Design and Implementation of the CA Certification System in CPKI
Abstract
The rapid development of Internet technology and electronic commerce has greatly changed the way people live and work, and it has also introduced many security risks. Security services are therefore becoming a basic service for Internet and e-commerce applications. The infrastructure that provides these services is the Public Key Infrastructure (PKI). The purpose of PKI is to make it easy for different entities to use public-key technology.
    PKI is a set of services provided by a collection of interrelated components, which together provide public-key-based security services to upper-layer applications and users. PKI provides three core services for Internet and e-commerce technology: first, confidentiality of data; second, authentication of entities; and finally, integrity of data. This thesis first introduces the basic concepts of PKI, including the cryptography related to PKI, the components of PKI and the core services it provides, the structural framework of PKI, and the relevant technical standards. It then studies CA trust models in PKI in depth, discussing four currently popular trust models, giving the advantages and disadvantages of each, and examining certificate path processing in each trust model.
    The CA certification system is the core component of PKI; it is responsible for issuing public-key certificates to the entities in the PKI. A public-key certificate is a data structure that binds an entity's identity to its public key. This thesis discusses the design and implementation of a CA system in detail. Based on an analysis of existing CA certification systems, we designed and implemented our own CA certification system using the Cryptlib toolkit, with complete key and certificate management functions. The implementation follows internationally accepted certificate standards and specifications and has good scalability: as the deployment grows, the whole system can be extended by adding subordinate CAs. Finally, the thesis discusses the operational requirements of a CA certification system. In actual operation, the CA certification system, certificate users, and relying parties must all assume their corresponding responsibilities and obligations.
