The setting of public key infrastructure enables unconnected computer users to submit authentication and encryption to each other using the public key information in the public key certificate. When decrypting, each user decrypts with his own private key, which is usually protected by a password.

Generally speaking, public key infrastructure consists of client software, server software, hardware, legal contracts and guarantees, operating procedures, etc. The signer's public key certificate can also be used by a third party to verify the digital signature signed by the signer.

Generally, public key infrastructure helps participants in a conversation to achieve confidentiality, message integrity and user authentication without exchanging any secret information in advance. However, the public key infrastructure among interconnected members is affected by many practical problems, such as the uncertainty of certificate revocation, the conditions for issuing certificates by certificate centers, changes in judicial norms and laws, and trust.

Second, composition

The main elements of PKI are: users (people or institutions using PKI); Certificate Authority (CA) (the person or organization that issues certificates); Warehouse (database for storing certificates). Users and certification authorities are called entities.

Users are people who use PKI. There are two kinds of people who use PKI: one is people who register their own public keys with a certificate authority (CA), and the other is people who want to use the registered public keys.

Certification bodies are individuals or institutions that manage certificates. The certification authority carries out these operations: generating key pairs on behalf of users (of course, they can also be generated by users themselves); Authenticate the user who registered the public key; Generate and issue certificates; Invalid certificate. In addition, public key registration and user authentication can be completed by the registration authority (RA).

A repository is a database for storing certificates. A repository is also called a certificate directory.

Third, use.

Most enterprise-level public key infrastructure systems rely on the certificates issued by the superior certificate center to the lower certificate center, and the legitimacy of a participant's identity certificate is created by building a certificate chain layer by layer.

This leads to a certificate hierarchy with multiple computers and usually covering multiple organizations, which involves cooperation between multiple source software. Therefore, open standards are very important for public key infrastructure. Standardization in this field is mostly completed by PKIX working group of Internet Engineering Working Group.

The enterprise public key infrastructure is usually closely integrated with the enterprise database directory, and the public key of each employee is embedded in the certificate and stored with the personnel data.

The most advanced directory technology today is Lightweight Directory Access Protocol (LDAP). In fact, X.500, the predecessor of the most common certificate format X.509, is a directory sketch of the preprocessor for LDAP.

history

After 1976, Whitfield Duffy, Martin Hailmann | Hailmann, Ron Livingstone, adi shamir and Leonard Aderman announced the secure key exchange and asymmetric key algorithm successively, the whole communication mode changed.

With the development of high-speed electronic digital communication, users' demand for secure communication is increasing.

Cryptographic protocols have gradually developed under this appeal, creating new cryptographic prototypes. After the invention and popularization of the global Internet, the requirements for authentication and secure communication have become more stringent. Business reasons alone speak for themselves. Taher ElGamal, who works in Netscape, and others have developed a transport security layer protocol, including key creation, server authentication and so on. Therefore, the architecture of public key infrastructure came into being.

Manufacturers and entrepreneurs are aware of the huge market that follows, and start to establish new companies to guide legal awareness and protection. The American Bar Association project published a detailed analysis of the foreseeable legal views on the operation of public key infrastructure, and then several American state governments and judicial units in other countries began to formulate relevant laws and regulations. Consumer groups have raised questions about privacy, access and reliability, which have also been included in judicial considerations.

The laws and regulations formulated are actually different, and there are practical problems in transforming the mechanism of public key infrastructure into commercial operation, which is far slower than many pioneers' ideas.

In the first few years of 2 1 century, people gradually found that cryptographic engineering was not so easy to design and practice, and some existing standards were even inappropriate in some aspects.

The manufacturer of public key infrastructure has found a market, but it is not the market expected in the mid-1990s. This market is developing slowly and moving forward in different ways.

Public key infrastructure did not solve the expected problems, and some vendors even withdrew from the market.

The most successful public key infrastructure is in government departments. At present, the largest public key infrastructure is the Defense Information Systems Agency. (DISA Defense Information Systems Agency) * * Universal Access Card Program.