公钥密码学 公钥基础设施_公钥密码学简介

公钥密码学 公钥基础设施

If you’re into software development, you have probably already been introduced to cryptography in one way or another. Signing messages, encrypting payloads, verifying signatures, and using certificates; these are all features we use every day even when we’re not aware of it.

如果您从事软件开发，那么您可能已经以一种或另一种方式被介绍给密码学。 签名消息，加密有效载荷，验证签名和使用证书； 这些都是我们每天都使用的功能，即使我们不知道也是如此。

Public-key cryptography, or asymmetric cryptography, is a topic of broad scientific research starting back in the mid-70s, as well as the target of numerous books and research papers to this day.

公钥密码术或非对称密码术是70年代中期开始的广泛科学研究的主题，也是当今众多书籍和研究论文的目标。

This piece is by no means an attempt to present cryptography in any level of scientific or academic detail.

这绝不是试图以任何水平的科学或学术细节介绍密码技术。

Instead, I’ll try to showcase the key functional concepts behind asymmetric cryptography and provide examples of how you can use it (while trying to avoid jargon as much as possible).

相反，我将尝试展示非对称加密背后的关键功能概念，并提供有关如何使用它的示例(同时尽量避免使用术语)。

In the following sections we’ll discuss:

在以下各节中，我们将讨论：

• Symmetric vs. asymmetric cryptography.
  对称加密与非对称加密。
• Key generation.
  密钥生成。
• Asymmetric encryption, or how to send encrypted messages.
  非对称加密，或如何发送加密的消息。
• Signing payloads.
  签署有效载荷。
• Certificates.
  证书。

对称加密与非对称加密 (Symmetric vs. Asymmetric Cryptography)

The differentiation of symmetric vs. asymmetric cryptography lies in the way in which keys are used to deliver the underlying cryptographic functions:

对称加密与非对称加密的区别在于使用密钥来交付基础加密功能的方式：

With symmetric encryption, one key is shared with one or more parties (image by author)

通过对称加密，一个密钥可以与一个或多个参与者共享(作者提供的图像)

In symmetric encryption, the same key is used both for encryption as well as for decryption. The key becomes a shared secret, shared between the participants.

在对称加密中，同一密钥既用于加密又用于解密。 密钥成为参与者之间共享的共享秘密。

Evidently, as the number of participants grows, the risk of having the secret key leaked grows too.

显然，随着参与者数量的增加，泄露密钥的风险也随之增加。

In the above figure, if e.g. Steve’s PC is compromised, anyone having obtained the secret key could also decrypt all messages sent to Alice, John, and Elizabeth.

在上图中，如果例如史蒂夫(Steve)的PC受到威胁，则获得密钥的任何人都可以解密发送给爱丽丝(Alice)，约翰(John)和伊丽莎白(Elizabeth)的所有消息。

So, once the shared secret is compromised in any single location, the security of the whole system becomes compromised. This very requirement of using a single shared key, as well as finding a secure way to propagate it, is what symmetric encryption’s major drawback is.

因此，一旦共享秘密在任何单个位置受到破坏，整个系统的安全性就会受到损害。 对称加密的主要缺点是使用单个共享密钥以及找到安全的方式来传播它的要求。

Symmetric encryption was the principal encryption mechanism used until the mid-70s, when researchers started suggesting a different approach for creating and, more importantly, propagating keys.

对称加密是直到70年代中期之前使用的主要加密机制，当时研究人员开始提出一种不同的方法来创建和传播密钥，更重要的是。

This is when asymmetric encryption was born:

这是非对称加密诞生的时候：

With asymmetric encryption, parties maintain key-pairs and exchange public keys (image by author)

使用非对称加密，各方可以维护密钥对并交换公共密钥(作者提供的图像)

In asymmetric encryption, each party is the owner of a pair of keys, a public and a private key.

在非对称加密中，每一方都是一对密钥(公共密钥和私有密钥)的所有者。

The major breakthrough was that the public key was not a shared secret that should be carefully kept hidden by two or more parties. Instead, participants could exchange public keys over untrusted networks and even share one’s public key with anybody else.

最大的突破是，公开密钥不是共享的秘密，应该由两个或多个参与者小心地隐藏起来。 相反，参与者可以在不受信任的网络上交换公钥，甚至可以与其他任何人共享一个人的公钥。

Symmetric encryption revolutionized the cryptography domain and it is nowadays the foundation of most large-scale encryption schemes; for example, the internet.

