基于PKI的电子政务安全性的研究与实现

上海交通大学硕士学位论文基于PKI的电子政务安全性的研究与实现姓名：张利荣申请学位级别：硕士专业：计算机技术指导教师：李小勇20070901-3--4--5-(PublicKeyInfrastructurePKI)PKIPKIPKIPKIPKI-(SSL)CACAJavaServletPKI()-6-AbstractThetechnologyofE-Governmentisanewtechnologyofcomputerapplication,whichrealizestheelectronicgovernanceandsocialservicebytheinformationtechnologyandnetworktechnology.Itisanimportantbasetotheinnovationofthegovernmentsystemandthefunctionsofthegovernment.However,becauseoftheopendesignofcomputernetwork,whenpeopleprofitfromtheadvantagesbroughtbytheE-Government,theyhavetoconfronttheincreasinglyseriousproblemoninformationsecurity.HowtodispelthesecurityandtrustcrisisintheE-Governmentbuildinganddeveloping,ensuremanagementandservicefunctionofgovernmenteffective,becomeanurgentproblemsinthewayofE-Governmentpopularization.PublicKeyInfrastructure(PKI)isthemostcomprehensivetechnologyintheinformationsecurefield.Meantime,alotofnewtechnologyinPKI,suchasarchitecture,algorithm,Keymanagement,areappearingconstantly.Ourcountryisbigcountryinthefieldofnetwork.ItisverynecessaryandveryurgenttodevelopourownPKItechnology.Inviewofthis,thispaperisdevotedtothePKIandsecurityapplicationstudyintheE-Governmentfiled.Thisdisserationintroducessomebroadlyusedarithmeticintheworld,analyzesthetraitsofthearithmetic,anddiscussesthefunctionsofsymmetricalarithmeticandasymmetricalgorithm.Inthepaper,itthedefiniens,sortsandframeworkofcertificationareintroduced,andthepurposeofcertificationarediscussed.Thenweresearchesthefunction,standardandstructureofPKI,discussesthetraitsofsomesecurityprotocolsinPKI,especially,inSSL(SecureSocketlayer)protocol.Afterresearchingthesetheories,thisdissertationputsforwardthearchirecturaeschemaanddesignideaofWujiangcitymanagementbureauE-Governmentbasedontheauthors’background.Basedonthisidea,thispaperhastwopartsfordesigning.OneisthedesignandimplementofCAserver.Anotherisidentityauthority.IntheCAserver,thispaperputsforwarditsarchitecture;stuidiesfromfunctionanalyzetofunctionimplementent,designstheallauthoritymodulesusingJavaServlet.Inidentityauthoritysystem,itusesthesamestudyway,putsforthfromthearchirecturaeofidentityauthority,studiesthewholeschema,analyzesandimplementstheuserinformationmodule,datasychronicationandidentityauthoritysystemindeeply.KeyWordsInformationSecurityE-GovernmentPKI(PublicKeyInfrastructure)DigitalCertificationCertificateAauthenticationCenter-9-1.1[1][2][3]()1976W.DiffieM.HellmanNewDirectionsinCryptography-[4]PKIPublicKeyInfrastructure-10-PKIPKIPKIPKIPKIPKIPKI1.2PKIPKIPKIPKIVerisignRSAMicrosoftGTE(Baltimore)[7][8]PKIPKI1996PKI(FPKISteeringCommittee)FPKIPKIPKIFPKI1998CA(FPMA)PKI[9]20017(FederalBridge)PKI[10]FBCA(NASA)(USDA)200191[11]PKIB2B93/1999ECPKIPKIICE-TELICE-CARPKIPKICACA[11]90-11-199819992003191742004IT5[11][12][13][14]20901.3PKI1.4PKIPKI--12-(SSL)CACAJavaServlet-13-PKI2.1[15][16][17]2.1.1[17]()KEMC=()KDMC=()64-14-[18](())KKDEMM=5(2-1)2-1Fig2-1FlowofSymmetricalAlgorithm1)2)3)4)5)(//)1.DES(DataEncryptStandard)1977(AmericanNationalStandardsinstituteANSI)[19]DES64566464DESDES2.TDES(TripleDES)TDESDES1K2K3K1KDESP1()KEP2KDES21(())KKDEP3KDES321((()))KKKEDEPTDES64563168×=TDESDESTDESDES1/3TDES3.Blowfish-15-BlowfishBruceSchneier199332DES5K448[20]Blowfish642.1.2()RSAMcElieceDiffeHellmanRabinOngFiatShamirEIGamalRSA[21]2-22-2Fig2-2FlowofAsymmetricalAlgorithm1()KEMC=2()KDCM=21(())KKDEMM=AB1)ABBA2)AB3)AB-16-4)BCARSADES1001.RSARSA1978MITRonRivestAdiShamirLeonardAdleman[21]RSAPKIRSA1)pq2)npq=()(1)(1)npqφ=−−3)e(1)(1)pq−−4)d1mod(())ednφ=()mod(())ekExxnφ=()mod(())ekDxynφ=()en()dnn()(1)(1)npqφ=−−dRSAnpq=51210242.DHDifferHellmanDHDH10243.ECCECC(EllipticCurvesCryptography)-17-192ECCECCECCRSA2.1.3(Hash)128-256H123h()Hxh=4xyx≠()()HxHy=5()()HxHy=()xy(MAC)MD5SHA1.MD5MD5(Message-DigestAlgorithm-5)90MITLaboratoryforComputerScienceRSADataSecurityIncRonaldL.RivestMD2MD3MD4MD55121282.SHASHA(SecureHashAlgorithm)1993NISTNationalInstituteofStandardsandTechnology512160MD5MD2MD4HMACSHA-12.1.4-18-1.A()AHashM2.A3.A()()4.ABBkey()5.AB6.Bkey()7.BAA8.BAAA9.B()BHashM10.()AHashM()BHashMABRSARSA2.2PKIPKIPKI[21][22]PKI-19-PKIPKIPKIInternetPKI2.2.1PKIPKICARACRL2-3[24]1.CACAPKICAPKI()CA(CRL)2.RA(RegistrationAuthority)RACACAPKIRACA3.CAPKIX.500LDAPHTTPFTP4.PKICA5.PKICA-20-CACRL6.PKIPKICertificationAuthority(CA)RegistrationAuthority(RA)X.500direvtoryPCPCPC2-3PKIFig2-3ArchitectureofPKISystemPKI2.2.2PKIPKIPKIPKIPKCSRSAPKIPKI[25]IETFPKIXPKIX2-1PKIX-21-2-1PKIXTable2-1ComprehensiveofPKIXdatasheetAttributeAuthorityAAAttributeCertificateACCertificateCertificationAuthorityCACertificatePolicyCPCertificationPracticeStatementCPSEnd-EntityEEPublicKeyCertificatePKCPublicKeyInfrastructurePKIPrivilegeManagementInfrastructurePMIRegistrationAuthorityRARelyingPartyRootCACASubordinateCACASubjectPKIXPKIPMIPKIPMIPKCACPKIXX.509X.509CRLPKIPKI-22-LDAPv2(LDAPv3)FTPHTTPCPSCPCPSCPCPSCPSCPS/5RFC2-2[25][26][27]2-2RFCTable2-2DatasheetofRFCRFCX.509X.509RFC2459RFC3280RFC2875RFC3039RFC3281PKIXRFC2510RFC2511RFC2528RFC2797RFC2559RFC2585RFC2560RFC2587RFC2527/RFC3029RFC3161RFC33792.2.3PKIPKIPKIPKICACACA1)2-4CACACACACA-23-CACA1CA2CA212-4CAF