信息安全工具包CIST消息机制及密钥管理的研究与实现
|
摘要
随着计算机和网络技术的飞速发展及广泛应用,人们的生活方式和工作方式也随之改变,但也带来了许多的安全问题,信息安全已成了人们研究的重点。信息安全工具包正是解决信息安全问题的基础,我们基于面向对象技术开发了自主版权的信息安全工具包CIST(Chinese Information Security Toolkit),它能够提供各种信息安全服务。
在开发CIST的过程中,本人主要设计并实现了消息机制和密钥管理两大部分。
在CIST中,完成和实现PKI功能的有七类对象:设备对象、用户对象、上下文对象、证书对象、密钥集对象、信封对象及会话对象。消息管理机制是CIST中内核的重要组成部分,它负责整个系统中各对象之间的联系以及访问对象时的一些相关检查。在CIST中,各对象之间以及外部与内部之间的通信是通过消息来实现的,而消息的管理和转发则通过消息管理器来完成。消息机制的实现使得系统内部与用户应用程序完全分离,极大地提高了系统的安全强度。
密钥管理包括密钥的产生和密钥的存储、备份及恢复等。密钥的管理遵循了国际上通用的标准和规范,支持密钥以文件、DBMS、HTTP以及LDAP四种形式的存储备份。此外,为了保证运行时敏感数据在内存中的安全,还设计了系统的内存管理方式。
信息安全工具包CIST的设计和实现,对我国在信息安全方面提供了有力的支持,并且,由于信息和网络使用的广泛性,它将会有广阔的应用前景和重要的社会经济效益。
Life and working style changes with the rapid development and deployment of computer and network-technologies, however, it brings many security problems. Information security thus becomes the focus of current research. Information security toolkit is just the key to these information security problems. Based on object-oriented techniques we developed self-copyrighted Chinese Information Security Toolkit (CIST), which provides various information security services.In this project, we designed and implemented key management and message mechanism.There are seven types of objects that implement PKI functions. They are: Device Object, User Object, Context Object, Certification Object, Keyset Object, Envelop Object and Session Object. Message management mechanism is the principal part of CIST kernel. It is responsible for communications among objects and checking related to object access in the systems. In CIST, communications among objects and communication between system internals and system externals are implemented via messages. Meanwhile, message management and forwarding are implemented in message manager. This kind of message mechanism implementation makes system internals isolated from user application completely, thus greatly enhanced system security.Key management includes key generation and key storage, backup and restore. Key management follows general specification and standards of this fields that support key storage backup methods in the form of files, DBMS, HTTP and LDAP. Furthermore, system is designed to have its own memory management method in order to secure runtime sensitive data in memory.The designing and implementation of CIST provides powerful support for information security of our nation. What's more, due to the generosity of information and network deployment, CIST might have profound application perspective as well as social economy benefit.
在开发CIST的过程中,本人主要设计并实现了消息机制和密钥管理两大部分。
在CIST中,完成和实现PKI功能的有七类对象:设备对象、用户对象、上下文对象、证书对象、密钥集对象、信封对象及会话对象。消息管理机制是CIST中内核的重要组成部分,它负责整个系统中各对象之间的联系以及访问对象时的一些相关检查。在CIST中,各对象之间以及外部与内部之间的通信是通过消息来实现的,而消息的管理和转发则通过消息管理器来完成。消息机制的实现使得系统内部与用户应用程序完全分离,极大地提高了系统的安全强度。
密钥管理包括密钥的产生和密钥的存储、备份及恢复等。密钥的管理遵循了国际上通用的标准和规范,支持密钥以文件、DBMS、HTTP以及LDAP四种形式的存储备份。此外,为了保证运行时敏感数据在内存中的安全,还设计了系统的内存管理方式。
信息安全工具包CIST的设计和实现,对我国在信息安全方面提供了有力的支持,并且,由于信息和网络使用的广泛性,它将会有广阔的应用前景和重要的社会经济效益。
Life and working style changes with the rapid development and deployment of computer and network-technologies, however, it brings many security problems. Information security thus becomes the focus of current research. Information security toolkit is just the key to these information security problems. Based on object-oriented techniques we developed self-copyrighted Chinese Information Security Toolkit (CIST), which provides various information security services.In this project, we designed and implemented key management and message mechanism.There are seven types of objects that implement PKI functions. They are: Device Object, User Object, Context Object, Certification Object, Keyset Object, Envelop Object and Session Object. Message management mechanism is the principal part of CIST kernel. It is responsible for communications among objects and checking related to object access in the systems. In CIST, communications among objects and communication between system internals and system externals are implemented via messages. Meanwhile, message management and forwarding are implemented in message manager. This kind of message mechanism implementation makes system internals isolated from user application completely, thus greatly enhanced system security.Key management includes key generation and key storage, backup and restore. Key management follows general specification and standards of this fields that support key storage backup methods in the form of files, DBMS, HTTP and LDAP. Furthermore, system is designed to have its own memory management method in order to secure runtime sensitive data in memory.The designing and implementation of CIST provides powerful support for information security of our nation. What's more, due to the generosity of information and network deployment, CIST might have profound application perspective as well as social economy benefit.
