PKI认证模型及其在网络环境下的应用研究
|
摘要
随着计算机网络应用的普及和电子商务的发展,互联网已经成为了人们生活的一部分,由于网络的开放性,如何保障网络上信息交互的安全性,如何解决可信问题以及用户身份认证、授权问题已经成为人们关心的话题和各国政府、企业关注和研究的重要课题。
公钥基础设施(Public Key Infrastructure,PKI)是目前公认的保障网络社会安全的最佳体系。PKI是基于公开密钥理论和技术建立起来的安全体系,是提供信息安全服务的具有普适性的安全基础设施。PKI作为国家信息化的基础设施,是相关技术、应用、组织、规范和法律法规的总和。PKI的核心是要解决信息网络空间中的信任问题,确定信息网络空间中各种经济、军事和管理行为主体身份的唯一性、真实性和合法性,保护信息网络空间中各种主体的安全利益。
公钥密码系统所支持的安全机制包括机密性,完整性,授权和认证。但是,这些安全机制必须通过仔细规划基础设施来管理。公开密钥基础设施是各种应用程序、系统和网络安全的基础,是全局安全策略的基础。
本论文的主要研究工作包括;
1)在对传统PKI认证模型分析的基础上,介绍了一种新型的PKI安全认证模型的框架结构。并结合现有的国家政府体系,分析研究了适合于政府体系现状的PKI安全认证模型。
2)介绍了一种网格环境下基于PKI的CA单向和双向认证方法,为CA认证提供了一种优越的可信途径,防止因为认证过于繁琐而产生的各种问题,并介绍了两个针对单向和双向认证的实例。
3)给出了一种PKI在网络环境下的实际应用即文件加密平台和文件加密锁的研究开发。
With the popularization and development of e-commerce of network application of the computer, Internet has already become very important in people's life. With the opening of network, how to ensure the security of mutual information, how to solve the trust and user's identity authentication , the question of authorize become the topic that people care about and important subject which the government, enterprise of various countries pay close attention to and study.
Public Key Infrastructure is the best system of the present guarantee network social safety. PKI can solve most security problems, and has formed a set of intact solutions tentatively, it establishes the system of security that stands up public key theory and technology, general and right security infrastructure offered information security service, such as the whole development strategies of the E-government, e-commerce and national informationization, etc. PKI, as the infrastructure of the national informationization, is the total of relevant technology, using, organizing, standardizing and laws and regulations. The core of PKI is to solve the trust problem in the information cyberspace, confirm various kinds of economy , military and only , authenticity and legitimacy of the identity of administration behavior subject (include organizations and individuals) in information cyberspace, protect the security interests of different subjects in information cyberspace.
Public key cryptography supports security mechanisms such as confidentiality, integrity, authentication, and non-repudiation. However, to successfully implement these security mechanisms, these security mechanisms must be managed by carefully plan an infrastructure. A public key infrastructure (PKI) is a foundation on which other applications, system, and network security components are built. A PKI is an essential component of an overall security strategy that must work in concert with other security mechanisms, business practices, and risk management efforts.
The main innovative achievements are described as follows:
1) A new PKI secure Certification model is presented with emphasis on the architecture of the PKI secure certification model, based on analyzing the normal PKI Certification model. It provides a new valuable way of the construction of the national-level PKI secure certification model in the open networks.
2) A new CA unilateral certification and Bidirectional Certification based on PKI are present on the Grid environment. It can provide a good trusted way to avoiding various problems caused by a lot of certifications.
3) The research of PKI Secure Certification Model and Application on the Internet Environment, Design and Develop of Lock of File Encrypting Based on public Key Infrastructrue.
