Five minutes to understand what PKI is

Reposted from: https://www.cnblogs.com/jerain6312/p/8572841.html

Foreword

Public Key Infrastructure (PKI), called 公钥基础设施 in Chinese, means an infrastructure built on the public key mechanism. But if that were the whole explanation, most of us would still have no way of understanding what it actually is.

Today many important activities take place over the network, and the security issues that come with this are very important. At the same time, many security mechanisms are built on PKI, so if for whatever reason (an exam? a proposal? curiosity?) you want to know what PKI is, this article will let you understand it in five minutes.

PKI is hard to grasp because the concept covers many different skills and areas of knowledge, and because it is so broad that people do not know where to start. In fact, the concept is not as complicated as it looks, so let us begin explaining it.

Minute 1 - the core of PKI is issuing certificates of identity

The main purpose of a PKI is to issue "certificates of identity". On the network people cannot meet face to face, so faking an identity is a very easy thing. Because identity has to be verified over the network, a network identity certificate becomes very important.

When two parties communicate, if each can confirm the other's certificate of identity, then each knows it is talking to the right person.

However, an identity card you make yourself cannot serve as proof. In real life, if any private citizen could lawfully make ID cards, the ID card would lose its credibility. In the online world, we need a trusted issuing authority to issue certificates of identity, and at the same time everyone has to take good care of their own certificate, just as you must take good care of the citizen ID card the police station issued you.

In the PKI world this identity card is called a "certificate". The authority that issues certificates is called a "certification authority". And there is a "certificate store" where certificates are kept and managed together. These three things together are the main elements of a PKI.

Minute 2 - PKI is made up of only three elements

As noted above, a PKI is in general made up of the following three concepts:

  1. Certificate
  2. Certification authority
  3. Certificate store

After all, PKI is a mechanism for producing and distributing certificates. Under the protection of this mechanism, reliable network communication becomes possible. In other words, it is a security mechanism for secure network communication.

In practice, a certificate is stored on a hard disk or on an IC card. The structure of a certificate file is specified by a standard called X.509. The certification authority, on the other hand, is in practice a web application.

The certificate store is in fact just a file system where certificates are kept together on the network. They can be obtained by downloading. Or, in some cases, certificates are distributed directly, skipping the certificate store altogether.

Minute 3 - the key inside the certificate

Once certificates are used to confirm identity, encrypted communication can be achieved at the same time. Why? Because the certificate contains the key used for encryption.

For example, you want to communicate with a man who claims to be Bill. At the start of the communication, the man claiming to be Bill sends you a certificate over the network, and with this certificate you confirm that he is Bill.

Then you use the "key in the certificate" to encrypt the content you want to send to Bill, and send it to Bill.

Content encrypted with the "key in the certificate" can only be decrypted with the "private key" that Bill alone holds. So even if someone steals the content you send to Bill, they cannot decrypt it.

As long as Bill protects his own "private key" well, anyone who wants to misuse Bill's "key in the certificate" cannot do so, because content encrypted with the "key in the certificate" can only be decrypted with the "private key" that only Bill has.

In this way, PKI certificates can provide both identification and encryption of communication, achieving these two important functions at once.

Minute 4 - what is the "public key" and what is the "private key"

For Bill, as long as he makes sure his "private key" is not stolen, it does not matter how many people hold the "key in the certificate". In other words, anyone who wants to communicate with Bill must have Bill's certificate and use Bill's "key in the certificate" to encrypt the content of the communication. To let other people obtain Bill's certificate easily, the certificate store becomes necessary.

In the PKI mechanism, the "key in the certificate" can be freely distributed to anyone, so the "key in the certificate" is called the "public key (Public Key)". On the other hand, the "private key" that one keeps to oneself is called the "private key (Private Key)".

As mentioned above, the public key is placed inside the certificate, so it does not matter how the certificate is distributed. Putting it on a USB drive for someone, putting it online for anyone to download, or sending it by e-mail are all fine.

Minute 5 - "What makes me trust you, my certificate?"

Earlier we said that the public key contained in the certificate is used to encrypt the communication content; everyone understands this process now. But can the certificate a PKI provides really be trusted? After all, a certificate is just an ordinary file. Unlike currency, it has no special material or physical anti-counterfeiting measures.

This thinking is entirely correct, because in fact the certificate generator used by a certification authority is just a piece of software, and anyone who gets hold of that software can issue certificates. So technically, forging a certificate is very simple. A fake certificate is, for example, a so-called "Bill's certificate" that actually contains Steven's public key. Then messages that others send to Bill can be decrypted by Steven, while Bill himself cannot decrypt them.

Seen this way, the certification authority is crucial: its trustworthiness is directly tied to the trustworthiness of certificates, and therefore to the trustworthiness of the whole PKI mechanism.

The authority and trustworthiness of certification authorities is really a topic of social infrastructure.
In many countries certification authorities are built under government leadership and are often regarded as one link in the social infrastructure, just like building social institutions such as hospitals, banks, and schools.
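As an added example that is not part of the original post, the following Go program (standard library only) plays out minutes 3 and 5 together: a constructed "Trusted CA" issues Bill's certificate, you encrypt to the public key inside that certificate and only Bill's private key can decrypt, while a forged "Bill" certificate carrying Steven's key fails the trust check because no trusted certification authority signed it. The names Bill, Steven and "Trusted CA" are constructed for the demonstration.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
// issue builds a certificate for cn carrying pub, signed with signer. A nil parent means
// self-signed: that is how the root CA is made, and also how a forger signs his own "Bill" certificate.
func issue(cn string, pub *rsa.PublicKey, isCA bool, parent *x509.Certificate, signer *rsa.PrivateKey) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageKeyEncipherment, BasicConstraintsValid: true, IsCA: isCA}
	if isCA { tmpl.KeyUsage |= x509.KeyUsageCertSign } // only a CA may sign other certificates
	if parent == nil { parent = tmpl }
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil { return nil, err }
	return x509.ParseCertificate(der)
}

// verify is the trust check of minute 5: the certificate must chain to a CA we already trust.
func verify(cert, trustedCA *x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(trustedCA)
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots})
	return err
}

// encryptTo uses the public key inside cert; decryptWith needs the matching private key.
func encryptTo(cert *x509.Certificate, msg []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, cert.PublicKey.(*rsa.PublicKey), msg, nil)
}
func decryptWith(priv *rsa.PrivateKey, ct []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ct, nil)
}

// Setup builds the constructed actors: a trusted CA, Bill's genuine certificate, and a forged "Bill" certificate that really carries Steven's public key.
func Setup() (ca, bill, forged *x509.Certificate, billKey, stevenKey *rsa.PrivateKey, err error) {
	caKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	billKey, _ = rsa.GenerateKey(rand.Reader, 2048)
	stevenKey, _ = rsa.GenerateKey(rand.Reader, 2048)
	if ca, err = issue("Trusted CA", &caKey.PublicKey, true, nil, caKey); err != nil { return }
	if bill, err = issue("Bill", &billKey.PublicKey, false, ca, caKey); err != nil { return } // issued by the CA
	forged, err = issue("Bill", &stevenKey.PublicKey, false, nil, stevenKey) // Steven signs it himself
	return
}
```

Running verify on the forged certificate returns an error because its issuer is not in the trusted root pool, which is exactly the point of minute 5: the file looks like a certificate, but trust comes from the certification authority, not from the file.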

Source: www.cnblogs.com/wangle1001986/p/11468730.html