
Design and Implementation of a Lightweight PKI System Based on the Commercial Cryptography SM2 Algorithm

Published: 2018-04-01 14:39

  Topic: SM2 algorithm. Focus: PKI system. Source: Xidian University, master's thesis, 2014


[Abstract]: As a mature solution in the field of information security, the PKI architecture is widely adopted internationally. However, with the rapid development of computer technology, the security of RSA, the public-key algorithm formerly used in PKI systems, is proportional to its key length, and RSA needs a key length above 1024 bits to meet China's information security requirements. ECC, as a more secure and efficient public-key algorithm, has advantages over RSA in PKI applications. China has also independently designed and developed the national commercial cryptographic algorithm SM2 on the basis of ECC, and with the publication of SM2, China's commercial cryptography products will enter a wave of migration from RSA to SM2. Because PKI is basic infrastructure for information security, upgrading the RSA public-key algorithm in China's PKI systems to SM2 is urgent. This thesis uses the OpenSSL open-source library to implement an extension for the commercial SM algorithms, and implements a PKI system based on SM2 certificates through OpenSSL's X509 interface. The PKI system mainly comprises a set of PKI security management policies, a CA (certification authority) and an LDAP directory server. The PKI security management policies mainly cover the administrator separation-of-privilege mechanism, the KMC (key management center) and security auditing. The thesis implements the administrator separation-of-privilege scheme with the Shamir threshold mechanism. In addition, a secure and effective key management scheme is implemented through a split-privilege USBKey administrator mechanism, encrypted storage of keys, verification of key files, and a secure backup/recovery mechanism. Finally, to keep the management logs secure, the thesis designs and implements a security audit module.
The CA is the core of the PKI system and is mainly responsible for issuing certificates and verifying certificate validity. The CA in this thesis uses a three-tier architecture, and, to simplify the design of the PKI system, the RA design is merged into the CA. To strengthen the security of the CA when certificates are issued online, the thesis designs and implements a CA security server. Finally, the thesis presents concrete application scenarios of the PKI system in a real project, and describes how CAs at different levels issue SM2 certificates and how the system operates in practice. For SM2 certificate authentication, certificate chain verification is used: the integrity and the validity of each certificate are verified separately to ensure that the SM2 certificate is legitimate.
[Degree-granting institution]: Xidian University
[Degree level]: Master's
[Year degree granted]: 2014
[Classification number]: TN918.4



