| With the development of information technology, the Internet has been wisely used in the national defense, telecom, finance, news media, commercial trade and other fields, but the issues of information security are becoming more important. PKI can guarantee to realize identity authentication, security transmitting, undeniable, data integrality in the course of trade technically, provide protection for e-commerce. PKI has got fast development in the foreign. It has certain size and obtains certain result in China, but it has some problems, such as there is not a cross-certification of all CA systems. PKI manage the public key by certificate, it bundle users' public key and users' other identifications information together, by third party authority (certificate authority, namely CA). CA is the most important part in the entire PKI system, it takes the responsibility to create or prove identity, validate the applier's identity and issue, update, revoke the digital certificate that can be used to prove the identity. So how to defense the CA's root private key from disclosure and destruction in the attack unavoidable circumstances is a priority. Threshold mechanism is a kind of method to resolving the problem. It means that the key was taken care of by many members together instead of taken by one person, through secret sharing scheme. Therefore even if individual or the minority member's secret share divulges, there will be no affection to the key security of overall system. This article develops an enterprise CA system which implement its basic operation by using OpenSSL toolkit, its root private key is protected by Shamir threshold scheme and it makes the intrusion to be insignificance. This article's first part introduces the theory involved in the CA system, including concept, architecture, theoretical foundation of PKI/CA system. The second part introduces the OpenSSL toolkit's composition architecture and functions encapsulated by the CA's implementation, the third part studies Shamir Threshold Scheme and it prepares to find a suitable implementation to protect the CA's root private key in the latter paper. The fourth part elaborates the CA system's design and implementation, the system involves four modules that are initialize module, operational module, root private key's division and resumption module, networking transmit module, the system has some functions such as apply, issue, update, revoke the digital certificate, issue the CRL and so on. At last this article analyses the system's security. At last it makes a conclusion for the paper, points out the existent inadequate and outlook the following work. This article's significance is it implement a system that can be applied to enterprise. In security aspect of CA, it discuss a scheme that combine the secret shared, utilize the divide up mechanism to key, protect the safety of CA' s signature key. I took part in the design and development work of DEAN's enterprise CA update project during my studying for master's degree, it give me a big help to complete the paper. |
PDF Full Text Request