基于公钥基础结构(PKI)的Internet安全研究
|
摘要
计算机网络技术的发展,极大地推动了社会信息化进程,人们可以通过Internet很方便地进行信息交流。但是,公开便利的网络环境同时也带来网络通信安全方面的挑战。
在开放的网络环境中,公开密钥算法已成为网上电子商务和其他需要保密和验证的网络应用之基础。而广泛地公钥算法则又需要一个公钥基础结构(PKI)来公布和管理众多公开密钥。如果没有这样的一种基础结构,公钥加密的应用前景恐怕不会比传统的私钥加密宽广。
本文首先在综述Internet加密算法与安全机制的基础上,分析了适合于一般PKI系统的PKI基本特征。运用这些特征,文章对几种常用的PKI构想进行了讨论,着重对他们的结构及存在的问题作了详细的分析,并简要对问题的解决方法与系统的具体实现进行了介绍。
其次,文章在第五章分析了一般C/S模式中存在的安全性隐患,提出用密文形式传输和存储用户口令的方法,解决用户口令在传送和存储时有可能被窃听或截取的问题。同时,在结合PKI模式中CA认证、数字签名以及公开密钥与对称密钥算法技术的基础之上,提出了密文传输和存储口令机制下的用户注册和C/S、B/S模式资源访问的基本模型,以实现C/S和B/S的安全机制。
文章最后运用Java语言,实现了客户端的数字签名与加密机制和服务器端的信息解密与数据完整性验证。整个系统以演示为目的,将各种功能明显地加以区分,分步实现各阶段的功能,旨在说明数字签名与数据完整性验证的详细过程。
The developments of computer network technology are powerfully improving the process of the society information. Now it is very conveniently that people can exchange message with each other on the Internet. At the same time, however, the opened and well-suited network can bring the challenge of security of the network communication.
Public-key cryptography is fast becoming the foundation for online commerce and other applications that require security and authentication in an opened network environment. The widespread use of public-key cryptography also requires a public-key infrastructure (PKI) to publish and manage public-key values. Without a functioning infrastructure, public-key cryptography is only marginally more useful than traditional, secret-key cryptography.
This thesis reviews the basic of the encryption algorithm and security framework, analyses a set of PKI characteristics that apply to any PKI system, And uses these characteristics to describe several internet PKI proposals in common use. This thesis emphasizes to analyse their structure and matters, then describes the resolvent and action method of all kinds of system.
In chapter 5, the thesis analyses the hidden trouble of security hi usually C/S pattern, advances a measure of transferring and memorizing the user's password in cryptograph form to solve the trouble that user's password can be eavesdropped and intercepted possibility when it was transferred and memorized. Contemporary, with the basic of CA Authentication, Digital Signature, Public-key cryptography and Secret-key cryptography, this thesis bring forward a basic model of user registration and C/S, B/S resource accessing under the mechanism that using cryptography to transfer and memory the user's password.
At last, using Java language, the thesis implements Client's Digital Signature & Encryption and Server's Decryption & Integrality Validation. The system is a demo program, and distinguishes all kinds of functions very obviously. It implements each phase function step by step, in order to explain the particular process of Digital Signature and Integrality Validation.
