公钥证书管理系统的设计与实现
|
摘要
公钥基础设施PKI(Public Key Infrastructure)是综合的网络安全解决方案,是具有普适性的安全基础设施,近年来得到了广泛的研究与应用,其前景十分广阔。PKI以公开密钥密码学为基础,以证书的生命周期管理和信任关系管理为核心功能,并综合了管理、策略等多项安全措施,为整个信息系统构建了提供各种安全服务的通用平台。
网络安全的复杂性决定了PKI的应用实施是一个广义的、长期渐进的过程,它涉及了技术、管理、商业、法律乃至政府的范畴。本论文立足PKI的基本原理,遵循其技术标准、参考现有的产品,实现了一个具备核心功能的微型PKI系统,仔细考察了PKI实施中的各种技术细节,包括:系统的体系结构,功能模块、软件架构、运作管理,证书生命周期管理的完整过程,信任关系管理的简单情况,以及如何保证互操作性和可扩展性。
并且,对于上述的各种细节,论文根据具体的应用环境,做出了有针对性的实施方法,着重对系统的运作、客户端模块、证书的类型、扩展域选择等进行了新的探索,并进行了深入的探讨。
通过对PKI实施过程与实现技术的考察,可以丰富对PKI的认识,有助于在理论和实践中对它作进一步的改进和完善,最终建立一个更加高效的网络安全平台。
The Public Key Infrastructure (PKI) is an integrative solution of network security, which takes on universal characteristic. Recently, extensive researches and applications are carried out. And it is thought to have a bright future. Based on the public key cryptology, PKI chiefly functions in certificate life-cycle management and trust relation management. In addition, it synthesizes many other security methods such as management and strategy. By this way, PKI constructs an all-round platform for various security services.
The complexity of network security results in the application of PKI must be a comprehensive and long-term process, which has involved technology, management, business, law, government, and so on. This thesis realized a subminiature PKI with core functions according to PKI's basic principles, which followed the international standard, and referred to some existing products. What's more, the author also did a detailed investigation of various technical issues during the PKI's implementing, including system architecture, function module, software structure, operation management, certificate life-cycle, trust relation management, and the ways to guarantee its operability and extensibility.
For all the details discussed above, this paper has managed to offer corresponding methods to deal with specific practical environment. Especially, it puts great emphasis on exploring and discussing the system operation, client module, certificate type and extensions.
The investigation of PKI's implementing enriched our knowledge of PKI, which is helpful for its further improvement theoretically and practically. The final purpose of all these efforts is to build a high-efficiency network security platform.
网络安全的复杂性决定了PKI的应用实施是一个广义的、长期渐进的过程,它涉及了技术、管理、商业、法律乃至政府的范畴。本论文立足PKI的基本原理,遵循其技术标准、参考现有的产品,实现了一个具备核心功能的微型PKI系统,仔细考察了PKI实施中的各种技术细节,包括:系统的体系结构,功能模块、软件架构、运作管理,证书生命周期管理的完整过程,信任关系管理的简单情况,以及如何保证互操作性和可扩展性。
并且,对于上述的各种细节,论文根据具体的应用环境,做出了有针对性的实施方法,着重对系统的运作、客户端模块、证书的类型、扩展域选择等进行了新的探索,并进行了深入的探讨。
通过对PKI实施过程与实现技术的考察,可以丰富对PKI的认识,有助于在理论和实践中对它作进一步的改进和完善,最终建立一个更加高效的网络安全平台。
The Public Key Infrastructure (PKI) is an integrative solution of network security, which takes on universal characteristic. Recently, extensive researches and applications are carried out. And it is thought to have a bright future. Based on the public key cryptology, PKI chiefly functions in certificate life-cycle management and trust relation management. In addition, it synthesizes many other security methods such as management and strategy. By this way, PKI constructs an all-round platform for various security services.
