Cyberspace Security penetration attack and defense 9 (PKI)
2022-07-25 13:00:00 【Shany-Ming】
Chapter 15 PKI
1. PKI: name, function and components
Name: Public Key Infrastructure (PKI)
Function: ensures the security of information through encryption and digital signatures
Components: public-key cryptography, digital certificates, CA, RA
2. Three elements of information security
Confidentiality
Integrity
Authentication / non-repudiation of operations
3. IT fields that use PKI
1) SSL/HTTPS
2) IPsec VPN
3) Some remote-access VPNs
4. Public-key cryptography
Function: provides encryption of information, digital signatures and other security services
Encryption algorithms:
1) Symmetric encryption algorithms
The encryption key and the decryption key are the same
DES, 3DES, AES
x + 5 = y (a toy symmetric encryption algorithm)
x is the original data / plaintext
y is the ciphertext
5 is the key
2) Asymmetric encryption algorithms
Each communicating party needs its own public/private key pair
The two parties exchange public keys
The public key and the private key encrypt and decrypt for each other: what one encrypts, the other decrypts
The public and private keys cannot be derived from each other
RSA, DH

3) Hash algorithms (irreversible; used to verify integrity)
Mainly MD5 and SHA
With asymmetric encryption, the sender hashes the data before encrypting it and appends the resulting hash value to the encrypted ciphertext, then sends both together. The receiver first takes the hash value off the end, decrypts the ciphertext, and hashes the decrypted result. If the hash value taken from the message equals the hash of the decrypted data, the file has not been tampered with. This was later upgraded to hashing the ciphertext directly.
The threat: if someone changes the ciphertext in transit, deletes the trailing hash value, recomputes the hash and appends it, the receiver will believe the ciphertext has not been tampered with.
Upgrade: encrypt the generated hash value once more. As shown in the figure above, the hash value is encrypted with RSA and Big Silly's private key (cba) and placed at the end; Two Silly then uses the public key he obtained (abc) to decrypt the hash value.
5. Digital signature
Hash the ciphertext, then encrypt the hash value with your own private key. The result is the digital signature.
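The weakness of the bare hash and the effect of signing it, as an added example (not code from the original post). It uses SHA-256 and a constructed toy RSA key (textbook RSA on two Mersenne primes, no padding); the function names and the sample ciphertext are assumptions made for the illustration.

```python
import hashlib

# Constructed toy key: textbook RSA on two Mersenne primes, no padding.
# For illustration only; real systems use a vetted library and a padded scheme.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))      # sender's private exponent
SIG_LEN = (N.bit_length() + 7) // 8     # signature size in bytes
HASH_LEN = 32                           # SHA-256 digest size

CIPHERTEXT = bytes(range(16, 64))       # constructed stand-in for an encrypted message


def digest(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def append_hash(ciphertext: bytes) -> bytes:
    """Section 4.3 scheme: ciphertext || hash(ciphertext)."""
    return ciphertext + digest(ciphertext)


def check_hash(blob: bytes) -> bool:
    return digest(blob[:-HASH_LEN]) == blob[-HASH_LEN:]


def append_signature(ciphertext: bytes) -> bytes:
    """Section 5 scheme: ciphertext || hash encrypted with the private key."""
    sig = pow(int.from_bytes(digest(ciphertext), "big"), D, N)
    return ciphertext + sig.to_bytes(SIG_LEN, "big")


def check_signature(blob: bytes) -> bool:
    """Receiver recovers the hash with the public key (E, N) and compares."""
    sig = int.from_bytes(blob[-SIG_LEN:], "big")
    return pow(sig, E, N) == int.from_bytes(digest(blob[:-SIG_LEN]), "big")


def retag_without_key(blob: bytes, tag_len: int) -> bytes:
    """The in-transit change from the threat above: alter the ciphertext,
    drop the old tag, append a freshly computed hash (no private key held)."""
    body = b"X" + blob[1:-tag_len]
    return body + digest(body).rjust(tag_len, b"\0")
```

check_hash accepts the re-tagged message, while check_signature rejects it because the appended value was not produced with the private exponent D.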
6. CA and RA
The CA issues certificates, while the RA verifies the identity of the applicant. Only after the subject has been verified does the CA issue the certificate.
An ordinary DV certificate may only require verifying ownership of the domain name, whereas EV/OV certificates also require verifying the identity of the subject (for example an ID card or a business license).
Verifying the subject is therefore cumbersome, difficult and cannot be automated, so the RA is split out to take on this complex work.
In terms of actual structure, one CA may correspond to multiple RAs. After an RA completes the subject validation, it submits the certificate issuance request to the CA, which generates the certificate.
In a simpler case the CA may also take on the verification function itself; it is then both the CA and the RA.
In the exchange of information between Big Silly and Two Silly, the CA steps in between the two.