PKI

teneil

Presentation Transcript


    1. PKI?????

    2. ???? ???? PKI???? PKI????? ???

    3. ????

    4. ?1? ??

    5. §1.1 What’s PKI? Public Key Infrastructure ???? PKI??????????????????????????????????.

    6. ????????? ??????? ???? ???? ??? ?????

    7. PKI???

    8. §1.2?????PKI ???? ???? ???? ???????

    9. §1.3 PKI????? (1) ?????? ?????(Public Key Cryptography) ?????????????????.

    10. §1.3 PKI????? (2) ??

    11. §1.3 PKI????? (3) ????(Directory Services) ????????????/?????????. ????(Digital Certificate)

    12. §1.4 PKI????????? ????? IETF PKIX?SPKI Workgroup;NIST,DOT (Department of the Treasury);TOG (The Open Group);and others (including WAP Forum, etc.) ????? From Pilot Projects to Practices, Various Vendors and Products PKI?? MS Outlook/Netscape Messenger (S/MIME), IE/Navigator (SSL/TLS), PGP

    13. §1.5 PKI?????? ???? ????????? ?????????? ??????? ???? ?????? ???? ???????????? ????????

    14. ?2? ?????

    15. §2.1 ????? ????? ????? ????? ????? ????? ????? ?????

    16. ????????? ?????? ????->????->???(???)->?????(??????????)->????? ??????????? ???? ??,??,??,????,??????

    17. ????? ????,??????????? ????:???????????? let C = Cipher text, P = Plain text, k is key, E()/D() is the encryption/decryption function, then C=E(P, k), P=D(C, k) ???? ??/?????

    18. §2.2 ??????

    19. ??:???,????? ??:1)???????? 2)???? 3)???????????? ?? 4)????????

    20. ?????? ???? ??????????????????????——??????64??? ???? ????????????????1???1????????

    21. DES DES???????????????; DES?????????,??????64?,???56?,??????64?; DES?????????,??Lucifer??,?????Feistel??(Feistel Network),? DES????,?????????; http://dir.yahoo.com/Computers_and_Internet/Security_and_Encryption/RSA/RSA_Secret_Key_Challenge/

    22. IDEA Xuejia Lai?James Massey??; IDEA??????????,?????64?,???128?,??????64?; IDEA??????????,?????????,???????(?????????????????????); IDEA???????(??????),???Ascom-Tech AG??; PGP?????IDEA;

    23. RC?? RC???Ron Rivest?RSA??????????: RC1?????,?????????????Rivest?????; RC2?????????;(RC3???????RSADSI????); RC4?Rivest?1987?????????????; RC5?Rivest?1994????????????????????????????; DES(56),RC5-32/12/5, RC5-32/12/6,RC-32/12/7????1997????;

    24. AES Candidate?Rijndael AES???? ???5?????:Mars, RC6, Rijndael, Serpent, and Twofish Rijndael??????Square??,???????????(Wide Trail Strategy),???????????? Rijndael???????,???????????????;????AES???,?????128bit,?????128/192/256bit,?????r?10/12/14?

    25. SDBI SDBI?????????????????????????????????????????????????

    26. ???????(One-time pad) ???????:???????????????? ????????? ???? ??

    27. Summary DES?????????????(???????????,DES??????????); IDEA???????; RC????????????(???SSL????); AES???????,??????????;

    28. §2.3 ??????? Whitfield Diffie,Martin Hellman,«New Directions in Cryptography»,1976 ????????????????????? – ?????????; ???????????????:?????????; ??????????? – ??????(trapdoor one-way function)

    29. RSA(1) Ron Rivest, Adi Shamir?Len Adleman?1977?????1978?????; RSA???????,?????????????????,???????????????; RSA??????,????????,???????; RSA?????????(?ISO?ITU?IETF?SWIFT?)??; RSA-155(512 bit), RSA-140?1999??????;

    30. RSA (2)—?/???? ???????,p?q; ?????????,?n = pq,??????????F(n)=(p-1)(q-1); ??????e,1=e<F(n), (F(n),e)=1; ??F(n)?,e??? ????n,e,???d.(p,q????,?????,??????); ??????? ?????

    31. DH/DSA Diffie-Hellman(DH)????????,????????????????????; DH???????,??????/????; DH?????????,?????????(IETF?)??; DSA?NIST?1991??????????(DSS),????1994?5?19????; DSA?Schnorr?ElGamal???????,DSA??????????????;

    32. ElGamal ElGamal?1985?????????????????????????????????;(?????????????NIST?????????DSS) ElGamal,Schnorr?DSA?????????????,??????????????????????????

    33. ECC ECC(Elliptic Curve Cryptography,????????)?N.Koblitz?Miller?1985???,????????????????? ??: ??????; ????,?????; ???????; ?????

