Introduction to How Public Key Systems, Digital Signatures and Digital Certificates Work (repost)

Reposted by conkeyn.

 

Translator's preface:
An algorithm that uses the same key for encryption and decryption is called a symmetric encryption algorithm; one that uses different keys for encryption and decryption is called an asymmetric encryption algorithm, and public key systems belong to the asymmetric class. With symmetric encryption, what has to be protected is the shared symmetric key; with a public key algorithm, it is the private key.
Public key encryption, and the digital signature and digital certificate techniques derived from it, are not only used widely in Internet communication (for example SSL/TLS under HTTPS) but are also receiving more and more attention on standalone systems: Windows XP device drivers and .NET GAC assemblies, for instance, both require digital signatures. Starting with Windows 98/NT4, Microsoft has shipped CryptoAPI, which supports symmetric algorithms such as DES, RC2, RC4 and IDEA, asymmetric algorithms such as the RSA public key system, and digest (also called hash) algorithms such as MD5, SHA and MAC.
This article is translated from:
http://developer.netscape.com/tech/security/ssl/howitworks.html

It is a lively, accessible piece that helps a great deal in understanding how public key systems work. There is already a translation on CSDN:

http://www.csdn.net/Develop/article/27/27524.shtm
In my opinion, though, that translation is not accurate enough in the key places and does not read smoothly. This translation builds on it, uses the common renderings for the key terms, paraphrases in a few places, and includes the English original, so wherever the translation is off you can compare against the original.
I hope it is of some help to those interested in public key systems.

BTW: for every symmetric and asymmetric algorithm mentioned above, the encryption and decryption algorithms themselves are public; as long as the key is unknown, the designers are confident the result cannot be broken easily. This is quite unlike WAPI :)

The original article follows:

Public key encryption is a technique that uses a pair of asymmetric keys for encryption and decryption. Each pair of keys consists of a public key and a private key. The public key is made public by distributing it widely. The private key is never distributed; it is always kept secret.

Data that is encrypted with the public key can be decrypted only with the private key. Conversely, data encrypted with the private key can be decrypted only with the public key. This asymmetry is the property that makes public key cryptography so useful.

USING PUBLIC KEY CRYPTOGRAPHY FOR AUTHENTICATION

Authentication is the process of verifying identity so that one entity can be sure that another entity is who it claims to be. In the following example involving Alice and Bob, public key cryptography is easily used to verify identity. The notation {something}key means that something has been encrypted or decrypted using key.

Suppose Alice wants to authenticate Bob. Bob has a pair of keys, one public and one private. Bob discloses to Alice his public key (the way he does this is discussed later). Alice then generates a random message and sends it to Bob:

  A->B   random-message

Bob uses his private key to encrypt the message and returns the encrypted version to Alice:

B->A   {random-message}bobs-private-key

Alice receives this message and decrypts it by using Bob's previously published public key. She compares the decrypted message with the one she originally sent to Bob; if they match, she knows she's talking to Bob. An imposter presumably wouldn't know Bob's private key and would therefore be unable to properly encrypt the random message for Alice to check.

BUT WAIT, THERE'S MORE

Unless you know exactly what you are encrypting, it is never a good idea to encrypt something with your private key and then send it to somebody else. This is because the encrypted value can be used against you (remember, only you could have done the encryption because only you have the private key).

So, instead of encrypting the original message sent by Alice, Bob constructs a message digest and encrypts that. A message digest is derived from the random message in a way that has the following useful properties:

The digest is difficult to reverse. Someone trying to impersonate Bob couldn't get the original message back from the digest.
An impersonator would have a hard time finding a different message that computed to the same digest value.

(Translator's note: a digest algorithm is also called a hash algorithm.)

GETTING CLOSER

The technique just described is known as a digital signature. Bob has signed a message generated by Alice, and in doing so he has taken a step that is just about as dangerous as encrypting a random value originated by Alice. Consequently, our authentication protocol needs one more twist: some (or all) of the data needs to be originated by Bob.

A->B  hello, are you bob?
B->A    Alice, This Is bob { digest[Alice, This Is Bob] } bobs-private-key

When he uses this protocol, Bob knows what message he is sending to Alice, and he doesn't mind signing it. He sends the unencrypted version of the message first, "Alice, This Is Bob." Then he sends the digested-encrypted version second. Alice can easily verify that Bob is Bob, and Bob hasn't signed anything he doesn't want to.


HANDING OUT PUBLIC KEYS

How does Bob hand out his public key in a trustworthy way? Let's say the authentication protocol looks like this:

A->B   hello
B->A  Hi, I'm Bob, bobs-public-key
A->B prove it
B->A Alice, This Is bob  { digest[Alice, This Is Bob] } bobs-private-key


With this protocol, anybody can be Bob. All you need is a public and private key. You lie to Alice and say you are Bob, and then you provide your public key instead of Bob's. Then you prove it by encrypting something with the private key you have, and Alice can't tell you're not Bob.

To solve this problem, the standards community has invented an object called a certificate. A certificate has the following content:

The certificate issuer's name
The entity for whom the certificate is being issued (aka the subject)
The public key of the subject
Some time stamps

The certificate is signed using the certificate issuer's private key. Everybody knows the certificate issuer's public key (that is, the certificate issuer has a certificate, and so on...). Certificates are a standard way of binding a public key to a name.


By using this certificate technology, everybody can examine Bob's certificate to see whether it's been forged. Assuming that Bob keeps tight control of his private key and that it really is Bob who gets the certificate, then all is well. Here is the amended protocol:

A->B   hello
B->A Hi, I'm Bob, bobs-certificate
A->B prove it
B->A Alice, This Is bob { digest[Alice, This Is Bob] } bobs-private-key

Now when Alice receives Bob's first message, she can examine the certificate, check the signature (as above, using a digest and public key decryption), and then check the subject (that is, Bob's name) and see that it is indeed Bob. She can then trust that the public key is Bob's public key and request Bob to prove his identity. Bob goes through the same process as before, making a message digest of his design and then responding to Alice with a signed version of it. Alice can verify Bob's message digest by using the public key taken from the certificate and checking the result.


A bad guy - let's call him Mallet - can do the following:

A->M hello
M->A Hi, I'm Bob, bobs-certificate
A->M prove it
M->A   ????

But Mallet can't satisfy Alice in the final message. Mallet doesn't have Bob's private key, so he can't construct a message that Alice will believe came from Bob.


EXCHANGING A SECRET

Once Alice has authenticated Bob, she can do another thing - she can send Bob a message that only Bob can decode:

A->B   {secret}bobs-public-key


The only way to find the secret is by decrypting the above message with Bob's private key. Exchanging a secret is another powerful way of using public key cryptography. Even if the communication between Alice and Bob is being observed, nobody but Bob can get the secret.


This technique strengthens Internet security by using the secret as another key, but this time it's a key to a symmetric cryptographic algorithm (such as DES, RC4, or IDEA). Alice knows the secret because she generated it before sending it to Bob. Bob knows the secret because Bob has the private key and can decrypt Alice's message. Because they both know the secret, they can both initialize a symmetric cipher algorithm and then start sending messages encrypted with it. Here is a revised protocol:

A->B  hello
B->A  Hi, I'm Bob, bobs-certificate
A->B  prove it
B->A  Alice, This Is bob { digest[Alice, This Is Bob] } bobs-private-key
A->B ok bob, here is a secret {secret} bobs-public-key
B->A  {some message}secret-key

How secret-key is computed is up to the protocol being defined, but it could simply be a copy of secret.

(Translator's note: public key algorithms are expensive when encrypting large amounts of data, so bulk data is normally encrypted with a symmetric algorithm; routine traffic could not bear the cost of the public key system. That is why, once the identity has been verified, the article uses the reliability of the public key system to exchange a symmetric key, and all later traffic is protected with the symmetric algorithm.)
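The protocol developed across this article, run end to end in Python, as an added example (it is not code from the original article, from Netscape, or from the translator): the raw challenge-response of the first section and the reason Bob must not apply his private key to arbitrary input, digest signing of a message Bob composes himself, a certificate that binds the name "Bob" to his key and carries the issuer's signature, Mallet's failed attempt to reuse Bob's certificate, and the closing {secret}bobs-public-key exchange. Everything concrete here is an assumption of the example rather than something the article specifies: textbook RSA with fixed Mersenne primes and no padding, a SHA-256 digest truncated to 160 bits, the issuer name "Toy CA", integer time stamps, and a constant secret. It needs Python 3.8 or later.

```python
"""Toy end-to-end run of the protocol this article builds up: raw challenge-response,
the signing-oracle trap, digest signing, a certificate binding Bob's name to his key,
Mallet's failed impersonation, and the closing secret exchange.  Textbook (unpadded)
RSA over fixed Mersenne primes keeps each step as plain modular arithmetic; real
systems generate random primes and use padded schemes (RSA-PSS, RSA-OAEP) and X.509."""
import hashlib
from dataclasses import dataclass, replace

E = 65537

def toy_keypair(p: int, q: int):
    """Return ((e, n), (d, n)) for primes p, q with gcd(e, (p-1)(q-1)) == 1."""
    n = p * q
    return (E, n), (pow(E, -1, (p - 1) * (q - 1)), n)  # modular inverse, Python 3.8+

# Three pairs from six distinct Mersenne primes 2^k - 1 (toy parameters).  65537 divides
# 2^m - 1 only when 32 | m, and 32 divides none of the k - 1 used here, so e is valid.
BOB_PUB, BOB_PRIV = toy_keypair((1 << 107) - 1, (1 << 127) - 1)
CA_PUB, CA_PRIV = toy_keypair((1 << 89) - 1, (1 << 521) - 1)
MALLET_PUB, MALLET_PRIV = toy_keypair((1 << 61) - 1, (1 << 607) - 1)

def apply_key(x: int, key) -> int:
    """{x}key in the article's notation: x^exp mod n, with either half of a pair."""
    exp, n = key
    return pow(x, exp, n)

def digest(msg: bytes) -> int:
    """Message digest as an integer: SHA-256 truncated to 160 bits so it is below every n."""
    return int.from_bytes(hashlib.sha256(msg).digest()[:20], "big")

# -- Protocol 1: Bob applies his private key to whatever Alice sends ------------------
def naive_challenge_response(random_message: int) -> bool:
    response = apply_key(random_message, BOB_PRIV)         # {random-message}bobs-private-key
    return apply_key(response, BOB_PUB) == random_message  # Alice's check

def signing_oracle_attack(secret: int) -> int:
    """Why that is dangerous: Mallet's 'random message' is really {secret}bobs-public-key,
    and in textbook RSA the private-key operation is decryption, so Bob returns the secret."""
    disguised = apply_key(secret, BOB_PUB)
    return apply_key(disguised, BOB_PRIV)                  # what Bob hands back

# -- Protocol 2: sign a digest instead -----------------------------------------------
def sign(msg: bytes, priv) -> int:
    return apply_key(digest(msg), priv)

def verify(msg: bytes, sig: int, pub) -> bool:
    return apply_key(sig, pub) == digest(msg)

def digest_response_leaks(secret: int) -> bool:
    """Same trick against a Bob who signs digest(challenge): he returns digest(c)^d, not c^d."""
    disguised = apply_key(secret, BOB_PUB)
    return sign(disguised.to_bytes(32, "big"), BOB_PRIV) == secret

# -- Certificate: issuer, subject, subject's key, time stamps, issuer's signature -------
@dataclass(frozen=True)
class Certificate:
    issuer: str
    subject: str
    public_key: tuple
    not_before: int   # toy integer time stamps
    not_after: int
    signature: int = 0

    def to_be_signed(self) -> bytes:
        return repr((self.issuer, self.subject, self.public_key,
                     self.not_before, self.not_after)).encode()

def issue_certificate(issuer, issuer_priv, subject, subject_pub, not_before, not_after):
    cert = Certificate(issuer, subject, subject_pub, not_before, not_after)
    return replace(cert, signature=sign(cert.to_be_signed(), issuer_priv))

def verify_certificate(cert, issuer_pub, expected_subject: str, now: int) -> bool:
    return (verify(cert.to_be_signed(), cert.signature, issuer_pub)
            and cert.subject == expected_subject
            and cert.not_before <= now <= cert.not_after)

# -- The amended protocol plus the secret exchange, run from Alice's side --------------
def handshake(cert, responder_priv, now: int = 1000):
    """hello / Hi I'm Bob + cert / prove it / signed reply / {secret}bobs-public-key.
    Returns (authenticated, secret as Alice chose it, secret as the responder recovers it)."""
    if not verify_certificate(cert, CA_PUB, "Bob", now):
        return False, None, None
    reply = b"Alice, This Is Bob"                          # originated by the responder
    if not verify(reply, sign(reply, responder_priv), cert.public_key):
        return False, None, None                           # Mallet fails here: wrong private key
    secret = 0xC0FFEE1234                                  # constructed; drawn at random in practice
    boxed = apply_key(secret, cert.public_key)             # {secret}bobs-public-key
    return True, secret, apply_key(boxed, responder_priv)

if __name__ == "__main__":
    bob_cert = issue_certificate("Toy CA", CA_PRIV, "Bob", BOB_PUB, 0, 2000)
    print("Bob with his certificate:", handshake(bob_cert, BOB_PRIV)[0])
    print("Mallet presenting Bob's certificate:", handshake(bob_cert, MALLET_PRIV)[0])
    print("naive protocol leaks 0xC0FFEE:", hex(signing_oracle_attack(0xC0FFEE)))
```

`signing_oracle_attack` is the concrete form of the warning in BUT WAIT, THERE'S MORE: because the textbook private-key operation is also RSA decryption, a Bob who blindly "encrypts" Alice's random message will decrypt any ciphertext that was addressed to him. Signing a digest closes that hole (`digest_response_leaks` returns False), and the certificate check is what stops Mallet, who can present Bob's certificate but cannot produce the signed reply under Bob's public key.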
