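Applied Research on PKI-Based Digital Certificates and Its Application in the Industry and Commerce Online Annual Inspection System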
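Abstract
Information security has long been a highly sensitive and popular topic in the industry. As experts have gradually come to understand PKI, they have devoted themselves to researching a variety of PKI-based network security solutions. The rapid development of networked information systems places higher demands on us.
    This thesis studies the application of PKI-based digital certificates in the field of network information security.
    Building on a study of the principles of cryptography and PKI, the thesis starts from the application layer of PKI, examines in depth the current state of development and deployment of PKI technology, and proposes a direction for applied research on PKI-based digital certificates: building a "unified application security platform".
    Building on this research into PKI applications, the thesis proposes an effective e-government security solution that adopts an "SSL + digital seal" model and applies PKI technology to the industry and commerce online annual inspection system. The main PKI technologies used in this system are digital-certificate login, a certificate-based SSL secure channel, and the digital seal, with the design of the digital seal as the main focus. Digital-certificate authentication ensures that user identities are genuine; the digital seal ensures the integrity of form data and the non-repudiation of the subject's actions; certificate-based data encryption ensures the secure transmission of sensitive information. Combining multiple PKI technologies builds a more sound, more convenient and more complete security platform for e-government.
    Through the study of PKI theory and applications and the design of a concrete project, the thesis summarizes the techniques used in digital certificate applications, promoting the development of PKI technology and strengthening network security.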
Information security has always been a sensitive and popular subject in the field of IT. As they gradually master PKI, specialists have devoted themselves to the study of PKI-based network security. The rapid development of information technology brings us more challenges.
    The paper studies the application of PKI-based digital certificates, which are used in the field of network information security.
    After studying the principles of cryptography and PKI, the paper discusses in depth the status of the application and development of PKI, and presents a direction for PKI-based digital certificates.
    Building on the above, the paper puts forward an effective scheme for secure e-government, which uses X.509 digital certificates, digital signatures and public-key encryption in conjunction with the SSL protocol. These technologies technically ensure identification, secure transmission, authenticity, and the coherence of data in e-government affairs. A safer and more convenient system has been set up.
    Through the study of the principles, the applications and the scheme design of PKI, the techniques of digital certificate application are summarized, which promotes the development of PKI and network security.