在开放的网络环境中,公开密钥算法已成为网上电子商务和其他需要保密和验证的网络应用之基础。而广泛地公钥算法则又需要一个公钥基础结构(PKI)来公布和管理众多公开密钥。如果没有这样的一种基础结构,公钥加密的应用前景恐怕不会比传统的私钥加密宽广。
本文首先在综述Internet加密算法与安全机制的基础上,分析了适合于一般PKI系统的PKI基本特征。运用这些特征,文章对几种常用的PKI构想进行了讨论,着重对他们的结构及存在的问题作了详细的分析,并简要对问题的解决方法与系统的具体实现进行了介绍。
其次,文章在第五章分析了一般C/S模式中存在的安全性隐患,提出用密文形式传输和存储用户口令的方法,解决用户口令在传送和存储时有可能被窃听或截取的问题。同时,在结合PKI模式中CA认证、数字签名以及公开密钥与对称密钥算法技术的基础之上,提出了密文传输和存储口令机制下的用户注册和C/S、B/S模式资源访问的基本模型,以实现C/S和B/S的安全机制。
文章最后运用Java语言,实现了客户端的数字签名与加密机制和服务器端的信息解密与数据完整性验证。整个系统以演示为目的,将各种功能明显地加以区分,分步实现各阶段的功能,旨在说明数字签名与数据完整性验证的详细过程。
The developments of computer network technology are powerfully improving the process of the society information. Now it is very conveniently that people can exchange message with each other on the Internet. At the same time, however, the opened and well-suited network can bring the challenge of security of the network communication.
Public-key cryptography is fast becoming the foundation for online commerce and other applications that require security and authentication in an opened network environment. The widespread use of public-key cryptography also requires a public-key infrastructure (PKI) to publish and manage public-key values. Without a functioning infrastructure, public-key cryptography is only marginally more useful than traditional, secret-key cryptography.
This thesis reviews the basic of the encryption algorithm and security framework, analyses a set of PKI characteristics that apply to any PKI system, And uses these characteristics to describe several internet PKI proposals in common use. This thesis emphasizes to analyse their structure and matters, then describes the resolvent and action method of all kinds of system.
In chapter 5, the thesis analyses the hidden trouble of security hi usually C/S pattern, advances a measure of transferring and memorizing the user's password in cryptograph form to solve the trouble that user's password can be eavesdropped and intercepted possibility when it was transferred and memorized. Contemporary, with the basic of CA Authentication, Digital Signature, Public-key cryptography and Secret-key cryptography, this thesis bring forward a basic model of user registration and C/S, B/S resource accessing under the mechanism that using cryptography to transfer and memory the user's password.
At last, using Java language, the thesis implements Client's Digital Signature & Encryption and Server's Decryption & Integrality Validation. The system is a demo program, and distinguishes all kinds of functions very obviously. It implements each phase function step by step, in order to explain the particular process of Digital Signature and Integrality Validation.
引文
[1] Andrew S. Tanenbaum: Computer Networks (Third Edition), Prentice Hall, 1997
[2] Marc Baranchaud: A Survey of Public-Key Infrastructure, McGill University, Montreal, 1997
[3] Comer D.E.: Computer Networks and Internets, Prentice Hall, 1997
[4] C.Adams et al.: Intemet X.509 Public Key Infrastructure Certificate Management, Network Working Group, March 1999
[5] S.Chokhani et al.: Internet X.509 Public Key Infrastructure Certificate policy and Certificate Practices Framwork, Network Working Group, March 1999
[6] http://www.whatis.com/PKI.htm, May 2001
[7] http://www.whatis.com/Digitace.htm, May 2001
[8] http://www.whatis.com/Authenti.htm, May 2001
[9] http://www.whatis.com/Encrypti.htm, May 2001
[10] http://www.whatis.com/RSA.htm, May 2001
[11] http://www.whatis.comfIDEA.htm, May 2001
[12] http://www.whatis.com/Algorithm.htm, May 2001
[13] http://www.whatis.com/X.509.htm, May 2001
[14] http://www.whatis.com/Ecommerce.htm, May 2001
[15] http://www.whatis.com/SSL.htm, May 2001
[16] W. Diffle et al.: New Directions in Cryptography, IEEE Transactions on Information Theory, V. IT-22, n.6, Jun 1997, pp. 74-84.
[17] ElGamal T.: A Public-key Cryptosystem and a Signature Scheme based on Discrete Logarithms, IEEE Transactions on Information Theory, 31, pp. 469-472.
