基于WebService的证书服务应用系统的研究与实现

上海交通大学硕士学位论文基于WebService的证书服务应用系统的研究与实现姓名：朱慧芳申请学位级别：硕士专业：通信与信息系统指导教师：杨树堂20080101ivWebServiceInternetPKIPublicKeyInfrastructurePKICACRLPKIPKIPKIPKIPKIPKIPKIv—WebServiceWebServiceLRALRAWebServiceLRAPKIWebServiceWS-SecurityviRESEARCHANDIMPLEMENTATIONONCERTIFICATESERVICEAPPLICATIONSYSTEMBASEDONWEBSERVICEABSTRACTThedevelopmentandprosperityofInternethasbroughtgreatconveniencetopeople'sstudy,workandlife.However,whenpeopleareenjoyingthebenefits,theyaremeanwhilesufferingfromthebitternessofthesecurityproblems.Securityissues,suchasfastspreadofvirus,Hacking,compromiseofconfidentialinformation,etc.,havereallyformedhugethreatstoavarietyofbusiness,aswellasthegovernments'infrastructures.Tofacetheseproblems,therehaveemergedalotoftechnologies,andoneofthemisPKItechnology.PKI,shortforPublicKeyInfrastructure,issecurityinfrastructurebasedonpublickeycryptographysystem,providingauthentication,encryption,digitalsigatureandtime-stampservices.ItscoremoduleisCA-CertificateAuthority,whosemainfunctionistheissuingandmanagementofcertificatesandCRLs.PKIhasbeenwidelyusedtosecurethewell-beingofE-commerceandE-government.However,notalltheorganizationshavetheconditionstosetuptheirownPKIsystem.Thosewhodon'thavetheconditionsalsowanttoenjoyviitheservicewithoutsettingupcorrespondingsystem.Tomeetthisneed,somecompaniesstartedtoprovidesuchservicesbasedonPKI.TheseservicesarecalledCertficateService(a.k.s.PKIService).ThisdissertationaddressitsresearchonthecurrentsituationofCertificateService,itsproblems,andcorrespondingsolutions.TheapplicationofWebService,integratingofManagedPKIServiceandPKIHostingService,securesettingbasedondifferentmodules--basedontheseanalysis,thedissertationdesignsaCertificateServiceSystembasedonWebService,andconductstheimplementation.Aftertheresearchandimplementation,wecanseethatthroughtthiscertificateservice,nomatterpersonalusers,serverusers,ManagaedPKIusers,orPKIHostingusers,canallenjoytheirtargetservice.Besides,withtheapplicationofWebServicetechnology,allmodules'implementataionsarelanguage-independentandplatform-independent.KEYWORDS:CertificateService,PKI,WebService,WS-Securityii20080110iii2008011020080110111.1InternetPKISoftwareasAServiceSOAPKIPKIPKIPKIPKIPKI1.2WebServiceSOAWebServiceSSLWS-SecurityS/MIMEWSDLWebsphere21.312PKIXMLWebServiceWS-Security3—/RA4WebService532PKIPKI2.1PKI2.1.1PKIInternetPKIPKI[1]PublicKeyInfrastructure-PKI--CACertificateAuthorityE-mail3PKI2.1.2X.509ITUInternationalTelecommunicationUnion1988OpenSystemInterconnection–TheDirectory:AuthenticationFrameworkX.509[2]ISOInternationalStandardsOrganizationISO9594-8X.509PublicKeyCertificate4SimpleAuthenticationStrongAuthentication[3]X.509PasswordX.509CertificateAuthorityCAX.5092-152-1X.509Figure2-1X.509CertificateX.509zz2.1.3PKIPKICARA1.CAPKICertificationAuthority,CACAPKIzzzzz(CRL)zOCSPzzCAzCAz2.RARACACARARAPKICARAPKIRA63.4.PKI5.2.1.4PKITrustModelPKIPKI·PKI··StrictHierarchyofCertificationAuthoritiesModelDistributedTrustArchitectureModelWebWebModelUserCentricTrustModel1.CAPKICA--CARootCATrustAnchor--CACAIntermediateCACASubordinateCACACACAPKIEndEntities7EndUsersCACACA2.PKICACAACA1BCA2CACAPKICACA1ACA2B(FullyPeeredArchitecture)CACAMultiLevelHierarchyFullyTreedArchitectureHybridTreedArchitecturePKIPKIPKINetworkingCA(PeerRootCA)CrossCertification3.WebWebInternetCACACACACACAWeb4.PrettyGoodPrivacy(PGP)8PGPCAWebofTrustPKI2.1.5PKI1.VPNVPNVPNVPNVPNVPNVPNVPNVPNPPTPL2TPPKIVPN()VPNVPNPKIIPSecVPNIPSecIPIPSec——IPv6IPSecIPSecVPN2.S/MIMEInternetInternetz9zPKIS/MIME(TheSecureMultipurposeInternetMailExtension)PKI3.WebSSLDigitalSignatureWebInternetWeb?WebzzzzWebDDOS()WebInternetExplorerNetscapeNavigatorSSL(TheSecureSocketsLayer)SSLPKISSL10SSLSSLPKIWebWeb4.SETPKIPKIPKIPKIPKIPKIPKIPKI2.2XML2.2.1XMLXML[4][5]ExtensibleMarkupLanguageW3CHTMLHypertextMarkupLanguageHTMLXMLSGMLStandardGeneralizedMarkupLanguageSGMLXMLXMLUnicodeXMLXMLXMLXMLWebXMLXML11XMLWebServiceWebServiceWebServicesSOAPWSDLUDDIXMLWebServiceWS-SecurityXMLXMLXMLXMLXMLWS-Security2.2.2XMLXMLXMLXMLXMLXMLXMLXMLXMLXML[6]1.ReferenceSignedInfoSignatureValue(1)Reference···ReferenceTransforms(2)Signature·SignedInfoSignatureMethodCanonicalizationMethodReference(s)·SignedInfoSignedInfoSignatureValue·SignatureSignedInfoObject(s)KeyInfoSignatureValue122.ReferenceReferenceDigestValueSignatureSignedInfoSignatureValue(1)Reference·SignedInfoCanonicalizationMethodSignedInfo·SignedInfoReference1)2)Reference3)ReferenceDigestValueSignature(2)Signature·KeyInfo·CanonicalizationMethodSignatureMethodSignatureMethodSignatureValue2.2.3XMLXMLXMLXMLXMLXMLXMLXML·XML·XML·XML·XMLgif·XML[7]1.(1)(2)1)URIds:KeyInfods:KeyNameds:KeyValueds:RetrievalMethod132)EncryptedKeyds:KeyInfo(3)1)UTF-82)3)(4)EncryptedType(EncryptedDataEncryptedKey)EncryptedType1)EncryptedTypeCipherDataBase64CipherValue2)EncryptedTypeURITransformsCipherReference(5)EncryptedDataEncryptedDataXMLXMLXML2.(1)EncryptedType(EncryptedDataEncryptedKey)(2)ds:KeyInfo(3)CipherData1)Cip