Information Security Services Based on CSP
Abstract
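With the rapid development of networks, communication has become more frequent and information security technology has become increasingly important. CSP (Cryptographic Service Provider) is one of the basic security service frameworks proposed by Microsoft. It draws on a series of international security standards such as ASN.1 and PKCS, provides users with basic security services such as encryption, decryption and verification of information integrity, and has the advantages of being concise and easy to use. However, the CSP modules currently available to us all come from the software CSPs shipped with the Windows system. A software CSP can exist as an executable file and has the advantage of portability, but it has insurmountable shortcomings in areas such as tamper resistance, remote login and user identity authentication, and its security level is relatively low. To solve these problems, this thesis builds a domestically developed CSP with independent intellectual property rights. It is functionally similar to the Microsoft Strong Cryptographic Provider and, in addition to implementing a software CSP, introduces the Watch IC card and the Minghua EKEY as hardware devices to implement a hardware CSP. The main work of the thesis is as follows:
     (1) The current state and development trends of CSP in information security applications are introduced, and the principles of currently popular and relatively stable cryptographic algorithms are analyzed;
     (2) In addition to implementing the software CSP, two hardware devices, the Watch IC card and the Minghua EKEY, are introduced, achieving compatibility between the software CSP and the hardware CSP;
     (3) For cryptographic algorithms, key algorithms and hash algorithms that are currently popular, stable and compliant with China's encryption standards were selected. The software CSP implements 3DES, RC4, RSA, MD5 and SHA-1, and the hardware CSP additionally includes China's own encryption algorithm SSF33, to meet current application requirements;
     (4) Drawing on the strengths of the Microsoft CSPs and following their data object formats and working modes, data structures such as SIMPLEBLOB, PUBLICKEYBLOB and PRIVATEKEYBLOB were constructed, and support for the unified interface CryptoSPI was implemented;
     (5) The platform limitation of the Microsoft CSPs was overcome: the CSP was successfully ported to Linux, meeting the practical application needs of the current PKI-based security architecture.
     The above results have undergone repeated functional testing, performance testing and regression testing; they show strong stability, efficiency and practicality, and have been put to initial use in a CA system.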
With the rapid development of the Internet, information is exchanged more frequently and the problem of information security is increasingly prominent. The Cryptographic Service Provider (CSP) is the basis of Microsoft's security application framework and services. It takes ASN.1 and the PKCS series of security standards as reference and provides basic security services such as encryption, decryption, digital signature and signature verification. It has a single interface, CryptoSPI, and is easy to use. The CSP modules that are freely available to us today all come from the software CSPs shipped with the Windows system. These software CSPs are portable in that they can be carried as an executable file, but they inevitably have some limitations: they are less tamper-resistant, are inconvenient for interactive logon, e-mail signing, e-mail decryption and remote access authentication, and offer a lower level of security. To resolve these problems, in this thesis we have developed our own CSP module according to our own country's encryption standard. This module has strong cryptographic functions, just like the Microsoft Strong Cryptographic Provider. In particular, it implements a software CSP and also uses the Watch IC card and the Minghua EKEY as hardware, making both a software CSP and a hardware CSP possible. The main work of this thesis includes:
    (1) Introducing the current state and outlook of CSP in the field of information security, and analyzing the principles of popular and reliable key algorithms and hash algorithms.
    (2) Besides implementing the software CSP, completing the hardware CSP programming based on the Watch IC card and the Minghua EKEY, with good compatibility between the software and hardware CSPs.
    (3) For cryptographic algorithms, selecting and implementing popular and reliable key and hash algorithms in our CSP module: 3DES, RC4, RSA, MD5 and SHA-1 in the software component, and an additional algorithm, SSF33, in the hardware component. With these algorithms, we can satisfy users' security requirements.
    (4) Taking the advantages of the Microsoft CSPs, their data objects and their working modes as reference, building data structures such as SIMPLEBLOB, PUBLICKEYBLOB and PRIVATEKEYBLOB, and implementing the CryptoSPI interface.
    (5) Resolving the platform limitation of the Microsoft CSPs and making our own CSP run on Linux, so that it can be conveniently used in a PKI security architecture.
    After repeated testing, the above results show strong stability, good efficiency and practicality. They have been tried in a CA system.