公钥基础设施(Public Key Infrastructure,PKI)是目前公认的保障网络社会安全的最佳体系。PKI是基于公开密钥理论和技术建立起来的安全体系,是提供信息安全服务的具有普适性的安全基础设施。PKI作为国家信息化的基础设施,是相关技术、应用、组织、规范和法律法规的总和。PKI的核心是要解决信息网络空间中的信任问题,确定信息网络空间中各种经济、军事和管理行为主体身份的唯一性、真实性和合法性,保护信息网络空间中各种主体的安全利益。
公钥密码系统所支持的安全机制包括机密性,完整性,授权和认证。但是,这些安全机制必须通过仔细规划基础设施来管理。公开密钥基础设施是各种应用程序、系统和网络安全的基础,是全局安全策略的基础。
本论文的主要研究工作包括;
1)在对传统PKI认证模型分析的基础上,介绍了一种新型的PKI安全认证模型的框架结构。并结合现有的国家政府体系,分析研究了适合于政府体系现状的PKI安全认证模型。
2)介绍了一种网格环境下基于PKI的CA单向和双向认证方法,为CA认证提供了一种优越的可信途径,防止因为认证过于繁琐而产生的各种问题,并介绍了两个针对单向和双向认证的实例。
3)给出了一种PKI在网络环境下的实际应用即文件加密平台和文件加密锁的研究开发。
With the popularization and development of e-commerce of network application of the computer, Internet has already become very important in people's life. With the opening of network, how to ensure the security of mutual information, how to solve the trust and user's identity authentication , the question of authorize become the topic that people care about and important subject which the government, enterprise of various countries pay close attention to and study.
Public Key Infrastructure is the best system of the present guarantee network social safety. PKI can solve most security problems, and has formed a set of intact solutions tentatively, it establishes the system of security that stands up public key theory and technology, general and right security infrastructure offered information security service, such as the whole development strategies of the E-government, e-commerce and national informationization, etc. PKI, as the infrastructure of the national informationization, is the total of relevant technology, using, organizing, standardizing and laws and regulations. The core of PKI is to solve the trust problem in the information cyberspace, confirm various kinds of economy , military and only , authenticity and legitimacy of the identity of administration behavior subject (include organizations and individuals) in information cyberspace, protect the security interests of different subjects in information cyberspace.
Public key cryptography supports security mechanisms such as confidentiality, integrity, authentication, and non-repudiation. However, to successfully implement these security mechanisms, these security mechanisms must be managed by carefully plan an infrastructure. A public key infrastructure (PKI) is a foundation on which other applications, system, and network security components are built. A PKI is an essential component of an overall security strategy that must work in concert with other security mechanisms, business practices, and risk management efforts.
The main innovative achievements are described as follows:
1) A new PKI secure Certification model is presented with emphasis on the architecture of the PKI secure certification model, based on analyzing the normal PKI Certification model. It provides a new valuable way of the construction of the national-level PKI secure certification model in the open networks.
2) A new CA unilateral certification and Bidirectional Certification based on PKI are present on the Grid environment. It can provide a good trusted way to avoiding various problems caused by a lot of certifications.
3) The research of PKI Secure Certification Model and Application on the Internet Environment, Design and Develop of Lock of File Encrypting Based on public Key Infrastructrue.
引文
[1].Younglove R.W.Public key infrastructure.How it works? Computing & Control Engineering Journal,2001,12(2);99-102.
[2].Jin-Bum Hwang,Do-Woo Kim,Yun-Kyung Lee,et al.Two Layered PKI Model for Device Authentication in Multi-Domain Home Networks Consumer Electronics,2006;1-6.
[3].Haibo Yu,Chunzhao Jin,Haiyan Che.A description logic for PKI trust domain modeling Information Technology and Applications,2005,2(2);524-528.
[4].Global Trust Network,http;//www.globaltrustnetwork.com,2007.
[5].贾忠田,李大兴.证书和私钥漫游系统的设计方案.计算机应用与软件,2006,23(4);66-71.
[6].Batina L,Guajardo J,Kerins T,et al.Public-Key Cryptography for RFID-Tags.Pervasive Computing and Communications Workshops,2007.PerCom Workshops '07.Fifth Annual IEEE International Conference on 19-23 March 2007;217-222.
[7].Saldamli Gokay,Cetin K.Spectral Modular Exponentiation Computer Arithmetic,2007.ARITH '07.18th IEEE Symposium on 25-27 June 2007 Page(s);123-132.
[8].Elias G,Carayannis,Eric Turner.Innovation diffusion and technology acceptance;The case of PKI technology.Technovation 2006,26(7);847-855.
