Authentication means that a user must provide proof of who he is: an employee, an agent of an organization, or a software process (such as a stock trading system or the software process behind a Web ordering system). The standard methods of authentication identify a user by what he is (his characteristics), what he has, and what he knows.

For example, the system stores his fingerprints, and when he accesses the network he must present his fingerprint on an electronic fingerprint reader connected to the network (which prevents him from using fake fingerprints or other electronic information to spoof the system); he is allowed to access the system only if the fingerprint matches. More common is identification through the distribution map of the retinal blood vessels, which works on the same principle as fingerprint recognition; voice pattern recognition is also used in commercial systems. When the network identifies a user by what he has, it is generally a smart card or another special form of token that can be read by a reader connected to the computer.

As for what he knows, the most common is the password, which has the property of a shared secret. For example, for the server operating system to identify users who want to access the network, users must send their username and password to the server. The server compares them with the username and password in its database and, if they match, the user passes authentication and can access the network. This password is shared by the server and the user. More secure authentication can combine several methods; examples include ATM cards and PINs.

One of the weakest aspects of security is eavesdropping with a protocol analyzer. If the password is transmitted in plaintext (unencrypted), a protocol analyzer attached to the network records the account and password as the user enters them, and anyone who obtains this information can work online as that user.
Two encryption methods

If the password is transmitted over an unsecured channel, it must be encrypted. There are two cryptographic methods: public key encryption and private key encryption.

Private key encryption is symmetric, that is, the encryption key is also used for decryption. The most famous private key encryption system is the Data Encryption Standard (DES), which is now administered by the U.S. National Security Agency and the National Institute of Standards and Technology. Another system is the International Data Encryption Algorithm (IDEA), which is better than DES and does not require much computing power. IDEA is used by the PGP (Pretty Good Privacy) system.

Public key encryption uses two different keys, so it is an asymmetric encryption system. One of its keys is public, and the basic functions of the system are accessible to anyone who has the public key, which can be stored in a system directory or sent in unencrypted e-mail messages. The other key is private: it is used to encrypt information that the public key can decrypt, and it can decrypt information that the public key encrypts.

At the same level of security, private key encryption is faster. Because the private key is shared by both parties, there is no way to determine which party originated a piece of information, which leaves a gap in legal disputes. The authentication process is the same for private key and public key systems, and the main problem is key distribution. How can key holders (the people, computers, and software modules that hold a key) keep the key at hand or in memory and use it without an eavesdropper intercepting it? The most widely used private key authentication system is Kerberos. It requires a secure server that holds the master keys used to communicate with all key holders; when a key holder wants to authenticate, or to decrypt a conversation with another key holder, the server releases the secret key for communicating with them.
Kerberos only partially implements the OSF Distributed Computing Environment (DCE) specification. Kerberos is also part of the Windows NT 5.0 security system, and Kerberos-based systems are not yet widely used.

Public key encryption does not have a key distribution problem: the public key can be placed in a directory, in the Yellow Pages (commercial telephone directory), or on a bulletin board. The problem with a public key is whether the key holder who uses the key can be trusted, because anyone can get a public key. Currently, the third version of the ITU X.509 standard defines a compatible digital certificate format, whose main components are the name of the key holder, the public key information of the key holder, and the digital signature of the certificate authority (CA) (the digital signature guarantees that the certificate has not been modified). An X.509 v3 digital certificate also includes the name of the certificate issuer, the issuer's unique identifier, the unique identifier of the key holder, the serial number of the certificate, the version number, and the signature algorithm of the certificate. Users of Novell Directory Services, Lotus Notes, and PGP use digital certificates, but these do not follow the X.509 standard.

Obstacles to implementing a public key infrastructure

A certificate authority is a very old and intuitive mechanism that not only issues digital certificates but also establishes and maintains certificate revocation lists (CRLs). If your private key is lost or stolen, if you are fired, or if you move to a new job that does not require your current access, there must be a way to invalidate your originally valid certificate. A process for verifying the validity of a digital certificate is therefore required: check whether the CA's public key is valid, verify whether the certificate has been modified, verify whether the certificate has expired, and verify whether the certificate has been revoked.
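The four validity checks listed above can be sketched as follows. This is an added example, not code from the original article: the `Cert` class holds only a subset of the certificate fields named in the text, the CA key is a constructed toy RSA key that is far too weak for real use, and all names and sample values are assumptions.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime

# Constructed toy RSA key pair for the CA (two Mersenne primes): illustration only.
P, Q, E = 2**61 - 1, 2**89 - 1, 65537
CA_PUBLIC = (P * Q, E)
CA_PRIVATE = pow(E, -1, (P - 1) * (Q - 1))

@dataclass
class Cert:                      # subset of the certificate fields named in the text
    subject: str
    subject_key: str
    issuer: str
    serial: int
    not_before: datetime
    not_after: datetime
    signature: int = 0

def digest(cert, n):
    """Hash every signed field and reduce it into the toy RSA modulus."""
    fields = (cert.subject, cert.subject_key, cert.issuer, cert.serial,
              cert.not_before.isoformat(), cert.not_after.isoformat())
    return int.from_bytes(hashlib.sha256(repr(fields).encode()).digest(), "big") % n

def ca_sign(cert):
    n, _ = CA_PUBLIC
    cert.signature = pow(digest(cert, n), CA_PRIVATE, n)
    return cert

def validate(cert, trusted_cas, crl, now):
    """Run the four checks in the order the text lists them; return the first failure."""
    if cert.issuer not in trusted_cas:
        return "CA key not trusted"
    n, e = trusted_cas[cert.issuer]
    if pow(cert.signature, e, n) != digest(cert, n):
        return "certificate modified"
    if not cert.not_before <= now <= cert.not_after:
        return "outside validity period"
    if cert.serial in crl:
        return "certificate cancelled"
    return "ok"

def sample_cert():               # constructed sample data
    return ca_sign(Cert("alice", "alice-public-key", "Example CA", 1001,
                        datetime(2024, 1, 1), datetime(2025, 1, 1)))

TRUSTED = {"Example CA": CA_PUBLIC}
NOW = datetime(2024, 6, 1)
```

Changing any signed field after issuance, for example swapping `subject_key`, makes `validate` return "certificate modified" because the CA's signature no longer matches the digest.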
Information security people are very concerned about the scalability of CRLs: if the validity period is too long, the CRL keeps growing and more computer resources are needed to search it; if certificates are renewed too quickly, management becomes troublesome.

Another issue with certificate authorities is how they interoperate. For example, company X runs a CA that is cross-certified with company Y, which also runs a CA. But do I want to trust the CA of someone who wants to do business with me on the Internet? And can trust be passed on: if CAy trusts CAz and CAx trusts CAy, can CAx automatically trust CAz? If this is reasonable, can I find a closed chain between the CA I trust and a CA I don't know? If such a chain of trust can be found, is its length acceptable, or will it cost too much to compute and cause delays? The X.509 standard provides a so-called reverse certificate, which includes the certified keys of other CAs; this provides flexible cross-certification, but does not solve the architectural problem of identifying and implementing the chain of trust.

Certificate and key management

A certificate has a definite lifetime, from issuance and distribution to revocation; it can also reach the end of its validity period and then be renewed. Of course, any CA database must be backed up effectively and be ready for any eventuality. A policy should be developed for the CA, if possible, that states the validity of certificates, the evidence linking a certificate to the key holder's key pair, and the steps to take to guard against employees who have been hired but are not trusted. The CA system should meet a minimum level of performance and offer high confidentiality. In an interoperable public key architecture, a compromised key can break many trust chains and leave the users of a particular CA without security.
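The questions above about passing trust from CA to CA, acceptable chain length, and the damage done by one compromised key can be made concrete with a bounded search over a cross-certification graph. This is an added example, not part of the original article; the graph, the CA names beyond CAx, CAy and CAz, and the function names are constructed assumptions.

```python
from collections import deque

# Constructed cross-certification graph: issuer -> CAs it has certified.
CROSS_CERTS = {
    "CAx": ["CAy"],
    "CAy": ["CAz", "CAw"],
    "CAz": ["CAv"],
    "CAw": ["CAv"],
    "CAv": [],
}

def trust_path(cross_certs, anchor, target, max_len, compromised=frozenset()):
    """Shortest chain anchor -> ... -> target using at most max_len cross-certificates,
    skipping compromised CAs. Returns the list of CA names, or None."""
    if anchor in compromised or target in compromised:
        return None
    queue = deque([[anchor]])
    seen = {anchor}
    while queue:
        path = queue.popleft()
        if path[-1] == target:
            return path
        if len(path) - 1 == max_len:      # chain-length budget used up
            continue
        for ca in cross_certs.get(path[-1], []):
            if ca not in seen and ca not in compromised:
                seen.add(ca)
                queue.append(path + [ca])
    return None

def chains_broken_by(cross_certs, anchor, compromised_ca, max_len):
    """CAs reachable from anchor that become unreachable once one CA is compromised."""
    return sorted(
        ca for ca in cross_certs
        if ca not in (anchor, compromised_ca)
        and trust_path(cross_certs, anchor, ca, max_len)
        and not trust_path(cross_certs, anchor, ca, max_len, {compromised_ca})
    )
```

The `max_len` budget is the policy decision the text asks about: a relying party that accepts only short chains bounds both the search cost and how far transitive trust extends.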
Access to private keys is protected much like passwords, and the way forgotten passwords are handled is worth considering; nobody other than the key holder should be able to access the private key. A key used for encryption also needs to be backed up; otherwise, if the key is lost or changed, the data encrypted with it is lost as well (but a key used for digital signatures cannot be backed up this way, because if someone loses a private key for digital signatures, a new private key can be generated that works with the original public key).

Key escrow, in which the key is held by a third party, is a different matter from key backup. In general, one or more third parties hold the key or parts of the key, and all the third-party key holders together can reconstruct the complete key.

Another good practice is to update keys periodically. Generating updated keys, like generating the original public/private key pairs, costs CPU cycles, so the better idea is to stagger the update dates.