Use .NET and X509 certificates for security

Source: Internet
Author: User

 

 


Overview

This design mainly covers secure data exchange on the current Xxx data exchange platform. The solution uses PKI technology to implement message encryption, signing and certificate management, meeting the functional requirements for data exchange security.

Introduction to PKI technology

PKI stands for "Public Key Infrastructure". It is a universal security infrastructure based on the principles and techniques of asymmetric cryptographic algorithms. PKI uses digital certificates to identify key holders. Through standardized key management, organizations can establish and maintain a trusted system environment that transparently provides application systems with the necessary security guarantees, such as identity authentication, data confidentiality and integrity, and non-repudiation, meeting the security requirements of various application systems. Simply put, PKI is a system that provides public key encryption and digital signature services. It aims to manage keys and certificates automatically and to ensure the confidentiality, authenticity, integrity, and non-repudiation of digital information transmitted online.

Why PKI

With the development of network technology, especially the Internet, Internet-based applications such as e-government and e-commerce have developed rapidly. Networks are gradually becoming an integral part of people's work and life. Because the Internet is open and universal, information on it is exposed to everyone, so application systems place higher requirements on information security.

(1) Identity validity verification requirements
Usernames and passwords stored and transmitted in plain text are exposed to interception, cracking, and many other security risks, and they are inconvenient to maintain. A secure, reliable, and easy-to-maintain mechanism for user identity management and legitimacy verification is therefore required to protect the application system.
(2) Data confidentiality and integrity requirements
Data in enterprise application systems is generally held in plain text. In network-based systems, such plain text data is easily leaked or tampered with. Effective measures must be taken to ensure data confidentiality and integrity.
(3) Transmission security requirements
Data transmitted over the Internet in plain text is easily intercepted or leaked, so the communication channel must be encrypted and protected. The traditional approach of using leased lines falls far short of the needs of modern network applications; a new method based on Internet technology is needed to meet transmission security requirements.
(4) Digital signature and non-repudiation requirements
Non-repudiation prevents the initiator of an event from denying it afterwards, and plays a major role in standardizing business and avoiding legal disputes. Traditionally, non-repudiation is achieved through handwritten signatures. Network applications need a mechanism with the same function, namely digital signature technology.
Based on the asymmetric public key system, PKI uses a digital certificate management mechanism to transparently provide the above security services to online applications, greatly improving their security.

Function module

Certificate Management Console:

The Certificate Authority (CA) is used to apply for and issue certificates.

Certificate generation tool (makecert.exe) generates X.509 certificates for testing purposes only. It creates a public key and private key pair for digital signature, and stores it in the certificate file. This tool also associates the key pair with the name of the specified issuer and creates an X.509 Certificate that binds the user-specified name to the public part of the key pair.

The certificate console is used to manage certificates installed on local computers.

Security pipeline:

The certificate reader reads the information of certificates installed on the local computer.

The encryption/Decryption component encrypts/decrypts packets based on the information provided by the certificate.

The signing/verification component allows you to sign/verify packets based on the information provided by the certificate.

 

Certificate Management Process

Key exchange and signing are both done with X.509 certificates: signing uses your own certificate (including the private key), while encryption and signature verification use the other party's certificate (public key).

    1. Generate a certificate. The certificate can be used for signing or for decryption (its public key is exported to another computer, which encrypts with it). There are two ways to generate a certificate:
      1. Apply for a certificate from an external CA (Certificate Authority).
      2. Use the .NET makecert.exe tool to create a certificate from the command line (the validity and availability of a certificate generated this way cannot be verified).
    2. Import the obtained certificate into the certificate management container of the Local Computer, as shown in Figure 1.

    3. For a certificate used for decryption, export the public key to the other computer so that the other party can encrypt with it. For a signing certificate, export the public key to the other computer so that the other party can use it to verify your identity and check whether packets have been tampered with.
    4. Copy the exported public key file to the remote computer (Figure 2).

    5. On the remote computer, import the public key file directly into the Other People directory of the certificate manager (Figure 3). Encryption and signature verification must read the certificate under Local Computer\Other People.
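
The five steps above can also be scripted. The following C# sketch is an added example, not code from the original article: it uses the .NET CertificateRequest API in place of makecert.exe, the class and method names are hypothetical, and it assumes Windows with .NET Framework 4.7.2 or later and an elevated process, because it writes to Local Computer stores.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class CertificateSetup  // hypothetical helper
{
    static void Install(StoreName store, X509Certificate2 cert)
    {
        using (var s = new X509Store(store, StoreLocation.LocalMachine))
        {
            s.Open(OpenFlags.ReadWrite);
            s.Add(cert);
        }
    }

    // Steps 1-3 on the local computer: create a self-signed test certificate, install it
    // with its private key in Local Computer\Personal, and return only the public part.
    public static byte[] CreateAndExportPublic(string name)
    {
        using (RSA rsa = RSA.Create(2048))
        {
            var req = new CertificateRequest("CN=" + name, rsa,
                HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
            req.CertificateExtensions.Add(new X509KeyUsageExtension(
                X509KeyUsageFlags.DigitalSignature | X509KeyUsageFlags.KeyEncipherment, true));
            using (var temp = req.CreateSelfSigned(
                DateTimeOffset.UtcNow.AddMinutes(-5), DateTimeOffset.UtcNow.AddDays(30)))
            {
                // Round-trip through PFX so the private key is persisted in the machine key store.
                var installed = new X509Certificate2(temp.Export(X509ContentType.Pfx), (string)null,
                    X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.PersistKeySet);
                Install(StoreName.My, installed);
                return installed.Export(X509ContentType.Cert);  // DER certificate, no private key
            }
        }
    }

    // Step 5 on the remote computer: accept only a bare certificate into Other People.
    public static void ImportPublic(byte[] cerBytes)
    {
        if (X509Certificate2.GetCertContentType(cerBytes) != X509ContentType.Cert)
            throw new CryptographicException("Expected a public .cer file, not a PFX or other container");
        Install(StoreName.AddressBook, new X509Certificate2(cerBytes));
    }
}
```

The bytes returned by CreateAndExportPublic are what step 4 copies to the remote computer; the content-type check in ImportPublic rejects a file that carries a private key.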

Encryption/signing process

The client needs to send encryption/signature packets to the server.

Prerequisites

The certificate manager contains the server certificate used for encryption and the client certificate used for signing.

    1. Obtain the plaintext to be encrypted/signed. For encryption, read the certificate under the Other People directory of the Local Computer. For signing, read the certificate under Local Computer\Personal. The certificate name required for encryption/signing is obtained from the configuration file. (Figure 4: certificate content)

    2. Call the encryption/signing algorithm, implemented with the .NET standard class library, to encrypt/sign the packets. (Figure 5: encrypted document structure)

      Encryption Algorithm Description

      The EncryptedXml class is the main class used for XML encryption in the .NET Framework. XML encryption is a standards-based, interoperable way to encrypt all or part of an XML document or any other data. The .NET Framework XML encryption classes implement the World Wide Web Consortium (W3C) XML encryption standard located at http://www.w3.org/TR/xmldsig-core. You can use the EncryptedXml class whenever you need to share encrypted XML data with programs or organizations in a standard way. Any data encrypted with this class can be decrypted by any implementation that complies with the W3C XML encryption specification. XML encryption replaces any plaintext XML element or document with the <EncryptedData> element, which contains the encrypted (ciphertext) representation of the plaintext XML or other data. The <EncryptedData> element can optionally contain information about where to find the key that decrypts the ciphertext and which encryption algorithm was used to encrypt the plaintext. The <EncryptedKey> element is similar to the <EncryptedData> element in style and usage, except that it encrypts a key that is used to decrypt the value of the <EncryptedData> element. Note that the <EncryptedKey> element and the <EncryptedData> element never contain an unencrypted key. Use one of the following methods to exchange key information:

    • Do not include any key information. If this option is selected, both parties must agree on the same algorithm and key before exchanging encrypted data.
    • Include the key location in the Uniform Resource Identifier (URI) attribute of the <RetrievalMethod> element. Both parties must first agree on the key location and keep the location confidential.
    • Include a string name that maps to the key in the <KeyName> element. Both parties must agree on the key name mapping before exchanging encrypted data and keep the mapping confidential.
    • Include the encrypted key in the <EncryptedKey> element. Both parties must have the same key that decrypts the encrypted key before the encrypted data is exchanged. You can optionally include the name or location of the key that decrypts it in the <EncryptedKey> element.

Signature Algorithm Description

The SignedXml class is the main class used for XML signing and verification (XMLDSIG) in the .NET Framework. XMLDSIG is a standards-based, interoperable way to sign and verify all or part of an XML document or other data addressable by a Uniform Resource Identifier (URI). The .NET Framework XMLDSIG classes implement the World Wide Web Consortium (W3C) specification for XML signing and verification, available at http://www.w3.org/TR/xmldsig-core.

The SignedXml class can be used whenever you need to share signed XML data between applications or organizations in a standard way. Any data signed with this class can be verified by any implementation that complies with the W3C XMLDSIG specification.

XMLDSIG creates a <Signature> element that contains the digital signature of an XML document or of other data addressable by a URI. The <Signature> element can optionally contain information about where to find the key that verifies the signature and which cryptographic algorithm was used for signing.

Using the SignedXml class, you can create the following three types of XML digital signatures:

Signature type         Description
Enveloped signature    The signature is contained in the signed XML document.
Enveloping signature   The signed XML is contained in the <Signature> element.
Detached signature     The signature is located in a separate document from the signed data.

Use one of the following methods to exchange key information:

    • Do not include any key information. If you select this option, both parties must agree on the same algorithm and key before the digital signature is exchanged.
    • Include the public key in the <EncryptedKey> element.
    • Include the location of the key in the URI attribute of the <RetrievalMethod> element. Both parties must first agree on the key location and keep the location confidential.
    • Include a string name that maps to the key in the <KeyName> element. Both parties must agree on the key name mapping before exchanging encrypted data and keep the mapping confidential.
    3. Generate the ciphertext. The ciphertext contains the information of the encryption certificate and of the signing certificate, which the server uses for decryption and signature verification.
    4. Send it to the destination.

 

Decryption/signature verification process

The server receives the packets to be decrypted/verified. Packet encryption/signing together with certificate management gives the server control over, and security management of, client transmissions. This ensures that packets are not tampered with or intercepted during transmission.

Prerequisites

The certificate manager contains the server certificate used for decryption and the client certificate used for signature verification.

    1. After receiving the encrypted/signed packets, first extract the certificate information they contain (including the certificate name).
    2. Once the certificate name is obtained, match it against the certificates on the local computer. Certificates for signature verification are stored under Local Computer\Other People, and certificates for decryption are stored under Local Computer\Personal. If the corresponding certificate is not found, an exception is thrown and the process terminates.
    3. Call the .NET SignedXml class library to verify the validity of the message: whether it was tampered with during transmission and whether the client identity is confirmed. If the verification fails, for example because the client identity has been tampered with, the system throws an exception and terminates the process.
    4. After the verification passes, call the .NET EncryptedXml class library to decrypt the packets, producing plaintext for subsequent processing.
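
The client-side encryption/signing steps and the server-side verification/decryption steps above, as one added C# example (not code from the original article). The class and method names are hypothetical. It assumes the client encrypts first and then signs, since the server verifies before it decrypts; that the certificate name travels in a <KeyName> element; and that the encrypted element is a child of the document root, not the root itself.

```csharp
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Security.Cryptography.Xml;
using System.Xml;

static class SecurityPipeline  // hypothetical names; My = "Personal", AddressBook = "Other People"
{
    static X509Certificate2 Find(StoreName store, string subjectName)
    {
        using (var s = new X509Store(store, StoreLocation.LocalMachine))
        {
            s.Open(OpenFlags.ReadOnly);
            // validOnly=false: makecert test certificates do not chain to a trusted root.
            var hits = s.Certificates.Find(X509FindType.FindBySubjectName, subjectName, false);
            if (hits.Count != 1) throw new CryptographicException("No unique certificate: " + subjectName);
            return hits[0];
        }
    }
    // Client: encrypt one child element for the server, then sign the whole document.
    public static void Protect(XmlDocument doc, XmlElement secret, string serverName, string clientName)
    {
        EncryptedData ed = new EncryptedXml().Encrypt(secret, Find(StoreName.AddressBook, serverName));
        EncryptedXml.ReplaceElement(secret, ed, false);
        var sx = new SignedXml(doc) { SigningKey = Find(StoreName.My, clientName).GetRSAPrivateKey() };
        var whole = new Reference("");  // empty URI = the entire document
        whole.AddTransform(new XmlDsigEnvelopedSignatureTransform());
        sx.AddReference(whole);
        sx.KeyInfo.AddClause(new KeyInfoName(clientName));  // certificate name travels in <KeyName>
        sx.ComputeSignature();
        doc.DocumentElement.AppendChild(doc.ImportNode(sx.GetXml(), true));
    }
    // Server: read the name, match it in the local store, verify, and only then decrypt.
    public static void Unprotect(XmlDocument doc)
    {
        XmlNodeList sigs = doc.GetElementsByTagName("Signature", SignedXml.XmlDsigNamespaceUrl);
        if (sigs.Count != 1) throw new CryptographicException("Expected exactly one <Signature>");
        var sx = new SignedXml(doc);
        sx.LoadXml((XmlElement)sigs[0]);
        string name = null;
        foreach (KeyInfoClause c in sx.KeyInfo) if (c is KeyInfoName kn) name = kn.Value;
        if (name == null) throw new CryptographicException("No certificate name in <KeyInfo>");
        var refs = sx.SignedInfo.References;
        if (refs.Count != 1 || ((Reference)refs[0]).Uri != "")
            throw new CryptographicException("Signature must cover the whole document");
        // verifySignatureOnly=true skips chain checks (test certificates); use false with CA-issued ones.
        if (!sx.CheckSignature(Find(StoreName.AddressBook, name), true))
            throw new CryptographicException("Signature verification failed");
        new EncryptedXml(doc).DecryptDocument();  // uses the private key in Local Computer\Personal
    }
}
```

Load the XmlDocument with PreserveWhitespace set to true on both sides, otherwise the digest computed by the server will not match the one the client signed. The verification key always comes from the local Other People store, never from key material carried in the message.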

 

 
