basic knowledge
Basic knowledge mainly includes
public key cryptography algorithm, digital signature, PKI technology, authentication protocol , you can search and watch by yourself.
System solutions
The system mainly includes the design of three parts: system key generation, certificate issuing system and node communication system . First, we will introduce the design idea of the system scheme; then introduce the composition of the system and the design process of the main functional modules in detail, and describe the use process of the functional modules.
System Design Thought
This is the basic framework of the authentication system in this paper. When the network is initialized, we will establish a CA to prepare for subsequent key management and node communication. First, each node will generate its own public-private key pair, upload it to the central management system, and manage the key (including storage, update, and revocation). Subsequently, the node uploads the request file (including the applicant's public key and necessary identity information), requests a certificate from the CA, and this identity information will be stored in the management module.
This method will complete the issuance of certificates to ordinary nodes and authenticate their identities. Finally, we implement a secure communication system between nodes to realize encrypted communication.
Function module introduction
Central Management System
The central management system can manage keys and node information (including storage, update, and revocation). In addition, it can also establish a CA, issue certificates for nodes, and perform two-way authentication. Details will be introduced in subsequent chapters.
Inter-Node Secure Communication System
In order to ensure security, both sides of the communication between nodes must first perform identity authentication. Subsequently, the two negotiate the encryption algorithm, exchange signature information to verify whether the two nodes have the private key information corresponding to their public key, and whether the content has been tampered with. Finally, the message information is obtained according to the decrypted key information.
System function module design and implementation
Central Management System
As shown in the figure above, correspondingly we need two modules: key and information management module, CA authentication module
Key and information management module : mainly responsible for the storage, update, destruction and revocation of node keys under the CA file
CA authentication module : certificate issuance, identity authentication
Establishment of CA and issuance of certificates
We analyze the modules that the central management system needs to implement according to the process of nodes applying for certificates from CA and performing two-way authentication:
- Create a CA and generate the required directories and files of the CA;
- Generate CA's private key and self-signed certificate;
- Node request certificate: generate public-private key pair, generate request file
- The CA issues the certificate;
- The node receives the certificate.
Design ideas :
CA authentication: Before establishing a CA, the system inputs parameters such as the version number, CA identity, and certificate validity period. The system constructs keys and certificates based on these parameters, and the key information is mainly based on the RSA algorithm.
Assuming that a client needs to request a certificate, it sends its own public key and request file to obtain the certificate. At this time, the CA returns the certificate after receiving it, and manages the certificate and key information.
server interface
client interface
Operation process :
- The client fills in the CA logo, or fills in the IP address of the CA server and the corresponding service port number, selects its own public key to request a certificate file, clicks on the certificate application, and sends the certificate application to the CA;
- The CA that receives the client's application request calls the certificate signing function according to its certificate application information, signs with the CA's private key, saves its public key and certificate information in the directory file, and returns the certificate;
- After the client receives the complete certificate, it combines its own private key, the public key of the CA, and the returned certificate to obtain the final complete certificate
function test
The main function of this module is to build a server-side CA and issue certificates for nodes. The validity of the signature can be verified through the public key of the system. If the project requirements are met, a certificate with the name of the node representation is generated on the client side, and the signature is verified through the system public key to be legal.
Secure Communication System Between Nodes
After the CA certification system in the central management system issues a certificate for the application node, the nodes in the network can use the certificate to authenticate their identity and carry out key negotiation.
Assuming that A and B are two nodes in the network, then A sends information to B, and the specific scheme for B to receive A's information is as follows: Client A description:
At the
client, A generates a random key K, using the selected encryption mode , encrypt the message M, where the message M represents the identity information of A; then, A obtains the public key certificate of node B from the CA, and reads the public key; then, encrypts the key K with the public key, and uses its own private key Sign B's certificate, information and key, and send the signed message and signed content to B.
Client B description :
B decrypts the signature S, and then compares it with the signature information to judge the correctness of the signature and verify whether the message comes from A; after that, B decrypts the encryption key K with the private key, decrypts the encrypted message, and obtains the original Information M.
References :
AD-HOC end-to-end authentication system design