    34. Summary RSA???????; ElGamal????????; DSA?????????,??DSA????,??????; Diffie-Hellman???????????;

    35. §2.4 ??(??)?? ???? ??(Hash)??:?????????M???????????????H???,??????????????; ??????????? – (????collision-free); ??????????? ?????????????????,????????,????????????????????? ???????

    36. MD?? Ron Rivest???????????: MD4[Rivest 1990, 1992, 1995; RFC1320] MD5?MD4????[RFC1321] MD2[RFC1319],??Rogier??1995??? ????????IETF??,???????? ?????

    37. SHA?SHA-1 NIST?NSA???DSS???,?????????(SHS),????SHA[FIPS PUB 180],????????SHA-1[FIPS PUB 180-1] SHA/SHA-1????MD4???????,???????MD4,?????160bit ???????SHA?????

    38. HMAC HMAC??????????????? HMAC????????????????????????????

    39. SHA?MD4?MD5???

    40. ??????? ?????? ?/?????,????????? ??????? ?/??????,???????? ???? ?????,??????

    41. §2.5 ????????????

    42. ?????????????????

    43. ???? ???????????????????????????? ???????????????????????????? ????????????????,??????????????? ?????????????????????? ??????????????????,?????????????????

    44. ?????????

    45. ???????????????

    46. ??????????

    47. §2.6 ???? ???? ???? ???? ???? ????

    48. ?????? Bruce Schneier,«Applied Cryptography: Protocols, algorithms and source code in C»,1996 Simon Singh,«The Code Book»,1999 ???,???,«?????»,?????, 1999 ???,???,«?????? -- ?????»,???????????, 1999 ??,??,????,«???????? – ?????????????»,2000 William Stallings?,??,???,?????,«??????????:?????(???)»,???????,2001

    49. ?3? ????

    50. ???? ?? ??????? ???? ??????? ??????? X.509???? ????????

    51. §3.1 ?? ?????????????????????????? ???,?????????????????????????????

    52. §3.2 ???? ????(Digital ID),??“?????”?“?????”,???????????????????,??????????????????????????,??????????????????? ?????????? ? ???????????X.509?????

    53. §3.3 ???? ??????A???????B???,???????????????????A??????B?????(Certification Path)??????B???????????A????????????? ???????????A??????B?????? ???????????,????????????B????

    54. §3.4 ??????? ???????????????,?????????CA???????????????????????????????? ?????????????????????????????????????,??????????,????????CA?????????,??????????????

    55. §3.5 ??????? ??????????????????IC??CPU??? ??????????????,????,????????????????? ??????,???????????,???????,???????????????

    56. ??IC?????????,????????,??????,???????????????????? ??CPU??????,??????,?????,?????

    57. §3.6 X.509???? X.509, ITU-T Recommendation: Information Technology – Open System Interconnection – The Directory: Authentication Framework X.509?X.500????????,?PKI????,X.509??????????. X.509????????????????????. X.509?????????X.509 v3?X.509 v2 CRL???????????.

    58. X.509????

    59. §3.7 ???????? ???? ???? ???? ???? ????

    60. ??????????? ??????????? ??/?????? ?????:??????->?????->???????/????,????,???? ????:????,????,????,???? ????:????,????,????,????,????

    61. VeriSign CPS????????

    62. ?4? ????

    63. ????: ?? X.500 LDAP

    64. §4.1 ?? ???????????????,????????????????????????????????,???????????????????????? ???? ?????????(CRL)???(????X.509????) ?X.500??????????

    65. §4.2 X.500???? X.500, ITU-T Recommendation: The Directory – Overview of Concepts and Models. X.500??????????????????,?????-?????????????-??????????????????????????????????????????. X.500?PKI????.

    66. §4.3 LDAP?? LDAP, Lightweight Directory Access Protocol. LDAP??? LDAP v1, v2, v3, ldapbis, ldapext, ldup

    67. ??? PKI????

    68. ?5? PKI????

    69. ????: ?? CA?RA?EE PKI?? CA????? ??????RA ?????LRA CA????? PMI

    70. §5.1 ?? PKI????????????????????????????????????????????????? PKI???,PKI?????

    71. §5.2 CA?RA?EE

    72. ????CA ?????? ???? ????????????????; ????,?????????????????; ????,???????????????; ????,?????????????????? ????????????????; ???????????(CRL),??????; ??OCSP????????,??????; ??????,?????????????; ?????????????; …

    73. ????RA ??(????????)?CA????? ????????? ??????????

    74. ????EE ??PKI???????????,????????????

    75. §5.3 PKI?? PKI??? PKI?? PKI??

    76. §5.4 CA????? ?CA ????:  ???PKI????????;??????; ???????CA??;???CA?????????;????????; ?????????CRL; ?????????CRL;?????CRL??????;?????????;???????

