数字签名概述
Tạo vào: 4 tháng 1, 2025
Tạo vào: 4 tháng 1, 2025
The content of the article at https: //www. youdzone. com/signature. html is as follows:
What is a Digital Signature?
An introduction to Digital Signatures, by David Youd
Bob
(Bob's public key)
(Bob's private key)
Bob has been given two keys. One of Bob's keys is called a Public Key, the other is called a Private Key.
Bob's Co-workers:
Anyone can get Bob's Public Key, but Bob keeps his Private Key to himself
Pat Doug Susan
Bob's Public key is available to anyone who needs it, but he keeps his Private Key to himself. Keys are used to encrypt information. Encrypting information means "scrambling it up", so that only a person with the appropriate key can make it readable again. Either one of Bob's two keys can encrypt data, and the other key can decrypt that data.
Susan (shown below) can encrypt a message using Bob's Public Key. Bob uses his Private Key to decrypt the message. Any of Bob's coworkers might have access to the message Susan encrypted, but without Bob's Private Key, the data is worthless.
text"Hey Bob, how about lunch at Taco Bell. I hear they have free refills!" HNFmsEm6Un BejhhyCGKOK JUxhiygSBCEiC 0QYIh/Hn3xgiK BcyLK1UcYiY lxx2lCFHDC/A HNFmsEm6Un BejhhyCGKOK JUxhiygSBCEiC 0QYIh/Hn3xgiK BcyLK1UcYiY lxx2lCFHDC/A "Hey Bob, how about lunch at Taco Bell. I hear they have free refills!"
With his private key and the right software, Bob can put digital signatures on documents and other data. A digital signature is a "stamp" Bob places on the data which is unique to Bob, and is very difficult to forge. In addition, the signature assures that any changes made to the data that has been signed can not go undetected.
textTo sign a document, Bob's software will crunch down the data into just a few lines by a process called "hashing". These few lines are called a message digest. (It is not possible to change a message digest back into the original data from which it was created.)
Bob's software then encrypts the message digest with his private key. The result is the digital signature.
Finally, Bob's software appends the digital signature to document. All of the data that was hashed has been signed.
Bob now passes the document on to Pat.
First, Pat's software decrypts the signature (using Bob's public key) changing it back into a message digest. If this worked, then it proves that Bob signed the document, because only Bob has his private key. Pat's software then hashes the document data into a message digest. If the message digest is the same as the message digest created when the signature was decrypted, then Pat knows that the signed data has not been changed.
Plot complication...
Doug (our disgruntled employee) wishes to deceive Pat. Doug makes sure that Pat receives a signed message and a public key that appears to belong to Bob. Unbeknownst to Pat, Doug deceitfully sent a key pair he created using Bob's name. Short of receiving Bob's public key from him in person, how can Pat be sure that Bob's public key is authentic?
It just so happens that Susan works at the company's certificate authority center. Susan can create a digital certificate for Bob simply by signing Bob's public key as well as some information about Bob.
Bob Info:
Name
Department
Cubical Number
Certificate Info:
Expiration Date
Serial Number
Bob's Public Key:
Now Bob's co-workers can check Bob's trusted certificate to make sure that his public key truly belongs to him. In fact, no one at Bob's company accepts a signature for which there does not exist a certificate generated by Susan. This gives Susan the power to revoke signatures if private keys are compromised, or no longer needed. There are even more widely accepted certificate authorities that certify Susan.
Let's say that Bob sends a signed document to Pat. To verify the signature on the document, Pat's software first uses Susan's (the certificate authority's) public key to check the signature on Bob's certificate. Successful de-encryption of the certificate proves that Susan created it. After the certificate is de-encrypted, Pat's software can check if Bob is in good standing with the certificate authority and that all of the certificate information concerning Bob's identity has not been altered.
Pat's software then takes Bob's public key from the certificate and uses it to check Bob's signature. If Bob's public key de-encrypts the signature successfully, then Pat is assured that the signature was created using Bob's private key, for Susan has certified the matching public key. And of course, if the signature is valid, then we know that Doug didn't try to change the signed content.
Although these steps may sound complicated, they are all handled behind the scenes by Pat's user-friendly software. To verify a signature, Pat need only click on it.
(c) 1996, David Youd
Permission to change or distribute is at the discretion of the author
Warning: You may be missing a few lines of text if you print this document. This seems to occur on pages following pages that have blank space near the bottom due to moving tables with large graphics in them to the next page so that the images are not split across pages. If this happens to you, simply print out document in sections. (Ex: I have the problem on page 4, so I print pages 1-3, then pages 4-5.)
Please use your experience and profound knowledge to enrich and deepen this article, including application scenarios, commonly used algorithms, current (24 years) best practices, applications in web development (Spring), etc. (yourself Grasp)...make it more complete, in-depth, and easy to read from a developer's perspective.
