轻迅科技: How Digital Signatures and Digital Certificates Work (Illustrated)

2019-05-06 20:05:43


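What is the difference between a digital signature and a digital certificate? A digital certificate is an authoritative electronic document, issued by a certificate authority (CA), that provides identity verification on the Internet. A digital signature is similar to an ordinary physical signature written on paper, but it is implemented with public-key cryptography and is a method for authenticating digital information. Many readers are still unclear about how digital signatures and digital certificates work in practice; the walkthrough below answers those questions.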

How digital signatures and digital certificates work

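1. Bob has two keys: one is the public key, the other is the private key.

2. Bob gives his public key to his friends Pat, Doug and Susan, one copy each.

3. Susan wants to write Bob a confidential letter. After writing it she encrypts it with Bob's public key, which keeps it confidential.

4. When Bob receives the letter, he decrypts it with his private key and reads the contents. The point to stress is that as long as Bob's private key is not leaked, the letter is safe: even if it falls into someone else's hands, it cannot be decrypted.

5. Bob replies to Susan and decides to use a "digital signature". After writing the letter he first runs it through a hash function to produce a digest of the letter.

6. Bob then encrypts this digest with his private key, producing the "digital signature" (signature).

7. Bob attaches the signature below the letter and sends both to Susan.

8. When Susan receives the letter, she detaches the digital signature and decrypts it with Bob's public key, obtaining the digest of the letter. This proves that the letter really was sent by Bob.

9. Susan then applies the hash function to the letter itself and compares the result with the digest obtained in the previous step. If the two match, the letter has not been modified.

10. Now a complication arises. Doug wants to deceive Susan. He secretly uses Susan's computer and replaces Bob's public key with his own. Susan now actually holds Doug's public key but still believes it is Bob's. Doug can therefore impersonate Bob: he makes a "digital signature" with his own private key, writes to Susan, and Susan decrypts it with the fake "Bob" public key.

11. Later, Susan senses that something is wrong and realises she cannot be sure whether the public key really belongs to Bob. She comes up with a solution: she asks Bob to go to a "certificate authority" (CA) and have his public key certified. The CA uses its own private key to encrypt Bob's public key together with some related information, producing a "digital certificate" (Digital Certificate).

12. Once Bob has the digital certificate, he can rest easy. From then on, when he writes to Susan, he only needs to attach the digital certificate along with the signature.

13. When Susan receives the letter, she uses the CA's public key to unlock the digital certificate and obtains Bob's genuine public key. She can then check whether the "digital signature" was really made by Bob.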

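Application

Next, let us look at a real-world use of "digital certificates": the https protocol. This protocol is mainly used to encrypt web pages.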

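1. First, the client sends an encryption request to the server.

2. The server encrypts the web page with its own private key and sends it to the client together with its digital certificate.

3. The "certificate manager" of the client (the browser) holds a list of "Trusted Root Certification Authorities". The client uses this list to check whether the public key that unlocks the digital certificate is on the list.

4. If the web address recorded in the digital certificate does not match the address you are browsing, the certificate may be being misused, and the browser issues a warning.

5. If the digital certificate was not issued by a trusted authority, the browser issues a different warning.

6. If the digital certificate is reliable, the client can use the server public key in the certificate to encrypt information and then exchange encrypted information with the server.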
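Steps 10 to 13 of the walkthrough and the browser checks in steps 3 to 5 above, reproduced with the openssl command line as an added example (not part of the original article). The CA names, the host name bob.example and all file names are constructed; Susan trusts only "Example Root CA", while Doug's certificate comes from a CA of his own.

```shell
#!/bin/sh
# Added example. All names (Example Root CA, Rogue CA, bob.example) are constructed.
work=$(mktemp -d)

make_ca() {      # $1 = file prefix, $2 = CA common name; creates a self-signed root
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -keyout "$work/$1.key" -out "$work/$1.pem" 2>/dev/null
}

issue_cert() {   # $1 = CA prefix, $2 = subject prefix, $3 = host name in the cert
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$work/$2.key" -out "$work/$2.csr" 2>/dev/null
  printf 'subjectAltName=DNS:%s\n' "$3" > "$work/$2.ext"
  openssl x509 -req -in "$work/$2.csr" -CA "$work/$1.pem" -CAkey "$work/$1.key" \
    -CAcreateserial -days 1 -extfile "$work/$2.ext" -out "$work/$2.pem" 2>/dev/null
}

sign_letter() {  # $1 = signer prefix; hashes the letter and signs the digest
  openssl dgst -sha256 -sign "$work/$1.key" -out "$work/$1.sig" "$work/letter"
}

# Susan's side: trust only root $1, expect host $3, then check the signature with
# the public key taken from the verified certificate, never from a loose key file.
check_letter() { # $1 = trusted CA prefix, $2 = sender prefix, $3 = expected host
  if ! openssl verify -CAfile "$work/$1.pem" -verify_hostname "$3" \
         "$work/$2.pem" >/dev/null 2>&1; then
    echo "REJECT certificate"; return 0
  fi
  openssl x509 -in "$work/$2.pem" -pubkey -noout > "$work/$2.pub"
  if ! openssl dgst -sha256 -verify "$work/$2.pub" -signature "$work/$2.sig" \
         "$work/letter" >/dev/null 2>&1; then
    echo "REJECT signature"; return 0
  fi
  echo "ACCEPT"
}

echo "i have two apple !" > "$work/letter"
make_ca ca "Example Root CA"; issue_cert ca bob bob.example;     sign_letter bob
make_ca rogue "Rogue CA";     issue_cert rogue doug bob.example; sign_letter doug

check_letter ca bob  bob.example     # ACCEPT: trusted issuer, name matches
check_letter ca doug bob.example     # REJECT certificate: issuer is not trusted
check_letter ca bob  other.example   # REJECT certificate: name mismatch
```

The two rejections correspond to the two browser warnings: an untrusted issuer (step 5) and a name that does not match the site being visited (step 4).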

 

On Linux, use openssl to generate the key pair

Sunday, 17 February 2019, 14:52:25

  • Commands

root@wyi:~# openssl version

OpenSSL 1.1.0g  2 Nov 2017

root@wyi:~# openssl list -cipher-commands

 

aes-128-cbc       aes-128-ecb       aes-192-cbc       aes-192-ecb                                                            

aes-256-cbc       aes-256-ecb       base64            bf                                                                     

bf-cbc            bf-cfb            bf-ecb            bf-ofb                                                                 

camellia-128-cbc  camellia-128-ecb  camellia-192-cbc  camellia-192-ecb                                                       

camellia-256-cbc  camellia-256-ecb  cast              cast-cbc                                                               

cast5-cbc         cast5-cfb         cast5-ecb         cast5-ofb                                                              

des               des-cbc           des-cfb           des-ecb                                                                

des-ede           des-ede-cbc       des-ede-cfb       des-ede-ofb                                                            

des-ede3          des-ede3-cbc      des-ede3-cfb      des-ede3-ofb                                                           

des-ofb           des3              desx              rc2                                                                    

rc2-40-cbc        rc2-64-cbc        rc2-cbc           rc2-cfb                                                                

rc2-ecb           rc2-ofb           rc4               rc4-40                                                                 

seed              seed-cbc          seed-cfb          seed-ecb                                                               

seed-ofb

root@wyi:~#

root@wyi:~/openssltest# openssl enc -aes-256-cbc -based64 -in msg

enc: Unknown cipher based64               

enc: Use -help for summary.               

root@wyi:~/openssltest# openssl enc -aes-256-cbc -base64 -in msg                      

enter aes-256-cbc encryption password:    

Verifying - enter aes-256-cbc encryption password:

U2FsdGVkX184C/ePYMBKM+zGR1iZh5BKbMRGsJgJlZKcvw6zXEcrWSZS2Zjv3

root@wyi:~/openssltest#

[root:name]openssl genrsa -out keypai.pem 2048

Generating RSA private key, 2048 bit long modulus

.................................................................+++                                                         

.................+++

e is 65537 (0x010001)

[root:name]

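keypai.pem contains not only the private key but also the public key; however, whether you open it with cat or vim, you only see the private key.

With the openssl rsa command you can see both the public key and the private key.

[root:name]cat keypai.pem //only the private key is visible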

-----BEGIN RSA PRIVATE KEY-----

-----END RSA PRIVATE KEY-----

[root:name]vim keypai.pem


[root:name]openssl rsa -in keypai.pem -text                                                                           

Private-Key: (2048 bit)                                                                                                      

modulus:                                                                                                                     

    00:b3:ed:a1:3f:7b:77:27:0b:e5:55:31:c1:87:23:

    68:74:8e:4f:6……

publicExponent: 65537 (0x10001)       

                                                                                      

privateExponent:       

    56:33:94:bb:3b:45:9c:99:60:67:ee:8c:8f:57:f1:

    65:56:00:c7:5a……

 prime1:

    00:e8:f5:ce:2a:4b:f3:60:9a:25:d4:c8:d9:d6:b5:

    10:ae:5c:2c:cf……

prime2:

    00:c5:b9:23:20:3e:21:f3:73:fe:19:e9:95:a7:3a:

    6c:2……

exponent1:                                                                                                                   

    59:0c:fd:4e:35:d2:46:ef:25:de:fd:18:28:76:f6:                                                                            

    75:70:4……

exponent2:

    14:b0:bc:f6:40:ca:38:b9:a8:9b:79:90:09:81:d9:

    93:6……

coefficient:

    00:d5:d4:XXXXXX:9f:c3:cc:2e:48:

    b4:45:1……

writing RSA key

-----BEGIN RSA PRIVATE KEY-----

……

-----END RSA PRIVATE KEY-----

 

 


-modulus: prints the public key information (the RSA modulus).

-text: prints all of the information.

 

[wyi]$openssl rsa -in XXXXXX.com.key -pubout -out  public.pem                                                                 

writing RSA key

[wyi]$ls

XXXXX.com.key  enc  msg  public.pem

[wyi]$openssl rsa -in XXXXXX.com.key -out  prvivate.pem      //without the -pubout option, the private key is output by default

writing RSA key

[wyi]$ls

XXXXXX.com.key  enc  msg  prvivate.pem  public.pem

[wyi]$

[wyi]$head -3 prvivate.pem

-----BEGIN RSA PRIVATE KEY-----

MIIJKQIBAAKCAgEAyzc23jn8RlSTqZdhj4U3f+fV6t3/+4yRkQO4tW53e5aY9kyX                                                             

L98aRNDsRWmVd1Wy5cxrL2F31TDPVXBhjH/XEpATWErpSC1NXOj1sSdggRo82uiU                                                             

[wyi]$

[wyi]$

[wyi]$head -3 public.pem

-----BEGIN PUBLIC KEY-----

MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAyzc23jn8RlSTqZdhj4U3                                                             

f+fV6t3/+4yRkQO4tW53e5aY9kyXL98aRNDsRWmVd1Wy5cxrL2F31TDPVXBhjH/X

 

Encryption

[wyi]$ls

XXXXXX.com.key  msg  prvivate.pem  public.pem

[wyi]$cat msg

i have two apple !

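[wyi]$openssl rsautl -encrypt -in msg -out enc -inkey public.pem -pubin           //encrypt with the public key, decrypt with the private key

-pubin: indicates that the input is a public key file; by default the input is treated as a private key file.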

[wyi]$

[wyi]$ls

XXXXXX.com.key  enc  msg  prvivate.pem  public.pem

[wyi]$cat enc          //the output is binary ciphertext, not printable text

[wyi]$

 

Decryption

[wyi]$openssl rsautl -decrypt -in enc -out den-msg -inkey public.pem          //decryption with the public key is not possible

unable to load Private Key

140389739999680:error:0906D06C:PEM routines:PEM_read_bio:no start line:../crypto/pem/pem_lib.c:691:Expecting: ANY PRIVATE KEY

[wyi]$

[wyi]$openssl rsautl -decrypt -in enc -out den-msg -inkey prvivate.pem          //decrypt with the private key

[wyi]$ls

XXXXXX.com.key  den-msg  enc  msg  prvivate.pem  public.pem

[wyi]$

[wyi]$cat den-msg

i have two apple !

[wyi]$

 

 

Signing and verification: sign with the private key, verify the signature with the public key

[wyi]$openssl rsautl -sign -in msg -out singed -inkey XXXXXX.com.key          //sign with the private key

[wyi]$

[wyi]$ls

XXXXXX.com.key  den-msg  enc  msg  prvivate.pem  public.pem  singed                                                           

[wyi]$

[wyi]$head -1 singed          //the output is the binary signature, not printable text

[wyi]$

[wyi]$

[wyi]$openssl rsautl -verify -in singed -out verifiedFile -inkey public.pem         //the input was not declared to be a public key, so it is treated as a private key by default and the command fails

unable to load Private Key

140410636493248:error:0906D06C:PEM routines:PEM_read_bio:no start line:../crypto/pem/pem_lib.c:691:Expecting: ANY PRIVATE KEY

[wyi]$

[wyi]$openssl rsautl -verify -in singed -out verifiedFile -inkey public.pem -pubin     //verify the signature with the public key

[wyi]$ls

XXXXXX.com.key  den-msg  enc  msg  prvivate.pem  public.pem  singed  verifiedFile                                             

[wyi]$

[wyi]$cat verifiedFile

i have two apple !

[wyi]$

[wyi]$openssl rsautl -verify -in singed -out verifiedFile22 -inkey prvivate.pem -pubin                                       

unable to load Public Key

[wyi]$
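The rsautl session above signs the raw message, whereas steps 5 to 9 of the walkthrough sign a hash of it. The script below is an added example (not part of the original article) that carries out those steps one at a time with openssl dgst and openssl pkeyutl and shows what Susan sees for an intact letter, a modified letter and the wrong public key; the file names and the tampered text are constructed.

```shell
#!/bin/sh
# Added example. File names and the tampered letter text are constructed.
dir=$(mktemp -d)

new_keypair() {   # $1 = owner; writes $1.key (private) and $1.pub (public)
  openssl genrsa -out "$dir/$1.key" 2048 2>/dev/null
  openssl rsa -in "$dir/$1.key" -pubout -out "$dir/$1.pub" 2>/dev/null
}

# Steps 5-7: hash the letter, then sign only the 32-byte digest.
# (openssl dgst -sha256 -sign does both in one call and also records the
# hash algorithm inside the signed value; the split form shows the steps.)
sign_letter() {   # $1 = signer, $2 = letter file, $3 = signature file
  openssl dgst -sha256 -binary "$2" > "$dir/digest.sent"
  openssl pkeyutl -sign -inkey "$dir/$1.key" -in "$dir/digest.sent" -out "$3"
}

# Steps 8-9: recover the digest with the claimed sender's public key, hash the
# received letter again, and compare the two digests.
verify_letter() { # $1 = claimed sender, $2 = letter file, $3 = signature file
  if ! openssl pkeyutl -verifyrecover -pubin -inkey "$dir/$1.pub" \
         -in "$3" -out "$dir/digest.recovered" 2>/dev/null; then
    echo "BAD KEY"; return 0        # signature was not made with this key pair
  fi
  openssl dgst -sha256 -binary "$2" > "$dir/digest.fresh"
  if cmp -s "$dir/digest.recovered" "$dir/digest.fresh"; then
    echo "OK"
  else
    echo "MODIFIED"
  fi
}

new_keypair bob; new_keypair doug
echo "i have two apple !" > "$dir/letter"
sign_letter bob "$dir/letter" "$dir/letter.sig"
echo "i have ten apple !" > "$dir/tampered"

verify_letter bob  "$dir/letter"   "$dir/letter.sig"   # OK
verify_letter bob  "$dir/tampered" "$dir/letter.sig"   # MODIFIED
verify_letter doug "$dir/letter"   "$dir/letter.sig"   # BAD KEY
```

In OpenSSL 3.0 and later rsautl is deprecated in favour of pkeyutl, which is why the example uses pkeyutl.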