Composition of the CA authentication system
A CA authentication system consists of the following departments. First, the CA itself, which is responsible for generating and determining the digital certificates of user entities. Second, the examination and authorization department, the registration authority (RA), which examines the qualifications of certificate applicants and decides whether to grant certificates. The RA bears all consequences of audit mistakes and of certificates issued to unqualified applicants, so this role should be held by an institution able to bear that responsibility. Third, the certificate operation department, the certificate handler (CP), which makes, issues and manages certificates for authorized applicants and bears all consequences of operational errors, including loss of confidentiality and certificates issued to unauthorized personnel; this role can be held by the RA itself or entrusted to a third party. Fourth, the key management department (KM), which generates the encryption key pairs of entities and provides escrow for their decryption private keys. Fifth, the certificate repository (DIR), which holds the directory of all certificates published on the Internet.
In a CA authentication system, the authentication relationships between the components are generally as follows:
(1) Between the user and the RA: when requesting review, the user submits identity information to the RA; after the RA has reviewed the user's identity, it forwards the information securely to the CA.
(2) Between the RA and the CA: the RA transmits the user's identity information to the CA in a secure and reliable way. The CA sends the user's digital certificate to the RA, or directly to the user, in a secure and practicable way.
(3) Between users and DIR: users can query the certificate revocation list and digital certificates in DIR.
(4) Between DIR and the CA: the CA transmits the digital certificates it generates directly to the directory DIR and registers them there. Registering a digital certificate in the directory requires user authentication and access control.
(5) Between users and KM: KM accepts the user's entrustment and generates the encryption key pair on the user's behalf; the encryption key of a certificate held by the user must be generated by the key management center; the user can apply for recovery of the decryption private key, and KM must provide that recovery service. The user's decryption private key must be managed by the key management center.
(6) Between the CA and KM: communication between the CA and KM must be confidential and secure, and a communication certificate is needed to ensure this. A communication certificate is a computer equipment certificate used by a certification authority when communicating with the key management center or with a superior or subordinate certification authority. These dedicated computer devices must apply for and install the dedicated communication certificate issued by the certification authority, and must also install the communication key certificates held by the dedicated communication computers of the key management center and of the superior or subordinate certification authority, together with the root certificate of the certification authority.
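Item (5) describes a key escrow service: the KM generates the user's encryption key pair, keeps the decryption private key, and hands it back on an authorised recovery request. The following Go program is an added example written for this page, not code from the original article; it uses only the Go standard library, and the user names, the `authorised` flag and the allow-list style check in `Recover` are constructed stand-ins for the KM's real user authentication. Note what is and is not escrowed: only the decryption key is held by the KM, which is why a signing key should never pass through this service.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// KM models the key management center of item (5): it generates the encryption
// key pair on the user's behalf, keeps the decryption private key in escrow and
// returns it on an authorised recovery request. Signing keys are deliberately
// outside this model; only decryption keys are escrowed.
type KM struct {
	escrow map[string]*rsa.PrivateKey // user identity -> escrowed decryption key
}

func NewKM() *KM { return &KM{escrow: map[string]*rsa.PrivateKey{}} }

// GenerateFor produces the user's encryption key pair. The public key is what
// goes to the CA for certification; the private key stays with the KM.
func (k *KM) GenerateFor(user string) (*rsa.PublicKey, error) {
	if _, exists := k.escrow[user]; exists {
		return nil, fmt.Errorf("KM: key pair already generated for %q", user)
	}
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	k.escrow[user] = priv
	return &priv.PublicKey, nil
}

// Recover returns the escrowed decryption key. The `authorised` flag is a
// constructed placeholder for the KM's real authentication of the requester.
func (k *KM) Recover(user string, authorised bool) (*rsa.PrivateKey, error) {
	if !authorised {
		return nil, errors.New("KM: recovery request not authorised")
	}
	priv, ok := k.escrow[user]
	if !ok {
		return nil, fmt.Errorf("KM: no escrowed key for %q", user)
	}
	return priv, nil
}

// Encrypt and Decrypt use RSA-OAEP so the example can show that data encrypted
// to the certified public key is readable again after recovery.
func Encrypt(pub *rsa.PublicKey, msg []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, msg, nil)
}

func Decrypt(priv *rsa.PrivateKey, ct []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ct, nil)
}

// RecoverAndDecrypt is the end-to-end recovery service: an authorised request
// fetches the escrowed key and decrypts the user's data with it.
func RecoverAndDecrypt(k *KM, user string, ct []byte) ([]byte, error) {
	priv, err := k.Recover(user, true)
	if err != nil {
		return nil, err
	}
	return Decrypt(priv, ct)
}

func main() {
	km := NewKM()
	pub, err := km.GenerateFor("alice") // constructed user
	if err != nil {
		panic(err)
	}
	ct, _ := Encrypt(pub, []byte("constructed message"))
	pt, err := RecoverAndDecrypt(km, "alice", ct)
	fmt.Printf("recovered plaintext: %q, err: %v\n", pt, err)
}
```

The two failure paths a practitioner should look for are both present: a second `GenerateFor` for the same identity is refused, and an unauthorised or unknown recovery request returns an error rather than a key.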
Responsibilities of the certification system
From the above discussion, it follows that the CA should undertake at least the following specific responsibilities:
(1) Verify and identify the identity of the entity whose public key information is submitted for certification;
(2) Ensure the quality of asymmetric key pairs used to generate digital certificates;
(3) Ensure the security of the authentication process and the private key used to sign the public key information;
(4) Ensure that two different entities are never given the same identity, so that they can be distinguished;
(5) Manage the certificate material contained in the public key information, such as the serial number of the digital certificate and the identification of the certification authority;
(6) Maintain and publish the list of revoked certificates;
(7) Specify and check the validity period of the certificate;
(8) Notify the entity identified in the public key information that its digital certificate has been issued;
(9) Record all steps of the digital certificate generation process.
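The relationships in items (1) to (4) of the previous section and the responsibilities (1), (4), (5), (6), (7), (8) and (9) above can be exercised end to end with a small toy CA. The Go program below is an added example written for this page, not the article's code or any product's implementation; it uses only `crypto/x509` from the Go standard library. The RA's review is a constructed allow-list standing in for real identity vetting, the applicant names are constructed, and the `CA` type bundles the directory (DIR), the revocation list and the audit log that a real deployment would keep in separate systems. It demonstrates the checks a CA must enforce: an RA-approved identity, no duplicate identity, a fresh serial number, an explicit validity period, publication to DIR, a signed CRL, and a record of every step.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Application is what a user submits to the RA: an identity claim and the
// public key to be certified. The user keeps the matching private key.
type Application struct {
	CommonName string
	PublicKey  *ecdsa.PublicKey
}

// NewApplication generates the applicant's key pair and returns the
// application plus the private key the user retains.
func NewApplication(cn string) (Application, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return Application{}, nil, err
	}
	return Application{CommonName: cn, PublicKey: &key.PublicKey}, key, nil
}

// RA reviews identity. The allow-list is a constructed stand-in for real vetting.
type RA struct{ Vetted map[string]bool }

func (r RA) Review(app Application) error {
	if !r.Vetted[app.CommonName] {
		return fmt.Errorf("RA: identity %q failed review", app.CommonName)
	}
	return nil
}

// CA holds the signing key, the serial counter, the set of certified
// identities, the revocation list, the directory (DIR) and an audit log.
type CA struct {
	key      *ecdsa.PrivateKey
	Cert     *x509.Certificate
	serial   int64
	subjects map[string]bool
	revoked  []pkix.RevokedCertificate
	Dir      map[string]*x509.Certificate // DIR: serial number -> certificate
	Audit    []string
}

// NewCA creates a self-signed root able to sign certificates and CRLs.
func NewCA(name string) (*CA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &CA{key: key, Cert: cert, serial: 1, subjects: map[string]bool{}, Dir: map[string]*x509.Certificate{}}, nil
}

// Issue requires RA approval, refuses a duplicate identity, assigns a fresh
// serial, sets the validity period, publishes to DIR and logs every outcome.
func (c *CA) Issue(ra RA, app Application, validity time.Duration) (*x509.Certificate, error) {
	if err := ra.Review(app); err != nil {
		c.Audit = append(c.Audit, "rejected: "+err.Error())
		return nil, err
	}
	if c.subjects[app.CommonName] {
		c.Audit = append(c.Audit, "rejected duplicate identity "+app.CommonName)
		return nil, errors.New("CA: identity already bound to a certificate")
	}
	c.serial++
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(c.serial), Subject: pkix.Name{CommonName: app.CommonName},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(validity),
		KeyUsage: x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, c.Cert, app.PublicKey, c.key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	c.subjects[app.CommonName] = true
	c.Dir[cert.SerialNumber.String()] = cert // publication to DIR
	c.Audit = append(c.Audit, fmt.Sprintf("issued serial %s to %s", cert.SerialNumber, app.CommonName))
	return cert, nil
}

// Revoke records the certificate for the next CRL.
func (c *CA) Revoke(cert *x509.Certificate) {
	c.revoked = append(c.revoked, pkix.RevokedCertificate{SerialNumber: cert.SerialNumber, RevocationTime: time.Now()})
	c.Audit = append(c.Audit, "revoked serial "+cert.SerialNumber.String())
}

// CRL returns the signed, DER-encoded revocation list that DIR would publish.
func (c *CA) CRL() ([]byte, error) {
	now := time.Now()
	return x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number: big.NewInt(int64(len(c.Audit))), ThisUpdate: now, NextUpdate: now.Add(24 * time.Hour),
		RevokedCertificates: c.revoked,
	}, c.Cert, c.key)
}

// Validate is the relying party's check on a certificate fetched from DIR:
// chain to the CA, validity period at time `at`, and revocation status.
func (c *CA) Validate(cert *x509.Certificate, at time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(c.Cert)
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: at, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := cert.Verify(opts); err != nil {
		return err
	}
	for _, r := range c.revoked {
		if r.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return errors.New("certificate is revoked")
		}
	}
	return nil
}

func main() {
	ca, _ := NewCA("Toy Root CA")
	ra := RA{Vetted: map[string]bool{"alice": true}} // constructed allow-list
	app, _, _ := NewApplication("alice")
	cert, err := ca.Issue(ra, app, 24*time.Hour)
	fmt.Println("issue:", err, "validate:", ca.Validate(cert, time.Now()))
	for _, line := range ca.Audit {
		fmt.Println("audit:", line)
	}
}
```

The design point is that `Issue` is the only path to a signed certificate and every refusal is written to the audit log before returning, so the record the CA keeps (responsibility 9) covers rejected requests as well as issued ones; `Validate` shows the three independent checks a relying party makes against DIR's contents.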
Functions of the CA security authentication system
The main functions of the CA security authentication system are: issuing digital certificates; managing subordinate audit and registration institutions; accepting business applications from those subordinate institutions; maintaining and managing all certificate directory services; applying for keys from the key management center; and managing entity authentication key equipment.