对称加密彻底改变了密码学领域，如今它已成为大多数大规模加密方案的基础。 例如，互联网。

密钥生成 (Key Generation)

The creation of public and private keys in asymmetric encryption depends on mathematical problems, in particular one-way functions.

非对称加密中公钥和私钥的创建取决于数学问题，尤其是单向函数。

One-way functions have the characteristic of being easy to be solved in one way (i.e. generating a key) but very computationally expensive to be calculated in inverse (i.e. finding the key when having an encrypted payload).

单向函数的特征是易于以一种方式解决(即生成密钥)，但计算起来却反过来非常昂贵(即在具有加密的有效载荷时找到密钥)。

As I promised at the beginning of this article, I won’t unnecessarily use technical jargon related to cryptography. However, let’s just keep this one thing in mind: not all keys are created equal.

正如我在本文开头所承诺的那样，我不会不必要地使用与密码学有关的技术术语。 但是，让我们牢记这一件事：并非所有键都是相同的。

The quality and strength of a key depend on the algorithm used to generate it as well as the number of bits it is comprised of.

密钥的质量和强度取决于生成密钥的算法以及密钥的位数。

The current key-size recommendation for keys generated using Diffie-Hellman algorithms is 2048 bits or larger, and approximately 1/10th of that for keys generated using Elliptic Curves algorithms.

当前使用Diffie-Hellman算法生成的密钥的密钥大小建议为2048位或更大，约为使用椭圆曲线算法生成的密钥的1/10。

So, time to create our first asymmetric encryption key-pair using the Swiss army knife of cryptography tools, LibreSSL (v2.8.3 — if you’re using OpenSSL, most of the commands below should work as well).

因此，是时候使用瑞士的加密工具军刀LibreSSL (v2.8.3-如果使用的是OpenSSL ，下面的大多数命令也应该可以)创建我们的第一个非对称加密密钥对。

创建一个加密的私钥 (Creating an encrypted private key)

openssl genrsa -des3 -out alice-privatekey.pem 2048openssl genrsa -des3 -out bob-privatekey.pem 2048

You have now successfully generated private keys for Alice and Bob. There are additional options in both LibreSSL and OpenSSL specifying properties of the key, including the use of an elliptic curve algorithm during generation.

您现在已经成功为Alice和Bob生成了私钥。 LibreSSL和OpenSSL中都有指定密钥属性的其他选项，包括在生成过程中使用椭圆曲线算法。

The private key should be kept, well... private and never be shared with anyone else.

私钥应该保持，好...私密，切勿与其他任何人共享。

从私钥中提取公钥 (Extracting the public key from the private key)

openssl rsa -in alice-privatekey.pem -outform PEM -pubout -out alice-publickey.pemopenssl rsa -in bob-privatekey.pem -outform PEM -pubout -out bob-publickey.pem

The public keys of Alice and Bob are now extracted and can be sent to any interested party as there is no sensitive information embedded in it.

现在，由于没有嵌入任何敏感信息，因此可以提取Alice和Bob的公钥并将其发送给任何感兴趣的方。

非对称加密，或如何发送加密的消息 (Asymmetric Encryption, or How to Send Encrypted Messages)

Asymmetric encryption works with public and private keys. To send an encrypted message, the public key of the recipient is used during encryption and the private key of the recipient is used during decryption, as depicted next:

非对称加密适用于公钥和私钥。 要发送加密的消息，在加密过程中使用接收者的公钥，在解密过程中使用接收者的私钥，如下所示：

Public-key encryption/decryption (image by author)

公钥加密/解密(作者提供的图片)

Here are the steps involved in the above scenario, where Alice wants to send an encrypted message to Bob:

以下是上述场景中涉及的步骤，其中Alice希望将加密的消息发送给Bob：

1. Alice obtains the public key of Bob.
   爱丽丝获得鲍勃的公钥。
2. Alice stores Bob’s public key for future usage.
   爱丽丝存储鲍勃的公钥以备将来使用。
3. Alice uses Bob’s public key together with the payload to be encrypted and passes them through her encryption software.
   爱丽丝将鲍勃的公钥与有效载荷一起使用，然后将其通过她的加密软件进行加密。
4. The encrypted payload is sent to Bob.
   加密的有效负载将发送到Bob。
5. Bob passes his private key and the encrypted message sent by Alice to his decryption software.
   鲍勃将自己的私钥和爱丽丝发送给他的解密软件的加密消息传递出去。
6. Bob gets the original payload Alice sent.
   Bob获得了Alice发送的原始有效负载。

So, let’s move to the practical part and use Bob’s public key to send him an encrypted file. Oh, wait… we can’t!