The complexity of network security results in the application of PKI must be a comprehensive and long-term process, which has involved technology, management, business, law, government, and so on. This thesis realized a subminiature PKI with core functions according to PKI's basic principles, which followed the international standard, and referred to some existing products. What's more, the author also did a detailed investigation of various technical issues during the PKI's implementing, including system architecture, function module, software structure, operation management, certificate life-cycle, trust relation management, and the ways to guarantee its operability and extensibility.
For all the details discussed above, this paper has managed to offer corresponding methods to deal with specific practical environment. Especially, it puts great emphasis on exploring and discussing the system operation, client module, certificate type and extensions.
The investigation of PKI's implementing enriched our knowledge of PKI, which is helpful for its further improvement theoretically and practically. The final purpose of all these efforts is to build a high-efficiency network security platform.
引文
[1] 王育民,何大可.《保密学—基础与应用》 西安电子科技大学出版社.1990.12
[2] B.施奈尔.《应用密码学—协议、算法和C源程序》 国防科学技术保密通信重点实验室,1995.4
[3] 王育民,刘建伟.《通信网的安全—理论与技术》 西安电子科技大学出版社.1999.4
[4] 冯登国,裴定一.《密码学导引》 科学出版社.1999.4
[5] Carlisle Adams,Steve Lloyd.《公开密钥基础设施—概念、标准和实施》冯登国等译.人民邮电出版社.2000.4
[6] 梁晋,施仁.《电子商务核心技术——安全电子交易协议的理论与设计》西安电子科技大学 2000.8
[7] William Stallings.《密码编码学与网络安全:原理与实践》杨明等译.(第二版)电子工业出版社.2001.4
[8] 赖溪松,韩亮,张真诚.《计算机密码学及其应用》国防工业出版社.2001.7
[9] 谢希仁.《计算机网络》(第2版)电子工业出版社.1999
[10] 刘志凌.《电子商务核心理论与技术实现》 国防工业出版社2001.7
[11] Steve Burnett,Stephen Paine.《密码工程实践者指南》冯登国等译.清华大学出版社.2001.10
[12] 关振胜.《公钥基础设施PKI与认证机构CA》 电子工业出版社.2002.1
[13] Michael Boerner等,《Linux部署专业技术》华中兴业科技发展有限公司译.人民邮电出版社.2001.3
[14] Eric Foster-Johnson.《跨平台Perl开发指南》王莉等译.电子工业出版社.2001.6
[15] GOC PKI Certificate and Key Management Interface Specification version1.0. 2000.3.
[16] GOC PKI X.509 Certificate and CRL Fields and Extensions Profile, Draft Version 2.0. 1999.10.
[17] RSA Laboratories. PKCS#1: RSA Cryptography Standard. Version 2.0, (RFC2437). 1998.10
[18] RSA Laboratories. PKCS#7: Cryptographic Message Syntax Standard. Version 1.5, (RFC2315). 1998.3
[19] RSA Laboratories. PKCS #10: Certification Request Syntax Standard.Version 1.5, (RFC 2314). 1998.3
[20] RSA Laboratories. PKCS #12: Personal Information Exchange Syntax Standard. Version 1.0, 1999.6
[21] ITU-T Information Technology, ASN.1 encoding rules: Specification of Basic Encoding Rules(BER), Canonical Encoding Rules(CER) and Distinguished Encoding Rules(DER), 1995.
[22] ITU-T Recommendation X.509. Information Technology-Open Systems Interconnection-The Directory: Authentication Framework. 1997.6.
[23] M.Wahl, T. Howes, S.Kille. Lightweight Directory Access Protocol. RFC 2251. 1997.12
[24] C.Adams, S.Farrell. Internet X.509 Public Key Infrastructure Certificate Management Protocols. RFC 2510. 1999.3.
[25] R.Housley, W. Ford, W. Polk, D.Solo. Internet X.509 Public Key Infrastructure Certificate and CRL Profile. RFC 2459. 1999.1.
