基于PKI的CA安全认证服务器的研究与实现
|
摘要
随着Internet以及电子商务的发展,人们对信息安全的需要越来越迫切。但
是在传统的信息加密技术中,密钥的分发一直没有得到很好的解决,而基于公钥
体制的PKI(Public Key Infrastructure,即公共密钥基础)技术通过CA认证中心
发布证书的方式较好地解决了这一问题。PKI可以为网络上的各种应用提供机密
性、完整性、身份鉴别和反否认的安全保障,而CA认证中心是PKI系统中的重
要组件。
本文阐述了PKI系统的模型、功能和应用,重点讨论了CA认证中心的证书
发布、层次结构、作废证书的发布机制等问题,以及它们对系统的可伸缩性和性
能的影响。最后详细阐述了在Linux下实现符合PKIX标准的CA服务器的设计
思想和方法。
With the development of Internet and Electronic Commerce, there is a high
demand for information safety. In the traditional encryption technique, the distribution
of key still hasn't a perfect solution. While PKI technique based public key system
resolves it through issuing the certificates by CA (Certification Authority). PKI is a
transparent and seamless platform for the network system provided the service of
confidentiality, integrity, authentication and non-repudiation, and CA is a necessary
and important component of PKI.
In this dissertation the author firstly describes PKI modules, function and
application, then emphatically discusses CA's certificates issuing and issuance
mechanism of revoked certificates and hierarchy of CA. Furthermore analyses the
influence impacted to the performance and scalable of the system. Finally presents the
realization of CA server for safe certification conforming to PKIX standard.
是在传统的信息加密技术中,密钥的分发一直没有得到很好的解决,而基于公钥
体制的PKI(Public Key Infrastructure,即公共密钥基础)技术通过CA认证中心
发布证书的方式较好地解决了这一问题。PKI可以为网络上的各种应用提供机密
性、完整性、身份鉴别和反否认的安全保障,而CA认证中心是PKI系统中的重
要组件。
本文阐述了PKI系统的模型、功能和应用,重点讨论了CA认证中心的证书
发布、层次结构、作废证书的发布机制等问题,以及它们对系统的可伸缩性和性
能的影响。最后详细阐述了在Linux下实现符合PKIX标准的CA服务器的设计
思想和方法。
With the development of Internet and Electronic Commerce, there is a high
demand for information safety. In the traditional encryption technique, the distribution
of key still hasn't a perfect solution. While PKI technique based public key system
resolves it through issuing the certificates by CA (Certification Authority). PKI is a
transparent and seamless platform for the network system provided the service of
confidentiality, integrity, authentication and non-repudiation, and CA is a necessary
and important component of PKI.
In this dissertation the author firstly describes PKI modules, function and
application, then emphatically discusses CA's certificates issuing and issuance
mechanism of revoked certificates and hierarchy of CA. Furthermore analyses the
influence impacted to the performance and scalable of the system. Finally presents the
realization of CA server for safe certification conforming to PKIX standard.
引文
1. Network Working Group, [RFC 2459] Internet X.509 Public Key Infrastructure Certificate and CRL Profile, January 1999
2. Network Working Group, [RFC 2510] Internet X.509 Public Key Certificate Management Protocols, March 1999
3. Network Working Group, [RFC 2511] Internet X.509 Certificate Requested Message Format , March 1999
4. Network Working Group, [RFC 2527] Internet X.509 Public Key Infrastructure Certificate Policy and Certification Practices Framework, March 1999
5. Network Working Group, [RFC 2528] Internet X.509 Public Key Infrastructure Representation of Key Exchange Algorithm (KEA) Keys in Internet X.509 Public Key Infrastructure Certificates. March 1999
6. Network Working Group, [RFC 2559] Internet X.509 Public Key Infrastructure Operational Protocols-LDAPv2, April 1999
7. Network Working Group, [RFC 2560] X.509 Internet Public Key Infrastructure Online Certificate Status Protocol-OCSP, June 1999
8. Network Working Group, [RFC 2585] Internet X.509 Public Key Infrastructure Operational Protocols: FTP and HTTP, March 1999
9. Network Working Group, [RFC 2587] Internet X.509 Public Key Infrastructure LDAPv2, March 1999
10. Network Working Group, [RFC 1777] Lightweight Directory Access Protocol, March 1995