The result is answered in Chinese
数字签名简介,作者:David Youd
在当今数字化时代,信息的安全性和完整性至关重要。数字签名作为一种有效的安全技术,广泛应用于各种场景中,如电子邮件、软件发布、金融交易和法律文件等。本文将深入探讨数字签名的概念、应用场景、常用算法、当前最佳实践以及在Web开发(特别是Spring框架)中的应用。
数字签名是一种用于验证信息来源和完整性的技术。与传统的手写签名不同,数字签名基于密码学原理,确保签名的唯一性和不可伪造性。
数字签名依赖于一对密钥:公钥和私钥。
生成签名:
验证签名:
通过数字签名,发送者可以确保邮件内容未被篡改,并验证邮件的来源。
开发者在发布软件时使用数字签名,用户可以验证软件的完整性和来源,防止恶意篡改。
银行和金融机构使用数字签名来确保交易的安全性和合法性,防止欺诈行为。
数字签名在电子合同和法律文件中用于确认各方的同意和身份,具有法律效力。
哈希算法将任意长度的数据映射为固定长度的哈希值,常用的哈希算法包括:
用于生成公钥和私钥对,常用的非对称加密算法包括:
常用的数字签名算法包括:
选择安全性高、抗碰撞的哈希算法,如SHA-256或SHA-3,避免使用已被破解的算法(如MD5、SHA-1)。
通过受信任的证书颁发机构(CA)获取数字证书,确保证书的真实性和有效性,防止中间人攻击。
结合多种认证方式(如密码、指纹、硬件令牌)提升系统的安全性,确保只有授权人员能访问私钥。
定期审计密钥使用情况,监控异常活动,及时发现和应对潜在的安全威胁。
在现代Web开发中,数字签名在确保数据传输的安全性和完整性方面发挥着重要作用。以Spring框架为例,以下是数字签名的常见应用场景和实现方法。
通过数字签名对API请求进行签名,确保请求的来源可信,防止请求被篡改。
实现步骤:
JWT广泛用于身份验证和授权,通过数字签名确保令牌的真实性和防篡改。
实现步骤:
在文件上传和下载过程中使用数字签名,确保文件的完整性和来源的可信性。
实现步骤:
在Spring应用中集成数字证书管理,确保应用之间的通信安全。
实现步骤:
以下是一个使用Java和Spring框架进行RSA数字签名的简单示例:
javaimport java.security.*; import java.util.Base64; public class DigitalSignatureUtil { // 生成密钥对 public static KeyPair generateKeyPair() throws NoSuchAlgorithmException { KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA"); keyGen.initialize(2048); return keyGen.generateKeyPair(); } // 生成签名 public static String sign(String data, PrivateKey privateKey) throws Exception { Signature signer = Signature.getInstance("SHA256withRSA"); signer.initSign(privateKey); signer.update(data.getBytes("UTF-8")); byte[] signature = signer.sign(); return Base64.getEncoder().encodeToString(signature); } // 验证签名 public static boolean verify(String data, String signature, PublicKey publicKey) throws Exception { Signature verifier = Signature.getInstance("SHA256withRSA"); verifier.initVerify(publicKey); verifier.update(data.getBytes("UTF-8")); byte[] sigBytes = Base64.getDecoder().decode(signature); return verifier.verify(sigBytes); } // 示例使用 public static void main(String[] args) throws Exception { KeyPair keyPair = generateKeyPair(); String data = "Hello, this is a secure message!"; String signature = sign(data, keyPair.getPrivate()); System.out.println("Signature: " + signature); boolean isValid = verify(data, signature, keyPair.getPublic()); System.out.println("Signature valid: " + isValid); } }
在Spring Boot应用中,可以将上述数字签名功能集成到服务层,以确保数据传输的安全性。
javaimport org.springframework.stereotype.Service; @Service public class SignatureService { private final KeyPair keyPair; public SignatureService() throws NoSuchAlgorithmException { this.keyPair = DigitalSignatureUtil.generateKeyPair(); } public String signData(String data) throws Exception { return DigitalSignatureUtil.sign(data, keyPair.getPrivate()); } public boolean verifyData(String data, String signature) throws Exception { return DigitalSignatureUtil.verify(data, signature, keyPair.getPublic()); } }
在Controller中调用SignatureService
进行签名和验证:
javaimport org.springframework.beans.factory.annotation.Autowired; import org.springframework.web.bind.annotation.*; @RestController @RequestMapping("/api/signature") public class SignatureController { @Autowired private SignatureService signatureService; @PostMapping("/sign") public String sign(@RequestBody String data) throws Exception { return signatureService.signData(data); } @PostMapping("/verify") public boolean verify(@RequestBody VerificationRequest request) throws Exception { return signatureService.verifyData(request.getData(), request.getSignature()); } } class VerificationRequest { private String data; private String signature; // getters and setters }
数字证书由受信任的证书颁发机构(CA)签发,绑定公钥与实体身份信息,确保证书持有者的身份真实性。
信任链是指通过一系列证书,建立起信任关系。根证书(Root Certificate)位于信任链的顶部,所有其他证书通过其颁发建立信任。
当证书或私钥被泄露或不再信任时,CA可以吊销证书。被吊销的证书会被记录在吊销列表(CRL)或通过在线证书状态协议(OCSP)进行查询。
随着技术的进步和应用需求的增加,数字签名技术也在不断发展:
数字签名作为保障信息安全和完整性的关键技术,广泛应用于各行各业。通过理解其基本原理、应用场景和实现方法,开发者可以有效地在项目中集成和应用数字签名技术,提升系统的安全性和可靠性。在Web开发中,尤其是在使用Spring框架时,合理应用数字签名不仅能够确保数据传输的安全,还能增强用户对系统的信任。
随着技术的发展,数字签名的应用将更加广泛和深入,开发者需要持续关注最新的算法和最佳实践,以应对不断变化的安全需求。
© 1996, David Youd
修改和分发权限由作者自行决定
警告:如果您在打印本文档时可能会遗漏几行文本,通常发生在页面底部有空白区域时。解决方法是分段打印文档(例如:先打印1-3页,然后打印4-5页)。