摘要
传统的电子商务安全中主要应用PKI/CA体系来通过实体认证、数字签名、加密等技术手段来保证电子商务的机密性、完整性、可用性、认证性和不可否认性。但由于PKI/CA体系数字证书管理复杂,不适于实时在线交易等问题,因此有必要对现有PKI/CA体系进行改进。
在基于身份密码学(IBC)的公开密钥密码系统(IB-PKCS)中不再使用数字证书,用户公钥是它的身份信息(或由身份信息转化而得出),极大简化了传统的PKI/CA体系负担最重的密钥管理工作。
本文将传统公钥密码系统替换为基于身份密码学的公钥密码系统,对WS-Security规范进行扩展,提出了基于身份密码学的Web服务安全(IB-WSS)体系。
文中利用双线性映射技术实现了基于身份的公开密钥系统(IB-PKCS)中的基础设施:基于身份的加密(IBE);基于身份的数字签名(IBS);基于身份的密钥协商(IBAKA),并结合已有的XML数字签名、XML加密、Web Services Security规范实现了基于身份的公开密钥基础设施(IB-PKI),构建一个完整的基于身份密码学的电子商务安全体系。
最后在一个证券交易系统中实现了安全体系原型。
The traditional system of Electronic Business security guarantees the Electronic Business's confidentiality, integrity,usability,the authentication and undeniable mainly through entity authentication,digital signature,encryption by using the PKI/CA system.However,because of the complexity of the digital certificates management in PKI/CA system,it is unsuitable for real-time online exchanges and so on,therefore, it is necessary to improve the existing PKI/CA system.
In Identity-Based Cryptography(IBC)of Public Key Cryptography System(IB-PKCS)no longer needed in the digital certificate,the user' public key is its identity(or identity information into the draw),greatly simplifies the traditional The PKI/CA system with the heaviest burden of key management.
This article will replace the traditional public key cryptography system for identity-based cryptography of public key cryptography system,the WS-Security specifications expansion by the identity-based Web services security(IB-WSS) Architecture.
To use bilinear pairings technology,this paper achieves the Identity-Based Public Key Cryptography System(IB-PKCS)in infrastructure:identity-based encryption(IBE);identitybased digital signature(IBS);identity-based key agreement (IBAKA);Combined with existed XML digital signature,XML encryption,Web Services Security standard Identity-Based Cryptography of the public key infrastructure(IB-PKI),build a complete identity-based cryptography Electronic Business security system.
Finally,the security system prototype in a securities trading system.
引文
[1]劳帼龄.电子商务10年发展理论综述.软件导刊,2005,14:37-41
[2]Brian Eisenberg,Duane Nickull.ebXML Technical Architecture Specification vl.0.4,http://-www.ebxml.org/specs/ebTA.pdf,2001-02-16
[3]科技部门户网站.“基于XML的电子商务关键技术标准研究”.http://www.most.gov.cn/-kjbgz/200603/t20060329_30046.htm,2006-03-30
[4]David Booth.Hugo Haas.Francis McCabe.Web Services Architecture,http://www.w3.org/-TR/2004/NOTE-ws-arch-20040211/,2004-02-11
[5]C.Matthew MacKenzie,Ken Laskey,Francis McCabe.Reference Model for Service Oriented Architecture 1.0.http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=soa-rm.,2006-08-02
[6]劳帼龄.电子商务安全与管理.第2版.北京:高等教育出版社,2006,3-5
[7]张明光,魏琦.电子商务安全体系的探讨.计算机工程与设计,2005,26:394-396
[8]CCID中国市场情报中心.2006-2007年世界电子商务发展研究年度报告.http://market.-ccidnet.com/pub/report/show_12746.html,2007-02-05
[9]艾瑞咨询.2007-2008中国B2B电子商务发展报告.http://news.iresearch.cn/viewpoints/-76392.shtml,2008-02-13
[10]艾瑞咨询.2007-2008年中国网上银行行业发展报告.http://www.iresearch.com.cn/html/-Consulting/online_payment/DetailNews_id_77341.html,2008-03-14
[11]中国人民银行.2007年金融市场运行情况.www.pbc.gov.cn/showacc2.asp?id=1158,2008-01-25
[12]周龙骧.电子商务协议研究综述,软件学报,2001,12(7):1015-1031
[13]C.SHANNON.Communication Theory of Secrecy Systems.Bell Systems Technical Journal,1948,28:656-715
[14]W.DIFFIE,M.HELLMAN.New Directions in Cryptography.IEEE Transactions on Information Theory,1976,22:644-654
[15]A Fiat.A Shamir Identity-based Cryptosystems and signature schemes.In:Advances in Cryptology-Crypto'84 LNCS 196.Berlin:Springer-Verlag,1984,47-53
[16]D Boneh,M Franklin.Identity-based encryption from the Weil pairing.In:Advances in Cryptology-Crypto'01,LNCS2139.Berlin:Springer-Verlag,2001,213-229
[17]ISO/IEC JTC 1.ISO/IEC 14888-3 Information technology-Security techniques-Digital signatures with appendix-Part 3:Discrete logarithm based mechanisms,http://www.iso.org/iso/-iso_catalogue/catalogue_tc/catalogue_detail.htm?csnumber=43656
[18]IEEE P1363.3.Identity-Based Public Key Cryptography.http://grouper.ieee.org/groups/-1363/IBC/index.html,2007-10-25
[20]D EASTLAKE,J REAGLE,D SOLO.XML-Signature Syntax and Processing.http://www.-w3.org/TR/2002/REC-xmldsig-core-20020212/.2002-02-12
[21]T.IMAMURA,B.DILLAWAY,E.SIMON.XML Encryption Syntax and Processing.http://-www.w3.org/TR/2002/REC-xmlenc-core-20021210/,2002-10-10
[22]W.FORD,P.HALLAM-BAKER,B.FOX.XML Key Management Specification(XKMS).http://www.w3.org/TR/2001/NOTE-xkms-20010330/.2001-03-30
[23]Simon Godik,Tim Moses.eXtensible Access Control Markup Language(XACML)Version 1.0.http://www.oasis-open.org/committees/xacml/repository/,2003-02-18
[24]Phillip Hallam-Baker,Eve Maler.Security Assertion Markup Language(SAML)http://-www.oasis-open.org/committees/security/docs/,2002-11-05
[25]IBM,Microsoft.Security in a Web Services World:A Proposed Architecture and Roadmap.http://www.ibm.com/developerworks/library/specification/ws-secmap/,2002-04-05
[26]Allen Brown,Barbara Fox,Satoshi Hada SOAP Security Extensions:Digital Signature http://www.w3.org/TR/2001/NOTE-SOAP-dsig-20010206/,2001-02-06
[27]Bob Atkinson,Giovanni Della-Libera,Satoshi Hada,Web Services Security(WS-Security)http://www.ibm.com/developerworks/library/ws-secure/,2002-04-05
[28]Anthony Nadalin,Chris Kaler,Phillip Hallam-Baker Web Services Security:SOAP Message Security 1.0 http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-secu-rity-1.0.pdf.2004-03-10
[29]F Hess.Efficient identity based signature schemes based on pairings.In:Selected Area in Cryptography(SAC'02),LNCS2595.Berlin:Springer-Verlag,2003.310-324
[30]Don Box,David Ehnebuske,Gopal Kakivaya.Simple Object Access Protocol(SOAP)1.1http://www.w3.org/TR/2000/NOTE-SOAP-20000508/,2000-05-08