    77. ??CA ?????: ????CA??CA???????;????????????; ????????????;??????;??RA???????;?RA???????????????????;????????????????????;??????????CRL; ?????CRL?????????????;??????????CRL;?????????;???????

    78. §5.5 ??????RA ??????: ???????,?????????????????; ??????; ?????; ?????LRA?????; ????????????????

    79. §5.6 ?????LRA LRA???????: ??????????????; ??????????????; ????????????????; ????????????????????; ???????

    80. §5.7 CA?????

    81. §5.8 PMI PKI?? ???? ????

    82. PMI?TSA PMI, ?Privilege Management Infrastructure, ?ANSI, ITU X.509?IETF PKIX????? ??????(PKI Based)?????,????????????????????????(? ???????????????????). TSA, ?Time Stamp Authority[RFC3162, Time-Stamp Protocol] TSA????????????????,?????????????????????.

    83. ?????????? ??????????(PMI)?????,????????:

    84. PKI?? CA, RA, Directory, EE, PKI-enabled Applications, Certificate Status Checking PKI?????????

    85. ?6? ????

    86. ???? ???????????CA???????? ??????????,??????? ??????????? Subordinated Hierarchy,Cross-certified Mesh,Hybrid,Bridge CA,Trust Lists etc. ??????,?????? ?? ????,????,??????

    87. ??? ????? ???? ?CA

    88. ?7? CPS

    89. CP?CPS CP, Certificate Policy ????????????????????? CPS, Certification Practice Statement ???????CA?CPS???????CA????? RFC 2527 Internet X.509 Public Key Infrastructure Certificate Policy and Certification Practices Framework

    90. PKI????? Certification Practice Statement ???? ?????????

    91. ???? ????? ????????? ???? ???? ??????? ????

    92. CPS???????? ???? ????? ?? ???? ???? ?????? ????? ???? ?????? CRL???? ????????(OCSP)

    93. ?8? PKI???

    94. ????: ??PKI????? ???????

    95. §8.1 ??PKI????? ???? ????

    96. §8.2 ??????? ?????? ??????? ???????? ??????? ?????

    97. ?9? PKI????? ???

    98. PKI???????? ????????? PKI????? ???,?????,??PKI(??PKI) ?????????(?????????)

    99. §9.1??PKI???????? ??? «???????» «??????????» ?? «???????????????» ?? “?????????” ?? ???????????????

    100. §9.3 ???????PKI?? ?? ???? ????????????; ???????????

    101. ????? ?????????????????????????? ???????????????????????????????? PKI???????? ?????????????????

    102. ??? ????

    103. ?10? PKI????

    104. ????: ITU-T X.509????? PKIX???? WPKI?? SSL/TLS SET OpenPGP?S/MIME PMI????

    105. §10.1 ITU-T X.509????? ITU-T X.509 Edition 1 ITU-T X.509 Edition 2 ITU-T X.509 Edition 3 ITU-T X.509 Edition 4 ITU-T?????

    106. §10.2 PKIX???? ???CRL??:RFC2459 PKI????????:RFC2559, RFC2560, RFC2585 PKI????: RFC2510, RFC2511, RFC2797 ??????????????: RFC2527 ???????????????:RFC3029, RFC3161

    107. PKI??????? CA:?????? ( ??, ??????? ); RA:??????(??CA???????????????,?????????????????????????); EE:PKI??????????????????; Repository:????????CRL???,?????EE??????CRL???;

    108. §10.3 WPKI?? WAP Forum???WAP????????: ??X.509?PKIX?????; ??????????(WTLS??),???????; ????????,??????; ????URL,?????????????URL,??????,???????????;

    109. §10.4 SSL/TLS SSL(Secure Socket Layer,??????)?Netscape?????????web???????? IETF(www.ietf.org)?SSL?????,?RFC2246,?????TLS(Transport Layer Security)?

    110. §10.5 SET SET(Secure Electronic Transaction) ?Visa?Master?????????Internet????????????????????? SET?????????: ???? ????

    111. §10.6 OpenPGP?S/MIME 1997?,????????IETF?????????,?PGP????????????OpenPGP???(RFC2440)? S/MIME???RSA???????1995??IETF????????? ??????????????????????????

    112. ?????: S/MIME???????????????????,?OpenPGP???????????????????,??????? S/MIME???????X.509?OpenPGP?????????:X.509???PGP???

    113. §10.7 PMI???? PMI(Privilege Management Infrastructure,????????) ???????????????????????? PMI??????????????????? X.509 2000??(v4)???PMI?????PMI?????????????????????

    114. ????: PMI??????: l  ????(object):???????? l  ?????(privilege asserter):??????,???????????????????? l  ?????(privilege verifier):?????????????????????