因此，让我们进入实际部分，并使用Bob的公钥向他发送加密文件。 哦，等等……我们不能！

混合加密 (Hybrid encryption)

There’s nothing wrong with the theoretical part presented above as it works exactly as advertised. However, there’s a “catch” with asymmetric encryption: the size of your to-be-encrypted payload must (almost) match the size of the public key you’re using for the encryption.

上面介绍的理论部分没有任何问题，因为它的工作原理与广告宣传完全一样。 但是，存在不对称加密的“陷阱”：要加密的有效负载的大小必须(几乎)与用于加密的公钥的大小匹配。

So, for sending Bob a photo of approximately 1MB, you’d need Bob to have a public key of at least 8 million bits. That’s eight million 1s and 0s, one after the other. Probably not that practical — if even achievable, to generate such a key.

因此，要向Bob发送大约1MB的照片，您需要Bob拥有至少800万比特的公共密钥。 那是八百万个1和0，一个接一个。 生成这样的密钥可能不那么实际-即使可以实现。

Although you could create a construct in which asymmetric encryption is used in block mode to encrypt large payloads, by encrypting the payload in smaller bits close to the size of the available public key, in practice, that’s something nobody is using. It’s inefficient in terms of space used, and it’s going to be very slow.

尽管您可以创建一种结构，在该结构中以块模式使用非对称加密来加密大型有效负载，但是通过以接近可用公共密钥大小的较小比特来加密有效负载，实际上，这是没人在使用的东西。 就使用的空间而言，它效率很低，而且会非常慢。

To alleviate the key size restriction of asymmetric encryption, the current practice is to use hybrid encryption:

为了减轻非对称加密的密钥大小限制，当前的做法是使用混合加密：

Hybrid encryption (image by author)

混合加密(作者提供的图像)

In hybrid encryption, a random symmetric key is created to encrypt the payload and the public key is used to encrypt the random symmetric key. Let’s see how this works:

在混合加密中，将创建一个随机对称密钥来加密有效负载，并使用公共密钥来加密随机对称密钥。 让我们看看它是如何工作的：

1. Bob sends his public key to Alice.
   鲍勃将他的公钥发送给爱丽丝。
2. Alice generates a shared symmetric key.
   爱丽丝生成共享的对称密钥。
3. Alice encrypts the symmetric key with Bob’s public key.
   爱丽丝用鲍勃的公钥加密对称密钥。
4. Alice encrypts the message with the shared key created in (2).
   爱丽丝使用(2)中创建的共享密钥对消息进行加密。
5. Alice sends to Bob the encrypted message and the encrypted shared key.
   爱丽丝将加密的消息和加密的共享密钥发送给鲍勃。
6. Bob decrypts the shared key using his private key.
   鲍勃使用他的私钥解密共享密钥。
7. Bob decrypts the encrypted message using the shared key.
   鲍勃使用共享密钥解密加密的消息。

The above scenario is lengthy and tedious if performed manually. However, there are well-established tools and standards automating the process of securely exchanging messages and files, such as OpenPGP and its incarnation in PGP and GPG.

如果手动执行，上述情况将是冗长而乏味的。 但是，有完善的工具和标准可以自动安全地交换消息和文件，例如OpenPGP及其在PGP和GPG中的化身。

使用GPG加密(GNU Privacy Guard) (Encrypting with GPG (The GNU Privacy Guard))

GnuPG is a complete and free implementation of the OpenPGP standard as defined by RFC4880 (also known as PGP).

GnuPG是RFC4880 (也称为PGP)定义的OpenPGP标准的完整和免费实现。

GnuPG allows you to encrypt and sign your data and communications and features a versatile key management system, along with access modules for all kinds of public key directories.

