Principles of PKI

Source: Internet
Author: User

Symmetric encryption
Asymmetric encryption
Key agreement/exchange
Hash algorithm
Message authentication code (MAC)
Digital signature
Digital certificate (digital ID)
Certificate authority (CA)
Public key architecture
PK: public key
SK: private key
 
Public key encryption technology
PKI is built on public key encryption technology, so to understand PKI you must first look at public key encryption. Encryption is a scientific method of protecting data: an encryption algorithm combines the input text with an encryption key to produce encrypted data (ciphertext). With a good encryption algorithm it is not easy to recover the original text from the ciphertext; a decryption key is required to perform the reverse transformation. Cryptographic technology is divided into symmetric and asymmetric cryptography according to whether the same key is used for encryption and decryption. The former uses the same key for both; the latter uses different keys, that is, a secret encryption key (signature key) and a public decryption key (verification key). In a traditional cryptosystem the encryption key is exactly the same as the decryption key, so the two parties share secret information. The algorithms used by such systems are relatively simple, but they are efficient and fast, and the keys are short yet hard to break. Key transmission and storage, however, are a problem. If both parties must encrypt and decrypt with the same key, distributing that key is difficult in the first place: distributing it over an insecure network is obviously inappropriate, and if either party discloses the key, both parties must switch to a new one.
 
In 1976, the American cryptographers Diffie and Hellman proposed a key exchange protocol to solve the key management difficulties described above: it allows two parties exchanging information over an insecure medium to securely obtain the same key for symmetric encryption. Based on this new idea, the asymmetric key cryptosystem on which PKI rests soon emerged. Several algorithms have been proposed since the first public key encryption algorithm was published in 1976, such as those of Ralph Merkle, Diffie-Hellman, RSA, and Merkle-Hellman. Today many applications combine traditional and modern encryption algorithms, for example PGP and RIPEM, which are widely used in encryption and decryption software. The basic feature of a public key algorithm is that the encryption and decryption keys differ: one key, the public key, encrypts data, and the other, the private key, decrypts it. The two keys are mathematically related, but even with many computers working together it is infeasible to compute the private key from the public key. This rests on a mathematical property: multiplying two large prime numbers to obtain a huge number is easy, whereas factoring that huge product back into its two primes would take even a supercomputer a very long time. Either key of the pair can be used for encryption, with the other used for decryption. The key called the private key is known only to the owner of the key pair, so a private key can serve as an identifying characteristic of its owner. By the public key algorithm, the private key cannot be derived from the public key. To use public keys, a user installs the encryption program, which sets up the private key and generates the corresponding public key. The user sends a copy of the public key to contacts and asks them to use the same encryption program.
Others can then send the user information encrypted with that public key. Only the user can decode it, because decoding requires the private key that corresponds to the public key, which only the user knows. In this process there are two ways for the receiver of information to obtain the other party's public key: one is to contact the other party directly; the other is to obtain it reliably from a third party, such as a certification authority (CA).

 
 
Now we can state the definition of PKI. PKI (Public Key Infrastructure) is a universal security infrastructure that uses the principles and techniques of asymmetric cryptography to implement and provide security services; it is a standards-compliant public key technology that provides a complete secure platform for online e-commerce and e-government. As the name suggests, PKI is an infrastructure that applies public key theory and technology to provide network information security services. A PKI management platform provides key and certificate management for every user in the network who needs encryption, digital signatures, and other cryptographic services, and users rely on the services it provides to communicate securely.
PKI lets applications strengthen the security of their own data and resources, as well as the security of exchanges with other data and resources. Using the PKI security infrastructure should be as simple as plugging an appliance into a wall socket.
 
 
 
Contents of PKI
 
A complete PKI system consists of a certificate authority (CA), a digital certificate repository, a key backup and recovery system, a certificate revocation system, and an application programming interface (API).
 
1. Certificate Authority: the CA, also called the certification center, is the core component of PKI and the issuing authority for digital certificates. It is an authoritative, trusted, and impartial third party in PKI applications.
 
2. Digital certificate repository: in a network environment that uses a public key system, the authenticity and validity of a public key must be provable to its users. There must therefore be a trusted institution that notarizes the public key of any subject, certifying the subject's identity and its binding to that public key. At present the best solution is the certificate mechanism. (1) Certificate. A certificate is the medium through which a public key system manages and publishes keys. It is an authoritative electronic document, an identity card for the network environment, used to prove a subject's identity and the legitimacy of its public key. (2) Certificate repository. The certificate repository is a centralized place where certificates are stored, a public information base on the network open to queries from the public. By accessing and querying the certificate repository, one obtains the public key of the party to communicate with. The certificate repository is an integral part of an extended PKI system; the CA's digital signature guarantees the legitimacy and authority of each certificate.
 
3. Key backup and recovery system: if a user loses a key, encrypted files cannot be decrypted and data is lost. To avoid this, PKI provides a key backup and recovery mechanism.
 
4. Certificate revocation system: sometimes a certificate must be withdrawn because the user's identity has changed or the key has been lost, so a certificate revocation mechanism is provided.
 
5. PKI application interface system: the application interface system provides secure, consistent, and trustworthy interaction with the PKI for all kinds of applications, ensuring the security and credibility of the network environment being built and reducing management costs. Without it, PKI cannot provide its services effectively.
 
Across the whole PKI system, only the CA is in contact with ordinary users; all other parts are transparent to them.

 


 
 
Why use asymmetric encryption algorithms?
 
If you understand what a symmetric encryption algorithm is, you understand what an asymmetric one is: as you may have guessed, in an asymmetric algorithm the encryption key differs from the decryption key. Finding an asymmetric encryption algorithm is not easy. Ron Rivest, Adi Shamir, and Leonard Adleman finally proposed the RSA public key algorithm in 1978 (named after the initials of the three surnames); it is now the most widely used asymmetric algorithm, although it is complex and slow to compute. It rests mainly on the mathematical difficulty of factoring the product of two large primes. The security of RSA has never been proven mathematically, but practice has shown it to be a tool we can rely on.
Why do we need such a cumbersome, complex, and slow algorithm when we already have a high-speed algorithm like DES?
 
Imagine that a friend needs to send you very important and confidential information, and every channel between you and the outside world is monitored. That is not easy. Your friend encrypts the information with DES and sends it to you; an eavesdropper who captures it cannot make sense of it. But you also need the key to read the information! You must know the key your friend used to encrypt it, and your friend has no secure way to pass that key to you. A friend who communicates with you regularly could agree on a key with you in advance, but there is no way for all the people and organizations on the Internet to do so. The role of a public key system (an asymmetric encryption system) is to let you transmit an encryption key to your friends; they use it to encrypt information and send it to you, and you use the decryption key to restore the plaintext and read it. Throughout this process the decryption key is never transmitted in any form; it stays only in your hands. In other words, once your friend has encrypted the information, even he can no longer open it to check it. An eavesdropper who obtains the encryption key but not the decryption key cannot view the plaintext.
 
The encryption key and the decryption key are complementary: what one key encrypts only the other can restore, and vice versa, which is why they are called a key pair. One of them can be sent out and published on the network; it is called the public key. The other is held only by the owner of the key pair and is called the private key. This asymmetric, or public key, system is the cornerstone of the modern financial industry.
 
 
 
DES
Single-key cryptosystem: the same key is used for encryption and decryption; key management and transmission are its weak point.
SHA and MD5
Message digest: a data block yields a digital fingerprint regardless of the size or length of the block.
RSA
Public key cryptosystem: the encryption key is public, the decryption key is not.
Digital signature DSA
Encrypt the digital fingerprint with RSA. This has two advantages: the sender cannot repudiate it (how is this ensured?), and the recipient can verify its correctness because the encryption key is public.
Digital signatures are made with the private key.
 
PKI principles
PKI is a public key system. It uses the characteristics of public key algorithms to build a system for issuing, managing, and using certificates, which supports identity authentication and information encryption and guarantees data integrity and non-repudiation across the network. PKI systems can differ in architecture, implementation, and communication protocols.
A public (asymmetric) key algorithm uses an encryption algorithm together with a pair of keys: a public key and a private key. The basic principle is that information encrypted with one key can only be decrypted with the other key of the pair. The public key can be distributed widely to one's contacts, while the private key must be stored securely. In use, party A encrypts data with party B's public key and transmits it to B, and B decrypts it with its own private key. The public key is bound by an electronic certificate to its owner's name, organization, and email address; the certificate is authenticated, issued, and managed by a certificate authority (CA). Handing the certificate to another party delivers the public key to that party. Certificates can also be stored in a public place where others can conveniently find and download them.
The public key method also provides digital signatures: the signer extracts a digest of the data to be sent and encrypts it with its own private key; the recipient checks the validity and identity of the signer's certificate, decrypts and verifies the signature with the signer's public key, and so confirms the integrity and non-repudiation of the signed information.
For encrypting files and data, the public key method relies on symmetric (single) keys.
Currently the RSA public key method is the one mainly used on the Internet, with key lengths of 512 or 1024 bits. It is the basis of widely used secure communication protocols such as SSL/TLS and S/MIME.
 
Encryption
 
Data encryption is implemented in software and in hardware. By function, data encryption technology falls into four categories: data transmission, data storage, data integrity identification, and key management.

Network applications generally use two kinds of encryption, symmetric key and public key. Which algorithm to use should be decided in light of the specific application environment and system, not simply by comparing encryption strength. Besides the algorithm itself, key distribution, encryption efficiency, integration with existing systems, and cost-benefit analysis all have to be considered in a real environment.

Symmetric key encryption. The common standard is DES; with DES, sender and recipient encrypt and decrypt packets with a 64-bit key. Where there are special security requirements, IDEA or triple DES should be adopted. Secret key encryption is widely used in traditional enterprise networks because it is highly efficient; a KDC (key distribution center) centrally manages and distributes the keys and authenticates identities based on them, but this model is not suited to the Internet environment.

On the Internet, public key systems are used. In public key encryption the encryption key and decryption key differ: each user generates a key pair, publishes one key as the public key, and keeps the other as the private key. A common public key algorithm with high encryption strength is RSA. In practice digital signatures and data encryption are combined. When sending data, the sender first attaches a digital signature: it encrypts with its own private key a piece of data derived from the data being sent, then encrypts the signature together with the data using the receiver's key. When the ciphertext arrives, the receiver decrypts it to obtain the data and the sender's digital signature, then decrypts the signature with the public key the sender has published; if this succeeds, the data is confirmed to have come from the sender. The digital signature also depends on factors such as the transmitted data and the time. Because the encryption strength is high and the two parties need not establish a trust relationship or share a secret in advance, this approach is very suitable for the Internet.
 
 
 
Conventional Key Cryptography
 
A conventional key cryptosystem is one in which the encryption key is the same as the decryption key.

Early conventional key cryptosystems typically used substitution ciphers. The principle can be illustrated with an example:

The letters a, b, c, d, ..., w, x, y, z keep their natural order, but each is replaced by D, E, F, G, ..., Z, A, B, C respectively (that is, a shift of 3 positions). If the plaintext is student, the corresponding ciphertext is VWXGHQW (here the key is 3).

Because the frequency with which each letter occurs in English text has long been tabulated, such a substitution cipher is easily broken with a letter frequency table.
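The shift cipher above and the frequency-table attack on it, as an added Python example that is not part of the original article: it reproduces the student / VWXGHQW case with key 3 and then recovers an unknown shift from a longer ciphertext using only letter frequencies. The English frequency table and the sample sentence are constructed inputs for the demonstration.

```python
"""Shift substitution cipher (the example with key 3 above) and the letter-frequency
attack that breaks it."""
from collections import Counter
import string

ALPHABET = string.ascii_lowercase

# Approximate relative frequency (percent) of each letter in English text; these are the
# commonly published figures, used here as the reference distribution.
ENGLISH_FREQ = {
    "a": 8.2, "b": 1.5, "c": 2.8, "d": 4.3, "e": 12.7, "f": 2.2, "g": 2.0,
    "h": 6.1, "i": 7.0, "j": 0.15, "k": 0.77, "l": 4.0, "m": 2.4, "n": 6.7,
    "o": 7.5, "p": 1.9, "q": 0.095, "r": 6.0, "s": 6.3, "t": 9.1, "u": 2.8,
    "v": 0.98, "w": 2.4, "x": 0.15, "y": 2.0, "z": 0.074,
}

# Constructed English sample, long enough for frequency analysis to work.
SAMPLE = ("the frequency with which each letter appears in english text has long been "
          "tabulated so a cipher that merely shifts every letter by the same amount leaves "
          "that pattern intact and can be undone by trying all twenty six shifts and keeping "
          "the one whose output looks most like english")


def shift_encrypt(plaintext, key):
    """Replace each letter by the one `key` positions later; ciphertext is upper case."""
    out = []
    for ch in plaintext.lower():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + key) % 26].upper())
        else:
            out.append(ch)
    return "".join(out)


def shift_decrypt(ciphertext, key):
    """Undo the shift; plaintext is returned in lower case."""
    return shift_encrypt(ciphertext, -key).lower()


def chi_squared(ciphertext, shift):
    """How far the letter counts of `ciphertext`, read as if encrypted with `shift`,
    are from the English distribution; lower means more English-like."""
    letters = [c for c in ciphertext.lower() if c in ALPHABET]
    counts = Counter(letters)
    score = 0.0
    for i, plain_letter in enumerate(ALPHABET):
        cipher_letter = ALPHABET[(i + shift) % 26]      # where this shift sends plain_letter
        expected = ENGLISH_FREQ[plain_letter] / 100 * len(letters)
        score += (counts[cipher_letter] - expected) ** 2 / expected
    return score


def recover_key(ciphertext):
    """Try all 26 shifts and keep the one whose plaintext best fits English."""
    return min(range(26), key=lambda k: chi_squared(ciphertext, k))
```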
 
Data Encryption Standard DES
 
The DES algorithm was developed by IBM in 1971 and 1972 to protect the confidentiality of its products. It was then selected as the Data Encryption Standard by the US National Bureau of Standards and the National Security Agency, and promulgated for use in 1977. ISO also adopted DES as a data encryption standard.

DES encrypts 64-bit blocks of binary data and produces 64-bit blocks of ciphertext. The key is 64 bits long, of which 56 bits are effective (eight bits are used for parity). Decryption is similar to encryption, but the subkeys are applied in reverse order.

The secrecy of DES depends only on the secrecy of the key; the algorithm itself is public. The complex structure of DES is the fundamental reason no shortcut to breaking it has been found. DES can be implemented in both software and hardware; AT&T was the first to implement all DES operating modes on an LSI chip, a product called the DEP (Data Encryption Processor).
 
Public key cryptography
 
The public key cryptosystem emerged in 1976. Its primary feature is that different keys are used for encryption and decryption: each user holds a pair consisting of a public key PK and a private key SK. For this reason it is also called a dual-key or asymmetric key cryptosystem.

In this system PK is public information and serves as the encryption key, while SK is kept secret by the user and serves as the decryption key. Both the encryption algorithm E and the decryption algorithm D are public. Although SK and PK come in pairs, SK cannot be computed from PK. The public key algorithm has the following properties:

1. Plaintext X encrypted with the encryption key PK and then decrypted with the decryption key SK restores the plaintext:
   D_SK(E_PK(X)) = X
2. The encryption key cannot be used for decryption, that is, D_PK(E_PK(X)) ≠ X
3. A pair PK, SK is easy to generate on a computer.
4. SK cannot be derived from a known PK.
5. The encryption and decryption operations can be reversed, that is, E_PK(D_SK(X)) = X
 
The most famous public key cryptosystem is RSA. It has been recommended as the public key data encryption standard by the ISO/TC97 data encryption technology subcommittee SC20.
 
Digital Signature
 
Digital signature technology is one of the core technologies for achieving transaction security, and its implementation rests on encryption. Here we introduce the basic principles of digital signatures.
 
In the past, letters and documents were signed or stamped to prove their authenticity. But how can packets transmitted across a computer network be stamped? That is the problem the digital signature solves. A digital signature must guarantee the following:
 
The receiver can verify the sender's signature on the message; the sender cannot repudiate the signature on the message afterwards; and the receiver cannot forge a signature on the message.
  
There are many ways to implement digital signatures, but a public key algorithm makes it easier than a conventional algorithm. That approach is described below.
 
Sender A applies its secret decryption key SKA to message X and sends the result D_SKA(X) to receiver B. B applies A's publicly known encryption key to obtain E_PKA(D_SKA(X)) = X. Nobody but A holds A's decryption key SKA, so nobody but A can produce the ciphertext D_SKA(X); in this way message X is signed. The private key is used to encrypt the data sent to the other party, who can only open it with the sender's public key, and that is how the receiver verifies the sender's signature on the message.
 
If A later denies having sent the message to B, B can present X and D_SKA(X) to a third party, which can easily confirm with PKA that A really did send message X to B. Conversely, B cannot present some D_SKA(X') for a different message X' to a third party, which shows that B cannot forge a message. The digital signature can therefore also be used to identify the source of a message.
  
However, the procedure above only signs the packet; the transmitted packet X itself is not kept confidential, because anyone who captures the ciphertext D_SKA(X) and knows the sender's identity can look up the sender's public key in a directory and read the message. Confidential communication and digital signature can be combined. Here SKA and SKB are the secret keys of A and B, and PKA and PKB their public keys, respectively.
 
Key Management
 
A critical weakness of symmetric key encryption is the difficulty of key management, which is why it is hard to apply widely in e-commerce practice. Here public key encryption has an absolute advantage. But whichever scheme is implemented, key management must be considered, all the more so as the network grows and more users are added. Cy Ardoin, president of the security consulting firm Cypress Consulting, put it this way: "In all encryption schemes, keys must be managed."
 
Currently the accepted approach is to use a key distribution center (KDC) to manage and distribute public keys. Each user keeps only his or her own secret key and the KDC's public key PKAS, and can obtain any other user's public key through the KDC.
 
First, A applies to the KDC for a public key by sending it the information (A, B). The KDC returns (CA, CB) to A, where CA = D_SKAS(A, PKA, T1) and CB = D_SKAS(B, PKB, T2). CA and CB are called certificates and contain the public keys of A and B respectively. The KDC signs CA and CB with its decryption key SKAS to prevent forgery, and the timestamps T1 and T2 prevent replay attacks.
 
Finally, A sends the certificates CA and CB to B. B obtains A's public key PKA and can also check its own public key PKB.
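The five public key properties listed earlier, the signature procedure from the Digital Signature section, and the KDC certificate exchange just described, worked through in one added Python example that is not part of the original article. It uses textbook RSA on constructed keys built from well-known small primes (far too small for real use), signs a truncated SHA-256 digest so a message of any length fits one RSA block, and treats the 300-second freshness window for certificate timestamps as an assumed policy value.

```python
"""Textbook RSA on constructed keys: the five public key properties, A's signature
as checked by B or a third party, and KDC-issued certificates with timestamps."""
import hashlib

# Constructed key material: pairs of well-known primes (Mersenne primes and the
# primes nearest 2**32 and 2**64). Quick to compute with, far too small for real use.
PRIMES = {
    "KDC": (2**31 - 1, 2**61 - 1),
    "A": (2**32 + 15, 2**64 - 59),
    "B": (2**89 - 1, 2**107 - 1),
}

def keygen(p, q, e=65537):
    """Return (PK, SK) as (n, e) and (n, d), with d = e^-1 mod (p-1)(q-1)."""
    n = p * q
    return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))

def apply(key, x):
    """E_PK and D_SK are the same operation: exponentiation with the key's exponent mod n."""
    n, exp = key
    return pow(x, exp, n)

def check_properties(pk, sk, x):
    """Properties 1, 2 and 5: D_SK(E_PK(X)) = X, D_PK(E_PK(X)) != X, E_PK(D_SK(X)) = X."""
    c = apply(pk, x)
    return {
        "sk_restores": apply(sk, c) == x,
        "pk_does_not_restore": apply(pk, c) != x,
        "sign_then_verify_restores": apply(pk, apply(sk, x)) == x,
    }

def digest(message):
    """SHA-256 truncated to 64 bits so a message of any length fits one toy RSA block."""
    return int.from_bytes(hashlib.sha256(message).digest()[:8], "big")

def sign(sk, message):
    """D_SK(digest(X)): only the holder of SK can produce this value."""
    return apply(sk, digest(message))

def verify(pk, message, signature):
    """E_PK(signature) == digest(X): anyone holding PK, B or a third party, can check it."""
    return apply(pk, signature) == digest(message)

def signature_demo():
    """A signs X with SKA; an altered X or a value produced with B's key is rejected."""
    pk_a, sk_a = keygen(*PRIMES["A"])
    _, sk_b = keygen(*PRIMES["B"])
    x = b"constructed message: A owes B 100"
    x2 = b"constructed message: A owes B 900"
    sig = sign(sk_a, x)
    return {
        "verifies_under_pka": verify(pk_a, x, sig),
        "altered_x_rejected": not verify(pk_a, x2, sig),
        # B only holds SKB, so D_SKB(x2) does not pass the check with PKA
        "forgery_by_b_rejected": not verify(pk_a, x2, sign(sk_b, x2)),
    }

def encode(body):
    """Canonical byte form of a certificate body so issuer and verifier hash the same bytes."""
    return "|".join(f"{k}={body[k]}" for k in sorted(body)).encode()

def kdc_issue(sk_kdc, name, pk, t):
    """CA = D_SKAS(A, PKA, T1): the KDC signs the name, the public key and a timestamp."""
    body = {"name": name, "n": pk[0], "e": pk[1], "t": t}
    return {"body": body, "sig": sign(sk_kdc, encode(body))}

def cert_check(pk_kdc, cert, now, max_age=300):
    """Verify the KDC signature and reject stale timestamps (replay defence; 300 s is an
    assumed policy). Returns the certified (name, PK), or None if rejected."""
    body = cert["body"]
    if not verify(pk_kdc, encode(body), cert["sig"]):
        return None
    if not now - max_age <= body["t"] <= now:
        return None
    return body["name"], (body["n"], body["e"])

def kdc_exchange(now=1_700_000_000):
    """A asks the KDC for (A, B), receives CA and CB, and forwards both to B."""
    pk_kdc, sk_kdc = keygen(*PRIMES["KDC"])
    pk_a, _ = keygen(*PRIMES["A"])
    pk_b, _ = keygen(*PRIMES["B"])
    ca = kdc_issue(sk_kdc, "A", pk_a, now - 5)
    cb = kdc_issue(sk_kdc, "B", pk_b, now - 4)
    stale = kdc_issue(sk_kdc, "A", pk_a, now - 3600)          # an old CA replayed later
    altered = {"body": dict(ca["body"], name="C"), "sig": ca["sig"]}  # name changed in transit
    # B holds only PKAS: it learns PKA from CA and re-checks its own PKB from CB
    return {
        "b_learned_pka": cert_check(pk_kdc, ca, now) == ("A", pk_a),
        "b_confirmed_pkb": cert_check(pk_kdc, cb, now) == ("B", pk_b),
        "stale_rejected": cert_check(pk_kdc, stale, now) is None,
        "altered_rejected": cert_check(pk_kdc, altered, now) is None,
    }
```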
 
The main purpose of PKI is to manage keys and certificates automatically so as to establish a secure network environment for users, letting them conveniently use encryption and digital signature technologies in a wide variety of applications to ensure the confidentiality, integrity, and validity of data online.
 
Data confidentiality means that data cannot be read by unauthorized users during transmission.
Data integrity means that data cannot be illegally tampered with during transmission.
Data validity means that data cannot be arbitrarily repudiated.
 
An effective PKI system must be secure and transparent: when users obtain encryption and digital signature services, they need not know in detail how PKI manages certificates and keys.
 
A key is a value used to encrypt or decrypt information. Even if the algorithm is public, security is not compromised, because the data cannot be read without the key.
 
PKI is a relatively new security technology. It consists of public key encryption technology, digital certificates, the certificate authority (CA), the registration authority (RA), and other basic components.
 
Digital certificates are used for user authentication on the Internet and on intranets.
 
A CA is a trusted entity responsible for issuing, renewing, and revoking certificates according to its issuing policy.
 
The RA, or registration authority, accepts user requests, is responsible for archiving and filing the application information and storing it in a database for review, and forwards approved certificate requests to the CA. The RA takes over part of the CA's work and makes management easier.
 
Relatively mature symmetric algorithms: DES, 3DES, IDEA
 
Features of asymmetric encryption
Keys come in pairs. The two keys differ, and what one encrypts the other decrypts.
One key cannot be used to compute the other.
The public key is published to everyone; only the owner of the private key knows the private key.
The private key must be kept safe by its holder.
 
The receiver generates a key pair (public key and private key) and publishes the public key.
The sender encrypts the information with the receiver's public key and sends it to the receiver.
On receiving the information, the receiver decrypts it with its own private key.
 
Asymmetric encryption has good confidentiality and removes the need for end users to exchange keys. However, encryption and decryption are slow and take a long time, so it is unsuitable for encrypting files and is used only for small amounts of data. In practice, therefore, asymmetric and symmetric encryption are used together.
 
The sender encrypts the file with symmetric encryption and sends it to the other party.
The sender then encrypts the symmetric key (the key both sender and receiver must share) with asymmetric encryption and transmits it to the other party.
The receiver decrypts it to obtain the symmetric key.
The receiver then uses the symmetric key to decrypt the symmetrically encrypted ciphertext and obtain the plaintext.
 
The accepted asymmetric encryption algorithm is RSA.
 
What I send must not be readable by anyone else: that is the role of the encryption algorithm.
What I receive must verifiably come from the person it claims to come from: that is the role of the digital signature (non-repudiation).
 
A hash (digest) algorithm is a simple one-way, irreversible process; it can also be used to ensure that a file is intact and unmodified.
 
It takes an input string of arbitrary length and returns a fixed-length value, also known as the hash value.
 
Each message fed to the function yields a hash value, which ensures the uniqueness of the input message (different hash values indicate different input messages).
 
If the hash value of a message before it passes through an insecure channel equals the hash value of the message after transmission, the received message can be considered, with high probability, identical to the message sent, which ensures the integrity of the transmitted message.
 
Within a given period of time, one cannot find the original message that produced a specific hash value.
One cannot find two messages that produce the same hash value.
 
Common HASH algorithms include SHA and MD5.
 
Data encryption only ensures the confidentiality of the sent data; it does not fully guarantee integrity and non-repudiation, that is, it cannot ensure that the data has not been tampered with or that the sender has not been impersonated.
 
A digital signature provides authentication and data integrity, so the recipient can confirm the sender's identity and confirm that the message was not tampered with in transit. This prevents a sender from passing off a message as coming from another user.
 
If a message is signed by the sender, the signer cannot deny it, or can do so only with great difficulty.
The message has not been modified between being issued and being received, and the issued message is authentic.
 
A digital signature can also be used to sign the time a message was sent: signing a message with the private key together with a timestamp confirms that the message existed at a certain point in time. A digital signature can also be used to confirm that a public key belongs to someone. When a message is digitally signed, a message digest representing the message is produced; the digest is encrypted with the sender's private key, and the receiver decrypts it with the sender's public key.
 
When the sender signs a message, a message digest is created (using the hash algorithm).
The sender encrypts the message digest with his or her own private key.
The encrypted digest is attached to the message and sent to the receiver together with it.
On receiving the message, the receiver decrypts the message digest with the sender's public key.
At the same time, the receiver computes a new message digest from the received message with the same algorithm and compares it with the decrypted digest.
If the two digests match, integrity is assured and the signature is considered valid.
 
Process

Sender

1. Original text + random (symmetric) key: encrypt the original text with the random key.
2. Original text + hash algorithm: message digest.
3. Random (symmetric) key + receiver's public key: only the receiver's private key can open this to obtain the symmetric key.
4. Message digest + sender's private key: the receiver uses the sender's public key to unseal the digest.

These four steps finally produce the encrypted data and the encrypted message digest.

Recipient

1. First, unseal the encrypted symmetric key with your own private key.
2. Use the symmetric key to unseal the encrypted original text.
3. Unseal the encrypted message digest with the sender's public key.
4. Compute a message digest with the same hash algorithm.
5. Compare the digest sent by the sender with the digest of the text just received. If they match, the information has not been modified.

Both the asymmetric public key and the hash algorithm are used.
 
The data is encrypted, and opening it requires the recipient's private key, which is never transmitted, so the data is hard to crack. But the data was encrypted with the recipient's public key, and the public key is public, so someone could use the receiver's public key to forge the data part and send it to the receiver together with the message digest. Because it is encrypted with the receiver's public key, the receiver can open the tampered data. The tampered data, however, cannot produce the same message digest under the hash algorithm as the one that was sent, which proves tampering or damage. The message digest is encrypted with the sender's private key, so forging it would require the sender's private key, which is never transmitted over the network. In this way, forgery would require the private keys of both parties.
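The sender and recipient steps above, together with the four-step combination of symmetric and asymmetric encryption listed earlier, as an added Python example that is not part of the original article. The RSA keys are constructed textbook ones from well-known small primes, the symmetric cipher is a hash-based stream cipher standing in for DES, and the message digest is a truncated SHA-256; the closing scenario shows that a data part replaced by someone who knows only the receiver's public key is caught by the digest comparison.

```python
"""The sender/recipient process from the text on constructed toy primitives:
a random symmetric key for the body, RSA to wrap that key for the receiver, a
SHA-256 digest signed with the sender's private key, and the receiver's checks."""
import hashlib
import os

# Constructed textbook RSA keys from well-known primes; far too small for real use.
PRIMES = {"A": (2**32 + 15, 2**64 - 59), "B": (2**89 - 1, 2**107 - 1)}


def keygen(p, q, e=65537):
    """PK = (n, e), SK = (n, d)."""
    n = p * q
    return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))


def rsa(key, x):
    """Encrypt with PK or decrypt/sign with SK: same operation, different exponent."""
    n, exp = key
    return pow(x, exp, n)


def stream_xor(key, data):
    """Toy CTR-style stream cipher standing in for DES: keystream block i is
    SHA-256(key || i). Applying it twice with the same key restores the data."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def digest64(data):
    """SHA-256 truncated to 64 bits so it fits a single toy RSA block."""
    return int.from_bytes(hashlib.sha256(data).digest()[:8], "big")


def send(original, pk_receiver, sk_sender):
    """Sender steps 1-4."""
    k = os.urandom(8)                                      # 1: random symmetric key
    body = stream_xor(k, original)                         #    original text encrypted with it
    sig = rsa(sk_sender, digest64(original))               # 2+4: digest, sealed with sender's SK
    wrapped = rsa(pk_receiver, int.from_bytes(k, "big"))   # 3: only the receiver's SK opens it
    return {"body": body, "key": wrapped, "sig": sig}


def receive(env, sk_receiver, pk_sender):
    """Recipient steps 1-5. Returns the plaintext, or None if the digests differ."""
    k = rsa(sk_receiver, env["key"]).to_bytes(8, "big")    # 1: unseal the symmetric key
    original = stream_xor(k, env["body"])                  # 2: unseal the original text
    sent_digest = rsa(pk_sender, env["sig"])               # 3: unseal digest with sender's PK
    if sent_digest != digest64(original):                  # 4+5: recompute and compare
        return None
    return original


def demo():
    """Round trip A -> B, then the scenario from the text: a data part replaced by
    someone who knows only B's public key cannot be re-signed without A's private key."""
    pk_a, sk_a = keygen(*PRIMES["A"])
    pk_b, sk_b = keygen(*PRIMES["B"])
    msg = b"constructed sample: pay 100 units to account 42"
    env = send(msg, pk_b, sk_a)
    fake_key = b"\x01" * 8
    forged = dict(env)
    forged["key"] = rsa(pk_b, int.from_bytes(fake_key, "big"))
    forged["body"] = stream_xor(fake_key, b"constructed sample: pay 999 units to account 7")
    return {
        "roundtrip": receive(env, sk_b, pk_a) == msg,
        "forgery_detected": receive(forged, sk_b, pk_a) is None,
    }
```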
 
Digital signatures generally do not apply an asymmetric algorithm such as RSA to the whole data. Instead, the sender transforms the entire data into a value and uses it as the message digest and signature; the receiver decrypts the digest with the sender's public key and, if the result matches the digest it computes itself, the signature is valid and the other party's identity is confirmed. The algorithms commonly used in digital signatures are hash algorithms and secure hash algorithms, of which MD5 is the most frequently used.
 
The recipient must also have a mechanism to ensure that the key pair really belongs to the sender and not to an impostor. This is done through a certificate from a trusted third party that confirms the identity of the public key's owner.
