Network Security Internet Technology Development Database Servers Mobile Phone Android Software Apple Software Computer Software News IT Information

In addition to Weibo, there is also WeChat

Please pay attention

WeChat public account

Shulou

Digital certificate study notes

2025-01-19 Update From: SLTechnology News&Howtos shulou NAV: SLTechnology News&Howtos > Network Security >

Share

Shulou(Shulou.com)06/01 Report--

Pki

Public key infrastructure, encryption method standard

Application: example: https://

Encryption technology:

Symmetric encryption:

The encryption key and the decryption key are the same key (key), which is not suitable for use in the network, because the key must be sent by the encrypting party to the decrypting party and may be intercepted.

The amount of key maintenance is large, because any two communication objects need a key. N* (nMur1) / 2

The advantage is the high efficiency of encryption.

Asymmetric encryption:

The public key and private key are used in pairs, one side encrypts, the other decrypts. The public key cannot derive the private key, but it is mathematically related, and they are generated by a random number using different function formulas.

Each user only needs one key pair, which is suitable for Internet use.

The disadvantage is that the encryption efficiency is low.

Security is determined by key length

It takes 3.5 or 21 minutes to crack a 56-bit key

128-bit key cracking takes 5.4 to 10, 18 times per year

Safety standards:

1. Cost standard: cost is higher than benefit

two。 Time validity: data is cracked after invalidation

Asymmetric encryption details:

Sender:

Encrypt file data with a symmetric key (efficient) and encrypt a symmetric key with a public key. Send it to the receiver as well.

Recipient:

Decrypt the symmetric key with the private key and decrypt the file data with the symmetric key.

Advantages: high efficiency and good security

Digital signature:

Function: prevent the signer from repudiating, the receiver is sure of the source of the information, and the content of the information cannot be changed.

Details: private key signature, public key confirmation

Hash the file to be transferred and get a fixed hash value (also known as "digest"), or "fingerprint" of the file. The sender encrypts (signs) the digest with its own private key and sends the encrypted digest, public key and file data to the receiver (it does not guarantee that the information is encrypted, but it can guarantee who sent the confirmation message).

After receiving it, the receiver uses the hashing algorithm to get the "summary" of the received file, and decrypts the encrypted summary with the received public key. Compared with the two, if it is unanimously stated that the received file is indeed sent by the sender and the content has not been tampered with.

If you have the other party's public key, you can send the encrypted file to the other party (encrypted with the other party's public key). No, you can't.

Only when you have a private key can you sign digitally. The purpose of digital signature is not to keep the contents of the document secret, but to verify who the sender is, that the content of the message cannot be changed and cannot be denied.

Both signed and encrypted:

Encrypt the encrypted digest, your own public key and file data with the public key of the other party (receiver)

Encrypting with one's own private key plays the role of digital signature. The three are encrypted with each other's public key to achieve the purpose of encryption.

Certificate authority CA: public identity, does not participate in commercial organizations, not for profit, it has its own public and private keys

In computers, asymmetric keys exist in the form of digital certificates.

The unit may send an application to the CA institution with its own data, and the CA institution shall verify the authenticity of the data of the unit. After confirming that it is correct, the CA institution sends to the applicant a digital certificate (public key and private key) signed by the CA institution. At this time, the digital signature of the CA institution is always kept in the public key and private key of the applicant. When it encrypts a file or abstract with its own private key, it always carries the digital signature of the CA institution. The receiver can verify whether the sender's public key is true or legal by holding the public key of the CA institution.

Therefore, using the public key of CA to verify the private key signature of CA in the sender's public key (to determine whether the sender's public key is true) is the premise of trusting the sender.

Digital certificate

Content

CRL distribution point: is a list of revoked certificates. The client can access the revocation certificate list of the institution to determine whether the sender's certificate has been declared revoked (invalid). If it has been revoked, the sender is no longer trusted!

Topic: is the user's information

Generally speaking, what the issuing authority issues to the user is the key pair and the signature of the CA institution attached to it, and the CA institution is searchable on the Internet.

Type of CA:

Enterprise CA: issue certificates to users and computers in a domain in a domain environment. No administrator issue is required. The issuer is online!

Independent CA: issued for users and enterprises on the Internet, open. The root authority can be offline. The CA that provides the certificate revocation list must be online.

Root CA: generally issue certificates to sub-CA

Sub-CA: issue certificates to users.

How to use PKI technology to achieve security in an enterprise:

The enterprise CA can be used as the sub-CA of the independent CA (the enterprise applies for certification from the independent CA), and the enterprise CA issues certificates to the internal departments of the enterprise, as long as the departments trust the independent CA, and the departments can also send data to the departments outside the enterprise with this CA, and the departments outside the enterprise can trust the independent CA.

Force refresh group policy:

Run gpupdate / force

Signed and encrypted messages can only be sent using the mailbox that was bound when applying for a digital certificate. Otherwise, it cannot be signed or encrypted.

When exporting a digital certificate, you must export the private key to prevent the machine from reinstalling the system or damaging the certificate.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.

Views: 0

*The comments in the above article only represent the author's personal views and do not represent the views and positions of this website. If you have more insights, please feel free to contribute and share.

Share To

Network Security

Wechat

© 2024 shulou.com SLNews company. All rights reserved.

12
Report