Research and Implementation of a Digital Certificate System in an Enterprise Information Network
Abstract
Public Key Infrastructure (PKI) is currently a relatively complete solution for network security. It provides network applications with security services such as authentication, confidentiality and integrity of information, and non-repudiation of transactions. The core technology in building a PKI is establishing a fully functional, trusted Certification Authority (CA). Building a CA is one of the current research hotspots in network security, and its implementation has significant practical and social value. The aim of this work is to meet market demand by designing a digital certificate system for an enterprise network.
     Based on a review of a large body of domestic and international literature, and taking into account the specifics of enterprise informatization and enterprise information security requirements, this thesis studies the design and implementation of a digital certificate authentication system for the enterprise information network, establishes a certification authority within the enterprise network, and presents a security design for an office automation system based on digital certificate technology.
     The thesis discusses PKI principles and encryption technology in depth, and introduces common authentication methods, digital signature technology, the CA certification hierarchy, and the SSL and S/MIME security protocols, providing theoretical support for building the enterprise digital certificate system.
     The design and implementation of the enterprise digital certificate system are the focus of the thesis. The design part describes the system's characteristics, the overall study and the overall workflow, and divides the system into five modules: the certificate server, the certificate registration server, the information publishing server, the user identity authentication server and the application server. The certificate server, the certificate registration server and the information publishing server together form the CA, which is the security infrastructure of the whole enterprise network. The client-side design mainly covers the workflows for certificate application, certificate issuance and certificate revocation.
     The implementation part describes the concrete implementation of client-side certificate application, issuance and revocation, including the technology used to implement the certificate functions, namely Microsoft's Certificate Enrollment Control (CEC), the user interface of the digital certificate system, the approval flow chart, and the source code of the key steps.
     The thesis also examines applications of digital certificates, including secure sending of e-mail and secure transmission of official documents within the enterprise.
     The conclusion summarizes the main work completed, explains the characteristics and significance of the thesis, and points out the shortcomings of the system design in preparation for the next stage of research.
