密碼編碼學(xué)與網(wǎng)絡(luò)安全（第五版） 向金海 11-密鑰管理和分發(fā)

Chapter

14密鑰管理和分發(fā)《計算機與網(wǎng)絡(luò)安全》主要內(nèi)容9/7/20202華中農(nóng)業(yè)大學(xué)信息學(xué)院對稱加密的對稱密鑰分發(fā)非對稱加密的對稱密鑰分發(fā)公鑰分發(fā)X.509認(rèn)證服務(wù)公鑰基礎(chǔ)設(shè)施§14.1對稱加密的密鑰分發(fā)9/7/20203華中農(nóng)業(yè)大學(xué)信息學(xué)院

任何密碼系統(tǒng)的強度都與密鑰分配方法有關(guān)。?密鑰分配方法指將密鑰發(fā)放給希望交換數(shù)據(jù)的雙方而不讓別人知道的方法。密鑰分配9/7/20204華中農(nóng)業(yè)大學(xué)信息學(xué)院分配方法：A、B雙方通信密鑰由A選擇，親自交與B；第三方選擇密鑰后親自交與A和B；一方用雙方已有的密鑰加密一個新密鑰后發(fā)給 另一方；A和B與第三方C均有秘密通道，則C可以將密 鑰分別發(fā)送給A和B。密鑰分配9/7/20205華中農(nóng)業(yè)大學(xué)信息學(xué)院??對分配方法的分析方法1和2需要人工傳送密鑰，對鏈路加密要求不過分，對端到端加密則有些笨拙。方法3可用于鏈路加密和端到端加密。問題：■①攻擊者若已成功獲取一個密鑰；②初始密鑰的分配。對于端到端加密，方法4稍做變動即可應(yīng)用。需要一個密鑰分配中心（KDC）參與分配。■?用于支持任意端點間通信所需的密鑰數(shù)9/7/20206華中農(nóng)業(yè)大學(xué)信息學(xué)院§7.3密鑰分配9/7/20207華中農(nóng)業(yè)大學(xué)信息學(xué)院??密鑰分類會話密鑰（ks）末端通信時使用的臨時加密密鑰主密鑰（km）加密ks的密鑰層次式密鑰9/7/20208華中農(nóng)業(yè)大學(xué)信息學(xué)院一種透明的密鑰控制方案密鑰分發(fā)方案9/7/20209華中農(nóng)業(yè)大學(xué)信息學(xué)院密鑰分配模式9/7/202010華中農(nóng)業(yè)大學(xué)信息學(xué)院層次式密鑰控制9/7/202011華中農(nóng)業(yè)大學(xué)信息學(xué)院單個KDC在網(wǎng)絡(luò)規(guī)模很大時不實際層次式可提高效率并降低風(fēng)險會話密鑰的生命期9/7/202012華中農(nóng)業(yè)大學(xué)信息學(xué)院在安全性與通信時間之間折衷考慮對面向連接的協(xié)議，改變連接時，改用新的ks對非面向連接的協(xié)議，定期更改。面向連接的密鑰自動分發(fā)協(xié)議9/7/202013華中農(nóng)業(yè)大學(xué)信息學(xué)院分散式密鑰控制會話密鑰生成步驟：9/7/202014華中農(nóng)業(yè)大學(xué)信息學(xué)院密鑰的使用方法9/7/202015華中農(nóng)業(yè)大學(xué)信息學(xué)院???會話密鑰的類型數(shù)據(jù)加密密鑰，用于網(wǎng)絡(luò)中的通用通信PIN加密密鑰，用于電子資金轉(zhuǎn)賬和銷售點應(yīng)用的個人識別碼（PIN）文件加密密鑰，用于可公開訪問的加密文件§7.3.6

