基于商密SM2算法的轻型PKI系统设计与实现

发布时间：2018-04-01 14:39

本文选题：SM2算法　切入点：PKI系统　出处：《西安电子科技大学》2014年硕士论文

【摘要】：PKI体系作为信息安全领域成熟的解决方案,在国际上被广泛采用。然而,随着计算机技术的飞速发展,曾经PKI体系中采用的公钥密码RSA算法在安全性上与密钥位数成正比,RSA算法需要密钥位数达到1024位以上才能满足我国信息安全的要求,ECC算法作为更安全高效的公钥密码算法,在PKI应用中比RSA算法更有优势,同时我国基于ECC技术自主设计研发了国家商用密码算法SM2算法,伴随着SM2算法的公开,我国的商用密码产品将步入由RSA向SM2更新的浪潮。PKI体系作为信息安全领域基础设施,将我国的PKI体系中的公钥RSA算法升级为SM2算法刻不容缓。本文采用Open SSL开源库实现了商密SM算法的扩展,并通过Open SSL的X509接口实现了基于SM2证书的PKI系统,PKI系统主要包括一套PKI安全管理策略、CA认证中心和目录服务器LDAP。其中,PKI安全管理策略主要涉及管理员的分权机制、KMC密钥管理中心和安全审计。本文通过shamir门限机制实现管理员分权方案,同时,通过分权USBKey管理员机制、密态存储密钥、校验密钥文件、安全的备份/恢复机制等,实现了一套安全有效的密钥管理方案。最后,为了保证管理日志安全,本文设计实现了一套安全审计模块。CA认证中心是PKI系统的核心部分,主要负责证书颁发和证书有效性验证等功能。本文CA认证中心采用三层体系结构,同时为了简化PKI系统的设计,将RA的设计融合在CA认证中心部分。最后,为了加强在线颁发证书时CA认证中心的安全,本文设计实现了CA的安全服务器。最后,本文介绍了PKI系统在实际项目中的具体应用场景,描述了不同级别CA认证中心颁发SM2证书的流程和实际运作流程。在SM2证书的认证方面,采用证书链的验证方式,对证书的完整性和有效性分别进行验证,保证SM2证书的合法性。
[Abstract]:As a mature solution in the field of information security, PKI system is widely used in the world.However, with the rapid development of computer technology,In order to meet the requirement of information security in our country, the public key cryptographic RSA algorithm used in PKI system is proportional to the number of key bits in order to meet the requirements of information security in our country. It is a more secure and efficient public key cryptographic algorithm.In the application of PKI, it has more advantages than the RSA algorithm. At the same time, based on the ECC technology, our country has designed and developed the national commercial cryptographic algorithm SM2 algorithm, which is accompanied by the disclosure of the SM2 algorithm.Our country's commercial cryptography products will step into the tide of updating from RSA to SM2. As the infrastructure in the field of information security, it is urgent to upgrade the public key RSA algorithm in our country's PKI system to SM2 algorithm.In this paper, the open source library of Open SSL is used to implement the extension of the secret SM algorithm, and the PKI system based on SM2 certificate is implemented through the X509 interface of Open SSL. It mainly includes a set of PKI security management policy, CA authentication center and directory server LDAP.The PKI security management strategy mainly involves the manager's decentralization mechanism and the key management center of KMC and the security audit.In this paper, the scheme of administrator decentralization is implemented by shamir threshold mechanism. At the same time, a secure and effective key management scheme is implemented by decentralized USBKey administrator mechanism, secret key storage, verification key file, secure backup / recovery mechanism and so on.Finally, in order to ensure the security of the management log, this paper designs and implements a set of security audit module. CA authentication center is the core part of PKI system, which is mainly responsible for issuing certificates and verifying the validity of certificates.In order to simplify the design of PKI system, the design of RA is integrated into CA authentication center.Finally, in order to enhance the security of CA certification center when issuing certificates online, this paper designs and implements the CA security server.Finally, this paper introduces the application of PKI system in the actual project, describes the different levels of CA certification center issued SM2 certificate flow and actual operation process.In the aspect of SM2 certificate authentication, the integrity and validity of SM2 certificate are verified by certificate chain to ensure the validity of SM2 certificate.
【学位授予单位】：西安电子科技大学
【学位级别】：硕士
【学位授予年份】：2014
【分类号】：TN918.4

【参考文献】