Research and Practice of a PKI-Based Campus Network Accounting Authentication System
Abstract
With the continued growth of the Internet, network security problems have become increasingly prominent, and public key authentication has gradually become the mainstream of network information security; its representative is the Public Key Infrastructure (PKI) built on the ITU X.509 certificate standard. PKI, however, has to operate in the complex Internet environment and still has many unsolved technical and management problems. To use PKI to provide a secure solution for a specific application, the application must be studied concretely and its configuration modified, or a custom implementation made, according to the actual situation.
     The author took part in the design and implementation of the Tsinghua University "campus network authentication system". Building on the PKI deployed on the campus network, the author studied the architecture of PKI, analyzed through practice how PKI secures specific applications, and concentrated on PKI-based authorization methods: several PKI-based authorization mechanisms are proposed, their advantages and disadvantages are evaluated, and the role of attribute certificates in building secure applications is affirmed. In view of the development of the campus network accounting system and its actual security requirements, the author proposes Agent technology combined with attribute certificates and designs a PKI-based campus network accounting authentication system that requires essentially no modification of the existing accounting system. The system solves the security problem of the accounting system together with the related authorization problem.
With the Internet growing at a rapid pace, great attention has been drawn to security problems. Authentication based on public key cryptography has become an effective approach to Internet security, and the Public Key Infrastructure (PKI) based on ITU X.509 fits it exactly. However, PKI faces many technical and management problems because the Internet is a complicated environment. To develop an application on it, one must do some research and revise the configuration of the application, or customize it.
    The author has participated in designing and developing the authentication system for the Tsinghua University campus network. On the basis of the PKI the campus network has adopted, the author studied the architecture of PKI and analyzed the working principles behind it, and focused on researching and advancing several different authorization methods. According to the requirements of the campus accounting system, the author brings forward Agent technology and designs the accounting authentication system for the campus network with the aid of attribute certificates (AC).
    In this paper the architecture and principles of PKI are presented first. Then the accounting management of the campus network is analyzed, several accounting methods are introduced, and their shortcomings are pointed out. After summarizing the security requirements of the accounting system as the campus network develops, the paper discusses the old authentication system of the campus network. On this basis, the paper gives emphasis to the authorization problem related to PKI. Finally, the paper outlines the accounting authentication system for the campus network that the author has designed with the aid of attribute certificates and Agent technology. This system considerably solves the security problem of authentication for the accounting system and, what is more, it also solves the authorization problem.
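The abstract separates identity (the X.509 public-key certificate issued by the campus CA) from authorization (an attribute certificate issued by an attribute authority and bound to that identity certificate). The Python block below is an added illustration of that model, not code from the thesis or from the Tsinghua system. It assumes the `cryptography` package; the attribute certificate is modelled as a signed JSON body carrying the PKIX-style holder reference (issuer name and serial number of the identity certificate) rather than the ASN.1 profile, and every name, key, role and nonce in it is constructed.

```python
import json
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID

RSA_PAD = padding.PKCS1v15()  # assumption: RSA with PKCS#1 v1.5 for every signature here


def dn(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def issue_cert(subject_cn, subject_pub, issuer_cn, issuer_key, days=365):
    """Issue an X.509 identity (public-key) certificate signed by issuer_key."""
    now = datetime.now(timezone.utc)
    return (x509.CertificateBuilder()
            .subject_name(dn(subject_cn)).issuer_name(dn(issuer_cn))
            .public_key(subject_pub).serial_number(x509.random_serial_number())
            .not_valid_before(now - timedelta(minutes=1))
            .not_valid_after(now + timedelta(days=days))
            .sign(issuer_key, hashes.SHA256()))


def issued_by(cert, issuer_cert):
    """True if issuer_cert's key signed cert (signature only; no revocation or path policy)."""
    try:
        issuer_cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                        RSA_PAD, cert.signature_hash_algorithm)
        return True
    except InvalidSignature:
        return False


def encode(body):
    return json.dumps(body, sort_keys=True).encode()  # canonical bytes to sign


def holder_of(cert):
    """AC holder field: issuer name plus serial number of the identity certificate."""
    return {"issuer": cert.issuer.rfc4514_string(), "serial": cert.serial_number}


def issue_ac(holder_cert, roles, aa_key, hours=8):
    """The attribute authority (AA) binds short-lived roles to an identity certificate.
    Modelled as a signed JSON body, not the PKIX ASN.1 attribute-certificate profile."""
    now = datetime.now(timezone.utc)
    body = {"holder": holder_of(holder_cert), "roles": roles,
            "not_before": (now - timedelta(minutes=1)).isoformat(),
            "not_after": (now + timedelta(hours=hours)).isoformat()}
    return {"body": body, "sig": aa_key.sign(encode(body), RSA_PAD, hashes.SHA256())}


def authorize(ident_cert, pop_sig, nonce, ac, ca_cert, aa_cert, role, now=None):
    """Accounting-side check of one request; returns (allowed, reason)."""
    now = now or datetime.now(timezone.utc)
    if not issued_by(ident_cert, ca_cert):  # 1. identity certificate from the campus CA
        return False, "identity certificate not issued by trusted CA"
    try:  # 2. proof of possession: the client signed the server's fresh nonce
        ident_cert.public_key().verify(pop_sig, nonce, RSA_PAD, hashes.SHA256())
    except InvalidSignature:
        return False, "proof of possession failed"
    if not issued_by(aa_cert, ca_cert):  # 3a. the attribute authority itself is trusted
        return False, "attribute authority not trusted"
    try:  # 3b. the AC was issued by that attribute authority
        aa_cert.public_key().verify(ac["sig"], encode(ac["body"]), RSA_PAD, hashes.SHA256())
    except InvalidSignature:
        return False, "attribute certificate signature invalid"
    body = ac["body"]
    if body["holder"] != holder_of(ident_cert):  # 4. AC is bound to this very certificate
        return False, "attribute certificate not bound to presented identity"
    if not (datetime.fromisoformat(body["not_before"]) <= now
            <= datetime.fromisoformat(body["not_after"])):  # 5. AC validity window
        return False, "attribute certificate expired or not yet valid"
    if role not in body["roles"]:  # 6. the authorization decision itself
        return False, f"role {role!r} not granted"
    return True, "ok"


def demo():
    """Constructed scenario: alice holds a billing-admin AC, bob holds none."""
    ca_key, aa_key, alice_key, bob_key = (
        rsa.generate_private_key(public_exponent=65537, key_size=2048) for _ in range(4))
    ca = issue_cert("Campus CA", ca_key.public_key(), "Campus CA", ca_key)
    aa = issue_cert("Accounting AA", aa_key.public_key(), "Campus CA", ca_key)
    alice = issue_cert("alice", alice_key.public_key(), "Campus CA", ca_key)
    bob = issue_cert("bob", bob_key.public_key(), "Campus CA", ca_key)
    alice_ac = issue_ac(alice, ["student", "billing-admin"], aa_key)
    nonce = b"server-nonce-0001"  # constructed; must be random per session in practice
    alice_pop = alice_key.sign(nonce, RSA_PAD, hashes.SHA256())
    bob_pop = bob_key.sign(nonce, RSA_PAD, hashes.SHA256())
    later = datetime.now(timezone.utc) + timedelta(days=1)
    return {
        "alice_admin": authorize(alice, alice_pop, nonce, alice_ac, ca, aa, "billing-admin"),
        "alice_root": authorize(alice, alice_pop, nonce, alice_ac, ca, aa, "root"),
        # bob presents alice's AC with his own certificate: holder mismatch
        "bob_steals_ac": authorize(bob, bob_pop, nonce, alice_ac, ca, aa, "billing-admin"),
        # bob presents alice's certificate and AC but cannot sign the nonce with her key
        "bob_impersonates": authorize(alice, bob_pop, nonce, alice_ac, ca, aa, "billing-admin"),
        "expired_ac": authorize(alice, alice_pop, nonce, alice_ac, ca, aa, "billing-admin",
                                now=later),
    }
```

Calling `demo()` returns one `(allowed, reason)` pair per case. The design point the abstract relies on is visible in steps 2 and 4: an attribute certificate grants nothing by itself, because it names its holder only by issuer and serial number, so the accounting service must both verify the identity certificate and obtain proof that the presenter controls its private key before the roles in the AC mean anything. Revocation checking and full path validation are deliberately outside this illustration.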
