| In 2004, China promulgated the Electronic Signature Law and the Administration of Electronic Accreditation Service. It greatly promotes the development of Public Key Infrastructure (PKI) as the base of iformation scurity. Indispensable to e-commerce, e-government, it has become the foundation for the development of China's information technology.But according to the ways of storing private keys, there are mainly two types of digital certificates. One is kept in a storage medium, such as floppy disks or hard disks; the other is kept in a smart card, such as IC card or USB Key. The critical limitation of both types lies in the portability and cross-region usability.Therefore, in order to solve the carrying and storage of digital certificates, in the past few years most major PKI technology vendors have released products which allow digital certificate holders with"soft certificates"to have their private keys stored at a central server and uploaded when needed to their local machine. This allows users to"roam"from one machine to another without having to manually manage the export and import of their keys onto temporary media like diskettes. Thus users gain much of the portability and usability advantages of hardware key media like smart cards and USB storage media but without the associated cost. In the future, PKI applications with roaming certificates will grow quickly in China.Foreign major PKI technology vendors have released roaming PKI products, and their products have become increasingly mature. But by contrast, domestic roaming technology is still at its early stage of development. Domestic vendors have not released any mature product of roaming certificate with our own intellectual property rights. Therefore, this thesis highlights the engineering and deployment considerations by presenting a systematic design of the common roaming architecture. From the basic principles of the roaming certificate, a prototype is designed for the development of China PKI certificate.The overall objectives of designing a certificate roaming on the Internet are to provide services such as roaming digital certificate services, PKI standards in support of VPN, secure e-mail, web security and application programming interface, and to provide users with convenient, highly portable, low-cost, relatively safe service platforms. The design of certificate roaming system must comply with international standards, particularly with the CA system interface and with PKI framework requirements; the design of system, especially the design of client roaming system, shoule be transparent to users and independent of specific applications; corresponding security services should be provided for all types of applications to reduce the difficulties for user applications as well as for engineering development.Roaming System consists of roaming server, security key storage directory service system and client software. The roaming server provides services of application, downloading and uploading of roaming certificate; security key directory service system is responsible for storing user key and issuing roaming certificate; client system roaming user certificates; The client software is responsible for the local registration and cryptography services of certificate, and also responsible for deletion of private key after roaming certificate being used.Security of roaming system is focused on the identity authentication, data communication and key storage. Double authentication of both roaming password and private key password is employed for accessing the key storage server while the verification of identity is confirmed by previously issued digital certificate. SSL avoids the vulnerability of transmitting clear text passwords over the network. SSL is adopted for communications between roaming server and LDAP server to ensure the security. SPKM protocol is used for communications between roaming server and CA Server to ensure security.A roaming server uses component-based, B/S-distributed J2EE construction. J2EE framework has been adopted because it is an independent, portable enterprise-standard security platform for multiple users, which is easy for seamless connection between CA products with different structures.To support large-scale concurrent users'roaming requests, the LDAP is selected for the preservation of roaming accounts, e-mail addresses, private keys, etc. This system will establish an independent directory service in high-performance, high availability independent of the physical equipment. All the operations related to certificates roaming request interface with the directory service system. Efficient directory service can be achieved with limited network bandwidth and limited system resources. The roaming client software consists of a plug-in module and a Crypto Service Provider. The browser plug-in is primarily responsible for generation of application infromation, uploading of local document certificates and downloading roaming certificates. Roaming CSP performs cryptography algorithms for authentication, encoding, and encryption. Such a design is adopted mainly to adjust to the Windows coding framework so that the client software provides a transparent security infrastructure for all applications. Roaming certificates can be incorporated into the way an organization does its business without changing applications or any old processes.According to prototype design and realization of the above, we will be able to further develop a superior roaming system with low-cost storage certificates, both easy to use and highly portable, just as the smart cards. Of course, the proposal of certificate roaming system still needs to be further improved and optimized. Identity authentication on roaming server, cryptography service on roaming server, etc. still require further research and exploration. |
PDF Full Text Request