Information security key management
Key classification
The keys are divided into primary keys, secondary keys and master keys.
Primary key
- Key used to encrypt and decrypt data
- Primary communication key: a key is only used once and has a short life cycle
- Primary file key: has the same long life cycle as the file it protects
- The primary key cannot be saved in clear text
Secondary key
- Used to protect primary keys
- Cannot be saved in clear text
Master key
The highest level key in the key management scheme is used to protect the secondary key. The lifetime of the master key is very long
Distribution method with confidentiality and certification
① A uses B’s public key to encrypt A’s identity and a one-time random number N1 and then sends it to B;
② B decrypts to obtain N1, and uses A’s public key to encrypt N1 and another random number N2 and sends it to A;
③ A uses B The public key of N2 is encrypted and sent to B;
④ A chooses a session key Ks, encrypts it with A’s private key, then encrypts it with B’s public key, and sends it to B. B uses A’s public key and B’s private key to decrypt Get Ks.
Key Management of Public Key Cryptosystem
- The key management of public key cryptosystems is essentially different from that of symmetric cryptosystems.
- The key of the symmetric cryptosystem is essentially a random number or random sequence, while the public key cryptosystem is essentially a one-way trapdoor function, based on a certain mathematical problem.
Public key management agency distributes public keys
It may become the bottleneck of the system, and the directory is vulnerable to crosstalk from the adversary.
Compare certificate and driver's license
Public key certificate
-
Users exchange their public keys through public key certificates without contacting the public key management agency
-
The public key certificate is established by the certificate authority CA (Certificate Authority) for users.
-
The form of the certificate is
T-time, public key of PKA-A, identity of IDA-A, private key of SKCA-CA
-
The time stamp T guarantees the freshness of the certificate and prevents the replay of the old certificate.
How to use the certificate
- "Client" -> "Server": Hello
- "Server" -> "Client": Hello, I am the server, here is my digital certificate
- "Client" -> "Server": Prove to me that you are the server, this is a random string
- "Server" -> "Client": This is the signature of a random string
After verifying the identity of the "server", the "client" generates a symmetric encryption algorithm and key for use in subsequent communication encryption and decryption. This symmetric encryption algorithm and key, the "client" will be encrypted with the public key and sent to the "server". It is useless if others intercept it, because only the "server" has the private key that can be decrypted. In this way, both the “server” and the “client” can use the symmetric encryption algorithm to encrypt and decrypt the communication content.