[9].卢开澄.计算机密码学.北京;清华大学出版社.2003.
[10].Bruce schneier.应用密码学.北京;国防工业出版社.1998;167-173.
[11].Adams C冯登国,公开密钥基础设施一慨念、标准和实施,北京;人民邮电出版社,2001;88-90.
[12].徐志大.认证中心CA理论与开发技术.计算机工程与应用.2000.36(9);87-90.
[13].ISO/IEC 9594-8/ITO-T Recommendation X.509 Information Technology-Open System Interconnection-The Directory;Authentication Framework ITO,1997.
[14].ASN.1 Project,http;//www.itu.int/ITU-T/asnl,2007.
[15].Laih C S,Chen K Y.Generating Visible RSA Public Keys for PKI,International Journal of Information Security,2004;103-109.
[16].PKI TWG 96,Federal Public Key Infrastructure(PKI)Technical Specifications(Version 1)Part A;Requirements,1996;3-5.
[17].CCITT X.500 Series(1992)|ISO/IEC 9594,1-9,Information Technology-Open Systems Interconnection-The Directory,1992.
[18].C.Adams and S.Farrell,Internet X.509 Public Key Infrastructure Certificate Management Protocols,RFC 2510,1999.
[19].ITU-T Recommendation X.509(1997 E);Information Technology-Open Systems Interconnection-The Directory;Authentication Framework,June 1997.
[20].Myers M,Ankney R,Malpani A,Galperin S,et al.X.509 Internet Public Key Infrastructure Online Certificate Status Protocol-OCSP,RFC2560,June 1999
[21].RSA Data Security Inc.PKCS 12;Personal Information Exchange Syntax Standard,1997.
[22].PKI TWG 96,Federal Public Key Infrastructure(PKI)Technical Specifications(Version 1)Part A;Requirements,1996;3-5.
[23].赵秀文,罗平,陈强等.基于SSH和LDAP的分布式安全文件系统.计算机应用研究.2006,4.
[24].韩华,代亚非,李晓明等.“一种基于分布式LDAP的分布对象名字服务机制”,《高技术通讯》,2002,10;33-38.
[25].卢开澄.计算机密码学—计算机网络中的数据预安全.北京;清华大学出版社,1998.
[26].Shannon C E.Communication theory of secrecy systems.Bell Syst.Tech J 1949,28;656-715.
[27].Shannon C E,A Mathematical Theory of communication",1948
[28].Shannon C E,Coding Theorems for a Discrete Source with a Fidelity Criterion,1959.
[29].Simmons G J.Authentication codes that permit arbitration.Congresses Numerantium,1987,59;275-290.
[30].Simmons G J.Contemporary cryptology-the science of information integrity.New York;IEEE Press,1992.
[3l].肖皇培,张国基.基于Hash函数的报文鉴别方法,计算机工程,2007,33(6);65-71.
[32].Burr W E.Public Key Infrastructure(PKI)Technical Specification;Part A Technical Concept of Operations.http;//csrc.nist.gov/pki/twg/baseline/pkicon20b.pdf,1998.
[33].费巧玲,徐向阳,蒋国清.潘勇基于SSL的安全邮件解决方案.计算机工程,2007,33(5);52-56.
[34]. Dawson M.H. and Tavares S.E, An Expanded Set of Design Criteria for Substitution Box and Their Use in Strengthening DES-like Cryptosystems , IEEE Pacific Rim Conference on Communications, Computer and Signal Processing, 1991:191-195.
[35]. Foster I., Kesselman C., and Tuecke S.The Anatomy of the Grid: Enabling Scalable Virtual Organizations, International Journal of Supercomputer Applications, 2001, 15(3): 200-222.
[36]. Foster I. Globus: A metacomputing infrastructure toolkit. International Journal of Supercomputer Applications, 1997, 11 (2): 115-128.
[37]. Licklider, J.R. Man-computer symbiosis, IRE Transaction on Human Factors in Electronics, 1960:4-11.
[38]. Czajkowski K, Foster I, Kesselman C, Resource Co-Allocation in Computational Grid, 1999: 219-228.
