CA authentication principles

Source: Internet
Author: User
With the increasing popularity of e-commerce and e-government, problems such as theft and tampering of important data and files in transmission, online fraud and network attacks also emerge; only by establishing a network security assurance system can online activities be conducted with confidence. CA technology is the core technology for ensuring network security.
About CA

1. What is a CA?
A CA (Certificate Authority) is an authoritative, trusted and impartial third-party organization responsible for issuing and managing the digital certificates of all entities involved in online transactions. As an authority, it manages keys effectively, issues certificates that attest that a key is valid, and binds a public key to a particular entity (a consumer, a merchant, a bank, and so on).
The emergence of certification centers (CA centers) makes it possible to solve the security problems of open networks. Using digital certificates, PKI, symmetric encryption algorithms, digital signatures, digital envelopes and other cryptographic techniques, an encryption, decryption and identity authentication system of a very high security level can be established so that electronic transactions are carried out effectively and securely: information is known to no one but the sender and the recipient (confidentiality); data is not tampered with in transit (integrity and consistency); the sender can be sure the recipient is not an impostor (authenticity); and the sender cannot deny having sent the message (non-repudiation).
2. CA Architecture
The main tool of CA certification is the digital certificate that the CA issues to entities doing business online. The CA architecture comprises the PKI structure, attack-resistant public-key encryption and decryption algorithms, digital signature technology, identity authentication technology, operational security management technology, and a reliable system of trust and liability. Seen from the roles in the business process, it includes the certification body, the digital certificate repository and the blacklist repository, the key escrow processing system, the certificate directory service, and the certificate approval and revocation management system. Hierarchically, a CA can be divided into the root certification center (Root CA), the Key Management Center (KM), subordinate certification centers (sub-CAs), certificate approval centers (RA centers), certificate approval points (RATs), and so on. In general, a CA center should publish a certification practice statement that formally declares its CA policy, security measures, scope and quality of service, responsibilities and operational procedures to the parties it serves.
In the PKI structure, each entity being authenticated needs a key pair: a private key and a public key. The private key is kept secret; the public key is made public. In principle the private key cannot be derived from the public key, and within the limits of current technology, computing tools and time it is infeasible to obtain it. Keys always come in pairs, that is, every public key corresponds to exactly one private key. Information encrypted with the public key can only be decrypted with the corresponding private key; likewise, a signature made with the private key can only be verified with the paired public key. The public key is sometimes used to transmit a symmetric key, which is the digital envelope technique. The key management policy is to bind the public key to its entity: the CA center packages the entity's information and the entity's public key into a digital certificate, and the certificate must end with the CA center's digital signature. Because the CA center's signature cannot be forged, neither can an entity's digital certificate. After the CA has verified the entity's real-world identity and qualifications, it issues the applicant a digital certificate, matching the entity's identity to the certificate. Because all entities trust the CA center that provides this third-party service, each entity can trust the other entities holding certificates issued by that CA center and operate and trade online with confidence.

3. CA's Responsibilities
The CA center is mainly responsible for issuing and managing digital certificates; its central task is to issue digital certificates and to carry out user identity authentication. The CA center's security responsibilities are spread across many areas: operational security management, system security, physical security, database security, personnel security and key management all require strict policies and procedures, and a complete security mechanism must be in place. In addition, comprehensive security auditing, operational monitoring, disaster-tolerant backup and rapid incident handling are required, with strong tool support for identity authentication, access control, anti-virus and attack prevention. The certificate approval business department of the CA is responsible for reviewing an applicant's qualifications and deciding whether to issue a certificate to the applicant, and it bears all consequences of issuing a certificate to an unqualified applicant because of an incorrect review; it must therefore be an institution capable of assuming these responsibilities. The certificate processor (CP) is responsible for preparing, issuing and managing certificates for approved applicants and bears all consequences, including loss of passwords and issuance of certificates to unauthorized persons; this work can be handled by the approval department itself or by a third party.
4. RA
An RA (Registration Authority) is the registrar for digital certificates. The RA system is an extension of the CA's certificate issuance and management: it is responsible for entering and reviewing certificate applicants' information and issuing their certificates, and it also manages the certificates that have been issued. Issued digital certificates can be stored on IC cards, hard disks, floppy disks and other media. The RA system is an essential part of the normal operation of the CA center as a whole.
5. Digital Certificate
A digital security certificate is a piece of data that marks a network user's identity information. It identifies the parties in network communication, that is, it answers the question of who I am on the Internet, just as each of us in the real world needs an ID card or driver's license to prove our identity or a certain qualification.

In online electronic transactions, the merchant needs to confirm that the cardholder is the valid holder of the credit or debit card, and the cardholder must be able to tell whether the merchant is legitimate and whether it is authorized to accept payment with a certain brand of credit or debit card. To resolve these key issues, a trusted institution must issue digital security certificates. The digital security certificate is the identity credential of every party in an online transaction (the cardholder, the merchant, the payment network, and so on), and every transaction must verify the identities of all parties through their digital security certificates. A digital security certificate is issued by an authoritative and impartial third-party organization, namely the CA center. After the CA center approves the application, the certificate is delivered to the applicant through the registration service organization.
A digital security certificate is digitally signed data that contains the public key and information about its owner. The simplest certificate contains a public key, a name, and the digital signature of the certification center. In general a certificate also includes the key's validity period, the name of the issuing authority (the Certificate Authority), a serial number and other information. The certificate format follows the ITU-T X.509 international standard.
A standard X.509 digital security certificate contains the following content:
The version of the certificate;
The serial number of the certificate; each certificate has a unique serial number;
The signature algorithm used by the certificate;
The name of the certificate issuer, generally in X.500 naming format;
The validity period of the certificate, which current certificates generally express in UTC time;
The name of the certificate owner, generally in X.500 naming format;
The public key of the certificate owner;
The certificate issuer's signature over the certificate.
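As an added example (not code from the original article), the following Python uses only the standard library to encode a minimal X.509 v3 certificate in DER with exactly the fields listed above and to decode it again; the key bytes and signature are constructed placeholders, and the decoded signed_bytes field shows which part of the certificate the CA's signature described in section 2 actually covers.

```python
SHA256_RSA, RSA, CN = "1.2.840.113549.1.1.11", "1.2.840.113549.1.1.1", "2.5.4.3"
def tlv(tag, body):                        # DER tag-length-value (short or 2-byte long-form length)
    n = len(body)
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x82, n >> 8, n & 0xFF])) + body
def der_int(i):                            # INTEGER, minimal two's-complement, non-negative only
    return tlv(0x02, i.to_bytes((i.bit_length() + 8) // 8, "big"))
def der_oid(dotted):                       # OBJECT IDENTIFIER, base-128 sub-arcs, high bit = more
    arcs = [int(x) for x in dotted.split(".")]
    body = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc > 0x7F:
            arc >>= 7; chunk.insert(0, 0x80 | (arc & 0x7F))
        body += chunk
    return tlv(0x06, bytes(body))
def seq(*items): return tlv(0x30, b"".join(items))
def name(cn): return seq(tlv(0x31, seq(der_oid(CN), tlv(0x0C, cn.encode()))))  # X.500 Name, CN only
def utctime(s): return tlv(0x17, s.encode())                                      # "YYMMDDHHMMSSZ"
OID_NAMES = {der_oid(SHA256_RSA): "sha256WithRSAEncryption", der_oid(RSA): "rsaEncryption"}

def build_cert(serial, issuer_cn, subject_cn, not_before, not_after, pubkey, signature):
    # Certificate ::= SEQ { tbsCertificate, signatureAlgorithm, signatureValue }
    alg = seq(der_oid(SHA256_RSA), tlv(0x05, b""))
    tbs = seq(tlv(0xA0, der_int(2)), der_int(serial), alg, name(issuer_cn),      # [0] version = v3
              seq(utctime(not_before), utctime(not_after)), name(subject_cn),
              seq(seq(der_oid(RSA), tlv(0x05, b"")), tlv(0x03, b"\x00" + pubkey)))
    return seq(tbs, alg, tlv(0x03, b"\x00" + signature))

def read_tlv(buf, pos=0):                  # decode one TLV -> (tag, body, next_pos)
    tag, first = buf[pos], buf[pos + 1]
    k = first & 0x7F if first >= 0x80 else 0
    n, start = (int.from_bytes(buf[pos + 2:pos + 2 + k], "big") if k else first), pos + 2 + k
    return tag, buf[start:start + n], start + n
def children(body):                        # split a constructed body into (tag, value) members
    items, pos = [], 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        items.append((tag, val))
    return items
def cn(name_body):                         # first attribute value of a single-RDN Name
    return children(children(children(name_body)[0][1])[0][1])[1][1].decode()
def parse_cert(der):                       # the fields listed above; signed_bytes is what the CA signs
    tbs, _alg, sig = children(read_tlv(der)[1])
    f = children(tbs[1])
    return {"version": children(f[0][1])[0][1][0] + 1, "serial": int.from_bytes(f[1][1], "big"),
            "sig_alg": OID_NAMES.get(tlv(0x06, children(f[2][1])[0][1]), "unknown"),
            "issuer": cn(f[3][1]), "validity": tuple(v.decode() for _, v in children(f[4][1])),
            "subject": cn(f[5][1]), "public_key": children(f[6][1])[1][1][1:],
            "signature": sig[1][1:], "signed_bytes": tlv(0x30, tbs[1])}
SAMPLE_CERT = build_cert(1001, "Example Root CA", "alice", "240101000000Z", "250101000000Z",
                         bytes(range(16)), b"\x5a" * 16)  # constructed placeholder key and signature
```

Any change to a signed field, for example the subject name, changes signed_bytes, so a CA signature computed over the original certificate no longer verifies against the altered one.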
