The composition of PKI

Source: Internet
Author: User
Tags: ldap, protocol

PKI (Public Key Infrastructure) is a system or platform that provides public-key cryptography and digital signature services in order to manage keys and certificates. By using the PKI framework to manage keys and certificates, an organization can build a secure network environment.

PKI consists mainly of four parts: certificates in X.509 v3 form and certificate revocation lists (CRL v2), the CA operational protocol, the CA management protocol, and CA policy formulation. A typical, complete and effective PKI application system should have at least the following five parts:

1) Certification Authority (CA). The CA is the core of PKI. It is responsible for managing the certificates of all users (including various applications) under the PKI structure, binding each user's public key together with the user's other information, and authenticating the user's identity online. The CA is also responsible for registering and publishing the certificate blacklist (revocation list). The CA is described in more detail later.

2) X.500 directory server. The X.500 directory server is used to publish users' certificates and blacklist information; using the standard LDAP protocol, a user can query their own or other people's certificates and download the blacklist.

3) Secure WWW server with high-strength cryptographic algorithms (SSL). The Secure Sockets Layer (SSL) protocol was originally developed by Netscape and has become the global standard for authenticating the identity of web sites and web browsers on the network, and for encrypted communication between browser users and web servers.

4) Web (secure communication platform). The Web platform has two parts, a Web client side and a Web server side, installed on the client and the server respectively; through the SSL protocol with high-strength cryptographic algorithms it guarantees the confidentiality, integrity and authentication of the data exchanged between client and server.

5) Self-developed security application systems. These are the specific application systems that individual industries develop for themselves, such as banking and securities application systems. A complete PKI also includes the formulation of the certification policy (including the technical standards to be followed, the subordinate or sibling relationships among CAs, security policies, security, service objects, management principles and frameworks, etc.), the certification rules, the operating procedures, the legal relationships among the parties involved, and the technical implementation.

A complete PKI system must have an authoritative certification authority (CA), a digital certificate repository, a key backup and recovery system, a certificate revocation system, an application programming interface (API) and other basic components; the construction of a PKI is carried out around these five systems.

The basic techniques of PKI include encryption, digital signatures, data integrity mechanisms, digital envelopes, dual digital signatures and so on. A typical, complete and effective PKI application system should have at least the following capabilities:

  • Management of public-key cryptographic certificates.

  • Publication and management of the blacklist (revocation list).

  • Backup and recovery of keys.

  • Automatic key update.

  • Automatic management of historical keys.

  • Support for cross-certification.

Certification authority (CA): the authority that accepts applications for digital certificates and issues them; the CA must be authoritative.

Digital certificate repository: stores the issued digital certificates and public keys; from it a user can obtain the certificates and public keys of other users as needed.

Key backup and recovery system: if a user loses the key used to decrypt data, that data can no longer be decrypted and legitimate data is lost. To avoid this, PKI provides a mechanism for backing up and recovering keys. Note, however, that key backup and recovery must be carried out by a trusted authority, and that it applies only to decryption keys: the signing private key is never backed up, so that it remains unique to its owner.

Certificate revocation system: the certificate revocation system is a necessary component of PKI. As with identity documents in daily life, it may be necessary to invalidate a certificate within its validity period, for example because the key medium was lost or the user's identity changed. To achieve this, the PKI must provide a set of mechanisms for invalidating certificates.

Application interface (API): the value of PKI lies in letting users easily use encryption, digital signatures and other security services, so a complete PKI must provide a good application interface, so that all kinds of applications can interact with the PKI in a secure, consistent and reliable way, ensuring the integrity and ease of use of the secure network environment.

Typically, the CA is the authority that issues certificates, and it is the core of the PKI. As is well known, the core of building a cryptographic service system is how to achieve key management. A public-key system involves a pair of keys (a private key and a public key). The private key is controlled solely by the user and is never transmitted over the network, while the public key is public and has to be transmitted online; key management in a public-key system is therefore mainly a public key management problem, and the best solution is the digital certificate mechanism.
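The three components the article describes (the CA binding a public key to a user's name, the certificate it issues, and the CRL "blacklist" a relying party consults) can be exercised end to end in a few functions. This is an added example, not code from the original article; it uses the third-party `cryptography` library, the CA name "Example Root CA" and the serial-based revocation check are the example's own assumptions.

```python
import datetime
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa, padding

_now = lambda: datetime.datetime.now(datetime.timezone.utc)

def make_ca(name="Example Root CA"):
    """Certification authority: a self-signed X.509 v3 CA certificate and its signing key (name is a constructed example)."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, name)])
    cert = (x509.CertificateBuilder().subject_name(subject).issuer_name(subject)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(_now()).not_valid_after(_now() + datetime.timedelta(days=3650))
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert

def issue_certificate(ca_key, ca_cert, common_name):
    """The CA binds a user's public key to the user's name by signing an end-entity certificate."""
    user_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    cert = (x509.CertificateBuilder().subject_name(subject).issuer_name(ca_cert.subject)
            .public_key(user_key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(_now()).not_valid_after(_now() + datetime.timedelta(days=365))
            .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True)
            .sign(ca_key, hashes.SHA256()))
    return user_key, cert

def build_crl(ca_key, ca_cert, revoked_serials):
    """Certificate revocation system: the CA publishes a signed CRL (the 'blacklist') of revoked serial numbers."""
    builder = (x509.CertificateRevocationListBuilder().issuer_name(ca_cert.subject)
               .last_update(_now()).next_update(_now() + datetime.timedelta(days=1)))
    for serial in revoked_serials:
        builder = builder.add_revoked_certificate(
            x509.RevokedCertificateBuilder().serial_number(serial).revocation_date(_now()).build())
    return builder.sign(ca_key, hashes.SHA256())

def check_status(cert, ca_cert, crl):
    """Relying-party check: verify the CA's signature on the certificate, then consult the CA-signed CRL."""
    try:
        ca_cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                    padding.PKCS1v15(), cert.signature_hash_algorithm)
    except InvalidSignature:
        return "bad-signature"   # not issued by this CA: never consult the CRL for it
    if not crl.is_signature_valid(ca_cert.public_key()):
        raise ValueError("CRL was not signed by this CA")  # a forged blacklist must not be trusted
    if crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None:
        return "revoked"
    return "good"
```

The check deliberately covers only issuer signature and revocation status; validity dates, name matching and chain building are left to a full path validator.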

