Digital signatures
A digital signature (also known as a public-key digital signature or electronic seal) is similar to an ordinary physical signature written on paper, but it is implemented with public-key cryptography and serves as a method for authenticating digital information. A digital signature scheme typically defines two complementary operations, one for signing and the other for verification.
Signature: a signature is an application of asymmetric encryption in which data is encrypted with a private key; the result is the signature of the data. The signature information is computed from the data, so any change to the signed data, however small, will not produce the same signature information.
Signature verification: verifying a signature is the process of decrypting, with the public key, the data that was encrypted, and validating it. The signed data is run through the same algorithm to obtain signature information, which is then compared with the original signature information.
Hash algorithm / digest algorithm / hash
A hash algorithm takes an input of arbitrary length (also known as the pre-image) and transforms it into a fixed-length output; that output is the hash value. The conversion is a compressing map: the space of hash values is usually much smaller than the input space, so different inputs may hash to the same output, and the input cannot be uniquely determined from the hash value. Put simply, it is a function that compresses a message of any length into a message digest of fixed length.
Common algorithms: SHA-1, SHA-256, MD5, MD2
Characteristics: the hash algorithm cannot be reversed to restore the original plaintext; the resulting digest reveals no information about the original plaintext; the same plaintext processed with the same hash algorithm always yields the same value.
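The digest step and the sign/verify flow described above, as an added example that is not code from the original article: textbook RSA applied to a SHA-256 digest. The key is a constructed toy key and no padding scheme is used, so this shows the mechanism only; the names `digest`, `sign` and `verify` are chosen for this illustration.

```python
import hashlib

# Constructed toy key: two Mersenne primes, chosen only so the example runs
# offline. Real keys use random primes and a padding scheme such as RSA-PSS.
P = 2**521 - 1
Q = 2**607 - 1
N = P * Q                                # public modulus
E = 65537                                # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))        # private exponent (Python 3.8+)


def digest(message: bytes) -> int:
    """Compress a message of any length to a fixed 256-bit SHA-256 digest."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(message: bytes) -> int:
    """Signing: apply the private-key operation to the message digest."""
    return pow(digest(message), D, N)


def verify(message: bytes, signature: int) -> bool:
    """Verification: recover the digest with the public key, recompute the
    digest of the received message with the same hash, and compare."""
    if not 0 <= signature < N:
        return False
    return pow(signature, E, N) == digest(message)


if __name__ == "__main__":
    msg = b"pay 100 to alice"                 # constructed sample message
    sig = sign(msg)
    print(verify(msg, sig))                   # genuine message and signature
    print(verify(b"pay 900 to alice", sig))   # one changed character
    print(verify(msg, sig ^ 1))               # one flipped signature bit
```

Only the holder of `D` can produce a value that the public pair `(N, E)` maps back to the digest, which is why a change to either the message or the signature makes the comparison fail.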
PKI
PKI (Public Key Infrastructure) is a key management platform that follows established standards. Put simply, PKI is infrastructure that uses public-key theory and technology to provide information security services.
Certification Authority (CA)
The CA is the core executive body of PKI and its main component, often referred to as the certification center. Broadly speaking, the certification center also includes the Registration Authority (RA), the body responsible for digital certificate registration applications, certificate issuance, and administration.
Key backup and Recovery
Key backup and recovery is a major part of key management. A user may for some reason lose the key used to decrypt data, so that the encrypted ciphertext can no longer be decrypted. To prevent this, PKI provides a key backup and key recovery mechanism: when a user certificate is generated, the encryption key is backed up and stored by the CA (backed up in KM). When recovery is needed, the user only needs to apply to the CA, and the CA automatically restores the key for the user.
Updates to keys and certificates
The validity period of a certificate is limited. In theory, the limit is based on analysis of how resistant the current asymmetric algorithms and key lengths are to being broken; in practice, it exists because long-term use of the same key carries the risk of the key being cracked. Therefore, to ensure security, certificates and keys must be replaced at a certain frequency. PKI must provide a way to replace issued certificates; this is known as "key update" or "certificate update".
Certificate History Archive
From the key update process above, it is easy to see that after a period of time each user accumulates a number of old certificates and at least one current certificate. This series of old certificates and their corresponding private keys makes up the historical archive of the user's keys and certificates. It is important to record the entire key history. For example, data that a user encrypted with his or her own public key years ago, or that other people encrypted with the user's public key, cannot be decrypted with the current private key; the user must then find the matching private key in the key history archive to decrypt that older data.
Client software
To make operation convenient for customers and to solve PKI application problems, client software is installed on the customer side to provide functions such as digital signing and encrypted data transmission. During authentication, the client software is also responsible for querying revocation information for certificates and related certificates, processing certificate paths, submitting timestamp requests for specific documents, and so on.
Cross-Certification
Cross-certification provides interoperability between multiple PKI domains. It can be implemented in several ways. One is a bridge CA: a third-party CA acts as a bridge that connects multiple CAs into a single trusted whole. Another is to have the root CAs (RCAs) of multiple CAs issue root certificates to each other, so that end users in different PKI domains can achieve mutual trust when they validate up to the root along different certification chains.
PKI (Public Key Infrastructure) Basics Note