GnuPG允许您对数据和通信进行加密和签名，并具有通用的密钥管理系统以及用于各种公钥目录的访问模块。

Let’s now try sending an encrypted file from Alice to Bob using GPG:

现在，让我们尝试使用GPG将加密文件从Alice发送到Bob：

1. Both Alice and Bob need to create GPG key-pairs:

   爱丽丝和鲍勃都需要创建GPG密钥对：

   Both Alice and Bob need to create GPG key-pairs:gpg --gen-key

   爱丽丝和鲍勃都需要创建GPG密钥对： gpg --gen-key

2. Bob should export his public key and send it to Alice:

   鲍勃应导出其公共密钥，并将其发送给爱丽丝：

   Bob should export his public key and send it to Alice:gpg --output bob.gpg --export bob@bob.com

   鲍勃应导出其公钥并将其发送给爱丽丝： gpg --output bob.gpg --export bob@bob.com

3. Once Alice receives Bob’s public key, she should import it into her local key-database:

   爱丽丝收到鲍勃的公钥后，应将其导入到本地密钥数据库中：

   Once Alice receives Bob’s public key, she should import it into her local key-database:gpg --import bob.gpg

   爱丽丝收到鲍勃的公钥后，应将其导入本地密钥数据库： gpg --import bob.gpg

4. Alice creates an unencrypted message:

   爱丽丝创建未加密的消息：

   Alice creates an unencrypted message:echo "Hello Bob" > bob.msg

   爱丽丝创建未加密的消息： echo "Hello Bob" > bob.msg

5. Alice encrypts the message and sends the encrypted messages together with the encrypted shared key to Bob:

   爱丽丝对消息进行加密，并将加密的消息与加密的共享密钥一起发送给鲍勃：

   Alice encrypts the message and sends the encrypted messages together with the encrypted shared key to Bob:gpg --output bob.msg.gpg --encrypt --recipient bob@bob.com bob.msg

   爱丽丝对消息进行加密，然后将加密的消息与加密的共享密钥一起发送给鲍勃： gpg --output bob.msg.gpg --encrypt --recipient bob@bob.com bob.msg

6. Bob receives the encrypted message and decrypts it by decrypting the shared key and with it decrypting the encrypted message:

   Bob接收到加密的消息，并通过解密共享密钥并解密解密的消息来解密它：

   Bob receives the encrypted message and decrypts it by decrypting the shared key and with it decrypting the encrypted message:gpg --output bob.msg --decrypt bob.msg.pgp

   Bob接收到加密的消息，并通过解密共享密钥并解密解密的消息来解密它： gpg --output bob.msg --decrypt bob.msg.pgp

GPG and PGP are both widely used and already incorporated in many of the products we daily use, such as in email clients, so you rarely have to perform the above sequence manually.

GPG和PGP都已被广泛使用，并且已经包含在我们日常使用的许多产品中，例如电子邮件客户端，因此您几乎不必手动执行上述顺序。

签署有效载荷 (Signing Payloads)

Sometimes, it may not be necessary to encrypt the content of the message, however, we may still want to be sure of the identity of the sender. Other times, the content needs to be encrypted and the sender’s identity needs to be validated too. In both cases, this is where we use digital signatures.

有时，不一定需要加密消息的内容，但是，我们可能仍要确保发送者的身份。 其他时候，内容需要加密，发送者的身份也需要验证。 在两种情况下，这都是我们使用数字签名的地方。

Before we see how a digital signature is generated and how it can be helpful to validate the content, as well as the identity of the sender, let’s make an important distinction here — something I often see people use interchangeably: digital signatures are not electronic signatures.

在我们看到数字签名的生成方式以及如何对内容进行验证以及对发件人的身份进行验证之前，让我们在这里进行重要的区分-我经常看到人们可以互换使用：数字签名不是电子签名。

电子签名 (Digital signature)

A digital signature is just a mathematic proof for verifying the authenticity of digital messages.

数字签名只是用于验证数字消息的真实性的数学证明。

It allows the recipient of a message, with a very high degree of certainty, to believe that a specific message was created by a known sender and that the message was not altered in transit.

它允许邮件的接收者以非常高的确定性相信特定的邮件是由已知的发件人创建的，并且该邮件在传输过程中没有被更改。

电子签名 (Electronic signature)

An electronic signature carries the intent of a physical signature, very often implemented using digital signatures.

电子签名带有物理签名的意图，通常使用数字签名来实现。

In many countries, an electronic signature provides the same legal standing as a handwritten signature as long as it adheres to the requirements of the specific regulation it was created under.