[26] S.Chokhani, W. Ford. Internet X.509 Public Key Infrastructure Certificate Policy and Certification Practices Framework. RFC 2527. 1999.3.
[27] M.Myers, R.Ankney, A.Malpani, S.Galperin, C. Adams. X.509 Internet Public Key Infrastructure Online Certificate Status Protocol - OCSP.RFC 2560. 1999.6.
[28] R.Housley, P. Hoffman. Internet X.509 Public Key Infrastructure Operational Protocols: FTP and HTTP. RFC 2585. 1999.5
[29] S.Boeyen, T. Howes, P. Richard. Internet X.509 Public Key Infrastructure Operational Protocols - LDAPv2.RFC 2559. 1999.4
[30] C. Adams, P. Cain, D. Pinkas, R. Zuccherato. Internet X.509 Public Key Infrastructure Time-Stamp Protocol (TSP). RFC 3161. 2001.8
[31] 周武,冯登国.联邦公钥基础设施(PKI)技术简介.密码与信息.1999.3:24~61
[32] 杨建沾,王勇,易星.RSA公开密钥密码体制的密钥生成研究.武汉大学学报(自然科学版).1999,45(3):303~306
[33] 韦位,杜炜,王行刚.构造基于X.509公钥证书的密钥管理系统.计算机工程.1999,25(10):133~135
[34] 金晓耿,高百明,吴承荣.对大规模PKI中CRL分发机制的分析和比较.计算机工程.1999,25(10):175~178
[35] 王怀伯,李林,张申生.基于PKCS的数据安全框架及支持库设计.上海
交通大学学报.2000,34(6):813~817
[36] 宋志敏,王卫京,南相浩.SSL V3.0及其安全性分析.计算机工程与应用.2000.10:145~148
[37] 易江波,赵战生,阮耀平.SSL及使用SSLeay实现证书的签发和管理.计算机应用研究.2001.1:76~78
[38] 李侠,马光思.基于SSL的PKI技术及对WEB安全的维护.陕西师范大学学报.2001,29(5):49~53
[39] 高福令,陈福,刘云.公开密钥基础设施及其信任模型.中国数据通信.2001.5:21~25
[40] 齐晓虹,刘冬,赵岳松.RSA公开密钥密码体制的密钥生成研究.武汉理工大学学报.2001,23(6):37~40
[41] 孟桂娥,董伟文,杨宇航.公钥基础设施PKI的设计.计算机工程.2001,27(6):111~113
[42] 余秦勇.X.509 V3证书格式及语义.通信技术.2001.6
[43] 卢震宇,戴英侠,郑江.基于认证中心的多级信任模型的分析与构建.计算机工程.2001,27(10):48~50
[44] 张沪寅,吴建江,寇宁.基于PKI技术CA密钥算法分析与认证设计.武汉理工大学学报.2001,23(12):79~82
[45] 李朔京.PKI应用中私钥管理的研究.微型机与应用,2002.1:51~54
[46] 洪帆,何绪斌.基于角色的访问控制.小型微型计算机系统.2000,21(2):198~200
[47] Gary McGraw, John Viega. Reliable Software Technologies. http://www.ibm.com/developerWorks/security/. 2000
[48] Symeon Xenitellis. The Open-source PKI Book. A guide to PKIs and Open Source Implementations. http://ospkibook.sourceforge.net/
[49] Netscape Certificate Specifications: http://www. netscape.com/eng/security/certs.html.
[50] Microsoft Certificate Specifications. http://www. microsoft.com/intdev/security/csa/enroll.htm.
[51] SSLeay Certificate Cookbook: http://www.ultranet. com/~fhirsch/Papers/cook/ssl_intro.html.
[52] Frederick J. Hirsch. Introducing SSL and Certificates using SSLeay. World Wide Web Journal, 1997. http://www.ora.com/catalog/wjsum97/.
[53] T J Hudson, E A Young. SSLeay Programmer Reference: http://www2.psy.uq.edu.au/~ftp/Crypto/ssl.html
[54] PKIX Charter. http://www.ietf.org/html.charters/pkix-charter.html.
