Working Principle and encryption and decryption process of CA Based on PKI

ToPKIBasicCAWorking Principle andEncryption and decryption Processes

650) This. width = 650; "width =" 555 "Height =" 415 "Title =" pki.jpg "style =" width: 701px; Height: pixel PX; "alt =" wkiol1pcqkcz_vzjaag9jh9do8377.jpg "src =" http://s3.51cto.com/wyfs02/M01/43/CA/wKioL1PcqKCz_VzJAAGo9JH9dO8377.jpg "/>

PKI (Public Key Infrastructure) is a key management platform that complies with established standards, it can provide cryptographic services such as encryption and digital signatures and the necessary key and certificate management systems for all network applications. In short, PKI is an infrastructure that uses public key theory and technology to provide security services. PKI is the core of information security technology and the key and basic technology of e-commerce.

A typical, complete, and effective PKI application system should have at least five parts:
1) the CA is the core of PKI. Ca is responsible for managing certificates for all users (including various applications) under the PKI structure, bind the user's public key with other information of the user and verify the user's identity on the Internet. The CA is also responsible for blacklisting and publishing the user certificate. A detailed description of the CA is provided later.
2) The X.500 Directory Server X.500 Directory Server is used to publish user certificates and blacklist information. Users can use the standard LDAP protocol to query their own or others' certificates and download the blacklist information.
3) The secure WWW Server Secure Socket Layer (SSL) protocol with high-strength cryptographic algorithms (SSL) was initially developed by Netscape enterprises and has become a network used to identify websites and web page viewers, and the global standard for encrypted communication between browser users and web servers.
4) Web (Secure Communication Platform) has two parts: Web Client and Webserver, which are respectively installed on the client and server, the SSL protocol with high-strength cryptographic algorithms ensures the confidentiality, integrity, and authentication of client and server data.
5) self-developed security application systems refer to various specific application systems developed by various industries, such as banking and securities application systems. The complete PKI includes the establishment of certification policies (including the following technical standards, the relationship between the CA's superiors or peers, security policies, security levels, service objects, management principles and frameworks), authentication rules, establishment of operating systems, content of the legal relationships of all parties involved, and technical implementation.

A complete PKI system must have basic components such as an authoritative ca, a digital certificate library, a key backup and recovery system, a certificate revocation system, and an application interface (API, building PKI will also focus on these five systems.

The CA provides the following functions: certificate issuance, certificate update, certificate revocation, and certificate verification. The core function of CA is to issue and manage digital certificates, which are described as follows:
(1) receive an application to verify the digital certificate of the end user.
(2) determine whether to accept the application for Digital Certificate of the end user-certificate approval.
(3) Issue or reject the issuance of a digital certificate-certificate to the applicant.
(4) receive and process the digital certificate update request of the end user-certificate update.
(5) receive the query and revocation of the digital certificate of the end user.
(6) Generate and publish a certificate abolition list (CRL ).
(7) archiving digital certificates.
(8) Key archiving.
(9) archiving historical data.

In actual application, CA must do the following:
1) Verify and identify the certificate applicant.
2) ensure the quality of the asymmetric key that ca uses to sign the certificate.
3) ensure the security of the entire visa process and the security of the signature private key.
4) Manage the certificate information (including the public key certificate serial number and Ca ID.
5) determine and check the validity period of the certificate.
6) Ensure the uniqueness of the certificate subject identity and prevent duplicate names.
7) Publish and maintain the list of expired certificates.
8) log the entire certificate issuance process.
9) send a notice to the applicant.

 

PKI has the following advantages:

1. The public key and password technology is used to support digital signatures that can be publicly verified and cannot be counterfeited, so as to have irreplaceable advantages in support of pursued services. This accountability Service also provides a higher level of guarantee for the integrity of the original data. Support for public verification, or any third party, to better protect vulnerable individuals and improve the equality of information and accountability of operations between network systems.

2. Due to the adoption of cryptographic technology, protecting confidentiality is the most advantageous advantage of PKI. PKI not only provides confidentiality services between known entities, but also provides security support for communications between unfamiliar users.

3. Since digital certificates can be verified independently by users and do not require online queries, the principle can ensure unlimited expansion of the service scope, this makes PKI an infrastructure that can serve a large user base. PKI uses digital certificates for service, that is, certificates issued by a third party prove the keys of the End Entity, rather than online query or online distribution. This key management method breaks through the restrictions that security verification services must be online in the past.

4. PKI provides a certificate revocation mechanism so that its application fields are not restricted by specific applications. The Revocation Mechanism provides remedial measures in case of accidents, so that users can be more assured in various security environments. In addition, because of the withdrawal technology, whether it is a permanent identity or a role that is often changed, you do not have to worry that your identity or role is permanently voided or maliciously stolen. Providing users with "correct mistakes" or "regret" is a necessary part of good engineering design.

5. PKI is highly interconnected. Both superior-subordinate leadership and equal third-party Trust, PKI supports various forms of interconnection based on the trust of the human world, so that PKI can effectively serve large network information systems that conform to human habits. The combination of various interconnection technologies in PKI makes it possible to build a complex network trust system. The interconnection technology of PKI provides sufficient technical support for eliminating the island of trust in the online world.

 

Encryption and decryption Processes

650) This. width = 650; "width =" 1161 "Height =" 314 "Title =" image004.png "style =" width: 727px; Height: 251px; "alt =" wkiom1pc1_xqn_ffaaijsvrysn0318.jpg "src =" http://s3.51cto.com/wyfs02/M00/43/CA/wKiom1PcrjXQN_ffAAIjsvrySN0318.jpg "/>

Bob encryption process

1) extract the signature from the data, encrypt the data using one-way encryption technology, and generate a signature. This ensures data integrity.

2) use Bob's private key to encrypt the generated signature.

3) Bob encrypts all data with one-time symmetric encryption.

4), and then use Alice's public key to encrypt the data with one-time symmetric encryption.

Alice decryption process:

1) Use Alice's private key to decrypt symmetric encryption and obtain the symmetric encryption password.

2) use a symmetric encryption password to decrypt one-time symmetric encryption.

3) use a one-way encryption algorithm to encrypt the data decrypted in the previous step.

4) use Bob's public key to decrypt the signature and obtain the signature code sent on Bob.

5) compare whether the signatures in step 3 and Step 3 are consistent. Complete data verification.

 

This article is from the Gentoo blog, please be sure to keep this source http://linuxgentoo.blog.51cto.com/7678232/1534213