Editor's Note: Public Key Infrastructure (PKI) is an information security infrastructure built on public key cryptography to provide identity authentication, encryption, digital signature and other security services for applications. The Digital Certificate Authority (CA) is a core component of PKI. However, the fragmentation of PKI standards has hindered its development, and this article analyzes the problem.
While enjoying the convenience of networks and computers, people have also tasted the bitterness of security problems. The rapid spread of viruses, intrusions by computer "hackers", and leaks of important information have threatened national infrastructure such as government services, finance, telecommunications, and electricity. To guard against these dangers, many new security technical specifications are emerging, and PKI is one of them.
The Public Key Infrastructure (PKI) is an information security infrastructure built on public key cryptography to provide security services such as identity authentication, encryption, digital signature, and time stamping for applications. The Certificate Authority (CA) is the core component of the PKI. Its main tasks are the issuance and management of digital certificates and certificate revocation lists. PKI has been widely used to secure e-commerce and e-government. It can be said that PKI is to e-commerce and e-government what the highway is to the cars that run on it.
As PKI becomes more widespread, the PKI products of different manufacturers need to interconnect in order to serve society better. For example, if an electricity customer wants to use a digital certificate to pay an electricity bill through a bank, the bank's PKI must authenticate the customer's certificate (verify the customer's identity). The electricity utility's PKI and the bank's PKI are usually products of different manufacturers, so the two products must interoperate, which requires them to support the same standards, such as certificate format and interface specifications. At the same time, the security of the PKI product itself is also very important, which requires specialized institutions and standard specifications to evaluate the security functions and performance of the product. Standardization has therefore become an inevitable trend in the development of PKI.
Two generations of PKI standards
PKI standards can be divided into first-generation and second-generation standards.
First generation PKI standard
The first generation of PKI standards mainly includes RSA's Public Key Cryptography Standards (PKCS) series from the United States, ITU-T X.509 from the International Telecommunication Union, the IETF's Public Key Infrastructure X.509 (PKIX) standard series, and the Wireless Application Protocol (WAP) Forum's Wireless Public Key Infrastructure (WPKI) standard.
The first-generation PKI standards are mainly encoded using Abstract Syntax Notation One (ASN.1), which is difficult to implement, and this has hampered adoption of the standards to some extent.
Second generation PKI standard
In 2001, the XML Key Management Specification (XKMS) was released by Microsoft, VeriSign, and webMethods; it is known as the second-generation PKI standard. XKMS consists of two parts: the XML Key Information Service Specification (X-KISS) and the XML Key Registration Service Specification (X-KRSS). X-KISS defines a trust service specification for verifying the legitimacy of public key information contained in the XML-SIG element; using X-KISS, an XML application can delegate to a trusted third-party CA services such as processing and authenticating signatures and querying, verifying, and binding public key information. X-KRSS defines a service specification for accepting public key registration, revocation, and recovery over the network; an XML application that has generated a key pair can use X-KRSS to send the public key and related identity information to a trusted third-party CA for registration. Both X-KISS and X-KRSS are defined in the XML Schema structured language, communicate using the Simple Object Access Protocol (SOAP V1.1), and define the syntax of their services and messages in the Web Services Definition Language (WSDL V1.0).
At present, XKMS has become a W3C recommended standard and has been integrated into products by Microsoft, VeriSign and other companies (Microsoft has integrated XKMS into ASP.NET, and VeriSign has released the Java-based Trust Service Integration Toolkit, TSIK).
Mutual division affects PKI development
China is in the midst of a wave of PKI construction, and more than 40 large-scale industry or regional PKI/CAs have been successfully built. In addition, many small PKI/CAs have been established within enterprises and institutions. The most influential industry PKI/CAs are the China Financial Certification Center (CFCA) and the China Telecom Certification Center (CTCA); the most influential regional PKI/CAs are the Shanghai CA Certification Center and the Guangdong CA Certification Center. These CA centers are mainly used for e-commerce. Governments at all levels are also building PKI/CAs, mainly for e-government. However, the rapid growth of PKI construction has also brought many problems. On the one hand, China has not officially promulgated laws and regulations on digital signatures, electronic documents, and the legal status of certification centers. This leaves digital signatures without legal protection and dampens people's enthusiasm for electronic transactions. On the other hand, the country lacks a unified set of norms and a management department to guide the construction of PKI. Domestic PKI manufacturers all claim to support the X.509 certificate format, but some certificate extensions differ and the certificate interface standards differ, so each vendor's PKI/CA is essentially isolated from the others and certificates cannot interoperate. This seriously affects the application of certificates, restricts the scale and efficiency of PKI/CAs, and to some extent undermines people's trust in PKI. If these problems are not resolved, the development of PKI will be in crisis.
As information security has risen to the level of national security, countries are developing their own security standards and norms. To strengthen China's information security standardization work, the National Information Security Standardization Technical Committee (No. TC260) was established in April 2002 with the approval of the National Standardization Administration Committee, and several working groups were set up. The PKI standards are being formulated by the PKI/PMI Working Group (WG4). The PKI standard specifications being developed include: X.509-based domestic certificate format specification, PKI component minimum interoperability specification, X.509 online certificate status inquiry protocol, X.509 certificate management protocol, PKI product security test certification specification, PKI system security protection level evaluation criteria, and PKI system security protection level technical requirements.
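The two interoperability obstacles the article names, ASN.1 encoding being hard to implement and vendors' certificate extensions differing, meet in one place: under RFC 5280 section 4.2 a relying party must reject a certificate that carries a critical extension it does not recognize. The added example below (not from the article; the `KNOWN` set and the sample bytes are constructed, with the example OID arc 2.999 standing in for a vendor-private extension) hand-parses a DER `Extensions` value and lists the extensions that would force rejection.

```python
# Added example, not from the article. SAMPLE is constructed; 2.999.x is the example OID arc.
KNOWN = {"2.5.29.15"}  # assumption: this relying party understands only keyUsage
SAMPLE = bytes.fromhex(
    "302a" "300e0603551d0f0101ff040403020780"  # keyUsage, critical
    "300d06038837010101ff04030c0178"           # 2.999.1, critical
    "3009060388370204020500")                  # 2.999.2, critical omitted

def read_tlv(buf, off):
    """Return (tag, value, next_offset) for the DER element starting at off."""
    if off + 2 > len(buf):
        raise ValueError("truncated element header")
    tag, first = buf[off], buf[off + 1]
    off += 2
    if first < 0x80:                       # short form: length in one byte
        length = first
    else:                                  # long form: next n bytes hold the length
        n = first & 0x7F
        if n == 0 or off + n > len(buf):
            raise ValueError("indefinite or truncated length")
        length = int.from_bytes(buf[off:off + n], "big")
        if length < 0x80 or buf[off] == 0:
            raise ValueError("non-minimal length, not valid DER")
        off += n
    if off + length > len(buf):
        raise ValueError("element runs past end of buffer")
    return tag, buf[off:off + length], off + length

def decode_oid(body):
    arcs, value = [], 0
    for byte in body:                      # base-128 digits, high bit = more follows
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(value)
            value = 0
    first = min(arcs[0] // 40, 2)          # first two arcs share one subidentifier
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def parse_extensions(der):                 # -> [(oid, critical, extnValue bytes)]
    tag, body, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected exactly one SEQUENCE")
    result, off = [], 0
    while off < len(body):
        tag, ext, off = read_tlv(body, off)
        t, oid, pos = read_tlv(ext, 0)
        if tag != 0x30 or t != 0x06 or not oid or oid[-1] & 0x80:
            raise ValueError("Extension must start with a valid OBJECT IDENTIFIER")
        t, val, pos = read_tlv(ext, pos)
        critical = False                   # DEFAULT FALSE: omitted when not critical
        if t == 0x01:
            critical = val == b"\xff"
            t, val, pos = read_tlv(ext, pos)
        if t != 0x04 or pos != len(ext):
            raise ValueError("extnValue must be the final OCTET STRING")
        result.append((decode_oid(oid), critical, val))
    return result

def unsupported_critical(der, known=KNOWN):  # unknown + critical => must reject
    return [oid for oid, crit, _ in parse_extensions(der) if crit and oid not in known]
```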
Who benefits from the PKI standard?
Information security standards are an important part of China's information security system and an important basis for the government's macro-level management. Information security standards are not only related to national security, but are also an important means of protecting national interests and promoting industrial development.
For the majority of PKI product providers, the impact can be seen from two perspectives. From a passive perspective, the introduction of standards will force them to regulate their behavior and improve their products, which manufacturers will not necessarily welcome at first. Seen the other way, having PKI products pass the relevant security assessment and certification is of great significance for improving a manufacturer's public image and expanding its market share.
For users, PKI standards can guide them in developing a reasonable PKI strategy, selecting better PKI products, measuring and improving the implementation of PKI projects, and standardizing the security management of PKI. Specifically, when selecting a PKI product, users first have questions such as: What functions does the manufacturer's PKI product offer? What features do I need now? How does the product perform? Will my network system's performance drop after PKI is deployed? How secure is the PKI product itself? These questions can be answered by the "PKI product security test certification specification". Secondly, users may ask: as my business expands in the future, I will need to connect with other PKIs; can that be achieved? This is a question of PKI product interoperability, and it can be answered by the "X.509-based domestic certificate format specification" and the "PKI component minimum interoperability specification".
For technical staff in general, following developments in PKI standards keeps them at the forefront of PKI and helps them grasp the direction of PKI technology and of the information security industry as a whole.
Future $3 billion scale
PKI's development prospects are promising
According to an IDC survey, the PKI market is expanding rapidly: since 1999 it has grown at an average annual rate of 61%, and by 2004 it is expected to reach a scale of US$3 billion.
In January of this year, the China PKI Strategic Development and Application Seminar was held in Beijing. Participants exchanged views on the norms being developed to fully advance domestic PKI construction, including the national e-government PKI system, which bears on the national economy and people's livelihood, and the construction of the national public PKI system, the core means that determines whether e-commerce can be carried out smoothly. If these PKI standards and specifications are released soon, they will stimulate another PKI construction boom, and China's PKI will have a bright future.