【作者】 黄旭波；

【导师】 刘晓洁；

【作者基本信息】 四川大学 ， 计算机软件与理论， 2005， 硕士

【摘要】 随着电子商务/电子政务的发展,网络安全技术日益受到人们的重视。公开密钥基础设施(Public Key Infrastructure,简称PKI)是目前较为成熟的网络安全解决方案,它能够为电子商务/电子政务提供五个主要的安全功能:身份认证,访问控制,数据保密性,数据完整性,不可否认性。PKI 的基础是公钥证书(PKC,Public Key Certificate),PKC 将用户的身份与公钥绑定,形成用户的数字身份证书。PKI 通过方便灵活的密钥和证书管理方式,提供了在线身份认证的有效手段,为系统安全性奠定了基础。但是在有些情况下,比如授权管理系统,单独的身份认证技术已经不能完全满足要求。授权管理系统不仅要求用户提供合法的身份证书用于身份认证,而且要求提供相应的授权管理机制,用于控制用户在系统中的行为和动作。授权管理基础设施(Privilege Management Infrastructure,简称PMI)是在PKI发展过程中被提出并逐渐从PKI 中分离出来的一个新的概念。与PKI 使用PKC证书一样,PMI 使用属性证书(AC ,Attribute Certificate)来完成基于角色的访问控制。PMI 利用属性证书灵活、有效期短的特点,更好地实现了安全、灵活、高效的授权管理。本文对整个PKI/PMI 体系进行了研究,首先对密码技术进行了阐述,接着介绍了PKI/PMI 的基本原理,包括体系结构、相关协议与标准、证书数据结构、系统组件和模型。在仔细研究PKI/PMI 基本原理的基础上,本文提出了一种PKI/PMI 系统的实现模型。本文设计的PKI/PMI 系统严格遵从X.509 规范,并且采用了访问控制、权限管理等安全机制,保证了系统权威性、公正性和可信赖性。具体来说,本文的主要工作有: (1)对PKI/PMI 体系进行了完备、详尽的分析和阐述。更多还原

【Abstract】 With the swift developing of electronic commerce and electronic government, people have taken more attendtions to the technology of network security. The PKI (Public Key Infrastructure) system is a mature network security solution for Internet, which can provide five security services for electronic commerce and electronic government, such as identity authentication, access control, data secrety, data integrity and non-repudiation. The basis of PKI is PKC(Public Key Certificate), which bind a user’s identity with a public key. PKI offers an effective method for online identity authentication by using the flexible Cryptographic-key and certificates management, and establishes a security environment for systems. But identity authentication can not meet all the demands under some conditions, such as privilege management system, which requires users not only to present PKC certificate, but aslo to present privilege management mechanism, so as to control users’behavior and action in system. The PMI (Privilege Management Infrastructure) is a new concept brought forward in the process of PKI’s development, and has now been separated from PKI. In PMI, Attribute Certificate (AC) is used instead of Public Key Certificate (PKC), which can help us to implement role-based access control. In addition, with its flexibility and short period validity, PMI even implements the authorization management better. This paper carefully researched the whole PKI and PMI system. First, cryptography of computer network is introduced. Secondly, the basic principle of PKI and PMI is detailed described, including system structure, relative protocols and standards, the data structure of the certificate, system component and system mode. Based on the research of the basic principle of PKI and PMI, an implentation model for PKI and PMI system is proposed. The design criterion of PKI and PMI system strictly keeps to the X.509 standards, and it picks the secure technique (i.e., the control of access and the management of right, etc) to ensure its authority, justness and trusty. Basically, the contributions of this paper are as follows: (1)This paper makes carefully researches on the whole PKI and PMI system. (2)The architecture of PKI and PMI system strictly keep to the X.509 standards, act according to the prescripts of the national secure department and has entire intellectual property. (3)In this paper, The CA (Certificate Authority) is established. It includes several major functionalities: certificate registering, certificate issuing, certificate publishing, certification revoking CRL publishing and certificate managing, etc. (4)In this paper, The PMI system is established. It includes several major functionalities: attribute certificate registering, attribute certificate issuing, attribute certificate publishing and policies of access control establishing, etc. In a word, the system with entire intellectual property can be generally used in finance industry, negotiable securities, telecommunications, military, government, education, etc. PKI and PMI can act as an optimal solution to build electronic commerce and electronic government system.更多还原