Research and Implementation of PKI-Based Identity Authentication Technology
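Abstract
Identity authentication is the process of verifying whether a claimed identity is genuine and valid, and it is an important component of network security technology. This paper discusses in detail the principles and implementation of PKI authentication based on the X.509 certificate format and analyzes the security of this authentication technique. In view of the large number of enterprise-level CAs and the urgent need for interoperability among them, it proposes a new trust model for interconnecting existing PKI systems and gives an optimized scheme for constructing trust paths. Finally, using digital certificates together with cryptographic techniques such as symmetric and asymmetric cryptosystems, it builds a rigorous identity authentication system that provides identity authentication, confidentiality, integrity, and non-repudiation for information in transit.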
Authentication is an important part of network security; it allows each party to a communication to be sure of the identity of the other. This article makes a thorough study of the principle and realization of the PKI authentication method and analyzes its security. With the development of enterprise CAs, the existing trust domains need to be integrated, and processing the trust path has been the main difficulty in doing so; this article puts forward a new scheme for processing the trust path. Finally, an authentication system is constructed based on digital certificates and cryptographic technology. It provides better authentication than the non-cryptographic methods currently in use and guarantees the confidentiality, integrity, and non-repudiation of the information.
Pan Juan (Computer Applied Technology), directed by Prof. Song Yu
