Unit 3: Cryptography 3.1 Cryptography Website Demo

>> Your browser is instructed to go to www.Citibank.com.

And immediately the Citibank web server gives a digital certificate to your browser.

(Aside: everything starts with the certificate being handed to the browser. What if it is a gambling site or a rogue site handing its certificate to the browser? Will the browser reject the certificates of every malicious organization? Hoping to run into related context later on.)

Your browser comes up with a pseudorandomly-generated symmetric key based
on recent mouse movements and key presses.

The browser encrypts the symmetric key with Citibank's public key,
which is a field in the digital certificate.

Citibank's private key decrypts the symmetric key.

Now both sides have a shared secret.

Your browser and the Citibank web server now use that same symmetric key
to encrypt and decrypt in both directions.

We've just gotten the best of both symmetric and asymmetric encryption; in other words,
we now have the speed of symmetric encryption
but we haven't exposed the shared secret over an insecure medium.

It was encrypted with the public key of Citibank.

And Citibank is the only entity with the antidote.
In fact, this is the most common usage of asymmetric encryption -- not to encrypt actual data,
but rather a shared symmetric secret.

But wait a minute, how do we know that it is really Citibank's public key?
Well, we did say that the certificate authority signed the digital certificate.

But wait a minute, how do we know that the signature itself is valid?
If we can validate that the CA is really the CA and really did sign the certificate,
we can feel safe and secure that the public key
of Citibank really is the public key of Citibank.

Of course, all this validation happens before the symmetric key is encrypted
by the browser with the public key of Citibank.

Here's the final piece of the story.

The CA hashed the public key of Citibank and encrypted it
with their -- the CA's -- private key.

That's a field on the digital certificate.

In fact, that's the actual digital signature we've been talking about all along.

Your browser retrieves the CA's digital certificate
from the browser's trusted root certificate store -- stored locally on your machine --
and decrypts the encrypted hash with the CA's public key.

Your browser also hashes Citibank's public key itself.

If the two hashes match, it could only have been encrypted by the CA.

Because if the hash decrypts with the CA's public key,
it could only have been encrypted with their private key.

If the CA's private key was stolen, they would have revoked it
and it would have been all over the news.

Furthermore, your browser does actually check
to see if root certificates from the CAs are still valid.

Now that we trust the CA is really the CA, we can trust that Citibank is really Citibank.

Reposted from: https://www.cnblogs.com/sec875/articles/10321343.html
