PKI安全性分析

:2006-08-24:(2005YYCXHNST095);2005:(1967-),,,,;,,,PKI史伟奇1,张波云2(11湖南公安高等专科学校计算机系,湖南长沙410006;21国防科技大学计算机学院,湖南长沙410073):(PKI),PKIPKI,PKIX.509,,,PKI:PKI;;;X.509;:TP309:A:1673-629X(2007)06-0166-04SecurityAnalysisonPKISHIWe-iqi1,ZHANGBo-yun2(11ComputerDepartment,HunanPublicSecurityCollege,Changsha410006,China;21SchoolofComputer,NationalUniversityofDefenseTechnology,Changsha410073,China)Abstract:ItbecomesmoreandmorepopulartosettleinformationsecurityproblemswithPKI(PublicKeyInfrastructure)onthelargescalenetwork,buttherearesomepitfallsinthecurrentPKIsolutions.Thispaperintroducesbasicstructure,evaluationstandard,Public-keycryptography,X.509standardandmajordesignproblemsofPKI.ThesecurityproblemsintheprocessofapplyingPKIarediscussed.Andsomesolutionsoftheseproblemsaregivenalso.Keywords:PKIsecurity;policy;usage;X.509;publickeytechnology0PKI(PublicKeyInfrastructure)2080,,,)))CA(CertificateAu-thority),,Internet[1],PKIX.509,,,PKI,PKI,PKI,,PKI,PKI,PKI,PKI,PKI(VPN)Web,PKI,,,,PKI,,1PKI,,,,,1.1PKI,17620076COMPUTERTECHNOLOGYANDDEVELOPMENTVol.17No.6Jun.2007PKI[2]:1),,,2)PKI,,,,,PKI,PKI,PKI,,PKI90PKI,,PKI,PKI,3)PKI,,,,,,4)1.2,PKI,,,[3],[2]:1),,,2)CRL(Certif-icateRevocationList),3)4)PKI,,5),,6),,,,,,CRLCRL[4]CRLPKI,,CRL,IETFOCSP(OnlineCertificateStatusProtocol),(),CRL,HTTPWeb,,OC-SP/,,OCSP,OCSP,CRLOCSP1.3X.509X.509(ITU-T)(ISO)ITU-ISO,X.509PKI,,X.509,1988v1,199319972000X.509v3,,[5]X.509,[6]:1)X.509CA,,,,CA,CACACA,,CACA#167#6:PKI,,CA,,X.5092)CarlEllisonBruceSchmeier,:/???0,,X.509,,PKICA,,X.509,X.509(globlenamespaces),DN(DistinghuishedName),X.509DN,,,X.509DN,DN,,,3)X.509,AB,BC,AC,PKI,CA,CA,,CA,PKI,PKI,(Web),,:/0,,,;(),4)CA,CA,,,,X.509CA,,CA5),[7]CA,CA,,,CA,,,1.4PKI,,[2],,,18,2020,,,,,,,1999,512;2004817,(Crypto.2004),MD5,HAVAL-128,MD4RIPEMD,MD5PKISHA-1,SHA-224,SHA-256,SHA-384,SHA-512,,,PKI1.5,PKI[8]1)PKIPKI,,PKI,,,,PKI,,PKI2)PKIPKI,,,;PKI#168#17,;,,,PKI3)PKIPKI,CA,,,PKI,PKI,PGP,PEM,,4),,,,,2,PKIPKI,PKI,,PKIPKI,PKI:[1]NashA,DuaneW,JosephC,etal.(PKI):,[M].,,,.:,2002.[2].PKI[J].,2002(9):53-54.[3],,.PKI[J].,2003,25(2):27-30.[4]FoxB,LaMacchiaB.CertificateRevocation:MechanicsandMeaning[C]//Proc:FinancialCryptology-CRYPTO.98.LNCS1465.Berlin:Springer-Verlag,1998:158-164.[5],,.InternetX.509PKI[J].,2003(2):97-99.[6],.PKIPKI[J].,2004(1):13-15.[7].PKI[J].,2004(3):14-15.[8],,.PKI[J].,2006,22(2):39-41.(上接第165页),:,,,,userinfor-mation(name,passwordexponent,visitrange),vis-itrange,URL,URL,,visitrange512,,,1,0,512512,4,Web,,,,HTTP,,IPCookie,,IP(Cookie):[1]WilliamS.)))()[M].4.:,2006.[2]FieldingR.HypertextTransferProtocol)))HTTP/1.1(rfc2068)[EB/OL].1997.[3].:[D].:,2000.[4],.[J].,2005,26(7):1735-1736.[5],,.[M].:,2001.[6]BruceE.Java[M].3.:,2005.#169#6:PKI