[18] Mare F. et al.: LAN Times Guides to Security and Data Integrity, McGraw-Hill, 1998
[19] 张超,Internet/Intranet安全技术,西安电子科技大学出版社,1999
[20] 蒋继红等,计算机系统、数据库系统和通信网络的安全与保密,电子科技大学出版社,1995
[21] 周明天等,TCP/IP网络原理与技术,清华大学出版社,1997
[22] 宋辉等,Java服务器程序设计,清华大学出版社,1999
[23] 陈功等,VisualJ++6.0开发指南,清华大学出版社,1999
[24] Timothy P.: Teach yourself TCP/IP in 14 days, Que Corporation, 1997
[25] Michael A.: Java Quick Reference, Que Corporation, 1997
[26] 王克宏等,Java语言API类库,清华大学出版社,1997
[27]htttp://home.netscape.com/Security/SSL_protocol/contents_PKI.html, 2000
[28]http://developer, netscape.com/docs/manuals/index.html, 2000
[29]ftp ://fip.funet. fi:/pub/crypt/cryptography/asymmetric/rsa, 2000
[30]http://www.rsa.com/index.heml, 2001
[31]Alan O.F. et al.: The SSL Protocol Version 3.0, Netscape Communications Corporation, March 1996
[32]徐斌等,基于用户的WWW服务器安全访问控制模型,计算机工程与应用,1999.4,p12-13
[33]陈修环等,CSCW网络安全问题探讨,计算机工程与应用,1999.1,p68-70,89
[34]龚正虎,计算机网络协议工程,国防科技大学出版社,1993.12
[36]Marcus G.:Web站点安全技术,清华大学出版社,1998
[37]余建斌,黑客的攻击手段及用户对策,人民邮电出版社,1998
[38]樊宬丰等,网络信息安全&PGP加密,清华大学出版社,1998
[39]王锐等,网络最高安全技术指南,机械工业出版社,1998
[40]陈龙,安全防范系统工程,清华大学出版社,1999
[41]Derek A. Et al.:Internet Security Professional Reference (2nd), New Riders, 1997
[42]高鹏等,构建安全的Web站点,清华大学出版社,1999
[43]张小斌等,计算机安全工具,清华大学出版社,1999
[44]Chris B.: Mastering: Network Security, SYBEX, 1999
[45]韦卫等,基于SSL的安全WWW系统的研究与实现,计算机研究与发展,1999.5,p619-624
[46]马海波,通信系统中的信息安全问题,情报学报,1998.2(17卷,第一期),p13-18
[47]丁蔚,Internet的安全缺口及相应对策,情报杂志,1998.5(17卷,第三期),p57-58,61
[48]Devra Hall:建立Web站点的方法,科学出版社,1997
[49]裴有福,HTML实用技术,中国水利水电出版社,1998
[50]娄策群,范昊,现代信息技术环境中的信息安全问题及其对策,中国图书馆学报,2000.6,
[51]范昊等,计算机网络安全中的信息安全问题,华中师范大学学报(人文社会科学版),专辑,1999
[52]Bruce Eckel: Thinking in JAVA, 机械工业出版社,2001
[35]Anonymous: Maximum Security (2nd), Sama, 1999
[2] Marc Baranchaud: A Survey of Public-Key Infrastructure, McGill University, Montreal, 1997
[3] Comer D.E.: Computer Networks and Internets, Prentice Hall, 1997
[4] C.Adams et al.: Intemet X.509 Public Key Infrastructure Certificate Management, Network Working Group, March 1999
[5] S.Chokhani et al.: Internet X.509 Public Key Infrastructure Certificate policy and Certificate Practices Framwork, Network Working Group, March 1999
[6] http://www.whatis.com/PKI.htm, May 2001
[7] http://www.whatis.com/Digitace.htm, May 2001
[8] http://www.whatis.com/Authenti.htm, May 2001
[9] http://www.whatis.com/Encrypti.htm, May 2001
[10] http://www.whatis.com/RSA.htm, May 2001
[11] http://www.whatis.comfIDEA.htm, May 2001
[12] http://www.whatis.com/Algorithm.htm, May 2001
[13] http://www.whatis.com/X.509.htm, May 2001
[14] http://www.whatis.com/Ecommerce.htm, May 2001
[15] http://www.whatis.com/SSL.htm, May 2001
[16] W. Diffle et al.: New Directions in Cryptography, IEEE Transactions on Information Theory, V. IT-22, n.6, Jun 1997, pp. 74-84.
