PKI security framework learning record
1.What is pki
The authoritative introduction given by Baidu Encyclopedia is as follows:
Public key infrastructure is a collection of hardware, software, personnel, policies and procedures used to implement public key cryptography based on Functions such as generation, management, storage, distribution and revocation of keys and certificates.
The PKI system is a combination of computer software and hardware, authoritative institutions and application systems. It provides basic security services for the implementation of e-commerce, e-government, office automation, etc., allowing users who do not know each other or are far apart to communicate securely through a chain of trust.
My personal understanding is that it is the online version of the personal ID card provided by an authoritative organization.
Of course, I think this article is very easy to understand.
https://zhuanlan.zhihu.com/p/30136885
2. 4 major features of pki
Confidentiality:
The channels for communicating with each other are secure and confidential.
Completeness:
The content has not been tampered with.
non-repudiation
It cannot be denied. Once it is sent, it is sent, and when it is received, it is received.
Authentication
Prevent third parties from illegally intercepting disguised communications.
3.Key classification
symmetric key
Both communicating parties use the same key to encrypt and decrypt data. Its advantage is that encryption and decryption are fast and suitable for encrypting large amounts of data, but key management is difficult.
Common algorithms: DES \ AES \ 3DES \ RC series
asymmetric key
A pair of keys completes the encryption and decryption operations respectively. One is released publicly, that is, the public key, and the other is kept secretly by the user, that is, the private key. The sender of information uses the public key to encrypt, and the receiver of the information uses the private key to decrypt. Public key mechanisms are flexible, but encryption and decryption are much slower than symmetric key encryption.
Common algorithms: RSA\ECC\SM domestic encryption algorithm
Application scenarios
a->b
a uses his private key to sign and send it to b, and b uses a’s public key to verify the signature;
a uses b’s public key encrypts the original text into ciphertext, and b uses his own private key to decrypt it and obtain the plaintext.
4. Domestic keys are compared with international keys
SM2–RSA
SM3–MD5\SHA-1
The digest function plays an important role in cryptography and is widely used in digital signatures, message authentication, data integrity detection and other fields. Abstract functions are generally considered to need to satisfy three basic properties: collision robustness, primitive root robustness and second primitive root robustness.
In 2005, Wang et al. proposed collision attack methods for the MD5 algorithm and SHA-1 algorithm. The MD5 algorithm and SHA-1 algorithm that are widely used today are no longer safe algorithms.
The SM3 password digest algorithm is China’s commercial password hash algorithm standard announced by the State Cryptography Administration of China in 2010. The SM3 algorithm is suitable for digital signature and verification in commercial cryptographic applications. It is an algorithm improved on the basis of SHA-256. The SM3 algorithm uses the Merkle-Damgard structure, the message packet length is 512 bits, and the digest value length is 256 bits.
The compression function of the SM3 algorithm has a similar structure to the compression function of SHA-256, but the design of the SM3 algorithm is more complex. For example, each round of the compression function uses 2 message words. So far, the security of the SM3 algorithm is relatively high.
SM4–3DES
5. Digital envelopes
is to use asymmetric encryption to encrypt the symmetric key and then send it.
a->b
a encrypts the symmetric key with b's public key. After b receives it, he decrypts it with his own private key to obtain the symmetric key. key, and then decrypt the ciphertext to obtain the plaintext.
The above is the preliminary study of pki security framework, the daily life of a small IT coder who is willing to share.