Design and Implementation of the RA of the China Financial Certification Authority
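Abstract
PKI (Public Key Infrastructure) has gradually gained public acceptance and is currently in a stage of continual refinement. Built on cryptographic techniques, it provides the components and services needed to implement and operate systems that use certificates. The digital certificate is the direct carrier of PKI technology. A certification center is the organization that issues and manages digital certificates, and in concrete applications it holds the position of a third party that everyone trusts. It consists of three parts: CA, RA and DA. Of these, the RA system is the interface between the certification center and certificate users, providing user registration and management services; it is also the interface for integration with application systems.
Prompted by CFCA's requirements for an RA system, this thesis designs, on the basis of the CFCA front-end processor, an RA system that can be widely deployed. The RA system is secure and reliable, performs well, and spans both the SOLARIS and WINDOWS platforms, so it can fully meet the needs of different users. The system is highly extensible, and its scale of use can be expanded as needed. It has a friendly user interface, is easy to use, can be deployed quickly, and serves as CFCA's user interface for providing digital certificate authentication services.
On the basis of this RA system, the thesis also proposes a proxy system for use in the securities sector. It solves the problem of sharing data between the RA system and brokerages' data systems and simplifies the certificate application process for securities users, so that certificate services can be provided to them more conveniently. The proxy system is general-purpose and, with minor changes, can be used in other fields.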
Based on encryption techniques, PKI (Public Key Infrastructure) provides the modules and services for deploying a certificate system. The Certificate Authority (CA) is the organization that issues and manages certificates and is the third party that all trust. The RA (Registration Authority) is the CA's interface to certificate users, and provides user registration and user management services.
This paper designs an RA system on the FEP of CFCA. It has two versions, one for the Solaris 8 operating system and one for Windows NT. The RA system uses multi-thread technology to process requests from multiple RA clients. It achieves high security by building SPKM links between the RA system and the FEP and between the RA Server and the RA Client. The user interface is friendly, so the system is simple to operate and easy to deploy at a new site. As the interface of CFCA, the RA system provides digital services together with CFCA.
This paper also puts forward a proxy system for the RA system for use by securities brokers. The proxy system resolves the problem of data sharing between the stock system and RA systems, simplifies the process by which stock users apply for digital certificates, and provides certificate services that are more convenient for customers. With little modification, it can also be used in other fields.