    115. ???? ???????: ??????????????????(object method)???????????

    116. ???? ???????:?????????(SOA)??????????????

    117. ???? ????????????????? ?????????????????????????????

    118. ???  ????

    119. ?11? PKI??

    120. ????: Web??????????PKI????? ????????????? VPN???????

    121. §11.1 Web???? ????: ???????????

    123. SSL/TLS ?Netscape,IETF TLS????? SSL/TLS?????????????????(??????),????????????????????? SSL????:SSL???

    124. §11.2 ?????? ?????????? ?????????? PGP S/MIME

    126. S/MIME & PGP PGP, Phil Zimmermann, 1991 PGP????????????????????? RFC2440, S/MIME RFC822 -> MIME -> S/MIME v2, v3 S/MIME??? S/MIME????? S/MIME??????? Signed receipt,Security Label?Security mailing list.

    127. SET 1996?2?,IBM, Microsoft, Netscape, RSA, Terisa?VeriSign???SET v1(??MasterCard?Visa??????????? SET???????????Internet?????????????? ????,SET???????: ??????????????????? ????X.509 v3?????????? ?????,?????????????????????????? ????:??????????????

    128. §11.3 VPN??????? VPN????????????????????????,??IPSec????????????PKI???????????????? IPSec

    129. IPSec IP???????3????:??????????? IPSec????? ????(AH), ????????(ESP), ????, ????, ????(SA), ?????(SA Bundle), ISAKMP. IPSec,IPv6?????(???????)??????

    130. IPSec IPSec???? IPSec???? ??,??,ISAKMP/Oakley

    131. IPSec??????

    132. ?12? PKI??

    133. ????: ???? ???? ????

    134. §12.1 ???? ???? ???? ????????? ???? ???? ???? :SSL ????????? :???? ????:????

    135. §12.2 ???? ???? ???? ???? ???? ???? ???? ????PKI???

    136. §12.3 ???? ???? ???? ????????? ???? ???? ????PKI???

    138. ?13? ??PKI????

    139. ????: ???? ????

    140. §13.1 ???? VeriSign (http://www.verisign.com/) Entrust (http://www.entrust.com/) Baltimore (http://www.baltimore.com/) RSA Security (http://www.rsasecurity.com/)

    141. VeriSign PKI???

    143. §13.2 ???? ????PKI(FPKI) ?????PKI(GOC PKI)

    144. ?14? ????????????

    145. ????: ??????????? ??????????? ????????? ??????????

    146. §14.1 ?????????? ? ????????????????????: ??PKI?????????; ????????????; ???????????; ?????????????????

    147. §14.2 ?????????? ? ????????????????????????????????????????????CA??,????????????? ???????????????????????????????????????

    148. ????????? ???????? ?????? ?????? ?????? ?????? ??????

    149. §14.3?????????(1) CA???? ???? ?????? ???? ?????? ??????

    150. ?????????(2) ?????? ?????? ???????? ???? ????? ????? ???????

    151. ?????????(3) ?????? ???? ???? ???? ???? ???? ???? ?????

    152. §14.4 ?????????? ?????????? ????????????????????????????????????????????????????????????

    153. ?????? ?????? ???????????

    154. ?????? ???? ?????? ?????????? ??????? ???????? ???????

    155. ?????? CA???? RA????????? ????????

    156. ?????? ???? ???? ????

    157. ???????? ???????? ??????? ????

    158. ?????? ???????? ?????? ??????? ????

    159. ?????? ????CA????????????????,???????? ???????????????????????????,????????? ???????????????????,???????????????????????? ????CA?????????????????,?????????????????? ?

    160. ?????? ????????? ???????

    161. ?????? ?????? ???? CA???? ?????

    162. ?15? ????????????

    163. ????: CA??????? ??????????

    164. §15.1 CA??????? GA/T387-2002«???????????????????» GA/T388-2002«?????????????????????» GA/T389-2002«????????????????????????» GA/T390-2002«???????????????????» GA/T391-2002«?????????????????»

    165. ???? ??????????????????????????????????????? ??????????????????????????

    166. ???? ?????? ??????? ??????? ????? ?????? ????????? ???????

    167. §15.2 ??????????

    168. ???PKI??(open source) OpenCA Project (http://www.openca.org/) OSCAR PKI Project (http://oscar.dstc.qut.edu.au/) Jonah PKIX (http://web.mit.edu/pfl/) pyCA (http://www.pyca.de/) Mozilla Open Source PKI Project(http://www.mozilla.org/projects/security/pki/)

    169. ???????Toolkit OpenSSL Project (Open Source) http://www.openssl.org/ CDSA (Open Source) http://developer.intel.com/ial/security/ RSA BSAFE (Commercial Version) http://www.rsasecurity.com/products/bsafe/index.html