[55] OpenCA Group: www.openca.org.
[56] OpenSSL Group: www. openssl.org.
[57] MUSCLE Group: www. linuxnet.com
[58] 胡红钢.中国PKI的现状及面临的问题.信息网络安全 2002.3.8~11
[59] 中国商用密码网 hUp://www.cc.gov.cn
[2] B.施奈尔.《应用密码学—协议、算法和C源程序》 国防科学技术保密通信重点实验室,1995.4
[3] 王育民,刘建伟.《通信网的安全—理论与技术》 西安电子科技大学出版社.1999.4
[4] 冯登国,裴定一.《密码学导引》 科学出版社.1999.4
[5] Carlisle Adams,Steve Lloyd.《公开密钥基础设施—概念、标准和实施》冯登国等译.人民邮电出版社.2000.4
[6] 梁晋,施仁.《电子商务核心技术——安全电子交易协议的理论与设计》西安电子科技大学 2000.8
[7] William Stallings.《密码编码学与网络安全:原理与实践》杨明等译.(第二版)电子工业出版社.2001.4
[8] 赖溪松,韩亮,张真诚.《计算机密码学及其应用》国防工业出版社.2001.7
[9] 谢希仁.《计算机网络》(第2版)电子工业出版社.1999
[10] 刘志凌.《电子商务核心理论与技术实现》 国防工业出版社2001.7
[11] Steve Burnett,Stephen Paine.《密码工程实践者指南》冯登国等译.清华大学出版社.2001.10
[12] 关振胜.《公钥基础设施PKI与认证机构CA》 电子工业出版社.2002.1
[13] Michael Boerner等,《Linux部署专业技术》华中兴业科技发展有限公司译.人民邮电出版社.2001.3
[14] Eric Foster-Johnson.《跨平台Perl开发指南》王莉等译.电子工业出版社.2001.6
[15] GOC PKI Certificate and Key Management Interface Specification version1.0. 2000.3.
[16] GOC PKI X.509 Certificate and CRL Fields and Extensions Profile, Draft Version 2.0. 1999.10.
[17] RSA Laboratories. PKCS#1: RSA Cryptography Standard. Version 2.0, (RFC2437). 1998.10
[18] RSA Laboratories. PKCS#7: Cryptographic Message Syntax Standard. Version 1.5, (RFC2315). 1998.3
[19] RSA Laboratories. PKCS #10: Certification Request Syntax Standard.Version 1.5, (RFC 2314). 1998.3
[20] RSA Laboratories. PKCS #12: Personal Information Exchange Syntax Standard. Version 1.0, 1999.6
[21] ITU-T Information Technology, ASN.1 encoding rules: Specification of Basic Encoding Rules(BER), Canonical Encoding Rules(CER) and Distinguished Encoding Rules(DER), 1995.
[22] ITU-T Recommendation X.509. Information Technology-Open Systems Interconnection-The Directory: Authentication Framework. 1997.6.
[23] M.Wahl, T. Howes, S.Kille. Lightweight Directory Access Protocol. RFC 2251. 1997.12
[24] C.Adams, S.Farrell. Internet X.509 Public Key Infrastructure Certificate Management Protocols. RFC 2510. 1999.3.
[25] R.Housley, W. Ford, W. Polk, D.Solo. Internet X.509 Public Key Infrastructure Certificate and CRL Profile. RFC 2459. 1999.1.
[26] S.Chokhani, W. Ford. Internet X.509 Public Key Infrastructure Certificate Policy and Certification Practices Framework. RFC 2527. 1999.3.
[27] M.Myers, R.Ankney, A.Malpani, S.Galperin, C. Adams. X.509 Internet Public Key Infrastructure Online Certificate Status Protocol - OCSP.RFC 2560. 1999.6.
