certificate contains many digits and letters. When a digital certificate is used for identity authentication, it randomly generates a 128-bit identity code. Each digital certificate generates a corresponding number that is never the same twice, which ensures the confidentiality of data transmission and is equivalent to generating a complex password. A digital certificate binds the public key to the real identity of the holder, similar to a resident ID card in real life. The difference is that the digital certificate is no longer a paper document but electronic data that contains the certificate holder's identity information and is examined and issued by the certification center, so it can be used more conveniently and flexibly in e-commerce and e-government.

Digital signature

The message is processed with the hash algorithm agreed by both parties to obtain a message digest with a fixed number of digits. Mathematically, as long as any bit of the message changes, the recalculated message digest will not match the original value. This ensures the message cannot be altered undetected. The message digest is encrypted with the sender's private key and then sent to the receiver together with the original message; the result is called the digital signature.
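The hash-then-sign step just described, together with the receiver's verification step described next, as an added Go example (not code from the original page); it assumes SHA-256 as the hash algorithm agreed by both parties and RSA PKCS#1 v1.5 signatures, and the order text is a constructed sample.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// signMessage is the sender's side: hash the message with SHA-256 (the agreed
// digest algorithm), then sign the fixed-length digest with the sender's
// private key. The returned bytes travel alongside the original message.
func signMessage(priv *rsa.PrivateKey, msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
}

// verifyMessage is the receiver's side: recompute the digest with the same
// hash algorithm and check it against the signature with the sender's public
// key. A mismatch means the message was altered or was not signed by the
// holder of the matching private key.
func verifyMessage(pub *rsa.PublicKey, msg, sig []byte) bool {
	digest := sha256.Sum256(msg)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}

func main() {
	// Constructed sample: a 2048-bit key pair standing in for the key behind
	// the sender's certificate, and a purchase order as the message.
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	order := []byte("order 2024-0017: 1 ton of gold")
	sig, err := signMessage(priv, order)
	if err != nil {
		panic(err)
	}
	fmt.Println("original verifies:", verifyMessage(&priv.PublicKey, order, sig))

	// Alter the quantity (the 1 ton to 1 gram case from the text): the
	// recomputed digest no longer matches and verification fails.
	tampered := []byte("order 2024-0017: 1 gram of gold")
	fmt.Println("tampered verifies:", verifyMessage(&priv.PublicKey, tampered, sig))

	// A signature made with someone else's private key also fails, so the
	// receiver can tell the message did not come from the claimed sender.
	other, _ := rsa.GenerateKey(rand.Reader, 2048)
	forged, _ := signMessage(other, order)
	fmt.Println("other key's signature verifies:", verifyMessage(&priv.PublicKey, order, forged))
}
```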
After receiving the digital signature, the receiver calculates the message digest with the same hash algorithm and compares it with the message digest decrypted using the sender's public key. If they are equal, the message really does come from the claimed sender.

Classification

From the application perspective, digital certificates can be divided into the following categories.

Server certificates
A server certificate is installed on a server device to prove the server's identity and encrypt communication. Server certificates can be used to prevent fake websites.

Figure: Digital Certificate Issuance Flowchart

After the server certificate is installed on the server, the client browser can establish an SSL connection with it, and all data transmitted over the SSL connection is encrypted. At the same time, the browser automatically verifies whether the server certificate is valid and whether the site visited is a fake. Websites protected by server certificates are mainly used for password login, order processing and online banking transactions. World-famous server certificate brands include VeriSign, Thawte and GeoTrust. SSL certificates are mainly used to encrypt the data transmission link and authenticate the server (application); they are bound to the website's domain name, and different products require different identity verification for data of different value. There is no difference in issuance time between ultra-real SSL and ultra-fast SSL. The main difference is that ultra-fast SSL only verifies domain name ownership and the company name is not shown in the certificate, whereas ultra-real SSL requires verification of domain name ownership, the business licence and a third-party database, and the certificate shows the company name.

E-mail certificates
An e-mail certificate can be used to prove the authenticity of the e-mail sender.
It does not prove the authenticity of the certificate owner's name given in the CN field of the certificate, only the authenticity of the e-mail address. After receiving an e-mail with a valid electronic signature, we can not only trust that the e-mail was indeed sent from the stated mailbox, but also be sure that it has not been tampered with since it was sent. In addition, using the received e-mail certificate, we can send encrypted mail to the recipient. Encrypted mail can be transmitted over an insecure network, and only the recipient holding the matching private key can open it.

Client personal certificates
Client certificates are mainly used for authentication and electronic signatures. A secure client certificate is stored in a dedicated USB key, and a certificate stored in the key cannot be exported or copied. To use the key, you must enter its protection password. Using such a certificate therefore requires physically possessing its storage medium, the USB key, and knowing the key's protection password; this is called two-factor authentication. It is currently one of the safest authentication methods on the Internet. There are many kinds of keys, such as those with fingerprint identification, third-key confirmation, voice reading, special USB keys with a display screen, and ordinary USB keys. At present, digital certificates can be roughly divided into: personal digital certificates, company digital certificates, company employee digital certificates, server certificates, VPN certificates, WAP certificates, code signing certificates and form signing certificates.

Certificate format

At present, the international standard X.509 v3 is widely used as the digital certificate format. Its contents include the certificate's serial number, the name of the certificate holder, the name of the certificate issuer, the certificate's validity period, the public key, the digital signature of the certificate issuer, and so on.
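The issuance and verification process described above (the member generates a key pair, the certification center signs a certificate carrying the member's identity and public key, and a relying party that has installed the CA root certificate checks it), as an added Go example built on the standard library's crypto/x509. It is not code from the original page; the certification center and member names are constructed placeholders, and the negative case shows why a certificate from a CA whose root is not installed is rejected.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// makeCert fills the X.509 v3 fields listed above (serial number, holder name,
// validity period, public key); CreateCertificate adds the issuer name and the
// issuer's signature. With parent == nil the certificate is a self-signed root.
func makeCert(serial int64, holder string, parent *x509.Certificate, pub *rsa.PublicKey, signer *rsa.PrivateKey) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: holder},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	if parent == nil { // root: mark as CA and allow it to sign certificates
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// verifyAgainstRoot is what a relying party does after installing the CA root
// certificate: check the issuer's signature, the chain and the validity period.
func verifyAgainstRoot(cert, root *x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots})
	return err
}

func main() {
	// Constructed sample: the member generates their own key pair; only the
	// public key goes to the (hypothetical) certification center for signing.
	caKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	memberKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	ca, err := makeCert(1, "Example Certification Center", nil, &caKey.PublicKey, caKey)
	if err != nil { panic(err) }
	member, err := makeCert(2, "member@example.com", ca, &memberKey.PublicKey, caKey)
	if err != nil { panic(err) }
	fmt.Println("issued by installed root, error:", verifyAgainstRoot(member, ca))
	// Same holder name and key, but issued by a CA the relying party never
	// installed: the chain ends at an unknown authority and is rejected.
	rogueKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	rogue, _ := makeCert(1, "Rogue Center", nil, &rogueKey.PublicKey, rogueKey)
	forged, _ := makeCert(2, "member@example.com", rogue, &memberKey.PublicKey, rogueKey)
	fmt.Println("issued by rogue CA, error:", verifyAgainstRoot(forged, ca))
}
```

The parsed certificate exposes the listed fields directly (SerialNumber, Subject, Issuer, NotBefore, NotAfter, PublicKey, Signature), so the same code can be used to inspect a certificate obtained from a real CA.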
CA certification bodies in various places are: Shandong CA | Ningxia CA | Henan CA | Shaanxi CA | Fujian CA | Jiangsu CA | Anhui CA | Shanxi CA | Guangxi CA | Tianjin CA | Liaoning CA | Jiangxi CA | Sichuan CA | Hebei CA | Hunan CA

Legally qualified institutions:
Henan Digital Certificate Co., Ltd.
Shenzhen E-commerce Security Certificate Management Co., Ltd.
Tianjin Electronic Authentication Service Center
Shandong Digital Certificate Authentication Management Co., Ltd.
China Financial Authentication Center Co., Ltd.
Western Security Authentication Center Co., Ltd. (Ningxia)
Beijing Tianwei Chengxin E-commerce Service Co., Ltd.
Shaanxi Digital Certificate Certification Center Co., Ltd.
SDIC Anxin Digital Certificate Certification Co., Ltd.
Guangdong E-commerce Certification Co., Ltd.
Guangdong Digital Certificate Certification Center Co., Ltd.
Shanghai Digital Certificate Certification Center Co., Ltd.
Liaoning Digital Certificate Certification Management Co., Ltd.
Hubei Digital Certificate Certification Management Center Co., Ltd.
Yixin Technology Co., Ltd.
Jiangsu E-commerce Certificate Certification Center Co., Ltd.
Dongfang Zhongxun Digital Certificate Certification Co., Ltd.
Zhejiang Digital Security Certificate Management Co., Ltd.
Fujian Digital Security Certificate Management Co., Ltd.
Xinjiang Digital Certificate Certification Center (Co., Ltd.)
Beijing Guofu E-commerce Security Certification Co., Ltd.
Anhui E-certification Management Center Co., Ltd.
Hebei E-commerce Certification Co., Ltd.

Generally speaking, users should bring the relevant identity documents to a certificate acceptance point for processing, or go directly to the issuing agency, that is, the CA center, and fill in the application form for identity verification. After verification, the user receives the certificate's storage medium (disk or key) and a password envelope containing the password.
How to use

Users must have the storage medium containing the certificate ready when carrying out online operations that require it. If users operate on their own computers, they must install the CA root certificate before the operation. Generally, when the system being accessed needs a digital certificate, a prompt to install the root certificate pops up automatically and the user can simply confirm; alternatively, you can log on to the CA center's website and download and install the root certificate directly. During operation, the system will generally prompt the user to present the digital certificate or insert the certificate medium (IC card or key). After the user inserts the certificate medium, the system asks for the password; at this point the user enters the password from the password envelope obtained when applying for the certificate. Once the password is verified, the system automatically calls the digital certificate for the related operations. After use, users should remember to remove the certificate medium and keep it safe. Of course, the use of digital certificates differs from system to system, but the system will generally give clear prompts, which makes it easier for users.