引文
[1] 吴世忠,祝世雄,张文政等译.应用密码学——协议、算法与C源程序.北京:机械工业出版社,2000.
[2] 谭思亮.监听与隐藏—网络侦听揭密与数据保护技术.北京:人民邮电出版社,2002.
[3] RFC 2510: C.Adams, S.Farrell. Internet X.509 Public Key Infrastructure: Certificate Management Protocols, March 1999.
[4] Peter Gutmann. X.509 style Guide. URL:http://www.cs.auckland.ac.nz/~pgut001/pbus/pfx.html.
[5] RFC 2527: S.Chokhani, W.Ford. Internet X.509 Public Key Infastructure: Certificate Policy and Certification Practices Framework, March 1999.
[6] RFC 2459: R.Housley, W.Ford, W.Polk. Internet X.509 Public Key Infrastructure: Certificate and CRL Profile, January 1999.
[7] Heinz Johner, Larry Brown, Franz-Stefan Hinner, Wolfgang Reis, Johan Westman. Understanding LDAP. International Technical Support Organization, June, 1998.
[8] 赵宏建,孙吉贵.目录服务技术的分析比较在PKI中的实现.吉林大学自然科学学报,2001.10.
[9] Michael Donnelly. An Introduction to LDAP, April 2000.
[10] 骆俐倩,安常青,李学农.LDAP在校园网公钥认证体系中的应用.计算机工程与设计,2002.3.
[11] RFC 2559: S.Boeyen, T.Howes, ERichard. Interact X.509 Public Key Infrastructure: Operational Protocols-LDAPv2, April 1999.
[12] Peter Gutmann. The Sortware Architecture. URL:http://www.cypherpunks.to/~peter/01_software_arch.pdf.
[13] Peter Gutmann. The Kernal Implementation. URL:http://www.cypherpunks.to/~peter/03_implementation.pdf.
[14] Donald Firesmith, John Wiley and Sons. Object-Oriented Requirements Analysis and Logical Design: A Software Engineering Approach, 1993.
[15] David Taenzer, Murhty Ganti, and Sunil Podar. Problems in Object-Oriented Software Reuse. Proceedings of the 1989 European Conference on Object-Oriented Programming (ECOOP'89), Cambridge University Press, July 1989.
[16] Peter Gutmann. Cryptlib v3.1 Security Toolkit Manual, 2002.
[17] Bjarne Stroustrup. The C++ Programming Language (Special Edition). Published by arrangement with the original publisher, 2002.
[18] 卢开澄.计算机密码学——计算机网络中的数据保密与安全.北京:清华大学出版社, 2000.
[1
[19] 阙喜戎,孙锐,龚向阳,王纯.信息安全原理与应用.北京:清华大学出版社,2003.
[20] Peter Gutmann. Random NumberGeneration. URL:http://www.cypherpunks.to/~peter/06_random.pdf.
[21] Peter Gutmann. PKI Technology Survey and Blueprint. URL:http://www.es.auckland. ac.nz/~pgut001/pbus/pkitech.pdf.
[22] 刘伟峰,陈怀义.基于面向对象的PKI密钥的软件生成.计算机工程与科学(已录用).
[23] Arto Salomaa. Public-Key Cryptography. Springer-Verlag, 1990.
[24] Audun Josang Modelling Trust in Information Security. URL:http://www.item.ntnu.no/~ajos/index.html, 1998.
[25] Andrew Nash, William Duane, Celia Joseph, and Derek Brink. PKI: Implementing and Managing E-Security, 2000.
[26] Peter Gutmann. Cryptlib v3.1 Security Toolkit Brochure, 2002.
[27] Eric Rescorla著,崔凯译.SSL与TLS——Designing and Building Secure Systems, 北京:中国电力出版社,2002.
[28] Mark Wilcox. Implementing LDAP, March 1999.
[29] PKCS #15 v 1.1: Cryptographic Token Information Syntax Standard. URL:ftp://rsasecurity.com/pub/pkcs/pkcs-15/pkcs-15v1_1 .pdf.
