Table of contents

1. Message Encryption

Message exchange in networks

• unencrypted
  • send message all in plaintext
  • not safe, easy to be read by others, not friendly to confidential data
  • example: HTTP
• encrypted
  • example: HTTPS

2. Symmetric encryption vs. Asymmetric encryption

With synmetric encryption

Procedure

• A and B shared a trustworthy key together(made agreement outside network before use it)
• A encrypt message M with key K, and sent
• B get encrypted message and decode with key K

Pain point

• Need a shared key outside network

With asymmetric encryption

A small intro to Asymmetric encryption

• machanism
  • a key pair including a public key and a private key
  • text encrypted by public key can only be dencrypted by private key, vice versa.

Procedure

• A send A.pub to B, and B send B.pub to A
• if A wants to talk to B, A use B.pub to encrypt message M, got M/B.pub
• B get M/B.pub, and use B.pri to dencrypt, got M
• if B wants to reply, B use A.pub …
• In this way, message in network are all M/X.pub and can’t be dencryted unless you have private key, which is impossible.

Pain point

• public key still need to be shared by network without encryption, thus cause Man-In-The-Middle attack.

http://www.360doc.com/content/15/0330/11/2664229_459253274.shtml
Man in the middle解释，看道格盗取鲍勃的public key。

3. CA and Digital Signature

Purpose

• To avoid man-in-the-middle, provide trustful public key associate with trustful subject

Digital Signature

A identification of an object, just like id card. Generated by trustful authority called CA(certificate authority).

Format

X509 Certifiation is a public accepted format.

Usage

• A trust CA, B trust CA, both of them have CA.pub
• A apply for a Digital Signature
  • A send A.information and A.pub to CA
    • bundle: A.information + A.pub
  • CA verify the information(example 通过访问A上是否有和信息相符的验证文件来确定A不是被冒充申请的证书)
  • CA add CA.expiredTime and CA.information
    • bundle: A.information + A.pub + CA.expiredTime +CA.information
  • CA hash on bundle and encrypt it with CA.pri, and that’s Digital Signature/A+CA
  • Certificate = A.information + A.pub + Digital Signature/A+CA
• A send request to B with Certificate
  • B use CA.pub to dencrypt the Digital Signature/A+CA
  • B hash plaintext, compare with Digital Signature after hash
  • B then build a trust connetion

好文章
https://zhuanlan.zhihu.com/p/267047441

Certificate Authority

CA chain

https://sectigo.com/resource-library/what-is-x509-certificate

https://www.ssl.com/faqs/what-is-an-x-509-certificate/

Other

1. 网络加密通信的应用

   link_to_page

Update on 8/14/23

Common seen Abbreviation

1. RFC(Requests for Comments): Specifications & Contracts & Documents
2. IETF(Internet Engineering Task Force): Organization

Mind map

1. To prevent data to be steal while transmitting, all data package should be encrypted.