密鑰的使用方法9/7/202016華中農(nóng)業(yè)大學(xué)信息學(xué)院■會話密鑰的類型密鑰標(biāo)志(以DES為例)一位表示主密鑰或會話密鑰一位表示密鑰可否用于加密一位表示密鑰可否用于解密其余位未用■?????特點標(biāo)志含在密鑰中，密鑰分配時就被加密缺點：?■①位數(shù)少，限制了其靈活性和功能；②標(biāo)志不能以明文傳輸，解密后才能使用，限制了對密鑰的管理控制矢量方法■■9/7/202017華中農(nóng)業(yè)大學(xué)信息學(xué)院■?會話密鑰的類型密鑰標(biāo)志控制矢量方法思路會話密鑰的加密加密：H=h(CV)，Kc=Ekm⊕H[Ks]解密：H=h(CV)，

Ks=Dkm⊕H[Kc]?優(yōu)點控制矢量長度不限控制矢量以明文傳輸，可多次運用對密鑰的控制要求■■密鑰的使用方法⊕⊕9/7/202018華中農(nóng)業(yè)大學(xué)信息學(xué)院控制矢量的加密和解密§14.2非對稱加密的對稱密鑰分發(fā)9/7/202019華中農(nóng)業(yè)大學(xué)信息學(xué)院公鑰的分配公鑰密碼用于傳統(tǒng)密碼體制的密鑰分配采用前面的方法獲得公鑰可以提供保密和認(rèn)證但公鑰算法常常很慢用私鑰加密可以保護信息內(nèi)容因此，需要會話密鑰許多可選的方案用于協(xié)商合適的會話密鑰9/7/202020華中農(nóng)業(yè)大學(xué)信息學(xué)院簡單的秘密鑰分配9/7/202021華中農(nóng)業(yè)大學(xué)信息學(xué)院1979由Merkle提出?

A產(chǎn)生一個新的臨時用的公鑰對?

A發(fā)送自己的標(biāo)識和公鑰給B?

B產(chǎn)生一個會話密鑰，并用A的公鑰加密后發(fā)送給A?

A解密會話密鑰問題是容易受到主動攻擊，而通信雙方卻毫無察覺。利用公鑰加密建立會話密鑰9/7/202022華中農(nóng)業(yè)大學(xué)信息學(xué)院具有保密性和真實性的密鑰分配9/7/202023華中農(nóng)業(yè)大學(xué)信息學(xué)院假設(shè)雙發(fā)已安全交換了各自的公鑰:公鑰加密的密鑰分發(fā)混合方式的密鑰分配9/7/202024華中農(nóng)業(yè)大學(xué)信息學(xué)院保留私鑰配發(fā)中心(KDC)每用戶與KDC共享一個主密鑰用主密鑰分配會話密鑰公鑰用于分配主密鑰?在大范圍分散用戶的情況下尤其有用三層結(jié)構(gòu)基本依據(jù)?性能?向后兼容性§14.3公鑰分發(fā)9/7/202025華中農(nóng)業(yè)大學(xué)信息學(xué)院公鑰的分配公鑰密碼用于傳統(tǒng)密碼體制的密鑰分配公鑰的分配9/7/202026華中農(nóng)業(yè)大學(xué)信息學(xué)院公鑰分配方法?公開發(fā)布?公開可訪問目錄?公鑰授權(quán)?公鑰證書公鑰的公開發(fā)布9/7/202027華中農(nóng)業(yè)大學(xué)信息學(xué)院用戶分發(fā)自己的公鑰給接收者或廣播給通信各方?例如：把PGP的公鑰放到消息的最后，發(fā)布到新聞組或郵件列表中缺點：偽造?任何人都可以產(chǎn)生一個冒充真實發(fā)信者的公鑰來進行欺騙?直到偽造被發(fā)現(xiàn)，欺騙已經(jīng)形成無控制的公鑰分發(fā)9/7/202028華中農(nóng)業(yè)大學(xué)信息學(xué)院公開可訪問的目錄9/7/202029華中農(nóng)業(yè)大學(xué)信息學(xué)院通過使用一個公共的公鑰目錄可以獲得更大程度的安全性目錄應(yīng)該是可信的，特點如下：?

