Talking about PKI technology

With the continuous deepening and progress of e-commerce and e-government business requirements, new applications such as mobile banking, online payment, and online trading are constantly emerging. Regardless of the application, the parties to an online transaction need assurance of the legality, correctness, and confidentiality of their identities, assurance that their transaction information will not be stolen or falsified, and assurance that neither party can later deny its information. At present, the most practical security system for this is the CA. On the client side, security is achieved with a smart card based on the PKI system, which meets this need.

In order to deepen the understanding of PKI related technologies, this article will further introduce the basic part of PKI.

1 Introduction

1.1 What is a PKI?
PKI (Public-Key Infrastructure) is a collection of rules, procedures, people, facilities, software and hardware that can be used to issue, distribute and manage public key certificates. From a practical point of view, PKI establishes a trust system in a distributed environment by managing and controlling the use of keys and certificates. Without PKI management and authentication services, cryptography-based security mechanisms cannot be used to support commercial applications.

1.2 How is PKI related to e-commerce?
In the online world, administrators are most concerned with the strategy of making rules and the process of e-commerce. All PKIs should be able to operate and manage according to rules established by specific business standards. Therefore, PKI is not just a technology, a software or a product; in essence, it is a rule in which all technologies, software and products are integrated according to this rule. Well-designed PKI products can support multiple business application frameworks.

1.3 How is PKI technology integrated into the application?
Most PKI components run as a service program on the network. The tool component for developers is an exception. Development tools help programmers deal with the underlying complex encryption services and protocols. Development tools combine software vendors and high-level interfaces that implement security standards, making it easy for any developer to integrate PKI into their applications.

1.4 Main market dynamics
Growing online business applications constitute the basic business drivers for implementing PKI:
* Wireless and internet commerce
* Publishing of electronic content via the public network
* Online payments
* Intranet
Organizations that use these new applications gain huge benefits, but they also have to face serious security risks:
* Impersonation of legitimate users
* Denial (repudiation) of online transactions
* Tampering with data
* Eavesdropping data
* Unauthorized access

1.5 Security requirements for e-commerce
Online business operations have specific security needs. A well-designed PKI can meet all of these needs. PKI enables cryptography to play a role in business applications by managing relationships, keys, and certificates between entities.

The prevailing view today is that cryptography can only be put to good use when PKI technology is integrated into the application. In order to integrate PKI, applications must be able to access PKI resources, such as certificate authorities and certificate directories, as well as objects that often need to be exchanged with PKI, such as digital signatures and public key certificates.
PKI must meet the following requirements:
* Authentication. To prevent impersonation, an entity (a person, device, organization, or role) is authenticated before it conducts online transactions or accesses resources. If the application integrates a PKI, it can use digital signatures and public key certificates to verify the identity of individuals, servers, nodes, or other entities participating in the business process.
* Authorization. To prevent unauthorized activity, verify that an entity is licensed to participate in an activity or transaction, or is allowed to access resources. If the application integrates a PKI, it can cross-reference an entity authenticated by another entity through a priority list before authorizing (confirming or rejecting) an entity to participate in a transaction or access a resource.
* Non-repudiation. Prove that an entity has participated in an activity or accessed a resource. An application that integrates PKI can bind participants to their activities and to the time at which events occurred, because the application can verify digital signatures, process public key certificates, and maintain an audit record.
* Privacy. Prevent eavesdropping and unauthorized access to data. Applications that integrate PKI also have the ability to encrypt data. Although PKI does not provide cryptographic services, it usually provides key management and key exchange services.
* Integrity. Prevent data from being tampered with due to anomalies or human causes during the transmission and storage of data. Digital signatures are a good way to prevent data from being tampered with. If the digital signature passes verification, then the integrity of the transaction is considered guaranteed, otherwise the transaction's data is considered to be changed and the data should be discarded. Applications that integrate PKI can digitally sign transactions and verify digital signatures, so you can verify transaction integrity.

2 PKI technology and structure
A good PKI structure has open documentation, provides a clear application interface, and supports standards. PKI technology needs to implement the following features:
* End-Entity Application (EE)
* Registration Center (Registration Authority, RA)
* Certificate Center (Certification Authority, CA)
* PKI directory

2.1 Basic PKI structure and data flow
The main technical components and operation flow of PKI are shown in Figure 1.

2.1.1 What is a public key certificate?
A public key certificate is a data object that binds a public key to a set of information that identifies the owner of the key pair (an entity such as people, organizations, nodes, and websites). The public key in the certificate is related to the private key in the key pair. The owner of the key pair is called the "principal" in the certificate. Secure transactions rely on the exact identity (subject) and the public key contained in the certificate. Relying on a credible, accurate identity and public key, one participant can authenticate other participants before performing an online transaction. Figure 2 visually shows the contents of the certificate.

2.1.2 What is a digital signature?
As the name suggests, digital signatures are the electronic equivalent of traditional handwritten signatures. Unlike traditional signatures, however, they cannot be recognized by eye. Applications that integrate PKI can handle (create, store, transfer, and authenticate) digital signatures by accessing key management and cryptographic services. Figure 3 shows the general process of generating and verifying a digital signature.

Digital signatures and public key certificates provide two basic security services in PKI: data integrity and user authentication.

2.1.2.1 Data integrity in PKI
As noted above, in order to create a digital signature, both the transaction data to be signed and the user's private key are used as input to the signature process. In order to verify the digital signature, the signed data, the user's public key, and the digital signature itself are all input to the verification process. Since the transaction data itself is always included in the process of signing and verification, if the data is changed after the signature, the verification process will not succeed. Therefore, digital signatures have become the preferred method of ensuring transaction integrity.

2.1.2.2 User Authentication in PKI
The public key certificate ensures that the public key used to verify the digital signature belongs to the user who generated the signature. As described above, the certificate contains both the user's public key and identity. Therefore, if the signature verification is successful, the verifier will also know the exact identity of the signer, because the CA that issued the public key certificate guarantees the identity of the user.

2.2 The main technical components of PKI
The following are the main technical components of PKI:
* End User Application (EE). Its features include:
  * Generate, store, and access the user's public key pair
  * Complete, sign and submit the first certificate request
  * Complete, sign and submit an update request for the certificate
  * Complete, sign and submit a revocation request for a certificate
  * Search for and obtain certificates and revocation information
  * Verify the certificate and get the contents of the certificate
  * Generate and verify digital signatures
* Registration Center (RA). The RA is fully compatible and interoperable with the EE and CA and supports the same basic functions, including key generation, storage, access, and digital signature and certificate processing. In PKI, an RA is usually able to support multiple EEs and CAs. Its main purpose is to support the special tasks of RA users, such as:
  * User registration. The process of registering a user as a potential participant in a PKI. The RA creates user objects in a dedicated database. Depending on the registration rules, the user object can include any number of user attributes, such as name, occupation, and email address.
  * Identity verification. Through this process, the RA verifies the identity of the first-time certificate applicant (subject), thereby confirming that a specific public key (to be placed in the certificate) belongs to the applicant.
  * Approval of an end user's application. The RA approves or rejects the end user's request, such as the first request for a certificate or the request to update an expired certificate.
  * Certificate revocation. Through this action, the RA instructs the CA to revoke a user's certificate. Depending on the PKI's certificate revocation rules, the RA may or may not provide the reason for revocation.
* Certificate Center (CA). The CA is a highly trusted signature engine. Based on pre-defined conditions, the CA is responsible for issuing certificates, revoking certificates, and handling other transactions. The CA plays a central role in PKI. In fact, the CA is responsible for the following functions:
  * Key certification. The CA signs the principal's public key and issues a certificate.
  * Certificate update. When the subject's current certificate expires, a new certificate is issued.
  * Certificate revocation. The certificate becomes invalid from this moment.
  * Certificate publication. PKI users can search for and obtain the certificate.
  * Maintain the certificate revocation list. Keep the revocation list in the PKI up to date.
  * Publish the revocation list. Enable PKI users to access the revocation list.
* PKI directory. The PKI directory is an online database where all PKI participants can search for and obtain certificates, revocation information and policy information. Only dedicated users and components have permission to rewrite and delete entries. In general, directories are mostly based on the IETF's LDAP protocol. The directory structure consists of two main parts: an LDAP client (usually implemented in the EE) and an LDAP server, a web server that stores directory information and handles requests initiated by authorized users in the PKI such as search, read, write, delete, and update. These processes are shown in Figure 4.
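
The signing, verification and certificate checks described in 2.1.2.1, 2.1.2.2 and the component list above, as an added example that is not part of the original article. It uses textbook RSA without padding and constructed keys built from publicly known primes, so it shows the flow only and is not usable cryptography; all function names and sample values are hypothetical.

```python
import hashlib
import json

E = 65537  # public exponent

def make_key(p, q):
    """Textbook RSA key pair from two primes: returns (public, private)."""
    n = p * q
    return (n, E), (n, pow(E, -1, (p - 1) * (q - 1)))

def digest(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(private, data):
    n, d = private
    return pow(digest(data), d, n)  # private key + data in, signature out

def verify(public, data, signature):
    n, e = public
    return pow(signature, e, n) == digest(data)  # fails if data changed

def tbs(cert):
    """Bytes of the fields the CA signs: the subject-to-public-key binding."""
    fields = {k: cert[k] for k in ("serial", "subject", "public_key")}
    return json.dumps(fields, sort_keys=True).encode()

def issue_certificate(ca_private, serial, subject, public_key, request_sig):
    """CA step: check the EE's signed request, then sign the binding."""
    if not verify(public_key, subject.encode(), request_sig):
        raise ValueError("request not signed by the submitted key's owner")
    cert = {"serial": serial, "subject": subject, "public_key": list(public_key)}
    cert["ca_signature"] = sign(ca_private, tbs(cert))
    return cert

def verify_transaction(ca_public, crl, cert, data, signature):
    """Relying party: return the authenticated subject or raise ValueError."""
    if not verify(ca_public, tbs(cert), cert["ca_signature"]):
        raise ValueError("certificate not issued by the trusted CA")
    if cert["serial"] in crl:
        raise ValueError("certificate revoked")
    if not verify(tuple(cert["public_key"]), data, signature):
        raise ValueError("signature invalid")
    return cert["subject"]

# Constructed demo keys from publicly known Mersenne primes (trivially breakable).
CA_PUB, CA_PRIV = make_key(2**521 - 1, 2**607 - 1)
EE_PUB, EE_PRIV = make_key(2**1279 - 1, 2**2203 - 1)

if __name__ == "__main__":
    subject = "alice@example.test"  # hypothetical subject name
    cert = issue_certificate(CA_PRIV, 1001, subject, EE_PUB, sign(EE_PRIV, subject.encode()))
    order = b"pay 100 to account 42"  # constructed transaction data
    print(verify_transaction(CA_PUB, set(), cert, order, sign(EE_PRIV, order)))
```

The relying party checks the CA's signature on the certificate first, then the revocation list, and only then the signature on the transaction, so a valid signature made with a revoked or unvouched key is still rejected.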

2.2.1 PKI Toolbox
If you can't integrate with the application, PKI has no value in business. Therefore, a good PKI design should focus on the application interface. The best approach is to design the application interface and standards into a development toolbox. The toolkit supports seamless integration with applications with minimal resource requirements. Although the toolbox is transparent to users and administrators, it plays an important role in the implementation and maintenance of PKI, and is therefore a key technology component of PKI.

Universal PKI Toolbox: The development toolkit includes all PKI libraries and interfaces needed to support third-party applications that use PKI. Ideally, all other components in the PKI (EE, RA, CA) are also developed using the same toolkit. This structure guarantees compatibility between PKI components and allows new features to be added and modified quickly. By supporting standards, it becomes possible to integrate PKI components from different vendors. The general PKI toolbox design is shown in Figure 5.

2.3 Application Protocols Used in E-Commerce
Some application protocols support e-commerce. These protocols are not e-commerce applications themselves, but rather general-purpose protocols that are widely used across e-commerce. Table 1 lists the protocols that are frequently used and the standards they depend on. These standards all require PKI support.

* WTLS (Wireless Transport Layer Security) is able to authenticate the parties involved in the communication and encrypt WML (Wireless Markup Language) data during transmission.
* SSL (Secure Sockets Layer) and TLS (Transport Layer Security) are similar to WTLS, except that they are for Web-based transactions.
* IPSec (Internet Protocol Security) is mainly used to establish VPN (Virtual Private Networks) to support intranets and external networks. The protocol implements encryption and integrity checks at the IP packet layer and authenticates the sending and receiving network devices in the communication session.
* S/MIME (Secure/Multi-purpose Internet Mail Extensions) is used to encrypt, send and receive emails.
* There are many other technologies that are used to securely publish content. There are many different types of content, including music, books, pictures and software. PKI can support these applications in securely publishing content and managing user permissions.

Application   Protocol standard (PKI support)
WML           WTLS (WAP-199-WTLS-20000218-A)
HTML          SSL and TLS
Email         S/MIME
VPN           IPSEC

Table 1 Frequently used application protocols and corresponding standards

3 PKI strategy
There are two main strategies that determine the operation and technical implementation of PKI: CP (Certificate Policy) and CPS (Certification Practice Statement).

3.1 CPS
CPS defines the extent to which a user can trust a PKI certificate. As mentioned earlier, the policies that govern business rules are also policies that the PKI must support. These policies control how PKI participants create, manage, use, and access keys and certificates. The CPS defines these policies. The CPS may cover the registration process for users and administrators, the operational procedures and security controls of the CA, and the obligations of the principal and the CA. The CPS must define a level of trust for the PKI that is at least as high as the value level of the business transactions that depend on the PKI. In an e-commerce environment, the trust level must be greater than or equal to the value level. CPS is a method of definition and verification.

3.2 CP
Online commerce and the PKI that supports it do not exist in isolation, and they are constantly adding more users, partners and employees. These new entities are in different business and management environments, where a PKI and PKI-integrated applications may already have been established. Therefore, it is important to define a PKI policy and interface, which is the CP. With a well-defined CP, interoperability between different PKIs may be smoother.

4 Conclusion
PKI includes sophisticated technologies that work in conjunction with e-commerce applications. Therefore, application interfaces and standards are very important. PKI technology can support a very wide range of online applications. The need for PKI support will increase. PKI itself is not just a technology, but a way to use and manage technology, certificates, and keys. Ultimately, the use and management of PKI is in line with business rules.