在许多国家/地区，电子签名只要符合其所依据的特定法规的要求，就可以提供与手写签名相同的法律地位。

A digital signature is produced by the sender using a private key, and validated by the recipient using the sender’s public key:

发送者使用私钥生成数字签名，接收者使用发送者的公钥验证数字签名：

Verifying a message with a digital signature (image by author)

验证带有数字签名的消息(作者提供的图像)

1. Alice sends her public key to Bob.
   爱丽丝将她的公钥发送给鲍勃。

2. Alice creates a message and produces a digital signature using her public key. The digital signature is, often, produced on a calculated hash of the message, for example, on a resulting SHA-256.

   爱丽丝创建一条消息，并使用她的公共密钥生成数字签名。 通常，在消息的计算出的哈希值上，例如在所得的SHA-256上，产生数字签名。

3. Bob receives the original, unencrypted message and Alice’s digital signature for that message.
   Bob收到了原始的未加密消息以及该消息的Alice的数字签名。
4. Bob re-calculates the digital signature of the original, unencrypted message using Alice’s public key and compares it with the signature Alice sent.
   Bob使用Alice的公钥重新计算了原始未加密消息的数字签名，并将其与Alice发送的签名进行了比较。
5. If both signatures match, Bob knows it was Alice who sent the original message and that the content of the message hasn’t been changed.
   如果两个签名都匹配，则Bob知道发送原始消息的是Alice，并且消息的内容没有更改。

Let’s see next how to create a digital signature and how the recipient can verify that the received message has not been tampered with.

接下来，让我们看看如何创建数字签名，以及收件人如何验证收到的邮件是否未被篡改。

签发签名 (Issuing a signature)

openssl dgst -sha256 -sign alice-privatekey.pem -out bob.msg.sign bob.msg

The above command uses Alice’s private key to calculate a digital signature on the SHA-256 output for the file bob.msg. Alice then sends the bob.msg as well as the bob.msg.sign files to Bob.

上面的命令使用Alice的私钥为文件bob.msg在SHA-256输出上计算数字签名。 然后，爱丽丝将bob.msg以及bob.msg.sign文件发送给Bob。

验证签名 (Verifying a signature)

openssl dgst -sha256 -verify alice-publickey.pem -signature bob.msg.sign bob.msg

Bob receives the two files from Alice and proceeds with verifying the signature using Alice’s public key. The above command returns Verified OK or Verification Failure according to the digital signature validation outcome.

鲍勃(Bob)从爱丽丝(Alice)接收了两个文件，并继续使用爱丽丝(Alice)的公钥来验证签名。 上面的命令根据数字签名验证结果返回“ Verified OK或“ Verification Failure 。

证明书 (Certificates)

A certificate, otherwise also known as a digital certificate, an identity certificate, or a public key certificate, is an electronic document proving the ownership of a public key.

证书，也称为数字证书，身份证书或公钥证书，是证明公钥所有权的电子文档。

The most common format for certificates is defined by X.509 and it contains, fundamentally, a public key, a digital signature for that public key, as well as information about the identity of the owner of the public key.

证书的最常用格式由X.509定义，它从根本上包含一个公共密钥，该公共密钥的数字签名以及有关公共密钥所有者身份的信息。

Certificates may be used for a variety of purposes, therefore, different certificate profiles exist.

证书可用于多种目的，因此，存在不同的证书配置文件。

The public key corresponds to the owner of the certificate. However, for anyone else to be able to verify the identity of the owner, a trusted third-party entity is required.

公钥对应于证书的所有者。 但是，要使其他任何人都能够验证所有者的身份，则需要一个受信任的第三方实体。

This is where certificate authorities come in. A certificate authority is a party responsible for signing certificates and, usually, is a trusted, well-known company or organization.

这就是证书颁发机构的用处。证书颁发机构是负责签署证书的一方，通常是受信任的知名公司或组织。

To perform this role effectively, a certificate authority needs to have its own root certificate trusted by as many users as possible. However, a certificate authority may also provide cross-signature, thus signing the root certificates of other certificate authorities.