包含{姓名，公鑰}目錄項?

通信方只能安全的注冊到目錄中?

通信方可在任何時刻進行密鑰更替?

目錄定期發(fā)布或更新?

目錄可被電子化地訪問缺點：仍存在被篡改偽造的風(fēng)險公開的公鑰發(fā)布9/7/202030華中農(nóng)業(yè)大學(xué)信息學(xué)院公鑰授權(quán)9/7/202031華中農(nóng)業(yè)大學(xué)信息學(xué)院

通過更加嚴(yán)格地控制目錄中的公鑰分配，使公鑰分配更加安全。具有目錄特性每一通信方必須知道目錄管理員的公鑰

用戶和目錄管理員進行交互以安全地獲得所希望的公鑰?當(dāng)需要密鑰時，確實需要能夠?qū)崟r訪問目錄。公鑰目錄管理員成為系統(tǒng)的瓶頸。公鑰授權(quán)公鑰發(fā)布方案9/7/202032華中農(nóng)業(yè)大學(xué)信息學(xué)院公鑰證書9/7/202033華中農(nóng)業(yè)大學(xué)信息學(xué)院

用證書進行密鑰交換，可以避免對公鑰目錄的實時授權(quán)訪問證書包含標(biāo)識和公鑰等信息?通常還包含有效期，使用權(quán)限等其它信息含有可信公鑰或證書授權(quán)方(CA)的簽名

知道公鑰或證書授權(quán)方的公鑰的所有人員都可以進行驗證例如：X.509標(biāo)準(zhǔn)公鑰證書公鑰證書交換9/7/202034華中農(nóng)業(yè)大學(xué)信息學(xué)院X.509

is

part

of

the

X.500

series

of

recommendations

that

define

a

directory

service,

being

aserver

or

distributed

setof

servers

that

maintains

adatabase

of

information

about

users.X.509

definesa

framework

for

the

provision

of

authentication

services

by

the

X.500

directory

to

its

users.

The

directory

may

serve

as

arepository

of

public-key

certificates.

In

addition,

X.509

defines

alternative

authentication

protocols

based

on

the

use

of

public-key

certificates.X.509

is

based

on

the

use

of

public-key

cryptography

and

digital

signatures.

The

standard

does

not

dictate

the

use

of

aspecific

algorithm

butrecommends

RSA.The

X.509

certificate

format

is

widelyused,

in

for

example

S/MIME,

IP

Security

and

SSL/TLS

and

SET.§14.4

X.509認(rèn)證服務(wù)9/7/202035華中農(nóng)業(yè)大學(xué)信息學(xué)院CCITT

X.500目錄服務(wù)的一部分?維護用戶信息數(shù)據(jù)庫的分布式服務(wù)器定義了認(rèn)證服務(wù)的框架?目錄可存儲公鑰證書?由認(rèn)證中心簽名的用戶的公鑰定義了認(rèn)證協(xié)議使用了公鑰密碼和數(shù)字簽名技術(shù)?未作算法規(guī)定，但推薦使用RSAX.509證書已得到了廣泛地使用X.509認(rèn)證服務(wù)的應(yīng)用

X.509建議最 在1988年發(fā)布，1993年和1995年又分別發(fā)布了它的第二和第三個修訂版。X.509目前已經(jīng)是一個非常重要的標(biāo)準(zhǔn)，因為X.509定義的認(rèn)證證書結(jié)構(gòu)和認(rèn)證協(xié)議已經(jīng)被廣泛應(yīng)用于諸多應(yīng)用過程。?IPSec(提供了一種網(wǎng)絡(luò)層的安全性)?SSL/TLS(security

socket

layer/transport

layer

security，安全套接層，可用來解決傳輸層的安全性問題)?SET(電子商務(wù)交易，SET是一種開放的加密安全規(guī)范，用于保護Internet上的信用卡交易)?S/MIME(保證電子郵件安全，側(cè)重于作為商業(yè)和團體使用的標(biāo)準(zhǔn)，而PGP則傾向于為許多用戶提供個人電子郵件的安全性)9/7/202036華中農(nóng)業(yè)大學(xué)信息學(xué)院公鑰證書的使用9/7/202037華中農(nóng)業(yè)大學(xué)信息學(xué)院The

X.509

certificate

is

the

heartof

the

standard.