11. Dr.Carlisle Adams & Robert Zuccherato, A General, Flexible Approach to Certificate Revocation, Enstrust Technologies, June 1998
12. David A.Cooper, A Model of Certificate Revocation, In Proceedings of Fifteenth Annual Computer Security Application Conference, Pages 256-264, December 1999
13. David A.Cooper, A More Efficient Use of Delta-CRL, In Proceedings of Fourteenth Annual Computer Security Application Conference, October 1999
14. Nist PKI Project Team, Certificate Issuing and Management Componets Protection Profile, December 1999
15. W.Richard Stevens, UNIX Network Programming (Volume 1) -Networking APIs: Sockets and XTI, PRENTICE HALL Inc..., July 1998
16. Andrew Tanenbaum, Computer Networks (Volume 3) , PRENTICE HALL, July 1998
17. W.Richard Stevens, UNIX Network Programming (Volume 2) -Interprocess Communications, PRENTICE HALL,Inc., July 2000
18. (美)Kay A.Robbins&Steven Robbins,实用UNIX编程,机械工业出版 社,1999年10月
19. 周巍松等,Linux系统分析与高级编程技术,机械工业出版社,1999年 12月
20. (美)William Stallings,网络安全要素--应用与标准,人民邮电出 版社,2000年11月
21. (美)Bruce Schneier,应用密码学--协议、算法与C源程序,机械 工业出版社,2000年5月
22. 徐延明,林立志等,Linux编程指南与实例,人民邮电出版社,2000年 8月
23. (美)David Tansley,Linux与Unix Shell编程指南,机械工业出版社, 2000年6月
24. 樊宓丰,林东等,网络信息安全与PGP加密,清华大学出版社,1998 年8月
25. 陈莉君,Linux操作系统内核分析,人民邮电出版社,2000年3月
2. Network Working Group, [RFC 2510] Internet X.509 Public Key Certificate Management Protocols, March 1999
3. Network Working Group, [RFC 2511] Internet X.509 Certificate Requested Message Format , March 1999
4. Network Working Group, [RFC 2527] Internet X.509 Public Key Infrastructure Certificate Policy and Certification Practices Framework, March 1999
5. Network Working Group, [RFC 2528] Internet X.509 Public Key Infrastructure Representation of Key Exchange Algorithm (KEA) Keys in Internet X.509 Public Key Infrastructure Certificates. March 1999
6. Network Working Group, [RFC 2559] Internet X.509 Public Key Infrastructure Operational Protocols-LDAPv2, April 1999
7. Network Working Group, [RFC 2560] X.509 Internet Public Key Infrastructure Online Certificate Status Protocol-OCSP, June 1999
8. Network Working Group, [RFC 2585] Internet X.509 Public Key Infrastructure Operational Protocols: FTP and HTTP, March 1999
9. Network Working Group, [RFC 2587] Internet X.509 Public Key Infrastructure LDAPv2, March 1999
10. Network Working Group, [RFC 1777] Lightweight Directory Access Protocol, March 1995
11. Dr.Carlisle Adams & Robert Zuccherato, A General, Flexible Approach to Certificate Revocation, Enstrust Technologies, June 1998
12. David A.Cooper, A Model of Certificate Revocation, In Proceedings of Fifteenth Annual Computer Security Application Conference, Pages 256-264, December 1999
13. David A.Cooper, A More Efficient Use of Delta-CRL, In Proceedings of Fourteenth Annual Computer Security Application Conference, October 1999
14. Nist PKI Project Team, Certificate Issuing and Management Componets Protection Profile, December 1999
15. W.Richard Stevens, UNIX Network Programming (Volume 1) -Networking APIs: Sockets and XTI, PRENTICE HALL Inc..., July 1998
16. Andrew Tanenbaum, Computer Networks (Volume 3) , PRENTICE HALL, July 1998
17. W.Richard Stevens, UNIX Network Programming (Volume 2) -Interprocess Communications, PRENTICE HALL,Inc., July 2000
18. (美)Kay A.Robbins&Steven Robbins,实用UNIX编程,机械工业出版 社,1999年10月
19. 周巍松等,Linux系统分析与高级编程技术,机械工业出版社,1999年 12月
20. (美)William Stallings,网络安全要素--应用与标准,人民邮电出 版社,2000年11月
21. (美)Bruce Schneier,应用密码学--协议、算法与C源程序,机械 工业出版社,2000年5月
22. 徐延明,林立志等,Linux编程指南与实例,人民邮电出版社,2000年 8月
23. (美)David Tansley,Linux与Unix Shell编程指南,机械工业出版社, 2000年6月
24. 樊宓丰,林东等,网络信息安全与PGP加密,清华大学出版社,1998 年8月
25. 陈莉君,Linux操作系统内核分析,人民邮电出版社,2000年3月