PKI and Certificate Services application
- What is PKI:
PKI stands for Public Key Infrastructure.
A PKI is composed of public key cryptography, digital certificates, a certificate-issuing structure (the certification authority, CA), a registration authority (RA) and related components. The digital certificate is what authenticates a user; the CA is the trusted entity responsible for issuing, renewing and revoking certificates; the RA accepts and vets user requests and performs related functions on the CA's behalf.
The functions a PKI system provides are identity authentication, data integrity, data confidentiality and non-repudiation of operations.
- Public key and private key:
Keys are generated in pairs. The two keys are different; what one key encrypts, the other decrypts, and one key cannot be derived from the other. The public key is made public, while the private key is known only to its holder and must be kept secure by that holder (if the private key is disclosed, every guarantee below is lost).
- Data encryption:
The sender encrypts the data with the receiver's public key; the receiver decrypts it with its own private key. Since only the holder of the private key can decrypt, this guarantees the confidentiality of the data sent. (In practice public-key encryption is used to protect a symmetric session key, and the bulk data is encrypted with that key.)
- Digital signature:
The sender signs the data with its own private key; the receiver verifies the signature with the sender's public key. This provides authentication of the sender, integrity of the data and non-repudiation of the operation, since only the holder of the private key could have produced the signature. (Signing is often described as "encrypting with the private key", but real signature schemes sign a hash of the data with a dedicated padding scheme; they are not the encryption operation run backwards.)
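The two flows above (encrypt with the receiver's public key, sign with the sender's private key), as an added example in Go that is not part of the original page. It uses only the Go standard library; the parties, the message and the tampered copy are constructed for the example. Encryption uses RSA-OAEP and signing uses RSA-PSS over a SHA-256 digest, the padded constructions a practitioner would actually use rather than raw RSA. The example also shows the two failure cases a receiver relies on: a ciphertext cannot be opened with an unrelated private key, and a signature fails over a modified message.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Encrypt seals msg with the RECEIVER's public key (RSA-OAEP, SHA-256).
// Anyone may call this; only the matching private key can undo it.
func Encrypt(receiverPub *rsa.PublicKey, msg []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, receiverPub, msg, nil)
}

// Decrypt opens a ciphertext with the receiver's private key.
func Decrypt(receiverPriv *rsa.PrivateKey, ct []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, receiverPriv, ct, nil)
}

// Sign signs the SHA-256 digest of msg with the SENDER's private key (RSA-PSS).
func Sign(senderPriv *rsa.PrivateKey, msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return rsa.SignPSS(rand.Reader, senderPriv, crypto.SHA256, digest[:], nil)
}

// Verify checks sig over msg with the sender's public key. Success means msg is
// intact and was signed by the holder of the matching private key.
func Verify(senderPub *rsa.PublicKey, msg, sig []byte) bool {
	digest := sha256.Sum256(msg)
	return rsa.VerifyPSS(senderPub, crypto.SHA256, digest[:], sig, nil) == nil
}

// Result records what the receiver observes in one run of both flows.
type Result struct {
	Decrypted        string // what Bob recovered from the ciphertext
	WrongKeyDecrypts bool   // whether an unrelated private key could open it (must be false)
	SignatureValid   bool   // Alice's signature checked over the original message
	TamperedValid    bool   // the same signature checked over an altered message (must be false)
}

// Exchange runs Alice -> Bob. Each party generates its own 2048-bit RSA pair;
// private keys never leave the party, only public keys are shared.
func Exchange() (Result, error) {
	var r Result
	alice, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return r, err
	}
	bob, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return r, err
	}
	eve, err := rsa.GenerateKey(rand.Reader, 2048) // a third party's unrelated key pair
	if err != nil {
		return r, err
	}
	msg := []byte("transfer 100 to account 42") // constructed sample message

	// Confidentiality: encrypt with Bob's public key, decrypt with Bob's private key.
	ct, err := Encrypt(&bob.PublicKey, msg)
	if err != nil {
		return r, err
	}
	pt, err := Decrypt(bob, ct)
	if err != nil {
		return r, err
	}
	r.Decrypted = string(pt)
	_, err = Decrypt(eve, ct) // OAEP decryption with the wrong private key fails
	r.WrongKeyDecrypts = err == nil

	// Authentication, integrity, non-repudiation: Alice signs with her private
	// key; Bob verifies with Alice's public key, then retries on an altered copy.
	sig, err := Sign(alice, msg)
	if err != nil {
		return r, err
	}
	r.SignatureValid = Verify(&alice.PublicKey, msg, sig)
	r.TamperedValid = Verify(&alice.PublicKey, []byte("transfer 900 to account 42"), sig)
	return r, nil
}

func main() {
	r, err := Exchange()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", r)
}
```

Run it with `go run`; the printed Result should show the original message recovered, WrongKeyDecrypts and TamperedValid both false, and SignatureValid true. Note that Bob has to know Alice's public key belongs to Alice for the signature to mean anything, which is exactly the binding a certificate provides.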
- What is a certificate:
  * A digital certificate in a PKI system binds a public key to the identity information (name, e-mail address, identification number, etc.) of the subject that holds the corresponding private key.
  * The subject of a certificate can be a user, a computer, a service, etc.
  * Certificates have many uses: Web user authentication, Web server authentication, secure e-mail, Internet Protocol Security (IPsec).
  * Digital certificates are issued by a competent and impartial third party, the CA.
A certificate contains the following information: the subject's public key value; the subject's identification information (such as name and e-mail address); the validity period (the time during which the certificate is valid); the issuer's identification information; and the issuer's digital signature over all of the preceding fields, which is what lets a relying party detect any modification.
- The role of the CA:
The core function of the CA is to issue and manage digital certificates, which covers: processing certificate requests; verifying that an applicant is eligible to receive a certificate; issuing certificates; renewing certificates; handling end users' certificate queries and revocation requests; generating and publishing the certificate revocation list (CRL); archiving issued certificates and, where required, keys; and archiving historical data.
- The certificate issuance process:
1. Certificate application: the user fills in the application with their identity information and submits a certificate request.
2. RA confirms the user: on an intranet this is usually done by manual verification, to ensure the user's information is authentic.
3. Certificate policy processing: if identity verification succeeds, the system-defined policy is applied to the request, e.g. constraints on the name and on the key length.
4. RA submits the request to the CA: the RA signs the user's request with its own private key, so the CA can confirm the request was submitted by the RA.
5. The CA generates the certificate: it signs the user's public key and identity information with the CA's signing key, producing the certificate and thereby binding the user's identity to the public key; the CA then publishes the user's certificate (and public key) to the directory. The CA generates a key pair on the user's behalf only where central key archival is required; in most deployments the user generates the key pair and submits only the public key in the request, so the private key never leaves its holder.
6. The CA transmits the certificate to the RA that approved the user.
7. The RA delivers the certificate to the user (or the user retrieves it).
8. The user verifies the certificate issued by the CA: using the CA's public key, the user checks the CA's signature, which confirms that the certificate was indeed issued by the trusted CA and that its contents were not tampered with after signing.
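The issuance procedure above, together with the certificate fields listed under "What is a certificate", as an added Go example that is not part of the original page. It uses only the Go standard library (crypto/x509). The names ("Example Root CA", "Unrelated Root CA", "alice", example.com), the policy (the e-mail address must be under the CA's domain) and the validity periods are constructed for the example. It follows the common deployment in which the subject generates its own key pair and submits a signed request (CSR), so the private key never leaves its holder and the CA signs only the public key; the RA's countersignature in step 4 is omitted. The check that the CSR is signed by the key it carries is the proof of possession a CA should always perform before binding a name to a key, and the unrelated second root shows that step 8 succeeds only against the CA the user actually trusts.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// check aborts on an unexpected library error (a shortcut for the example).
func check(err error) {
	if err != nil {
		panic(err)
	}
}

// NewCA creates a root CA: a P-256 signing key and a self-signed certificate
// that asserts the CA role (IsCA, certificate-signing key usage).
func NewCA(name string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().AddDate(10, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// MakeRequest is step 1 (user): a fresh key pair and a CSR carrying the identity
// to certify, signed with the new private key, which never leaves the user.
func MakeRequest(cn, email string) (*ecdsa.PrivateKey, []byte) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: cn}, EmailAddresses: []string{email}}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	check(err)
	return key, der
}

// Issue is steps 2-5 (RA/CA): confirm the CSR is signed by the key it carries,
// apply the issuing policy (constructed here: e-mail must be under domain), then
// sign a certificate binding that identity to the public key.
func Issue(caCert *x509.Certificate, caKey *ecdsa.PrivateKey, csrDER []byte, domain string, days int) (*x509.Certificate, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("request not signed by the key it carries: %w", err)
	}
	for _, e := range csr.EmailAddresses {
		if !strings.HasSuffix(e, "@"+domain) {
			return nil, fmt.Errorf("policy: %q is outside %s", e, domain)
		}
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128)) // random, so no two collide
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber:   serial,
		Subject:        csr.Subject,
		EmailAddresses: csr.EmailAddresses,
		NotBefore:      time.Now().Add(-time.Minute),
		NotAfter:       time.Now().AddDate(0, 0, days),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, caCert, csr.PublicKey, caKey)
	check(err)
	return x509.ParseCertificate(der)
}

// VerifyAgainst is step 8 (user or relying party): chain cert to a trusted root,
// which checks the issuer signature, the validity period and the root's CA flags.
func VerifyAgainst(cert, root *x509.Certificate) error {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := cert.Verify(x509.VerifyOptions{Roots: pool})
	return err
}

// Walkthrough runs the procedure for "alice" and reports the issued subject,
// whether the certificate chains to its issuer, and whether an unrelated root
// also accepts it (it must not).
func Walkthrough() (subject string, okIssuer, okOther bool) {
	caCert, caKey := NewCA("Example Root CA")
	otherCert, _ := NewCA("Unrelated Root CA")
	_, csr := MakeRequest("alice", "alice@example.com")
	cert, err := Issue(caCert, caKey, csr, "example.com", 365)
	check(err)
	return cert.Subject.CommonName, VerifyAgainst(cert, caCert) == nil, VerifyAgainst(cert, otherCert) == nil
}

func main() {
	fmt.Println(Walkthrough())
}
```

The fields the page lists (subject, public key, validity period, issuer, issuer signature) are all readable on the returned *x509.Certificate as Subject, PublicKey, NotBefore/NotAfter, Issuer and Signature. A request such as MakeRequest("mallory", "mallory@attacker.test") is refused by Issue at the policy step before any signing takes place.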