Design and Implementation of a CA Certification System
Abstract
A certificate authority (CA) system confirms users' identities by issuing them certificates; it is a widely adopted and effective framework for securing networks and information in large, open network environments. It is built on the research and development of public key infrastructure (PKI) technology and applies cryptographic techniques to make information transmitted over the network secure, reliable and trustworthy.
     Starting from an analysis of network-security requirements and users' requirements for a CA system, this thesis completes the architectural analysis and detailed design of such a system. The implementation is divided into two parts, the CA and the RA; it refers to the OpenCA implementation and uses .NET technology to realize the complete workflow of requesting, creating and publishing X.509 certificates.
     The thesis discusses the background and current state of CA system development, then presents the requirements analysis, the security architecture, the analysis and design of the system architecture, the database design, the application of cryptography, the .NET development practice, and the testing and deployment of the system.
     The design and implementation address the following problems:
     First, control of the development process. To develop the system quickly while keeping it extensible, an iterative development model is adopted: functionality is completed stage by stage, tested in parallel and refined continuously, so that errors are corrected at the earliest opportunity.
     Second, implementation of cryptographic algorithms and international standards. The asymmetric algorithms used by the system, such as RSA, the identity-authentication algorithms, the Public-Key Cryptography Standards (PKCS) and the X.509 certificate standard are all implemented in C#. The certificates produced conform to these international standards so that they can be used across the Internet.
     Third, design of the overall system structure. Drawing on experience of software development and deployment, design patterns such as the strategy pattern are applied so that the system is modular, configurable, extensible and easy to maintain. By function the system is divided into a certification authority (CA) and a registration authority (RA), both implemented with ASP.NET and C#. Key and certificate generation and management are carried out in the CA part, user registration in the RA part. Keys, certificates and user information are stored in a SQL Server 2000 database accessed through ADO.NET. An LDAP server is set up, and certificates and certificate revocation lists (CRLs) are published with the Lightweight Directory Access Protocol (LDAP). Users access the system's functions through a web browser; to protect information in transit, the Secure Sockets Layer (SSL) protocol is used between client and server, configured on the IIS server.
     Fourth, modelling of the business processes. Business process modelling is used to analyse the certificate application and issuance processes: each process is defined as a series of states, and the program advances a request through these states automatically according to how the business proceeds.
     Fifth, auditing and management of the system. To manage and monitor the whole system, a system log records users' operations, and administrators' identity authentication and privileges are strictly controlled.
     Sixth, an application programming interface. In addition to the user-facing functions, the system exposes its functions to application programs through a Web Service, for use by developers.
     A secure CA system also requires the operating organization to regulate its operations staff, establish rules and procedures and strengthen physical and other protection. These are important measures for CA security but lie outside the scope of this thesis.
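The RA/CA split, the state-driven request workflow and the CRL publication described in the Third and Fourth points above can be followed end to end in the added example below. It is not code from the thesis, which was written in C#/.NET; it uses Go's standard crypto/x509 library instead, keeps the CA signing key in process memory purely for illustration (a production CA keeps it in an HSM), and the state names, the RA policy (applicants must belong to an assumed organization "Example Corp") and the subject names are this example's own assumptions. Keys are 2048-bit RSA, matching the RSA the thesis names; the PKCS#10 request, the X.509 certificate and the CRL are produced in standard DER.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Request states, advanced only by the RA/CA methods below (state names are this example's own).
const (
	Submitted = "submitted" // PKCS#10 parsed, proof-of-possession signature verified
	Approved  = "approved"  // RA accepted the applicant's subject
	Rejected  = "rejected"  // RA declined; the CA never signs it
	Issued    = "issued"    // CA signed the certificate
	Revoked   = "revoked"   // serial recorded for the next CRL
)

var ErrRevoked = errors.New("certificate is listed on the CRL")

type Request struct {
	CSR   *x509.CertificateRequest
	State string
	Cert  *x509.Certificate
}

// RA vets applicants (assumed policy: Organization must match). CA holds the signing key (in
// memory only for this example; a production CA keeps it in an HSM) and the revocation records.
type RA struct{ AllowedOrg string }
type CA struct {
	Key          *rsa.PrivateKey
	Cert         *x509.Certificate
	serial, crls int64
	revoked      []pkix.RevokedCertificate
}

// NewCA makes a self-signed root carrying the keyCertSign and cRLSign usages the CA needs.
func NewCA(name string) (*CA, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().AddDate(10, 0, 0),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der) // parsed copy carries the generated SubjectKeyId the CRL signer needs
	return &CA{Key: key, Cert: cert, serial: 2}, err
}

// NewCSR is the applicant: a fresh RSA key pair and a PKCS#10 request signed with it.
func NewCSR(cn, org string) ([]byte, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: cn, Organization: []string{org}}}
	return x509.CreateCertificateRequest(rand.Reader, tmpl, key)
}

// Submit parses the request and drops anything whose self-signature does not verify.
func (ra *RA) Submit(csrDER []byte) (*Request, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("proof of possession failed: %w", err)
	}
	return &Request{CSR: csr, State: Submitted}, nil
}

// Review applies the RA's identity policy; the subject it approves is exactly what the CA signs.
func (ra *RA) Review(r *Request) error {
	if r.State != Submitted {
		return fmt.Errorf("cannot review a request in state %q", r.State)
	}
	r.State = Rejected
	for _, o := range r.CSR.Subject.Organization {
		if o == ra.AllowedOrg {
			r.State = Approved
		}
	}
	return nil
}

// Issue signs Approved requests only, with end-entity constraints the applicant cannot override.
func (ca *CA) Issue(r *Request) error {
	if r.State != Approved {
		return fmt.Errorf("cannot issue for a request in state %q", r.State)
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(ca.serial), Subject: r.CSR.Subject,
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().AddDate(1, 0, 0),
		BasicConstraintsValid: true, // IsCA stays false: the holder cannot issue certificates
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageEmailProtection}}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.Cert, r.CSR.PublicKey, ca.Key)
	if err != nil {
		return err
	}
	if r.Cert, err = x509.ParseCertificate(der); err != nil {
		return err
	}
	ca.serial++
	r.State = Issued
	return nil
}

// Revoke records the serial; PublishCRL signs the list relying parties fetch (from LDAP in the thesis).
func (ca *CA) Revoke(r *Request) error {
	if r.State != Issued {
		return fmt.Errorf("cannot revoke a request in state %q", r.State)
	}
	ca.revoked = append(ca.revoked, pkix.RevokedCertificate{SerialNumber: r.Cert.SerialNumber, RevocationTime: time.Now()})
	r.State = Revoked
	return nil
}

func (ca *CA) PublishCRL() ([]byte, error) {
	ca.crls++
	tmpl := &x509.RevocationList{Number: big.NewInt(ca.crls), ThisUpdate: time.Now(),
		NextUpdate: time.Now().Add(24 * time.Hour), RevokedCertificates: ca.revoked}
	return x509.CreateRevocationList(rand.Reader, tmpl, ca.Cert, ca.Key)
}

// Validate is the relying party: chain to the CA, trust the CRL only after checking its
// signature and freshness, then look the serial up.
func Validate(caCert, cert *x509.Certificate, crlDER []byte) error {
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := cert.Verify(opts); err != nil {
		return err
	}
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return err
	}
	if err := crl.CheckSignatureFrom(caCert); err != nil {
		return err
	}
	if time.Now().After(crl.NextUpdate) {
		return errors.New("CRL is stale")
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return ErrRevoked
		}
	}
	return nil
}

func main() {
	ca, _ := NewCA("Example Root CA")
	ra := &RA{AllowedOrg: "Example Corp"}
	csr, _ := NewCSR("alice", "Example Corp")
	r, _ := ra.Submit(csr)
	fmt.Println("issue before review:", ca.Issue(r)) // refused: still "submitted"
	_ = ra.Review(r)
	_ = ca.Issue(r)
	crl, _ := ca.PublishCRL()
	fmt.Println(r.State, Validate(ca.Cert, r.Cert, crl)) // issued <nil>
	_ = ca.Revoke(r)
	crl, _ = ca.PublishCRL()
	fmt.Println(r.State, Validate(ca.Cert, r.Cert, crl)) // revoked, ErrRevoked
}
```

Three points the code makes that the abstract only implies: the CA signs nothing the RA has not moved to Approved, and it signs the RA-vetted subject rather than anything supplied at signing time; the end-entity template keeps IsCA false, so a user certificate cannot be turned into an issuing one; and a revocation is invisible to relying parties until the next CRL is published, which is why Validate also refuses a CRL whose NextUpdate has passed instead of silently treating a stale list as authoritative.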