Network security system, part 4: the PKI system

1. Public Key Infrastructure

  Public Key Infrastructure (PKI) is an architecture that uses public key technology and digital certificates to provide security services to information systems, and that is responsible for verifying the identity of the owners of those digital certificates. PKI manages public keys by means of certificates: through a trusted third-party certification center, a user's public key is bound to that user's identity information. It is a universal security infrastructure and a set of service systems.

  The function of PKI is to bind the identity of a certificate holder to the corresponding public key by issuing digital certificates, giving users a convenient way to obtain, access and revoke certificates. At the same time, digital certificates and the related services (certificate issuance, blacklist (revocation list) publication, etc.) are used to authenticate the entities taking part in a communication, ensuring the confidentiality, integrity, non-repudiation and authentication of the communicated data.


2. PKI system architecture

  The PKI architecture consists of certificate applicants, the registration authority (RA), the certification authority (CA) and the certificate revocation list (CRL).

  (1) CA (Certification Authority): the core component; it issues and revokes certificates and receives the requests forwarded by the RA.

  (2) RA (Registration Authority): verifies the user's identity and the legitimacy of the submitted data, handles registration, and forwards the request to the CA after review.

  (3) Certificate repository: stores the certificates, mostly in the X.500 series standard format.

  The usual process is that a user applies for a certificate through RA registration, supplying identity and authentication information; once the CA's review is complete, the certificate is produced and issued to the user. If the user later needs to revoke the certificate, an application must again be sent to the CA.


3. Issuance of certificates

  When the CA issues a certificate to a user, it is really signing the user's public key with the CA's private key, so that anyone can verify the validity of the certificate with the CA's public key. If the verification succeeds, the certificate, and the user public key it carries, is accepted; this is how the user's public key is distributed securely.

  There are two ways to issue user certificates. Generally, the CA can directly generate the certificate (including the public key) together with the corresponding private key and deliver both to the user; alternatively, the user generates the public and private keys locally and the CA signs only the public key.

  There are two ways for a PKI entity to apply to the CA for a local certificate: (1) online application; (2) offline application.


4. Revocation of the certificate

  A certificate becomes invalid once its validity period expires. A user can also apply to the CA to revoke a certificate. Because the CA cannot forcibly take back a digital certificate that has already been issued, invalidating a certificate usually requires maintaining a certificate revocation list (Certificate Revocation List, CRL) that records the serial numbers of the revoked certificates.

  Therefore, under normal circumstances, when a third party verifies a certificate it must first check whether the certificate appears in the revocation list. If it does, the certificate fails verification; if not, the rest of the certificate verification process continues.
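As an added example (not code from the original post), the following Go program, using only the standard crypto/x509 package, walks through the second issuance path from section 3 (the user keeps its own key pair and the CA signs only the public key with the CA private key) and the CRL-first verification order from section 4. The function names newCA, issue, revoke and verify, the "Example CA" subject, and the one-day validity periods are this example's own choices; it additionally checks that the CRL itself carries the CA's signature before trusting its contents.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)
func must[T any](v T, err error) T { // aborts on a setup error so the example stays short
	if err != nil {
		panic(err)
	}
	return v
}
// newCA self-signs a one-day CA certificate with the CA's own private key.
func newCA() (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader) // does not fail with rand.Reader
	t := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example CA"}, NotBefore: time.Now(),
		NotAfter: time.Now().Add(24 * time.Hour), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, t, t, pub, key)))), key
}
// issue models the second path in the text: the user generates its own key pair and the CA signs only the public key.
func issue(ca *x509.Certificate, caKey ed25519.PrivateKey, serial int64, cn string) *x509.Certificate {
	userPub, _, _ := ed25519.GenerateKey(rand.Reader) // the user's private key never leaves the user
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour)}
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, t, ca, userPub, caKey)))) // signed with the CA private key
}
// revoke issues a CA-signed CRL recording the revoked serial numbers.
func revoke(ca *x509.Certificate, caKey ed25519.PrivateKey, serials ...int64) *x509.RevocationList {
	t := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: time.Now(), NextUpdate: time.Now().Add(time.Hour)}
	for _, s := range serials {
		t.RevokedCertificates = append(t.RevokedCertificates, pkix.RevokedCertificate{SerialNumber: big.NewInt(s), RevocationTime: time.Now()})
	}
	return must(x509.ParseRevocationList(must(x509.CreateRevocationList(rand.Reader, t, ca, caKey))))
}
// verify follows the order in the text: CRL lookup first, then the CA signature, which needs only the CA public key.
func verify(cert, ca *x509.Certificate, crl *x509.RevocationList) error {
	if err := crl.CheckSignatureFrom(ca); err != nil { // a CRL is trusted only if the CA signed it
		return err
	}
	for _, r := range crl.RevokedCertificates {
		if r.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return errors.New("certificate is revoked")
		}
	}
	return cert.CheckSignatureFrom(ca)
}
```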


Origin www.cnblogs.com/PBDragon/p/12694274.html