[30] PKCS 12 v1.0: Personal Information Exchange Syntax. URL:ftp://rsasecurity.com/pub/pkcs/pkcs- 12/pkcs- 12v1.pdf.
[31] PKCS #15—A Cryptographic-Token Information Format Standard. URL:http://www. usenix.org/publications/library/proceedings/smartcard99/full_papers/nystrom/nystrom.pdf
[2] 谭思亮.监听与隐藏—网络侦听揭密与数据保护技术.北京:人民邮电出版社,2002.
[3] RFC 2510: C.Adams, S.Farrell. Internet X.509 Public Key Infrastructure: Certificate Management Protocols, March 1999.
[4] Peter Gutmann. X.509 style Guide. URL:http://www.cs.auckland.ac.nz/~pgut001/pbus/pfx.html.
[5] RFC 2527: S.Chokhani, W.Ford. Internet X.509 Public Key Infastructure: Certificate Policy and Certification Practices Framework, March 1999.
[6] RFC 2459: R.Housley, W.Ford, W.Polk. Internet X.509 Public Key Infrastructure: Certificate and CRL Profile, January 1999.
[7] Heinz Johner, Larry Brown, Franz-Stefan Hinner, Wolfgang Reis, Johan Westman. Understanding LDAP. International Technical Support Organization, June, 1998.
[8] 赵宏建,孙吉贵.目录服务技术的分析比较在PKI中的实现.吉林大学自然科学学报,2001.10.
[9] Michael Donnelly. An Introduction to LDAP, April 2000.
[10] 骆俐倩,安常青,李学农.LDAP在校园网公钥认证体系中的应用.计算机工程与设计,2002.3.
[11] RFC 2559: S.Boeyen, T.Howes, ERichard. Interact X.509 Public Key Infrastructure: Operational Protocols-LDAPv2, April 1999.
[12] Peter Gutmann. The Sortware Architecture. URL:http://www.cypherpunks.to/~peter/01_software_arch.pdf.
[13] Peter Gutmann. The Kernal Implementation. URL:http://www.cypherpunks.to/~peter/03_implementation.pdf.
[14] Donald Firesmith, John Wiley and Sons. Object-Oriented Requirements Analysis and Logical Design: A Software Engineering Approach, 1993.
[15] David Taenzer, Murhty Ganti, and Sunil Podar. Problems in Object-Oriented Software Reuse. Proceedings of the 1989 European Conference on Object-Oriented Programming (ECOOP'89), Cambridge University Press, July 1989.
[16] Peter Gutmann. Cryptlib v3.1 Security Toolkit Manual, 2002.
[17] Bjarne Stroustrup. The C++ Programming Language (Special Edition). Published by arrangement with the original publisher, 2002.
[18] 卢开澄.计算机密码学——计算机网络中的数据保密与安全.北京:清华大学出版社, 2000.
[1
[19] 阙喜戎,孙锐,龚向阳,王纯.信息安全原理与应用.北京:清华大学出版社,2003.
[20] Peter Gutmann. Random NumberGeneration. URL:http://www.cypherpunks.to/~peter/06_random.pdf.
[21] Peter Gutmann. PKI Technology Survey and Blueprint. URL:http://www.es.auckland. ac.nz/~pgut001/pbus/pkitech.pdf.
[22] 刘伟峰,陈怀义.基于面向对象的PKI密钥的软件生成.计算机工程与科学(已录用).
[23] Arto Salomaa. Public-Key Cryptography. Springer-Verlag, 1990.
[24] Audun Josang Modelling Trust in Information Security. URL:http://www.item.ntnu.no/~ajos/index.html, 1998.
[25] Andrew Nash, William Duane, Celia Joseph, and Derek Brink. PKI: Implementing and Managing E-Security, 2000.
[26] Peter Gutmann. Cryptlib v3.1 Security Toolkit Brochure, 2002.
[27] Eric Rescorla著,崔凯译.SSL与TLS——Designing and Building Secure Systems, 北京:中国电力出版社,2002.
[28] Mark Wilcox. Implementing LDAP, March 1999.
[29] PKCS #15 v 1.1: Cryptographic Token Information Syntax Standard. URL:ftp://rsasecurity.com/pub/pkcs/pkcs-15/pkcs-15v1_1 .pdf.
[30] PKCS 12 v1.0: Personal Information Exchange Syntax. URL:ftp://rsasecurity.com/pub/pkcs/pkcs- 12/pkcs- 12v1.pdf.
[31] PKCS #15—A Cryptographic-Token Information Format Standard. URL:http://www. usenix.org/publications/library/proceedings/smartcard99/full_papers/nystrom/nystrom.pdf