CA Certification knowledge

Source: Internet
Author: User

As e-commerce and e-government spread, problems such as theft and tampering of important data and files in transit, online fraud and network attacks have emerged with them; online activity can only be relied upon once a network security assurance system is in place. CA technology is a core technology for providing that assurance.
(1) What is a CA?
A CA (Certificate Authority) is an authoritative, trusted and impartial third party responsible for issuing and managing the digital certificates needed by every entity that takes part in online transactions. As that authority it manages keys and binds a public key to a particular entity (a consumer, a merchant or a bank). Digital certificates, PKI, symmetric encryption algorithms, digital signatures and digital envelopes can be combined into encryption, decryption and identity-authentication systems of high security, so that electronic transactions are carried out effectively and safely: information is known to nobody but the sender and the recipient (confidentiality); information is not altered in transit (integrity and consistency); the sender is sure that the recipient is not an impostor (authenticity of identity, which cannot be faked); and the sender cannot deny having sent the message (non-repudiation).

(2) CA Architecture
The main instrument of CA authentication is the digital certificate that the CA center issues to the entities doing business online. Seen from the roles involved in the business process, the system comprises the certification authority, the digital certificate repository and blacklist (revocation list) repository, the key escrow system, the certificate directory service, and the certificate approval and revocation processing system. The CA hierarchy can be divided into the root certification authority (Root CA), the Key Management Center (KM), subordinate certification authorities (sub-CAs), certificate approval centers (RA centers) and certificate approval acceptance points (RAT). Under the PKI model, an entity to be authenticated holds a pair of keys, a private key and a public key. The private key is kept secret and the public key is published. In principle the private key cannot be derived from the public key, and recovering it by exhaustive search is infeasible with current technology, computing resources and time. Keys always come in pairs: each public key corresponds to exactly one private key. Information encrypted with the public key can only be decrypted with the corresponding private key, and a signature made with the private key can only be verified with the paired public key.
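The pairing rules just stated (the public key encrypts and only the paired private key decrypts; the private key signs and only the paired public key verifies) exercised in Go. This is an added example written for this page, not code from the original article: it uses the standard library's RSA-OAEP for the envelope and RSA-PSS for the signature, and the sender, the recipient, the unrelated third party and the message are all constructed for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Properties records what the key-pair rules in the text predict; every field
// should come out true for correctly paired keys (see Demonstrate).
type Properties struct {
	Recipient      string // what the intended recipient recovered from the envelope
	OtherKeyFails  bool   // a different private key cannot open the envelope
	SignatureValid bool   // the sender's public key accepts the sender's signature
	TamperDetected bool   // the signature is rejected once the message is altered
	ForgerRejected bool   // a signature made with another private key is rejected
}

// Seal encrypts to the recipient's public key (RSA-OAEP); only the paired private key opens it.
func Seal(pub *rsa.PublicKey, msg []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, msg, nil)
}

// Open decrypts an envelope with the private key; a mismatched key yields an error.
func Open(priv *rsa.PrivateKey, ct []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ct, nil)
}

// Sign produces an RSA-PSS signature with the private key over SHA-256 of msg.
func Sign(priv *rsa.PrivateKey, msg []byte) ([]byte, error) {
	h := sha256.Sum256(msg)
	return rsa.SignPSS(rand.Reader, priv, crypto.SHA256, h[:], nil)
}

// Verify checks a signature with the public key; a bad signature yields false, not a panic.
func Verify(pub *rsa.PublicKey, msg, sig []byte) bool {
	h := sha256.Sum256(msg)
	return rsa.VerifyPSS(pub, crypto.SHA256, h[:], sig, nil) == nil
}

// Demonstrate runs the exchange between two constructed parties, a sender and a
// recipient, plus a third party holding an unrelated key pair, and reports each property.
func Demonstrate(msg string) (*Properties, error) {
	sender, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	recipient, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	other, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	p := &Properties{}

	// Confidentiality: the envelope is sealed to the recipient's public key.
	ct, err := Seal(&recipient.PublicKey, []byte(msg))
	if err != nil {
		return nil, err
	}
	pt, err := Open(recipient, ct)
	if err != nil {
		return nil, err
	}
	p.Recipient = string(pt)
	_, err = Open(other, ct)
	p.OtherKeyFails = err != nil

	// Integrity and non-repudiation: signed with the sender's private key.
	sig, err := Sign(sender, []byte(msg))
	if err != nil {
		return nil, err
	}
	p.SignatureValid = Verify(&sender.PublicKey, []byte(msg), sig)
	p.TamperDetected = !Verify(&sender.PublicKey, []byte(msg+"!"), sig)
	forged, err := Sign(other, []byte(msg))
	if err != nil {
		return nil, err
	}
	p.ForgerRejected = !Verify(&sender.PublicKey, []byte(msg), forged)
	return p, nil
}

func main() {
	p, err := Demonstrate("pay merchant 100.00")
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", *p)
}
```

Every boolean in Properties comes out true: the third party's key neither opens the envelope nor produces a signature that the sender's public key accepts, and changing a single character of the message invalidates the signature. In a real deployment the public keys would be obtained from certificates rather than generated in the same process, which is what the rest of the page is about.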

(3) The CA's Responsibilities
The CA center is chiefly responsible for issuing and managing digital certificates; its central tasks are issuing certificates and authenticating user identities. The CA center needs strict policies and procedures covering security responsibilities, operational security management, system security, physical security, database security, personnel security and key management, together with a sound security mechanism. It must also implement comprehensive security auditing, operational monitoring, disaster-tolerant backup and rapid incident response, and it needs strong tools for identity authentication, access control and anti-virus protection. The certificate processor (CP) prepares, issues and manages certificates for authorised applicants and bears all consequences of operational errors, including password loss and the issuance of certificates to unauthorised parties. This function can be handled by an audit business department or by a third party.
(4) RA
An RA (Registration Authority) is the digital certificate registrar. The RA system extends the CA's certificate issuance and management: it handles information entry, review and certificate issuance for applicants, and provides management functions for certificates already issued. Issued digital certificates can be stored on IC cards, hard disks, floppy disks and other media. The RA system is an essential part of the normal operation of the whole CA center. (An illustration of the complete structure accompanies the original article.)

(5) Digital Certificates
In an online electronic transaction the merchant must confirm that the cardholder is the legitimate holder of the credit or debit card, and the cardholder must be able to tell whether the merchant is a legitimate merchant authorised to accept payment with a card of a given brand. To resolve these questions a trusted institution must issue digital security certificates. A digital security certificate represents the identity of each party to an online transaction (cardholder, merchant, payment gateway), and in every transaction the identity of each party must be verified through its certificate.
A digital security certificate is a file, digitally signed by the certificate authority, that contains information about the owner of a public key together with that public key. The simplest certificate contains a public key, a name, and the digital signature of the certificate authority. In general a certificate also includes the key's validity period, the name of the issuing authority (the Certificate Authority), the certificate serial number, and other information. The certificate format follows the ITU-T X.509 international standard.
A standard X.509 digital certificate contains the following:
A. The certificate version;
B. The certificate serial number, unique among the certificates issued by that CA;
C. The signature algorithm used to sign the certificate;
D. The name of the certificate issuer, normally in X.500 (distinguished name) form;
E. The validity period of the certificate (not-before and not-after), expressed in UTC;
F. The name of the certificate owner (the subject), normally in X.500 form;
G. The public key of the certificate owner;
H. The issuer's digital signature over the certificate.
Version 3 certificates additionally carry extensions: basic constraints mark whether the holder is itself a CA (and how deep a chain it may sign), and key usage restricts what the key may be used for. A verifier that ignores these can be made to accept an end-entity certificate as an issuer.
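The three-tier hierarchy of section (2) and the eight X.509 items listed above, built and checked with Go's standard crypto/x509 package. This is an added example, not code from the original article or from any real CA: the CA names, the serial numbers, the hostname merchant.example, the lifetimes and the path-length limits are all constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// LeafName is the constructed hostname the end-entity certificate is issued for.
const LeafName = "merchant.example"

// must panics on an error; key generation and certificate encoding fail only on a broken entropy source or an invalid template.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func newKey() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }

// caTemplate builds a CA certificate body; pathLen bounds how many further CAs may sit
// below it (0 for a sub-CA that may only issue end-entity certificates).
func caTemplate(serial int64, cn string, pathLen int) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn, Organization: []string{"Example CA"}},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		MaxPathLen:            pathLen,
		MaxPathLenZero:        pathLen == 0,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
}

// issue has the holder of signerKey (the issuer) sign template, binding pub to the named subject; parent == template yields a self-signed root.
func issue(template, parent *x509.Certificate, pub *ecdsa.PublicKey, signerKey *ecdsa.PrivateKey) *x509.Certificate {
	der := must(x509.CreateCertificate(rand.Reader, template, parent, pub, signerKey))
	return must(x509.ParseCertificate(der))
}

// BuildHierarchy returns the three tiers of section (2): a self-signed root, a sub-CA signed
// with the root key, and an end-entity certificate signed with the sub-CA key (all made up).
func BuildHierarchy() (root, sub, leaf *x509.Certificate) {
	rootKey, subKey, leafKey := newKey(), newKey(), newKey()
	rootTmpl := caTemplate(1, "Example Root CA", 1)
	root = issue(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	sub = issue(caTemplate(2, "Example Sub CA", 0), root, &subKey.PublicKey, rootKey)
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(3),
		Subject:      pkix.Name{CommonName: LeafName},
		DNSNames:     []string{LeafName},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf = issue(leafTmpl, sub, &leafKey.PublicKey, subKey)
	return root, sub, leaf
}

// VerifyChain checks leaf -> sub -> trustAnchor: signatures, validity periods, the hostname, and the CA and path-length constraints.
func VerifyChain(leaf, sub, trustAnchor *x509.Certificate) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(trustAnchor)
	inters.AddCert(sub)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: LeafName})
	return err
}

// Fields extracts items A to H of the X.509 list above from a parsed certificate.
func Fields(c *x509.Certificate) map[string]string {
	return map[string]string{
		"A version":   fmt.Sprintf("v%d", c.Version),
		"B serial":    c.SerialNumber.String(),
		"C sig alg":   c.SignatureAlgorithm.String(),
		"D issuer":    c.Issuer.String(),
		"E validity":  c.NotBefore.UTC().Format(time.RFC3339) + " to " + c.NotAfter.UTC().Format(time.RFC3339),
		"F subject":   c.Subject.String(),
		"G pubkey":    c.PublicKeyAlgorithm.String(),
		"H signature": fmt.Sprintf("%d bytes", len(c.Signature)),
	}
}

func main() {
	root, sub, leaf := BuildHierarchy()
	fmt.Println(Fields(leaf))
	fmt.Println("chain to genuine root:", VerifyChain(leaf, sub, root))
	// Same name, different key: not the anchor this chain was issued under.
	k, t := newKey(), caTemplate(1, "Example Root CA", 1)
	fmt.Println("chain to look-alike root:", VerifyChain(leaf, sub, issue(t, t, &k.PublicKey, k)))
}
```

VerifyChain succeeds only against the genuine root; a look-alike root carrying the same X.500 name but a different key is rejected, because trust rests on the anchor's public key, not on its name. The path-length limits (1 on the root, 0 on the sub-CA) are the basic-constraints extension at work: the sub-CA may issue end-entity certificates but not further CAs, and Verify enforces that along with the hostname and the validity window.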


Reference (original source):

http://blog.csdn.net/net_flyfox/article/details/3993988

http://www.co.ccpit.org/ca/Htm/menu-item-frame2-content4.htm
