
Principles of Digital Certificates

This article first explains some basic concepts of encryption and decryption, and then uses an example of an encrypted communication process to illustrate what encryption algorithms do and what role digital certificates play. This is followed by a detailed explanation of digital certificates, a discussion of managing digital certificates in Windows, and a demonstration of creating digital certificates using Makecert. If you find any mistakes in the article, or anything that is not explained clearly enough, please point it out!

 

1. Basic knowledge

This section explains some concepts and terminology. It is best to understand this section first.

1.1 Public-key Cryptography

A public key cryptosystem consists of three parts: the public key, the private key, and the encryption and decryption algorithms. Its encryption and decryption process is as follows:

  • Encryption: the content (the plaintext) is encrypted using the encryption algorithm and the public key to obtain ciphertext. The encryption process requires the public key.
  • Decryption: the ciphertext is decrypted using the decryption algorithm and the private key to obtain the plaintext. The decryption process requires the decryption algorithm and the private key. Note that content encrypted with a public key can only be decrypted with the corresponding private key; without knowing the private key, it cannot be decrypted.

In a public key cryptosystem, both the public key and the algorithm are public (that’s why it is called a public key cryptosystem), while the private key is kept secret. Anyone can encrypt with the public key, but only the owner of the private key can decrypt. In practice, whoever needs one generates a pair of public and private keys, releases the public key to others, and keeps the private key.

 

1.2. Symmetric Key Algorithms

In symmetric encryption algorithms, the key used for encryption is the same as the key used for decryption. Therefore, for a symmetric encryption algorithm to be secure, the key must be kept confidential: only the people who use it may know it, and it must not be made public. This differs from the public key cryptosystem, where the public key is used for encryption and the private key for decryption. A symmetric encryption algorithm uses the same key for both, with no distinction between public and private keys.

 

// The key, usually a string or number, is passed to the encryption/decryption algorithm during encryption or decryption. The public key and private key mentioned in the public key cryptosystem are keys. The public key is the key used for encryption, and the private key is the key used for decryption.

 
1.3. Asymmetric Key Algorithms

In asymmetric encryption algorithms, the key used for encryption is different from the key used for decryption. The public key cryptosystem mentioned above is an asymmetric encryption algorithm. Its public key and private key cannot be the same, that is to say, the key used for encryption and decryption is different, so it is an asymmetric encryption algorithm.

 

1.4 Introduction to RSA

RSA is a public key cryptosystem that is widely used today. If you are interested in RSA itself, I will see if I have time to write a detailed introduction to RSA.

In the RSA cryptosystem the public key is public, the private key is kept secret, and the encryption and decryption algorithms are public. Content encrypted with the public key can be decrypted, and can only be decrypted, with the private key; content encrypted with the private key can be decrypted, and can only be decrypted, with the public key. That is, both the public key and the private key of RSA can be used for encryption and decryption, and content encrypted with one of them can be decrypted only with the other.

 

1.5. Signature and Encryption

When we say encryption, we mean that some content is encrypted, and the encrypted content can be restored through decryption. For example, we encrypt an email, and the encrypted content is transmitted on the network. After receiving it, the recipient can restore the real content of the email through decryption.

The focus here is on signatures. A signature is a piece of content appended to a message that proves the message has not been modified. How is this achieved? Generally, the message is hashed to obtain a hash value. Note that this process is irreversible: the original content cannot be recovered from the hash value. When the message is sent, the hash value is encrypted and sent along with it as the signature. After receiving the message, the recipient recalculates the hash value of the message and compares it with the hash value attached to the message (after decrypting it). If the two are the same, the content of the message has not been modified, because the hash calculation ensures that different contents give different hash values: if the content changes, the hash value calculated from it changes too. Of course, someone up to no good could change the content of the message and the hash value together so that they still match. To prevent this, the hash value is encrypted before it is sent with the message (this is the signature), which ensures that the hash value cannot be altered. How the recipient is able to decrypt the signature involves concepts such as digital certificates, which we will discuss later; for now you only need to understand the concept of a signature.

 

2. Evolution of an encrypted communication process

Let’s look at an example. Assume that a “server” and a “client” are communicating over the network and intend to use RSA (see the introduction to RSA above) to encrypt the communication and keep the conversation secure. Because RSA is a public key cryptosystem, the “server” publishes its public key (the RSA algorithm itself is known to all) and keeps its private key. The “client” has somehow obtained the public key published by the “server” and does not know the private key. How the “client” obtains the public key will be explained later. Let’s look at how the two parties communicate confidentially:

 

2.1 Round 1:

Client -> Server: Hello

Server -> Client: Hello, I am the server

Client -> Server: ????

Because messages travel over the network, someone else can impersonate the “server” and send messages to the “client”. For example, the messages above could be intercepted by a hacker as follows:

Client -> Server: Hello

Server -> Client: Hello, I am the server

Client -> Hacker: Hello // The hacker intercepts the message sent by the “client” to the “server” on a router between them, and then impersonates the “server”

Hacker -> Client: Hello, I am the server

Therefore, after receiving the message, the “client” cannot be sure that it was sent by the “server”; a “hacker” can also pretend to be the “server” and send it. How can the “client” know that the message came from the “server”? There is a solution: only the “server” has the private key, so if the “client” can verify that the other party holds the private key, then the other party is the “server”. The communication process can therefore be improved as follows:

 

2.2 Second Round:

Client -> Server: Hello

Server -> Client: Hello, I am the server

Client -> Server: Prove to me that you are the server

Server -> Client: Hello, I am the server {Hello, I am the server}[private key|RSA]

// Note the convention used here: {} denotes content after RSA encryption, and [|] denotes the key and algorithm used for the encryption. The examples below all use this notation. For instance, {Hello, I am the server}[private key|RSA] above means the result of encrypting “Hello, I am the server” with the private key.

To prove to the “client” that it is the “server”, the “server” encrypts a string with its private key and sends both the plaintext and the encrypted ciphertext to the “client”. Here it sends the string “Hello, I am the server” together with that string encrypted with the private key, {Hello, I am the server}[private key|RSA].

After receiving the message, the “client” decrypts the ciphertext with the public key it holds and compares the result with the plaintext. If they are the same, the message was indeed sent by the “server”. That is, the “client” decrypts {Hello, I am the server}[private key|RSA] with the public key and obtains “Hello, I am the server”. Content encrypted with the private key can be decrypted only with the public key, and the private key is held only by the “server”, so if the decrypted content matches, the message must have been sent by the “server”.

Suppose the hacker wants to impersonate the server:

Hacker -> Client: Hello, I am the server

Client -> Hacker: Prove to me that you are the server

Hacker -> Client: Hello, I am the server {Hello, I am the server}[???|RSA] // The hacker cannot impersonate the server here: he does not know the private key, so he cannot encrypt a string with the private key and send it to the client for verification.

Client -> Hacker: ????

Since the “hacker” does not have the private key of the “server”, the “client” cannot decrypt what he sends using the server’s public key, and can therefore conclude that the other party is an impostor!

At this point, the “client” can confirm the identity of the “server” and can safely communicate with it. But there is a problem: the content of the communication is still not confidential on the network. Why can’t it be kept secret? Can’t the communication be encrypted with the RSA public and private keys?

 

2.3 Round 3:

Client -> Server: Hello

Server -> Client: Hello, I am the server

Client -> Server: Prove to me that you are the server

Server -> Client: Hello, I am the server {Hello, I am the server}[private key|RSA]

Client -> Server: {My account is aaa, my password is 123, please send me my balance so I can take a look}[public key|RSA]

Server -> Client: {Your balance is RMB 100}[private key|RSA]

Note the message {Your balance is RMB 100}[private key|RSA] above: this is content that the “server” encrypted with the private key. But as we said before, the public key is published, so everyone knows it, and anyone besides the “client” can use the public key to decrypt {Your balance is RMB 100}[private key|RSA]. So if the “server” encrypts with the private key and sends the result to the “client”, the message cannot be kept secret, because the public key can decrypt it. Nor can the “server” encrypt the message with the public key, because the “client” does not have the private key and could not decrypt it.

So a new problem has come up. How do we solve it? In practice, it is generally solved by introducing symmetric encryption, as the following demonstration shows:

 

2.4 Round 4:

Client -> Server: Hello

Server -> Client: Hello, I am the server

Client -> Server: Prove to me that you are the server

Server -> Client: Hello, I am the server {Hello, I am the server}[private key|RSA]

Client -> Server: {From now on, let us use symmetric encryption for our communication. Here are the symmetric encryption algorithm and key}[public key|RSA] // “the symmetric encryption algorithm and key” stands for the specific algorithm and key, which the client sends to the server.

Server -> Client: {OK, got it!}[key|symmetric encryption algorithm]

Client -> Server: {My account is aaa, my password is 123, please send me my balance so I can take a look}[key|symmetric encryption algorithm]

Server -> Client: {Your balance is RMB 100}[key|symmetric encryption algorithm]

In this exchange, after confirming the identity of the “server”, the “client” selects a symmetric encryption algorithm and a key, encrypts them with the public key, and sends them to the “server”. Because the symmetric encryption algorithm and key are encrypted with the public key, a “hacker” who intercepts the encrypted content still cannot learn them, since he does not have the private key.

Content encrypted with the public key can be decrypted only with the private key, which ensures that only the “server” learns the symmetric encryption algorithm and key, and no one else does (the “client” chose the symmetric encryption algorithm and key itself, so of course it knows how to encrypt and decrypt with them). From then on, the “server” and the “client” can encrypt the content of the communication using the symmetric encryption algorithm and key.

 

To sum up, the RSA encryption algorithm plays two main roles in this communication process:

  • Because the private key is held only by the “server”, the “client” can determine whether the other party is the “server” by checking whether it holds the private key.
  • Under the protection of RSA, the “client” securely negotiates a symmetric encryption algorithm and key with the “server”, which secures the content of the subsequent communication.

If you understand why RSA is not used to encrypt the communication itself, but only to agree on a symmetric encryption algorithm and key that then protect the communication, you have understood the content so far. (If not, please reread 2.3 and 2.4. If it is still unclear, that means I did not explain it well enough, and you can leave a comment.)

At this point, the “client” can confirm the identity of the “server” and the communication between the two sides can be encrypted so that no one else can decrypt the intercepted communication. Indeed, it seems that the communication process is more secure.

 

But there is still a problem. From the beginning, we said that the “server” needs to publish the public key. How does the “server” send the public key to the “client”? The first two things that might come to mind are:

A) Place the public key at a download address somewhere on the Internet and give the address to the “client” in advance.

B) The “server” sends the public key to the “client” each time it communicates with the “client”.

But both methods have problems.

For method A), the “client” cannot be sure that the download address was published by the “server”. Why should you believe that it was published by the “server” and not forged by someone else, and what if you download a fake public key? It is also unrealistic to require every “client” to download the public key before communicating.

Method B) also has a problem: anyone can generate a pair of public and private keys, so anyone can send their own public key to the “client” and impersonate the “server”. The exchange looks like this:

Client -> Hacker: Hello // The hacker intercepts the message from the “client” to the “server”

Hacker -> Client: Hello, I am the server, this is my public key // The hacker generates his own pair of public and private keys, sends the public key to the “client” and keeps the private key

Client -> Hacker: Prove to me that you are the server

Hacker -> Client: Hello, I am the server {Hello, I am the server}[hacker's own private key|RSA] // The “client” receives a message that the “hacker” encrypted with his own private key; it can be decrypted with the public key the “hacker” sent earlier, so the “client” mistakes the “hacker” for the “server”

Therefore, the “hacker” only needs to generate a pair of public and private keys, send the public key to the “client” and keep the private key. Since the “client” can use the hacker’s public key to decrypt content encrypted with the hacker’s private key, the “client” will believe that the “hacker” is the “server”, which is a security problem. The root of the problem is that anyone can generate a public and private key pair, and there is no way to tell whom a given public key belongs to. If you could determine who owns a public key, this problem would not arise. For example, when you receive a public key from a “hacker” posing as the “server”, it would be ideal if some kind of check revealed that the public key does not belong to the “server”.

To solve this problem, digital certificates have emerged, which can solve our problem above. A digital certificate contains the following details:

  • Certificate issuing authority
  • Validity of certificate
  • The public key
  • Certificate Owner (Subject)
  • The algorithm used for the signature
  • Fingerprints and fingerprint algorithms

A digital certificate ensures that the public key in the certificate really belongs to the owner of the certificate; in other words, the certificate can be used to confirm the identity of the other party. That is, when we receive a digital certificate, we can determine whom it belongs to. How this is determined will be explained later when we discuss digital certificates in detail. Using digital certificates, the previous communication process becomes the following:

 

2.5 Round 5:

Client -> Server: Hello

Server -> Client: Hello, I am the server, this is my digital certificate // The certificate is sent here instead of the public key

Client -> Server: Prove to me that you are the server

Server -> Client: Hello, I am the server {Hello, I am the server}[private key|RSA]

Notice that in the second message above, the “server” sends its certificate to the “client” instead of its public key. The “client” can verify that the certificate belongs to the “server”, that is, that the owner of the certificate is the “server” and that the public key in the certificate really is the server’s. The rest of the process is the same as before: the “client” asks the “server” to prove its identity, the “server” encrypts a piece of content with its private key and sends it together with the plaintext to the “client”, and the “client” decrypts the encrypted content with the public key from the digital certificate and compares it with the plaintext. If they match, the other party is indeed the “server”. The two parties then negotiate a symmetric encryption algorithm and key to secure the rest of the communication. At this point the whole process is complete. Let’s review:

 

2.6 Complete Process:

Step 1: The “client” sends a communication request to the “server”.

Client -> Server: Hello

 

Step 2: The “server” sends its digital certificate to the “client”. The certificate contains a public key used to encrypt information, and the private key is held by the “server”.

Server -> Client: Hello, I am the server, here is my digital certificate

 

Step 3: After receiving the certificate of the “server”, the “client” verifies whether the digital certificate really belongs to the “server” and whether there is any problem with it. If the certificate checks out, the public key in it really belongs to the “server”. After checking the certificate, the “client” sends a random string to the “server”, which encrypts it with its private key and returns the result. The “client” decrypts the returned result with the public key; if the decrypted result matches the random string it generated, the other party is indeed the holder of the private key, in other words it is indeed the “server”.

Client -> Server: Prove to me that you are the server. This is a random string.

Server -> Client: {a random string}[private key|RSA]

 

Step 4: After verifying the identity of the “server”, the “client” selects a symmetric encryption algorithm and key to encrypt and decrypt the subsequent communication. The “client” encrypts the symmetric encryption algorithm and key with the public key and sends them to the “server”. Intercepting them is useless to anyone else, because only the “server” has the private key that can decrypt them. From then on, both the “server” and the “client” can use the symmetric encryption algorithm to encrypt and decrypt the communication content.

Server -> Client: {OK, we have received your symmetric encryption algorithm and key! What can I do for you?}[key|symmetric encryption algorithm]

Client -> Server: {My account is aaa, my password is 123, please send me my balance so I can take a look}[key|symmetric encryption algorithm]

Server -> Client: {Hello, your balance is RMB 100}[key|symmetric encryption algorithm]

… // Continue other communications

 

2.7 Other Issues:

The procedure above is very close to the real communication process of HTTPS, and you can follow it to understand how HTTPS works. For ease of explanation, however, I left out some details. If you are interested, read on; otherwise you can skip this part.

 

【 Question 1】

After checking the certificate, the “client” sends a random string to the “server” to be encrypted with the private key, in order to determine whether the other party really holds the private key. But there is a problem: a “hacker” can also send strings to the “server” to be encrypted and obtain the encrypted results. This is not safe for the “server”, because the hacker can send simple, regularly patterned strings for the “server” to encrypt, look for patterns in the encryption, and so threaten the security of the private key. Therefore, it is not safe for the “server” to encrypt whatever string arrives from outside with its private key and send the result back.

[Solution]

Each time the “server” receives a string to be encrypted from the “client”, it does not encrypt the string itself. Instead, it computes a hash of the string, encrypts the hash value, and sends the encrypted hash to the “client”. Encrypting a hash value rather than the received string avoids encrypting regularly patterned strings and reduces the chance of the key being cracked. The “client” sent the string itself, so it can calculate the hash value of the string on its own, decrypt the encrypted hash value sent by the “server”, and compare the two to determine whether the other party is the “server”.

 

【 Question 2】

During the communication between the two parties, a “hacker” can intercept the encrypted content being sent. Although he cannot decrypt it, he can disrupt the process, for example by resending an intercepted message unmodified many times.

[Solution]

A serial number or a random value can be added to the content of each message. If the “client” or “server” receives a message whose serial number or random value has appeared before, someone is resending message content to disrupt the communication, and the two sides immediately stop communicating. One might ask: what if someone keeps disrupting? Does that make communication impossible? The answer is yes; for example, someone who controls the router that connects you to the Internet can target you this way. But some important applications, such as internal military or government networks, do not use the public network we normally use, so the average person cannot disrupt their communications.

 

【 Question 3】

During the communication between the two parties, the hacker can not only resend an intercepted message, but also modify the intercepted ciphertext and then send it on. Although the hacker cannot fully control what the modified ciphertext decrypts to, the decrypted content is still corrupted. If the hacker modifies the ciphertext during transmission, the “client” and the “server” have no way to tell that it was modified. The attack may not achieve anything, but the hacker can keep trying his luck.

[Solution]

Each time a message is sent, a hash value is calculated over the message content, and the message is encrypted together with the hash value. The recipient decrypts the received message to obtain the plaintext and the hash value, then calculates the hash of the received plaintext and compares it with the received hash value. If they match, the message was not modified during transmission. If they do not match, the encrypted data was deliberately modified in transit; the recipient stops the communication immediately and takes further action.
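The checks from Questions 2 and 3 can be put together in one receiving routine. The following is an added example, not code from the original article. It assumes a toy SHA-256 counter-mode keystream in place of the negotiated symmetric algorithm, and it uses an HMAC (a keyed hash) over the serial number and ciphertext in place of the article's hash encrypted together with the message; the keys and messages are constructed.

```python
import hashlib
import hmac
import struct

TAG_LEN = 32  # size of an HMAC-SHA256 tag
HDR_LEN = 8   # 64-bit serial number in front of every message


def keystream(key, seq, length):
    """Toy stream cipher (SHA-256 in counter mode), a constructed stand-in
    for whatever symmetric algorithm the two sides negotiated."""
    blocks = (length + 31) // 32
    stream = b"".join(
        hashlib.sha256(key + struct.pack(">QQ", seq, i)).digest()
        for i in range(blocks)
    )
    return stream[:length]


def xor(data, stream):
    return bytes(a ^ b for a, b in zip(data, stream))


def seal(enc_key, mac_key, seq, plaintext):
    """Sender side: serial number || ciphertext || keyed hash over both."""
    header = struct.pack(">Q", seq)
    ciphertext = xor(plaintext, keystream(enc_key, seq, len(plaintext)))
    tag = hmac.new(mac_key, header + ciphertext, hashlib.sha256).digest()
    return header + ciphertext + tag


class Receiver:
    """Receiver side: rejects modified messages (Question 3) and serial
    numbers that have already been seen (Question 2)."""

    def __init__(self, enc_key, mac_key):
        self.enc_key = enc_key
        self.mac_key = mac_key
        self.next_seq = 0

    def open(self, record):
        if len(record) < HDR_LEN + TAG_LEN:
            raise ValueError("truncated message")
        header = record[:HDR_LEN]
        ciphertext = record[HDR_LEN:-TAG_LEN]
        tag = record[-TAG_LEN:]
        expected = hmac.new(self.mac_key, header + ciphertext,
                            hashlib.sha256).digest()
        # Check integrity first, so a forged serial number is never trusted.
        if not hmac.compare_digest(tag, expected):
            raise ValueError("modified in transit")
        (seq,) = struct.unpack(">Q", header)
        if seq < self.next_seq:
            raise ValueError("replayed message")
        self.next_seq = seq + 1
        return xor(ciphertext, keystream(self.enc_key, seq, len(ciphertext)))


def demo():
    """Deliver a message, replay it, deliver a tampered one, then a good one."""
    enc_key, mac_key = b"constructed-enc-key", b"constructed-mac-key"
    receiver = Receiver(enc_key, mac_key)
    first = seal(enc_key, mac_key, 0, b"my account is aaa, the password is 123")
    second = seal(enc_key, mac_key, 1, b"please send me my balance")
    tampered = second[:10] + bytes([second[10] ^ 0x01]) + second[11:]
    results = []
    for record in (first, first, tampered, second):
        try:
            results.append(receiver.open(record).decode())
        except ValueError as err:
            # A real endpoint would stop the session here, as the text says.
            results.append("rejected: " + str(err))
    return results


if __name__ == "__main__":
    for line in demo():
        print(line)
```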

 

3. Composition and principle of certificates
3.1 Composition and principles of certificates

The components of a certificate were outlined earlier but not described in detail. Here is a detailed description of the contents of a certificate. When viewing a certificate in Windows, the interface looks like this. Let’s focus on the Details tab, which is quite long; after scrolling through it, I captured three screenshots to show the complete information:

Version, Serial Number, Signature Algorithm, etc.

 

◆Issuer (Certificate Issuer)

This specifies the organization that issued the certificate, that is, the company that created it (only the creator of the certificate, not its user). For the certificate above, this is “SecureTrust CA”.

 

◆Valid from, Valid to (Certificate validity period)

This is the validity period of the certificate, that is, the time span during which it can be used. After the expiration date, the certificate becomes invalid and cannot be used.

 

◆Public key

Public keys are used to encrypt messages, and are often used in the examples in Chapter 2. The public key of the digital certificate is 2048 bits, and its value can be seen in the dialog box in the middle of the figure, which is a long string of numbers.

 

◆Subject

This is whom the certificate is issued to, in other words the owner of the certificate: usually a person, a company name, the name of an organization, the address of a company website, and so on. For the certificate here, the owner is Trustwave, a company.

 

◆Signature algorithm

This is the encryption algorithm used for the digital signature of the digital certificate. With it, the fingerprint can be decrypted using the public key in the certificate issuer’s certificate. The result of encrypting the fingerprint is the digital signature (explained in Section 1.5).

 

◆Thumbprint algorithm

This is used to ensure the integrity of the certificate, that is, to ensure that the certificate has not been modified. It is similar to Question 3 in 2.7. The principle is that when issuing a certificate, the issuer uses the fingerprint algorithm (a hash algorithm) to calculate the hash value (fingerprint) of the whole certificate and places it together with the certificate. When a user opens the certificate, the hash value (fingerprint) of the certificate is calculated again using the fingerprint algorithm. If it matches the original value, the certificate has not been modified, because once the content of the certificate is modified, the hash value (fingerprint) calculated from the content changes. Note that the fingerprint is encrypted with the private key of the certificate authority “SecureTrust CA” using the signature algorithm.

 

Note: To ensure security, when a certificate issuing authority issues a certificate, the fingerprint and fingerprint algorithm of the certificate are encrypted and released together with the certificate, in case someone modifies the fingerprint and forges the corresponding digital certificate. This raises another question: what is used to encrypt the fingerprint and the fingerprint algorithm? They are encrypted with the certificate issuer’s private key, and can be decrypted using the public key of the CA. That is, besides issuing certificates to others, the CA has its own certificate. Where does the certificate issuing authority get its own certificate? The certificate issuer’s digital certificates (usually generated by the issuer itself) are already installed by Microsoft (or other operating system developers) when the operating system (such as Windows XP) is installed. Microsoft and other companies select reputable certificate issuing organizations that have passed certain security certifications, based on the evaluations of authoritative security organizations, install the certificates of these issuers in the operating system by default, and mark them as digital certificates trusted by the operating system. Each of these certificate issuing authorities holds the private key corresponding to its own digital certificate, and uses this private key to encrypt the fingerprints of all the certificates it issues as their digital signatures.

 

3.2 How can I Apply for a Certificate from a Certificate Issuing Authority

Here is an example. Suppose our company, “ABC Company”, has paid $1,000 to a certificate issuer, “SecureTrust CA”, for a certificate for our company. Note that “SecureTrust CA” is a recognized and accepted certificate issuer, and its certificate is already installed in our operating system. When “SecureTrust CA” issues the certificate to us, it writes the Issuer, Public key, Subject, Valid from, and Valid to information into the certificate in plain text. It then uses a fingerprint algorithm to calculate the fingerprint of the certificate content, encrypts the fingerprint and the fingerprint algorithm with its own private key, and publishes them together with the certificate content. At the same time, “SecureTrust CA” also gives us the private key of our company, “ABC Company”. The content of the certificate we bought for 1000 yuan is as follows:

Contents of the certificate start ××××××××××××××××××××

Issuer : SecureTrust CA

Subject : ABC Company

Valid from: a date

Valid to: a date

Public Key: a long string of numbers

… Other certificate content…

{certificate fingerprint and the fingerprint algorithm used}[SecureTrust CA private key|RSA] // This is the digital signature of "SecureTrust CA" on this certificate. It states that the certificate was indeed issued by "SecureTrust CA", which will be responsible for any problem with it (it received our $1000, so if something goes wrong it must be responsible).

Contents of the certificate end ××××××××××××××××××××

// Remember the notation agreed on earlier? {} denotes the content after RSA encryption, and [|] denotes which key and algorithm were used for the encryption.

 

After we, "ABC Company", have obtained the certificate, we put it into use: we send the certificate to the other party at the beginning of the communication process. How does the other party check that the certificate is indeed legitimate and that it really is the certificate of our "ABC Company"? First, the application reads the Issuer of the certificate, which is "SecureTrust CA". Then the application (such as Internet Explorer or Outlook) looks for the certificate of "SecureTrust CA" among the trusted issuer certificates in the operating system. If the certificate cannot be found, the issuer of the certificate is a gray market issuer, the certificate may have a problem, and the program gives an error message. If the "SecureTrust CA" certificate is found in the system, the application extracts the "SecureTrust CA" public key from it and uses this public key to decrypt the fingerprint and fingerprint algorithm in our "ABC Company" certificate. It then uses this fingerprint algorithm to calculate the fingerprint of the "ABC Company" certificate and compares the result with the fingerprint stored in the certificate. If the two are consistent, the "ABC Company" certificate has not been modified and was issued by "SecureTrust CA", so the public key in the certificate must belong to ABC Company. The other party can then safely use this public key to communicate with us, "ABC Company".
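The issue-and-check procedure described above, as an added example (not code from the original post). A certificate is modeled as a Python dict, and the CA key is a constructed toy RSA key built from two publicly known Mersenne primes with no padding, so it shows the logic only; the names issue, verify, contents and TRUST_STORE are assumptions made for this illustration.

```python
import hashlib

# Added illustration; all names below are hypothetical, not a real certificate API.
# Constructed toy RSA key for the CA: two publicly known Mersenne primes and
# no padding, so it is trivially factorable. For showing the logic only.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
CA_N = P * Q                            # CA public modulus
CA_D = pow(E, -1, (P - 1) * (Q - 1))    # CA private exponent
ALLOWED = {"sha1", "sha256"}            # fingerprint algorithms the checker accepts

def contents(cert):
    """Plain-text part of the certificate, serialized deterministically."""
    fields = ("issuer", "subject", "valid_from", "valid_to", "public_key")
    return "\n".join(f"{k}={cert[k]}" for k in fields).encode()

def issue(cert, alg="sha256"):
    """CA side: {fingerprint + fingerprint algorithm}[CA private key|RSA]."""
    blob = alg.encode() + b":" + hashlib.new(alg, contents(cert)).digest()
    signed = dict(cert)
    signed["signature"] = pow(int.from_bytes(blob, "big"), CA_D, CA_N)
    return signed

def verify(cert, trust_store):
    """Application side: the checks described in section 3.2."""
    ca_key = trust_store.get(cert["issuer"])
    if ca_key is None:
        return "issuer not trusted"          # issuer certificate not pre-installed
    n, e = ca_key
    m = pow(cert["signature"], e, n)         # decrypt with the CA public key
    blob = m.to_bytes((m.bit_length() + 7) // 8, "big")
    alg, _, fingerprint = blob.partition(b":")
    alg = alg.decode("ascii", "replace")
    if alg not in ALLOWED:
        return "bad signature"               # not produced by the CA private key
    if hashlib.new(alg, contents(cert)).digest() != fingerprint:
        return "fingerprint mismatch"        # contents changed after signing
    return "ok"

TRUST_STORE = {"SecureTrust CA": (CA_N, E)}  # issuer name -> pre-installed public key

abc = issue({"issuer": "SecureTrust CA", "subject": "ABC Company",
             "valid_from": "2010-01-01", "valid_to": "2011-01-01",
             "public_key": "constructed-placeholder-key"})
tampered = dict(abc, subject="JS Company")       # Subject edited after issuing
unknown = dict(abc, issuer="Some Unknown CA")    # issuer not in the trust store

if __name__ == "__main__":
    for name, c in (("abc", abc), ("tampered", tampered), ("unknown", unknown)):
        print(name, "->", verify(c, TRUST_STORE))
```

Changing any plain-text field after issuing changes the recomputed fingerprint, and an issuer missing from the trust store is rejected before any signature check is attempted.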

★ It is very important to understand this section. You can review the previous two chapters, "1. Basics" and "2. The Evolution of an Encrypted Communication Process", to help you understand it. If you have read this section a few times and still don't understand how the certificate works, you can leave a comment pointing out what I haven't made clear so that I can fix it.

 

3.3 Certificate Issuing Authority

We have already given an initial introduction to the certificate issuer, but we will discuss it in more detail here.

In fact, any company can issue certificates. We could also register a company to issue certificates to others. But obviously our own certification company would not be recognized by international authorities, so how would people know whether you are a shit-bag company or not? Therefore Microsoft will not trust our certificate issuer in its operating system. When an application checks the issuer of a certificate and sees that it is not an issuer trusted by the operating system, it throws an error message. That is to say, the Windows operating system will not pre-install the certificate of our certificate issuer and will not trust us as an issuer.

  

The hazards of untrusted certificate issuing authorities

Why does it matter whether a certification authority is trusted or not? Let's take an example. Suppose we start a bullshit company that issues certificates for other people, and I have an affair with Microsoft, who set me up as a trusted certificate issuer in their operating system. Now a small company called Wicrosoft pays me $10 to apply for a certificate for their company; the company grows, and the certificate is used more and more widely. Then a dishonest company, JS Company, wants to pretend to be Wicrosoft, so they give me ¥10000 and ask me to issue a certificate for them, but with Wicrosoft as the name (Subject) of the certificate. If I really issued that certificate to them for ¥10000, they could use it to impersonate Wicrosoft from then on.

A good certificate issuer behaves differently. For example, if you apply for a certificate named Wicrosoft, it will ask you to provide a lot of information proving that you really do represent Wicrosoft; in other words, it will go and verify your identity. A certificate issuing authority bears legal responsibility for the certificates it issues.

  

At this point, you might be thinking: f * * k, can't we just issue certificates ourselves? Do we have to pay to apply? Of course not. We can also set up a certificate issuing authority ourselves, but it needs to pass some security certifications and so on, which is a bit of trouble. In addition, if the digital certificates are only for internal use, the company can generate a certificate for itself and configure it on all the machines in the company as a certificate issuer trusted by the operating system. In this way, the certificates issued by the company can be verified on all machines in the company. When issuing certificates, set the Issuer of these certificates to the Subject of our own certificate. However, this only works for internal applications: only our company's own machines are set to trust our so-called certificate issuing authority, and other machines do not trust it in advance, so on other machines the certificates we issue cannot pass the security verification.

 

4. Manage digital certificates in Windows
4.1 Viewing, Deleting, and Installing digital Certificates

As we mentioned in the previous chapter, there are some certification authority certificates that are pre-installed on our operating system. Let’s look at how to find these certificates in Windows.

1) Start menu -> Run, type MMC, press Enter

2) In the displayed window, choose File-> Add/Remove snap-in…

3) Then, on the Standalone tab of the displayed dialog box, click the Add… button

4) Select Certificates in the pop-up dialog box and click the Add button

The specific steps are shown in the figure below:

 

After the above steps, a dialog box will pop up with three radio buttons as follows:

  • My user account
  • Service account
  • Computer account

You can select the first or the third option to view the certificates of the current user or the certificates installed on the entire computer. We will choose the first option by default. A certificate is usually installed for all users, so the first and the third option will show the same certificates. In the navigation tree on the left, select Trusted Root Certificate Authorities and click Certificates below it to see the certificates of all trusted certificate authorities in the area on the right.

Note that in the picture above, the certificate issuer "SecureTrust CA" selected on the right is the issuer from which we applied for a certificate in section 3.2 of Chapter 3. Since our certificate was issued by this issuer, when an application checks the issuer of our certificate (checking the signature of our certificate to confirm that this issuer really issued it), it will find that the issuer is trusted and will therefore trust the authenticity of our certificate.

Deleting digital certificates is easy, just right-click in the list on the right and delete them.

Installing a digital certificate is also relatively simple. Double-click the digital certificate file and the certificate will be opened; there is an Install Certificate button at the bottom of the dialog box. Click it and install the certificate by following the wizard, as shown below:

This certificate is a test certificate that I generated myself. The Certificate Import wizard lets you choose where to import the certificate. If it is the certificate of a certification authority that we ourselves trust, just import it into one of the Certificate Authorities stores: Trusted Root Certificate Authorities, Intermediate Certification Authorities, or Third-Party Root Certification Authorities. When installing, you can generally keep the default options and click "Next" all the way through.

 

4.2 How do I Create a Certificate

Each certificate issuer has its own tool for creating certificates. Of course, I don't know exactly how they create a certificate. Different types of certificates have certain formats and specifications, and I haven't studied this part in detail. Microsoft provides a tool for creating certificates, makecert.exe, which is installed when you install Visual Studio. If you don't have it, search for makecert online and download it. You can also download it directly from my blog. Here's the link.

Applying for a certificate from a legitimate certificate issuer usually costs money (because someone has to take the time to check your identity, check whether a certificate with the same name already exists, and so on), so here is how to create a certificate yourself, in preparation for configuring HTTPS in IIS later.

We use the makecert tool. Microsoft provides very detailed help for it, so I only give a simple explanation here; for the detailed parameters and usage, see the makecert help on MSDN. However, some parameters are not explained clearly enough there and some are omitted, so please refer to my explanation below as a supplement.

 

Let’s take a look at the easiest way to use Makecert:

makecert.exe test.cer

The command above generates a digital certificate file named test.cer in the same directory as makecert.exe. You can double-click the certificate to open it and see the contents of the certificate as follows:

The issuing authority of the certificate is "Root Agency" and the subject of the certificate (to whom the certificate is issued) is "Joe's-Software-Emporium". Since we didn't specify who to issue the certificate to, makecert generated a random company name for us. The public key, the signature algorithm (used to decrypt the signature), the fingerprint, and the fingerprint algorithm are also specified.

Note that because this certificate was generated by a Microsoft tool, strictly speaking it has no issuing authority, so Microsoft made up a virtual issuing authority called "Root Agency". By default, Windows comes with the certificate of this so-called certificate issuing authority installed, but this certificate is not trusted by default. The reason is very simple: otherwise, anyone could use makecert to create a legitimate digital certificate. We can also set it to be trusted if we want to.

 

For example, suppose we want to generate a certificate myca.cer for the website www.jefferysun.com, and makecert.exe is on drive C:. The command line is as follows:

C:\> makecert.exe -pe -r -n "CN=www.jefferysun.com" -ss my -sr LocalMachine -a SHA1 -len 2048 myca.cer

Explain what makecert’s common parameters mean:

  • -n Specifies the name of the subject, which has a fixed format: CN=the name of the subject. CN should be the abbreviation of Certificate Name. The subject name I use here is the IP of the machine on which our IIS is located. You can also specify some additional information about the subject here, such as O=*** for organizational information, and so on.
  • -r Creates a self-signed certificate. That is, when the certificate is generated, the issuing authority of the certificate is set to itself.
  • -pe Marks the generated private key as exportable. Note that when the server sends the certificate to the client, the client can only obtain the public key from the certificate, not the private key. If we specify this parameter, we can still export the private key from the certificate after it is installed on the machine, which is not possible by default. It is not possible to export a private key from a certificate issued through formal channels.
  • -b -e Specify the validity period of the certificate.
  • -ss Specifies the store name of the certificate, that is, the directory name in the Windows certificate store. If the certificate store does not exist, it is created.
  • -sr Specifies the location where the certificate is stored. The value can only be currentUser (the default value) or localmachine.
  • -sv Specifies the file in which to save the private key. The file contains the certificate as well as the private key. This file is confidential and is used in server configuration.
  • The CN=10.30.146.206 value must correspond to your own server. Otherwise, an error may occur during HTTPS configuration.
  • -a Specifies the signature algorithm. The value must be MD5 or SHA1. (Remember how the signature algorithm works? See section 1 of Chapter 3 for an introduction to signature algorithms.)
  • -in Specifies the name of the certificate issuer.
  • -len Specifies the number of bits in the public key. The larger the number, the safer it is. The default value is 1024 and 2048 is recommended. I tried it out, and it doesn't have to be a multiple of 1024.

After the certificate is generated, you can install it. For details, see Section 4.1.
