PKI培训海外(英文版).ppt (PKI training for overseas audiences, English version)
Slide 1: PKI introduction
Secure Payment and Trusted Computing Product Line
January 14, 2009
Slide footer (repeated on every slide): 为了安全 总是握奇 (For security, always Watchdata)

Slide 2: Content
1. Information Security Background
2. PKI Foundation
3. A Whole PKI System
4. Standards and Reference

Slide 3: The primary targets of information security
- assure that the sender is who they claim to be (authentication)
- prevent a document from being read or written without authorization (confidentiality, access control)
- prevent a document from being modified without authorization (integrity)
- the sender cannot deny having sent the document (non-repudiation)
- an arbitration authority can settle disputes

Slide 4: The nature of security threats and their countermeasures
Security threat | Countermeasure
Unauthorized access to the system to operate on documents | Access control / operation control
Wiretapping or leakage of information | Document encryption
Forged transactions or forged delivery of documents | Authentication of the document source
Documents tampered with or deleted | Document integrity
Sender or receiver denies the document | Non-repudiation

Slide 5: PKI (Public Key Infrastructure)
Public Key Infrastructure (PKI) supplies the security solutions for the electronic world.

Slide 6: Content (section 2, PKI Foundation, begins here)

Slide 7: PKI?
Infrastructure: an infrastructure based on public keys. It supplies a basic security architecture built on public-key principles and technology.

Slide 8: Symmetric-key encrypt/decrypt process
Both parties use the same key.

Slide 9: Problems with symmetric keys
Managing the keys and keeping them confidential are the important problems: every pair of communicating parties needs its own secret key, and that key has to be delivered to both ends over a channel that is itself secure.

Slide 10: Public-key encryption principle
- Public-key (asymmetric) encryption uses a pair of keys (a private key and a public key) instead of a single symmetric key.
- The information to be sent is encrypted with the receiver's public key; the receiver decrypts it with the private key.
- The public key may be spread freely; only the private key must be kept secret.
- The private and public key are also used to create and validate digital signatures, which assure integrity and authenticate the sender.

Slide 11: Asymmetric-key encryption process
One public key and one private key.

Slide 12: Comparison of the two encryption types
Item | Symmetric key | Asymmetric key
Number of keys | a single key | a pair of keys (private and public)
Secrecy | the key must be kept secret | the public key is public; only the private key is secret
Management | simple in concept, but key distribution is difficult to manage | needs digital certificates and a trusted third party
Encryption speed | fast | slow
Application | bulk data | small data (keys, digests, signatures)

Slide 13: Digest algorithm
- Verifies that information has not been tampered with.
- The output (the digest) is computed from the input by the digest algorithm.
- The result has a fixed length, usually 128 bits (MD5) or 160 bits (SHA-1); 256-bit digests (32 x 8 bits, SHA-256) are now available. (MD5 and SHA-1 collisions have since been demonstrated in practice, so new designs should use SHA-256 or stronger.)
- The same input always gives the same output, and every bit of the input takes part in the hash.
- Finding two files with the same hash result should be computationally infeasible (collision resistance).
- Any change to the input produces a different hash result.

Slide 14: Digital signature operation
(diagram) Data -> digest (MD5, SHA1 or SHA256) -> signature with the private key

Slide 15: Terms
- signature: a private-key operation (on the digest of the data)
- validate signature: a public-key operation
- asymmetric encryption: public-key encryption
- asymmetric decryption: private-key decryption
(The "encrypt with the private key" picture is a simplification that fits textbook RSA; real signature schemes add padding such as PKCS#1 v1.5 or PSS, and non-RSA algorithms do not work this way at all.)

Slide 16: Content (section 3, A Whole PKI System, begins here)

Slide 17: Scene
- Two people (parties): 小明 (Jack) and 小华 (Harry)
- Event: 小明写信给小华 (Jack writes a letter to Harry)
- Key types: (diagram)

Slide 18: (diagram only)

Slide 19: (diagram only)

Slide 20: Is the asymmetric-key mechanism enough?
We also need:
- an information security policy that defines the rules for operating the key mechanism;
- key generation, storage and management;
- how to generate keys and digital certificates, and how to issue and use them.

Slide 21: The targets of PKI
- confidentiality: transaction information is kept secret
- integrity: transaction information is not altered
- authenticity: the identity is real and can be verified
- non-repudiation: the transaction behaviour cannot be denied

Slide 22: Modules in the PKI system
- information security policy (信息安全政策)
- Registration Authority (RA, 注册管理中心)
- Certificate Authority (CA, 证书管理中心)
- certificate publishing system / Directory Service (DS, 证书发布系统)
- PKI application system (PKI应用系统)

Slide 23: Registration Authority (RA)
The RA is the interface between users and the CA: it accepts the user's identity documents, authenticates them, and forwards the certificate application to the CA.

Slide 24: CA (Certificate Authority)
The CA is the foundation of the PKI system. Over the digital certificate life cycle the CA:
- issues the digital certificate, binding the user's ID and public key with a validity period;
- publishes the certificate;
- revokes certificates when needed and lists the revoked ones on the CRL (Certificate Revocation List), which relying parties must consult.

Slide 25: About the digital certificate
Contents of a certificate:
- subject (user) information
- CA (issuer) information
- the user's public key
- validity period
- the CA's digital signature over the certificate contents

Slide 26: X.509 digital certificate format (diagram)

Slide 27: Digital certificate sketch map (diagram)

Slide 28: Digital certificate and ID card (sample certificate)
Name: Brian Liu
Serial number: 484865
Issued by: ABC corp CA
Issue date: 1997-01-02
Expiration date: 1999-01-02
Public key: 38ighwejb
Digital signature: hwefdsaf

Slide 29: Digital certificate life cycle (diagram)

Slide 30: Certificate issuance (how to get a certificate)
1. The RA or the application (smart card, USB key) generates the public/private key pair.
2. The RA validates the identity of the user and forwards a certificate request containing the public key to the CA.
3. The CA issues the certificate to the user.
4. The application, smart card or USB key stores the certificate.
5. The CA releases (publishes) the certificate.

Slide 31: Certificate verification
Verifying the validity of a certificate: how does 小华 (Harry) check 小明's (Jack's) certificate? The application performs this process:
1. get Jack's certificate and the CA's root certificate;
2. use the CA's public key from the root certificate to verify the CA's signature on Jack's certificate, which yields the hash the CA signed;
3. compute the hash of Jack's certificate contents;
4. compare the two hash values;
5. check the validity period (and, in practice, that the certificate's serial number is not on the CA's CRL).

Slide 32: Certificate publishing system
Certificates can be published in several ways under the PKI framework: by the user themselves, or through LDAP (目录服务, directory service).

Slide 33: PKI applications
PKI applications include:
- communication between a web server and a browser
- e-mail
- Electronic Data Interchange (EDI)
- online tax
- online banking
- Virtual Private Network (VPN)
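Worked example for the digest, signature and terms slides (13 to 15) and for the certificate issuance and verification procedures (slides 24, 30 and 31), added here; it is not code from the Watchdata deck. It uses only the Python standard library and deliberately simplifies: textbook RSA over a SHA-256 digest with no PKCS#1 padding, a JSON dictionary in place of an X.509 certificate, an in-memory CRL and 512-bit keys, so it illustrates the mechanism rather than replacing a real library. The issuer name "ABC corp CA" comes from the sample-certificate slide, the party names Jack and Harry from the scene slide; the letter text and the timestamp are constructed for the example.

```python
"""Toy PKI walk-through (added example, not the deck's code): RSA key pairs, SHA-256 digest
signatures, a CA issuing and revoking certificates, and a relying party verifying them.
Illustration only: textbook RSA without padding, JSON instead of X.509, in-memory CRL."""
import hashlib, json, secrets

def _is_probable_prime(n, rounds=16):
    """Miller-Rabin, after trial division by small primes."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False          # witness found: composite
    return True

def _random_prime(bits):
    while True:
        c = secrets.randbits(bits) | (1 << (bits - 1)) | 1   # exact bit length, odd
        if _is_probable_prime(c):
            return c

def generate_keypair(bits=512):
    """Return (public_key, private_key) as (n, e) and (n, d); the public half may be spread freely."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:    # e is prime, so a non-zero remainder means gcd(e, phi) == 1
            return (p * q, e), (p * q, pow(e, -1, phi))   # modular inverse, Python 3.8+

def _digest_int(data):
    """Fixed-length SHA-256 digest as an integer; the signature covers this, not the raw data."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def rsa_sign(data, private_key):
    n, d = private_key
    return pow(_digest_int(data), d, n)                   # 'sign = private-key operation'

def rsa_verify(data, signature, public_key):
    n, e = public_key
    return pow(signature, e, n) == _digest_int(data)      # 'validate = public-key operation'

def _tbs_bytes(tbs):
    """Canonical encoding of the to-be-signed fields (stand-in for X.509 DER)."""
    return json.dumps(tbs, sort_keys=True).encode()

class CertificateAuthority:
    def __init__(self, name):
        self.name = name
        self.public_key, self._private_key = generate_keypair()   # root certificate key pair
        self._next_serial = 1
        self.crl = set()          # serial numbers of revoked certificates

    def issue(self, subject, subject_public_key, not_before, days=365):
        """Bind subject name, public key and validity period under the CA signature."""
        tbs = {"subject": subject, "issuer": self.name, "serial": self._next_serial,
               "not_before": not_before, "not_after": not_before + days * 86400,
               "public_key": list(subject_public_key)}
        self._next_serial += 1
        return {"tbs": tbs, "signature": rsa_sign(_tbs_bytes(tbs), self._private_key)}

    def revoke(self, serial):
        self.crl.add(serial)

def verify_certificate(cert, ca_public_key, crl, now):
    """Relying-party checks: CA signature over the contents, validity window, CRL."""
    tbs = cert["tbs"]
    if not rsa_verify(_tbs_bytes(tbs), cert["signature"], ca_public_key):
        return False, "CA signature does not verify (forged or altered certificate)"
    if not tbs["not_before"] <= now <= tbs["not_after"]:
        return False, "outside validity period"
    if tbs["serial"] in crl:
        return False, "revoked (listed on CRL)"
    return True, "ok"

def verify_signed_letter(letter, signature, sender_cert, ca_public_key, crl, now):
    """Harry's full check of a letter from Jack: certificate first, then the letter signature."""
    ok, reason = verify_certificate(sender_cert, ca_public_key, crl, now)
    if not ok:
        return False, "certificate rejected: " + reason
    if not rsa_verify(letter, signature, tuple(sender_cert["tbs"]["public_key"])):
        return False, "letter signature invalid (altered, or not from the certified key)"
    return True, "authentic letter from " + sender_cert["tbs"]["subject"]

if __name__ == "__main__":
    NOW = 1231891200                                  # constructed: 2009-01-14 00:00 UTC
    ca = CertificateAuthority("ABC corp CA")          # issuer name from the sample-certificate slide
    jack_pub, jack_priv = generate_keypair()          # generated on Jack's smart card / USB key
    jack_cert = ca.issue("Jack", jack_pub, NOW)       # issued after the RA has checked Jack's identity
    letter = b"Dear Harry, please transfer 100 RMB to account 42.\n"   # constructed sample message
    sig = rsa_sign(letter, jack_priv)
    print(verify_signed_letter(letter, sig, jack_cert, ca.public_key, ca.crl, NOW))
    print(verify_signed_letter(letter.replace(b"100", b"900"), sig, jack_cert, ca.public_key, ca.crl, NOW))
```

Running the block shows the two outcomes the deck describes: the unaltered letter verifies once Harry has checked the CA's signature on Jack's certificate, while a letter with one field changed fails because its digest no longer matches the signed one. Revoking the serial with ca.revoke makes the same letter fail at the certificate step instead, which is why the CRL check belongs in the relying party's procedure and not only at the CA.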
Slide 34: Content (section 4, Standards and Reference, begins here)

Slide 35: Standards and reference for PKI
1. Certificates: X.509 v3
2. PKCS: Public Key Cryptography Standards
3. CSP: Cryptographic Service Provider
http:/

Slide 36: Thanks!