Research and Implementation of a CA Architecture for a Private Network
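Abstract
To address the problem of trust between entities in a networked environment, countries around the world have, after years of research, arrived at a solution: using Public Key Infrastructure (PKI) to distribute and manage certificates over the network. PKI is a trust system built on public-key theory and technology, and is a general-purpose security infrastructure that provides information security services. Built on unified security certificate standards and specifications, the system provides online identity authentication and is a collection of CA authentication, digital certificates, digital signatures, and related security application component modules.
The author first discusses the theoretical basis and general methods for implementing a CA system structure and then, building on the PKI/CA project carried out on the author's organization's private network, further studies the architecture of the PKI/CA system and the specific techniques used to implement it. The scheme has the following characteristics: (1) with reference to international standards for PKI and CA systems, it adopts a two-level management structure, central and local, with the whole certificate system under unified management; (2) it sets up a CA center and a key management center, and uses a dual-certificate scheme with separate signing and encryption certificates; (3) on top of the existing business application systems (B/W application systems, C/S application systems, the mail system, the office automation system, personal PCs, and others), it adds security functions such as an SSL security proxy, application security auditing, secure e-mail, a NOTES security extension module, and personal desktop security, meeting the application systems' security requirements for identity authentication, data security, and non-repudiation. The thesis also examines some inherent shortcomings of the CA system and identifies the specific range of applications for which CA technology is suitable under current PKI/CA technology.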
To resolve the question of trust relationships between entities in a network environment, scientists around the world have provided a solution that uses Public Key Infrastructure (PKI) to distribute and manage certificates. PKI is a trust relationship system built on public-key theory and technology. It is a universally applicable infrastructure that offers information security services. It is a collection of modules such as online authentication, CA authentication, digital certificates, digital signatures, and secure application components. The CA is not only the execution unit of PKI but also its main part. Constructing a Certificate Authority is a specific process of designing and realizing the PKI system structure. The paper first discusses the foundational theory and general methods for realizing a CA system structure. Finally, it describes the process of realizing an example Certificate Authority in a private network.