[28] R.Housley, P. Hoffman. Internet X.509 Public Key Infrastructure Operational Protocols: FTP and HTTP. RFC 2585. 1999.5
[29] S.Boeyen, T. Howes, P. Richard. Internet X.509 Public Key Infrastructure Operational Protocols - LDAPv2.RFC 2559. 1999.4
[30] C. Adams, P. Cain, D. Pinkas, R. Zuccherato. Internet X.509 Public Key Infrastructure Time-Stamp Protocol (TSP). RFC 3161. 2001.8
[31] 周武,冯登国.联邦公钥基础设施(PKI)技术简介.密码与信息.1999.3:24~61
[32] 杨建沾,王勇,易星.RSA公开密钥密码体制的密钥生成研究.武汉大学学报(自然科学版).1999,45(3):303~306
[33] 韦位,杜炜,王行刚.构造基于X.509公钥证书的密钥管理系统.计算机工程.1999,25(10):133~135
[34] 金晓耿,高百明,吴承荣.对大规模PKI中CRL分发机制的分析和比较.计算机工程.1999,25(10):175~178
[35] 王怀伯,李林,张申生.基于PKCS的数据安全框架及支持库设计.上海
交通大学学报.2000,34(6):813~817
[36] 宋志敏,王卫京,南相浩.SSL V3.0及其安全性分析.计算机工程与应用.2000.10:145~148
[37] 易江波,赵战生,阮耀平.SSL及使用SSLeay实现证书的签发和管理.计算机应用研究.2001.1:76~78
[38] 李侠,马光思.基于SSL的PKI技术及对WEB安全的维护.陕西师范大学学报.2001,29(5):49~53
[39] 高福令,陈福,刘云.公开密钥基础设施及其信任模型.中国数据通信.2001.5:21~25
[40] 齐晓虹,刘冬,赵岳松.RSA公开密钥密码体制的密钥生成研究.武汉理工大学学报.2001,23(6):37~40
[41] 孟桂娥,董伟文,杨宇航.公钥基础设施PKI的设计.计算机工程.2001,27(6):111~113
[42] 余秦勇.X.509 V3证书格式及语义.通信技术.2001.6
[43] 卢震宇,戴英侠,郑江.基于认证中心的多级信任模型的分析与构建.计算机工程.2001,27(10):48~50
[44] 张沪寅,吴建江,寇宁.基于PKI技术CA密钥算法分析与认证设计.武汉理工大学学报.2001,23(12):79~82
[45] 李朔京.PKI应用中私钥管理的研究.微型机与应用,2002.1:51~54
[46] 洪帆,何绪斌.基于角色的访问控制.小型微型计算机系统.2000,21(2):198~200
[47] Gary McGraw, John Viega. Reliable Software Technologies. http://www.ibm.com/developerWorks/security/. 2000
[48] Symeon Xenitellis. The Open-source PKI Book. A guide to PKIs and Open Source Implementations. http://ospkibook.sourceforge.net/
[49] Netscape Certificate Specifications: http://www. netscape.com/eng/security/certs.html.
[50] Microsoft Certificate Specifications. http://www. microsoft.com/intdev/security/csa/enroll.htm.
[51] SSLeay Certificate Cookbook: http://www.ultranet. com/~fhirsch/Papers/cook/ssl_intro.html.
[52] Frederick J. Hirsch. Introducing SSL and Certificates using SSLeay. World Wide Web Journal, 1997. http://www.ora.com/catalog/wjsum97/.
[53] T J Hudson, E A Young. SSLeay Programmer Reference: http://www2.psy.uq.edu.au/~ftp/Crypto/ssl.html
[54] PKIX Charter. http://www.ietf.org/html.charters/pkix-charter.html.
[55] OpenCA Group: www.openca.org.
[56] OpenSSL Group: www. openssl.org.
[57] MUSCLE Group: www. linuxnet.com
[58] 胡红钢.中国PKI的现状及面临的问题.信息网络安全 2002.3.8~11
[59] 中国商用密码网 hUp://www.cc.gov.cn