[39]. Allen Gabrielle, Dramlitsch Thomas, Foster Ian, et al. Supporting Efficient Execution in Heterogeneous Distributed Computing Environments with Cactus and Globus, Supercomputing, 2001:108-121.
[40]. Natrajan A, Humphrey M. A and Grimshaw A. S. Grids: Harnessing geographically-separated resources in a multi-organizational context. In 15th Annual International Symposium on High Performance Computing Systems and Applications, June 2001.
[41]. Wang Han, Wang Hao, Shen Jinmei. Architectural design and implementation of highly available and scalable medical system with IBM Websphere middleware, Computer-Based Medical Systems, 2004. Proceedings of 17th IEEE Symposium, June 24-25, 2004:174-179.
[42]. Ramljak D., Puksec J., Huljenic D., et al. Building enterprise information system using model driven architecture on J2EE platform, Telecommunications, Proceedings of the 7th International Conference, June 2003 (2):521-526.
[43]. .Net Framework Developer Center,http://msdn.microsoft.com/netframework, 2007.
[44]. Foster I., Kesselman C. The physiology of the grid: An open grid services architecture for distributed systems integration. Open Grid Service Infrastructure WG, Global Grid Forum, June 22, 2002.
[45]. Luis F.G.Sarmenta. Computing .NET: Grid Computing with XML Web Services. Proceedings of the 2nd IEEE/ACM International Symposium on Cluster Computing and the Grid.
[46]. Web Services Description Language, W3C, Notel5,http:/www.w3.org/TR/wsdl, 2001.
[2].Jin-Bum Hwang,Do-Woo Kim,Yun-Kyung Lee,et al.Two Layered PKI Model for Device Authentication in Multi-Domain Home Networks Consumer Electronics,2006;1-6.
[3].Haibo Yu,Chunzhao Jin,Haiyan Che.A description logic for PKI trust domain modeling Information Technology and Applications,2005,2(2);524-528.
[4].Global Trust Network,http;//www.globaltrustnetwork.com,2007.
[5].贾忠田,李大兴.证书和私钥漫游系统的设计方案.计算机应用与软件,2006,23(4);66-71.
[6].Batina L,Guajardo J,Kerins T,et al.Public-Key Cryptography for RFID-Tags.Pervasive Computing and Communications Workshops,2007.PerCom Workshops '07.Fifth Annual IEEE International Conference on 19-23 March 2007;217-222.
[7].Saldamli Gokay,Cetin K.Spectral Modular Exponentiation Computer Arithmetic,2007.ARITH '07.18th IEEE Symposium on 25-27 June 2007 Page(s);123-132.
[8].Elias G,Carayannis,Eric Turner.Innovation diffusion and technology acceptance;The case of PKI technology.Technovation 2006,26(7);847-855.
[9].卢开澄.计算机密码学.北京;清华大学出版社.2003.
[10].Bruce schneier.应用密码学.北京;国防工业出版社.1998;167-173.
[11].Adams C冯登国,公开密钥基础设施一慨念、标准和实施,北京;人民邮电出版社,2001;88-90.
[12].徐志大.认证中心CA理论与开发技术.计算机工程与应用.2000.36(9);87-90.
[13].ISO/IEC 9594-8/ITO-T Recommendation X.509 Information Technology-Open System Interconnection-The Directory;Authentication Framework ITO,1997.
[14].ASN.1 Project,http;//www.itu.int/ITU-T/asnl,2007.
[15].Laih C S,Chen K Y.Generating Visible RSA Public Keys for PKI,International Journal of Information Security,2004;103-109.
[16].PKI TWG 96,Federal Public Key Infrastructure(PKI)Technical Specifications(Version 1)Part A;Requirements,1996;3-5.
[17].CCITT X.500 Series(1992)|ISO/IEC 9594,1-9,Information Technology-Open Systems Interconnection-The Directory,1992.
[18].C.Adams and S.Farrell,Internet X.509 Public Key Infrastructure Certificate Management Protocols,RFC 2510,1999.
[19].ITU-T Recommendation X.509(1997 E);Information Technology-Open Systems Interconnection-The Directory;Authentication Framework,June 1997.
