CPKI中CA认证系统的设计与实现

【作者】 钟读杭；

【导师】 陈怀义；

【作者基本信息】 国防科学技术大学 ， 计算机科学与技术， 2002， 硕士

【摘要】 Internet技术和电子商务的迅速发展，极大的改变了人们的生活和工作方式，同时也带来了许多安全隐患。因此，安全服务正在成为Internet和电子商务应用中的一种基本服务。能提供这种服务的基础设施就是公开密钥安全基础设施(PKI)。PKI的目的就是使不同的实体可以方便的使用公钥技术。 PKI是由一些相互关联的组件提供的服务的集合，这些组件共同为上层应用和用户提供基于公钥技术的安全服务。PKI为Internet和电子商务技术提供了三种主要的核心服务，首先，它可以提供数据的机密性，第二，它可以实现实体的身份认证，最后，PKI还可以保证数据的完整性。本文首先介绍了基本的PKI概念，包括与PKI相关的密码学知识，PKI的组成和提供的核心服务，PKI的结构框架和相关的各种技术标准。接下来对PKI中CA信任模型做了深入的研究，讨论了当前流行的四种信任模型，并且给出了各种模型的优缺点，以及在每种信任模型中证书路径处理的问题。 CA认证系统是PKI的核心组成部件，它负责为PKI中的实体颁发公钥证书。公钥证书是将实体的身份和公开密钥绑定在一起的一种数据结构。本文详细讨论了CA系统的设计和实现过程。在对当前各个CA认证系统进行分析的基础之上，我们利用Cryptlib工具包自行设计和实现了一个CA认证系统，它具有完整的密钥和证书管理功能。CA系统的实现遵循了国际上通用的证书标准和规范，并且具有良好的可扩展性，能够随着规模的扩大通过增加下级CA来扩展整个系统的规模。在文章的最后，还讨论了CA认证系统的运行要求。在实际运行过程中，CA认证系统，证书用户和依托方都必须承担相应的责任和义务。更多还原

【Abstract】 The rapid development of the Internet and electronic commerce has greatly changed people’s life style and working. Meanwhile,it brings many security problems. Therefore security service is becoming a basic service in the Internet and electronic commerce. The infrastructure which can provide security services is called Public Key Infrastructure (PKI).The purpose of PKI is to make it easy for entities to use public-key cryptography.PKI is a set of useful services provided by a collection of interconnected components,these Components work together to provide public-key-based security services to applications and users. PKI provides three kinds of services that are valuable to Internet and e-commerce. Firstly,it provides privacy for data. Secondly,it provides authentication of entities. Finally,it provides integrity for data. This paper first describes the fundaments of PKI,including the knowledge of cryptography,the components of PKI,the services provided by PKI,the structure and standards about PKI. Then the paper discusses the CA trust model,we will mainly describe four popular trust models,their advantage and disadvantages,and the certificate path in the trust model.Certificate Authority is the key component of PKI. which is responsible for issuing Public-key certificates to users. PKI is the data structure which bind the identity of entity with its public-key. So next,this paper discussed the design and implementation of certificate authority. Based on the analysis of many CA systems,we have designed and implemented a certificate authority,which has the full capability of certificate and key management. The design of the CA system follows the common International certificate standards,and has good scalability. In the end of this paper,we also discussed the operation requirements of certificate authority. Certificate authority,certificate holders and users that rely on the certificate all have corresponding responsibilities and obligations in the real life.更多还原