Design and Implementation of a Digital Certificate Verification System
Abstract
The development of computer and network technology has brought humanity into the information society, and with it has come the closely watched problem of information security. Modern cryptography has become the core of information security technology, and digital certificates based on digital signatures are one of its main research topics. Digital certificate technology plays a role that other technologies cannot replace in identification and authentication, data integrity, and non-repudiation, and it is very widely used in fields such as the military, e-commerce, and e-government.
     In information transmission, digital certificates verify user identity and ensure the security, legitimacy, and integrity of the information conveyed; they are an important link in public key infrastructure. Parsing digital certificates with third-party software has many problems: security cannot be fully guaranteed, and the certificate information is not analyzed thoroughly. Studying and analyzing the certificate verification process, and developing the verification code entirely independently, therefore plays an important role in securing information transmission and building an effective public key infrastructure.
     For the implementation of the digital certificate verification system, the thesis analyzes the verification mechanism for digital certificates in public key infrastructure (PKI) based on the X.509 standard, and discusses the format, syntax definition, and encoding methods of digital certificates. It examines the certificate decoding and verification process provided by Microsoft (MS), and implements certificate decoding and validity-period verification in C, completing secure authentication of digital certificates without using third-party interfaces. The thesis also discusses PKI, ASN.1 abstract syntax, message digest algorithms, and signature algorithms, describes the current state and applications of information security, and offers ideas for future development.
     In implementing certificate verification, the work also addresses the fact that the software provided by Microsoft does not fully decode the public key information: it parses out the n and e in the public key information explicitly, which makes the next use of the certificate more convenient and avoids the insecurity of programming against Microsoft's non-open-source functions when decoding the public key.
     Information security bears on national interests; research on information security that promotes domestically developed information security software will be the development trend of the field.
