Design and Implementation of a Small CA Certification System
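Abstract
With the development of computer network technology, networks, and the Internet in particular, have brought great convenience to people's lives and work; online shopping, online banking and online stock trading are now commonplace. While computer networks have changed the way people live and raised the productivity of enterprises, they have also exposed serious security risks. To guarantee the confidentiality, integrity and non-repudiation of data on the network, there must be corresponding facilities to provide these services. PKI is such an infrastructure: built on public-key cryptography, it provides information security services to users.
     As the core component of PKI, the CA certification system binds a user's public key to the user's identity information and issues standard X.509 certificates to users. The CA certification system solves the problem of key distribution and management well; using digital certificates to encrypt and sign transmitted data ensures the confidentiality, authenticity, integrity and non-repudiation of the data.
     Many CA certification centers have already been established, for example regional CA certification centers and financial certification centers, and many companies can build a CA certification system for their customers, for example Jilin University Information Technologies (吉大正元) and iTrusChina (天威诚信). The existing commercial CA centers are fully capable of meeting a campus network's need for digital certificates. However, on the one hand, the school cannot afford the high fees; on the other hand, new system functions are not implemented flexibly or promptly, and they are expensive. In addition, the school has professionals who can operate and maintain a PKI system. Establishing a campus CA center is therefore both necessary and feasible.
     Based on a study of the theory and technology of PKI, this thesis designs and implements FoxCA, a small CA system with good security, generality and extensibility. The system implements most of the functions of a CA: generating the root certificate, issuing X.509 certificates, revoking certificates, saving certificates to a USB Key, and so on. The system has a compact structure and is easy to use.
     Finally, the thesis analyzes the security of FoxCA, summarizes the work and discusses directions for further research on the system.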
With the development of computer network technology, the computer plays an increasingly important role in people's lives and work, and e-commerce has become popular and widespread. Computer and information technologies have changed the way people live and improved the efficiency of business, but they have also exposed weaknesses to people who want to commit crimes. Security measures are needed to provide confidentiality, integrity, authentication and non-repudiation for Internet applications. As an information security infrastructure, Public Key Infrastructure (PKI) is based on public-key cryptography.
     The Certificate Authority (CA) is the key component of PKI. It issues standard X.509 certificates, which bind a user's public key to the user's other identification information. As a good solution to the problems of key distribution and management, the CA makes it possible to use digital certificates to encrypt and sign transmitted data, ensuring the confidentiality, authenticity, integrity and non-repudiation of the data.
     At present many CA certificate centers have been established, for example local CA certificate centers and financial certificate centers. Many enterprises are also able to build CA authentication systems, such as JiLin University Information Technologies Co. Ltd and iTrusChina. The available commercial CA centers are fully capable of meeting the campus network's demand for digital certificates. However, on the one hand, the college cannot bear the high expense; on the other hand, additional system functions are not implemented flexibly or promptly, and they are expensive. In addition, many schools have professionals who can use and maintain a PKI system. The establishment of a campus CA center is not only necessary but also feasible.
     Starting from the related theory and technology of PKI, the paper designs and implements a small CA system, FoxCA, with good security, generality and extensibility. The system implements the majority of CA functions, including generating the root certificate, issuing X.509 certificates, revoking certificates and saving certificates to a USB Key. The system has a simple structure, is easy to use, and so on.
     Finally, we analyze the security of FoxCA, summarize the paper and look ahead to further research on the system.