为了有效地执行此角色，证书颁发机构需要拥有自己的根证书，并由尽可能多的用户信任。 但是，证书颁发机构也可以提供交叉签名，从而对其他证书颁发机构的根证书进行签名。

This may sound confusing at first, so let’s try to go through it with an example:

刚开始时这听起来可能令人困惑，所以让我们尝试通过一个示例来解决它：

A certificate validation chain of trust (image by author)

证书验证信任链(作者提供的图片)

• In the above example, Bob connects to Alice’s website and wants to verify that it is really Alice who operates it.
  在上面的示例中，Bob连接到Alice的网站，并想验证操作它的人确实是Alice。
• Bob obtains a certificate while visiting Alice’s website. The certificate contains Alice’s public key together with a digital signature from certificate authority CA1.
  Bob在访问爱丽丝的网站时获得了证书。 该证书包含Alice的公钥以及来自证书颁发机构CA1的数字签名。
• Since Bob doesn’t know nor trust CA1, he examines the certificate chain embedded into the certificate.
  由于Bob不知道也不信任CA1，因此他检查嵌入到证书中的证书链。
• By tracing back the available cross-signatures, Bob arrives at certificate authority CA3 that he trusts. He now knows that Alice’s website can be trusted to be operated by Alice.
  通过追溯可用的交叉签名，Bob到达了他信任​​的证书颁发机构CA3。 现在，他知道爱丽丝的网站可以信任由爱丽丝运营。

Of course, all of this process takes place behind the scenes by your internet browser under Transport Layer Security (TLS) on the HTTPS protocol.

当然，所有这些过程都是由Internet浏览器在后台通过HTTPS协议的“传输层安全性( TLS )”进行的。

The fact that the verification of a certificate’s identity is based on a commonly trusted parent certificate authority is also one of the main criticisms of certificates.

证书身份验证基于共同受信任的父证书颁发机构这一事实，也是对证书的主要批评之一。

What if that parent certificate authority is compromised or goes rogue?

如果该父证书颁发机构被破坏或流氓该怎么办？

Although certificates are used predominantly for website privacy, identification, and content reliability, they can also be used for client identification.

尽管证书主要用于网站隐私，标识和内容可靠性，但是它们也可以用于客户端标识。

If you’re interested in operating your own certificate authority, you can try one of the various open-source implementations available, such as OpenCA, EJBCA, or OpenXKPI.

如果您对自己的证书颁发机构感兴趣，则可以尝试使用各种可用的开源实现之一，例如OpenCA ， EJBCA或OpenXKPI 。

David CARELLA, David CARELLA ， Wikipedia, Wikipedia ， CC BY-SA 4.0) CC BY-SA 4.0 )

Of course, take into account that since your own certificate authority’s root certificate will not be trusted by your internet browser, or anyone else really, you will need to manually insert it into your trusted certificates store as per your operating system’s instructions.

当然，请考虑到由于您自己的证书颁发机构的根证书不会被Internet浏览器或其他任何人信任，因此您将需要按照操作系统的说明将其手动插入到受信任的证书存储中。

The same goes for the machines of all your users using certificates from your own certificate authority.

使用您自己的证书颁发机构颁发的证书的所有用户的计算机也是如此。

And no, it’s not an option to have one of the large, known root certificate authorities cross-signing your own certificate authority’s root certificate.

不，不是一种选择是让大型的已知根证书颁发机构之一对您自己的证书颁发机构的根证书进行交叉签名。

结论 (Conclusion)

Public-key cryptography, or asymmetric encryption, is a cryptographic system based on pairs of keys, a public and a private key. The main use cases of asymmetric encryption are encrypting communications, providing message validation, and authenticity.

公钥密码术或非对称加密是一种基于密钥对，公钥和私钥的加密系统。 非对称加密的主要用例是加密通信，提供消息验证和真实性。

In this article, I tried to present the basic concepts behind asymmetric encryption, albeit only scratching the surface of such a complicated topic. Cryptography is a fascinating area with active research to this day with abundant amounts of information for inquisitive minds.

在本文中，我试图介绍非对称加密背后的基本概念，尽管只是从头开始讨论了这样一个复杂的话题。 密码学是一个引人入胜的领域，迄今为止，它一直在进行积极的研究，并为好奇的人们提供了大量的信息。

Before you leave, if you need encryption in your project, keep the encryption golden-rule in mind: Don’t roll your own crypto.

在离开之前，如果您需要在项目中进行加密，请牢记加密的黄金法则： 不要使用自己的crypto 。

There are plenty of libraries and already-implemented strong, secure, battle-tested algorithms out there. Do your research and pick the ones already satisfying the needs of your project.

那里有许多库以及已经实施的强大，安全，经过考验的算法。 做您的研究并选择那些已经满足您的项目需求的研究。

Thank you for reading this piece. I hope to see you in the next one.

感谢您阅读本文。 我希望在下一个见到你。

翻译自: https://medium.com/better-programming/an-introduction-to-public-key-cryptography-3ea0cf7bf4ba

公钥密码学 公钥基础设施