[17] ElGamal T.: A Public-key Cryptosystem and a Signature Scheme based on Discrete Logarithms, IEEE Transactions on Information Theory, 31, pp. 469-472.
[18] Mare F. et al.: LAN Times Guides to Security and Data Integrity, McGraw-Hill, 1998
[19] 张超,Internet/Intranet安全技术,西安电子科技大学出版社,1999
[20] 蒋继红等,计算机系统、数据库系统和通信网络的安全与保密,电子科技大学出版社,1995
[21] 周明天等,TCP/IP网络原理与技术,清华大学出版社,1997
[22] 宋辉等,Java服务器程序设计,清华大学出版社,1999
[23] 陈功等,VisualJ++6.0开发指南,清华大学出版社,1999
[24] Timothy P.: Teach yourself TCP/IP in 14 days, Que Corporation, 1997
[25] Michael A.: Java Quick Reference, Que Corporation, 1997
[26] 王克宏等,Java语言API类库,清华大学出版社,1997
[27]htttp://home.netscape.com/Security/SSL_protocol/contents_PKI.html, 2000
[28]http://developer, netscape.com/docs/manuals/index.html, 2000
[29]ftp ://fip.funet. fi:/pub/crypt/cryptography/asymmetric/rsa, 2000
[30]http://www.rsa.com/index.heml, 2001
[31]Alan O.F. et al.: The SSL Protocol Version 3.0, Netscape Communications Corporation, March 1996
[32]徐斌等,基于用户的WWW服务器安全访问控制模型,计算机工程与应用,1999.4,p12-13
[33]陈修环等,CSCW网络安全问题探讨,计算机工程与应用,1999.1,p68-70,89
[34]龚正虎,计算机网络协议工程,国防科技大学出版社,1993.12
[36]Marcus G.:Web站点安全技术,清华大学出版社,1998
[37]余建斌,黑客的攻击手段及用户对策,人民邮电出版社,1998
[38]樊宬丰等,网络信息安全&PGP加密,清华大学出版社,1998
[39]王锐等,网络最高安全技术指南,机械工业出版社,1998
[40]陈龙,安全防范系统工程,清华大学出版社,1999
[41]Derek A. Et al.:Internet Security Professional Reference (2nd), New Riders, 1997
[42]高鹏等,构建安全的Web站点,清华大学出版社,1999
[43]张小斌等,计算机安全工具,清华大学出版社,1999
[44]Chris B.: Mastering: Network Security, SYBEX, 1999
[45]韦卫等,基于SSL的安全WWW系统的研究与实现,计算机研究与发展,1999.5,p619-624
[46]马海波,通信系统中的信息安全问题,情报学报,1998.2(17卷,第一期),p13-18
[47]丁蔚,Internet的安全缺口及相应对策,情报杂志,1998.5(17卷,第三期),p57-58,61
[48]Devra Hall:建立Web站点的方法,科学出版社,1997
[49]裴有福,HTML实用技术,中国水利水电出版社,1998
[50]娄策群,范昊,现代信息技术环境中的信息安全问题及其对策,中国图书馆学报,2000.6,
[51]范昊等,计算机网络安全中的信息安全问题,华中师范大学学报(人文社会科学版),专辑,1999
[52]Bruce Eckel: Thinking in JAVA, 机械工业出版社,2001
[35]Anonymous: Maximum Security (2nd), Sama, 1999