电子政务中基于X509的证书认证中心的设计与分析研究

湖南大学硕士学位论文电子政务中基于X.509的证书认证中心的设计与分析研究姓名：张南申请学位级别：硕士专业：控制工程指导教师：张大方;廖钢20051030X.509-I-PKI(PublicKeyInfrastructure)PKI(CA-CertificationAuthority)X.509PKIPKIPKICRLCAPCIUKeyCA-II-AbstractFortheswiftdevelopingofcomputernetworktechnology,peoplecancommunicateinaconvenientandrapidway.However,becauseoftheopendesignofcomputernetwork,whenpeopleprofitfromtheadvantagesbroughtbythenetworktechnology,theyhavetoconfronttheincreasinglyseriousproblemsoninformationsecurity.It'sagreatchallengeforallcountriestofulfilltheintegrality,confidentialityandnon-repudiationofdatainanopennetworkwhentheyplantopushE-businessforwardanddeveloptheirnetworkindustries.Publickeycryptography,combinedwiththetraditionalsymmetriccryptographandthemessagedigesttechnology,canprovideconfidentiality,integrityandproofoforigin.It'sthefoundationofmanysecureapplications.Inordertoapplypublickeycryptograpinalargescale,thePublicKeylnfrastructure(PKI)isrequiredtodistributeandmanagepublickeys.ThekernelcomponentofPKIisCertificationAuthority(CA),whichisatrustedthirdpartywithresponsibilityformanagingcertificatesintheirlifecycles.sodesigningandrealizingaCAsystemsoastoensuresensitivedatumtransferringbecomeshighlyneedurgently.ThisthesisanalyzesthecharacteristicsofX.509-basedPKIsystem,andelaboratesthetheoryofauthenticationbymeansofpublic-keycertification.Thenpaymuchemphasistocertificatedistributionandtrustmodelinthedesigningofcertificateauthority.Themainbodyofthisthesisdetailsthesoftwarearchitecture,primaryfunctionalmodules,datastructuresneededbythewholesystem.Atthesametime,thisthesisdiscussesandfinallyestablishesthematerialcertificatepoliciesandCRLpolicies.Mechanisminvolvingkeycreatingandmanagingisrealizedabsolutelythroughhardware:PCIandUKey.AstoCAmainkey,itmakesuseofPCIcardtoproduceandbackup;Withuserkey,alluserkeyismanagedbyUKey.Thiseliminatesnaturalsafedefectofkeysystemwherekeyiscreatedandmanagedthroughsoftware.Thetestandtheactualmovementindicates,thisCAcentermayfastandsafeproduceuserkeyandthecertificate,simultaneouslyhashighlyeffectiveandhasthepromptcharacteristicregardingthecertificatedistribution,usesthedoublecertificatemechanismbettermetthecurrentelectronicgovernmentaffairsactualneed.Keyword:Certificateauthority;Publickeyinfrastructure;Certificatedistributing;TrustmodelX.509-III-2.1CA.............................................................................................153.1.....................................................................................................304.1.........................................................................................................344.2CA..........................................................................................344.3CA......................................................................................354.4CA.....................................................................................374.5.....................................................................................................384.6.....................................................................................................384.7.....................................................................................................395.1.................................................................................................425.2.....................................................................................43-IV-4.1.....................................................................................................394.2.............................................................................................405.1UKey.................................................................435.2.........................................................................445.3.............................................................................................451______2-1-1.11.220006302000101[1]PKI[2]PKIPKIPKIX.509-2-PKIPKIPKIPKI1.3—[3][4]IDC(InternationalDataCorporation)Internet:PKIPKIBusiness-to-businessPKIPKIBaltimore,EntrustPKIVeriSignPKIPKIPKIPKPKI[5-15]PKICACAMicrosoftCertificateServicesforWindows2000CA-3-1.41.4.1PKIPKIPKIPKI1.CACA2.CAPCIUKey3.CA4.UKeyUKey1.4.2PKIUKeyPCICAX.509-4-2.1,PKIPKI[3]PKI2.22.2.1[16],,,,,DESDataEncryptionStandard)-5-2.2.2[17-18],,RSARivestShamirAdelmanRSARSARSARSARSARSA100200pqeep-1q-1dX.509-6-dnendpqmnn2pq100n200200cci2.2.3DSADigitalSignatureAlgorithm[19]DSADSADSApLL512102464q160p-1hp-11xqHmSHApqgxym1qk2rs3-7-v=rDSAp5121024q160p-1hp-11xqkqv=r2.3PKI“PublicKeyInfrastructure”“”PKICAX.509-8-2.3.1PKIPKIInternetInternetPKI[20]PKI--CAPKIPKI[21]CAInternetPKIPKIPKIPKIPKIPKIWWWInternetVPNPKI2.3.2PKIPKIPKIPKI[22]1X.2091988ASN.1ASN.1ISO8824/ITUX.208ISO8825/ITUX.2092X.5001993X.500ISOX.500-9-PKIX.500X.500X.5003X.5091993X.509ITU-TX.500X.509X.500X.5091988X.509CAX.509v34PKCSRSAPKCSPKIPKIPKIPKI1CACertificateAuthorityCAPKIPKIRARegistrationAuthorityCACACACACRL“”X.509-10-CA2X.509CA“”“”CA3PKICACACA4PKI“”PKIPKIPKI/CA2.3.3PKIPKIPKIPKICAPKIPKIBaltimoreEntrustPKIBaltimoreUniCERTUniCERTUniCERT:(1)-11-CA,CA