[20].Myers M,Ankney R,Malpani A,Galperin S,et al.X.509 Internet Public Key Infrastructure Online Certificate Status Protocol-OCSP,RFC2560,June 1999
[21].RSA Data Security Inc.PKCS 12;Personal Information Exchange Syntax Standard,1997.
[22].PKI TWG 96,Federal Public Key Infrastructure(PKI)Technical Specifications(Version 1)Part A;Requirements,1996;3-5.
[23].赵秀文,罗平,陈强等.基于SSH和LDAP的分布式安全文件系统.计算机应用研究.2006,4.
[24].韩华,代亚非,李晓明等.“一种基于分布式LDAP的分布对象名字服务机制”,《高技术通讯》,2002,10;33-38.
[25].卢开澄.计算机密码学—计算机网络中的数据预安全.北京;清华大学出版社,1998.
[26].Shannon C E.Communication theory of secrecy systems.Bell Syst.Tech J 1949,28;656-715.
[27].Shannon C E,A Mathematical Theory of communication",1948
[28].Shannon C E,Coding Theorems for a Discrete Source with a Fidelity Criterion,1959.
[29].Simmons G J.Authentication codes that permit arbitration.Congresses Numerantium,1987,59;275-290.
[30].Simmons G J.Contemporary cryptology-the science of information integrity.New York;IEEE Press,1992.
[3l].肖皇培,张国基.基于Hash函数的报文鉴别方法,计算机工程,2007,33(6);65-71.
[32].Burr W E.Public Key Infrastructure(PKI)Technical Specification;Part A Technical Concept of Operations.http;//csrc.nist.gov/pki/twg/baseline/pkicon20b.pdf,1998.
[33].费巧玲,徐向阳,蒋国清.潘勇基于SSL的安全邮件解决方案.计算机工程,2007,33(5);52-56.
[34]. Dawson M.H. and Tavares S.E, An Expanded Set of Design Criteria for Substitution Box and Their Use in Strengthening DES-like Cryptosystems , IEEE Pacific Rim Conference on Communications, Computer and Signal Processing, 1991:191-195.
[35]. Foster I., Kesselman C., and Tuecke S.The Anatomy of the Grid: Enabling Scalable Virtual Organizations, International Journal of Supercomputer Applications, 2001, 15(3): 200-222.
[36]. Foster I. Globus: A metacomputing infrastructure toolkit. International Journal of Supercomputer Applications, 1997, 11 (2): 115-128.
[37]. Licklider, J.R. Man-computer symbiosis, IRE Transaction on Human Factors in Electronics, 1960:4-11.
[38]. Czajkowski K, Foster I, Kesselman C, Resource Co-Allocation in Computational Grid, 1999: 219-228.
[39]. Allen Gabrielle, Dramlitsch Thomas, Foster Ian, et al. Supporting Efficient Execution in Heterogeneous Distributed Computing Environments with Cactus and Globus, Supercomputing, 2001:108-121.
[40]. Natrajan A, Humphrey M. A and Grimshaw A. S. Grids: Harnessing geographically-separated resources in a multi-organizational context. In 15th Annual International Symposium on High Performance Computing Systems and Applications, June 2001.
[41]. Wang Han, Wang Hao, Shen Jinmei. Architectural design and implementation of highly available and scalable medical system with IBM Websphere middleware, Computer-Based Medical Systems, 2004. Proceedings of 17th IEEE Symposium, June 24-25, 2004:174-179.
[42]. Ramljak D., Puksec J., Huljenic D., et al. Building enterprise information system using model driven architecture on J2EE platform, Telecommunications, Proceedings of the 7th International Conference, June 2003 (2):521-526.
[43]. .Net Framework Developer Center,http://msdn.microsoft.com/netframework, 2007.
[44]. Foster I., Kesselman C. The physiology of the grid: An open grid services architecture for distributed systems integration. Open Grid Service Infrastructure WG, Global Grid Forum, June 22, 2002.
[45]. Luis F.G.Sarmenta. Computing .NET: Grid Computing with XML Web Services. Proceedings of the 2nd IEEE/ACM International Symposium on Cluster Computing and the Grid.
[46]. Web Services Description Language, W3C, Notel5,http:/www.w3.org/TR/wsdl, 2001.