搜索
‹#›为了安全总是握奇2009年1月14日SecuritypaymentandtrustedcomputeproductionslinePKIintroduction‹#›为了安全总是握奇Content•InformationSecurityBackground•PKIFoundation•AWholePKISystem•Standardsandreference‹#›为了安全总是握奇theprimarytargetoftheinformationsecurity•assurethesenderishimself•defendthedocumentbereaded/writedwithouttheauthentication•defendtheamendfordocumentwithouttheauthentication•senderdon’tdeniedthedocuments•thearbitrationauthority‹#›为了安全总是握奇theessenceandcountermeasureofthesecuritythreatssecuritythreatscountermeasuresLawlesslyaccesssystemforoperatingdocumentsAccesscontrol/operationcontrolWiretaptheinformationorleakdocumentencryptForgerytransactionordeliverdocumentauthenticationthedocuments’sourcedocumentsbesophisticatedordeleteddocumentintegralitySenderorreceiverdenythedocumentsundeniable‹#›为了安全总是握奇PKI(PublicKeyinfrastructure)–PublicKeyInfrastructure(PKI)–Supplythesolutionsforthesecurityofelectronicworld‹#›为了安全总是握奇Content•InformationSecurityBackground•PKIFoundation•AWholePKISystem•Standardsandreference‹#›为了安全总是握奇PKI?•Infrastructure•InfrastructurebasedonPublicKey•Supplysecuritybasicarchitecturebypublickeyprincipleandtechnology‹#›为了安全总是握奇symmetricalKeyencrypt/decryptprocess•twopartsusethesamekey‹#›为了安全总是握奇problemsaboutthesymmetricalKeymanagethekeysandassureconfidentialityaretheimportantproblems‹#›为了安全总是握奇publicKeyencryptprinciple•publicKeyencrypt(asymmetricalKey)–apairofkeys(privateKeyandpublickey)insteadofthesymmetricalkey–sendedinformationisencryptedbypublickey,receivepartusetheprivatekeydecryptinformation–publickeymayspreadfreely–privateandpublickeydothedigitalsignatureandvalidatethesignature•Assuretheintegralityandauthenticationsender‹#›为了安全总是握奇asymmetricalkeyencryptprocess•onepublickeyandoneprivatekey‹#›为了安全总是握奇compareabouttwoencrypttypessymmetricalkeyasymmetricalkeykeycountsSinglekeyApairofkeys(privateandpublicKeys)statementKeymustsecrecyApublickeyandaprivatekeymanagementsimpleanddifficultyformanagementneeddigitalcertificationandtrustedthirdpartencryptvelocityquicklyslowlyapplicationmassdatainformationsmalldatainformation‹#›为了安全总是握奇Digestarithmeticverifytheinformationbenotsophisticated•outputresultiscomputedbythedigestarithmetic•Theresulthavethesamelength,usuallyis128bitsor160bits,nowwehavethe32*8bits-differentinput,thesameoutput-everybitdoeshash•thefileswithsamehashresultsisimpossible•Anychangewillhavethedifferenthashresult‹#›为了安全总是握奇DigitalSignatureOperationDataMD5\SHA1\SHA256‹#›为了安全总是握奇Terms•signature–privatekeyencrypt•validatesignature–publickeydecrypt•asymmetricalencrypt–publickeyencrypt•asymmetricalencryptdecrypt–privatekeydecrypt‹#›为了安全总是握奇Content•InformationSecurityBackground•PKIFoundation•AWholePKISystem•Standardsandreference‹#›为了安全总是握奇Scene•twopeople(parts)–小明jack–小华harry•event–小明写信给小华jackwritetheinformationtoharry•Keystype‹#›为了安全总是握奇‹#›为了安全总是握奇‹#›为了安全总是握奇asymmetricalKeymechanicalisenough?•wealsodothese:–informationsecuritypolicy-definetheruleofkeymechanicaloperation–generateKey、storeandmanage–howtogeneratetheKeyanddigitalcertificate,howtoissueanduse.‹#›为了安全总是握奇ThetargetofPKI–confidentiality•transactioninformationsecrecy–integrality•transactioninformationintegrity–reality•identityisrealityandmaybeverified–undeniable•transactionbehaviorisundeniable‹#›为了安全总是握奇ModulesinthePKISystem信息安全政策informationsecuritypolicy;注册管理中心(RegistrationAuthority,RA)证书管理中心(CertificateAuthority,CA);证书发布系统(DirectoryService,DS)PKI应用系统PKIapplicationsystem‹#›为了安全总是握奇RegistrationAuthority,RA•RAisthemiddleinterfacebetweenusersandCA,itacceptandauthenticatetheusers’documentsandbringforwardtheapplicationforcertification.‹#›为了安全总是握奇CA(certificateAuthority)•CAisthebasementofPKIsystem•Thedigitalcertificatelifecycle,CAinclude:–Issuethedigitalcertificatewithuser’sID、PublicKey、Digitalcertificate–availabledataofcertificate–CAmayabolishthecertificationaccordingtheCRL(CertificaterevocationList)‹#›为了安全总是握奇aboutdigitalcertificate•contentsincertification:–privateinformation–CAinformation–Publickeyofuser’s–Availabledata–DigitalsignatureforcertificationcontentsbyCA–……‹#›为了安全总是握奇X.509Digitalcertificateformat‹#›为了安全总是握奇Digitalcertificatesketchmap‹#›为了安全总是握奇DigitalcertificateandIDCardName:BrianLiuSerialnumber:484865Issuedby:ABCcorpCAIssuedate:19970102Expirationdate:19990102Publickey:38ighwejbDigitalSignature:hwefdsaf‹#›为了安全总是握奇Digitalcertificatelifecycle‹#›为了安全总是握奇CertificateIssuehowtogetthecertificate•RAortheapplication(smartcard\usbkey)generatethepublicandprivatekeys•RAtransferacertificaterequestwithpublickeytoCA(RAvalidatetheidentityofuser)•CAissuethecertificatetouser•applicationorsmartcardorusbkeystorethecertificate•CAreleasethecertificate‹#›为了安全总是握奇CertificationAuthentication•verifythevalidityofcertificate:•小华取得小明的证书??•applicationperformanceprocess–getjack’scertificationandCA’srootcertification–computethehashofjack’scertificatebyCA’srootpublickey–getthehashofjack’scertificate–comparetwohashdata–checkoutthetime‹#›为了安全总是握奇Certificateissuesystem•CertificatecanbeissuedbymultiplestylesunderthePKIframework–UserselforLDAP(目录服务)‹#›为了安全总是握奇PKIapplications•PKIappli