There

are

3

versions,

withsuccessively

more

info

in

the

certificate

-

must

be

v2

if

either

uniqueidentifier

field

exists,

must

be

v3

if

any

extensions

are

used.

These

user

certificates

are

assumed

to

be

created

bysome

trusted

certificationauthority

(CA)

and

placed

in

the

directory

by

the

CA

or

by

the

user.

The

directory

server

itself

is

not

responsible

for

the

creation

of

public

keys

or

for

the

certification

function;

it

merely

provides

an

easily

accessible

location

for

users

to

obtain

certificates.

The

certificate

includes

the

elementsshown.The

standard

uses

the

notation

for

a

certificate

of:

CA<<A>>

where

the

CA

signs

the

certificate

for

user

A

with

its

private

key.X.509證書9/7/202038華中農(nóng)業(yè)大學(xué)信息學(xué)院由認(rèn)證中心發(fā)放(CA),包括:?

version

(1,

2,

or

3)?

serial

number

(unique

within

CA)

identifying

certificate?

signature

algorithm

identifier?

issuer

X.500

name

(CA)?

period

of

validity

(from

-

to

dates)?

subject

X.500

name

(name

of

owner)?

subject

public-key

info

(algorithm,

parameters,

key)?

issuer

unique

identifier

(v2+)?

subject

unique

identifier

(v2+)?

extension

fields

(v3)?

signature

(of

hash

of

all

fields

in

certificate)符號CA<<A>>表示由CA簽名的A的證書Stallings

Figure

14.4

shows

the

format

of

an

X.509

certificate

and

CRL.X.509證書9/7/202039華中農(nóng)業(yè)大學(xué)信息學(xué)院

在X.509中，證書機構(gòu)Y頒發(fā)給用戶X的證書表示為：Y<<X>>；Y對信息I進行的簽名表示為Y{I}。這樣一個CA頒發(fā)給用戶A的X.509證書可以表示為：CA<<A>>=CA{V,SN,AI,CA,TA,A,Ap

}V: 版本號，

SN：證書序列號，

AI：算法標(biāo)識，TA：有效期,

Ap

：

A的公開密鑰信息。9/7/202040華中農(nóng)業(yè)大學(xué)信息學(xué)院X.509證書User

certificates

generated

by

aCA

have

the

characteristics

that

any

user

with

access

to

the

public

key

of

the

CA

can

verifythe

user

public

keythat

was

certified,

and

no

party

other

than

the

certification

authority

can

modify

the

certificate

without

this

beingdetected.

Because

certificates

areunforgeable,

they

can

be

placed

in

adirectorywithout

the

need

for

the

directory

to

make

special

efforts

to

protect

them.獲得一個用戶證書9/7/202041華中農(nóng)業(yè)大學(xué)信息學(xué)院

任何可以訪問CA的用戶都可以得到一個證書只有CA可以修改證書

由于證書不能偽造，所以證書可以放到一個公共目錄中If

both

parties

use

the

same

CA,

they

knowits

public

key

and

can

verify

others

certificates.

If

not,

then

there

has

to

be

some

means

to

formachain

of

certifications

between

the

CA"s

used

by

the

two

parties,

by

the

use

of

client

and

parent

certificates.

It

is

assumed

that

each

client

trusts

itsparents

certificates.CA層次9/7/202042華中農(nóng)業(yè)大學(xué)信息學(xué)院如果兩個用戶共享同一個CA,則兩者知道彼此的公鑰否則，CA就要形成層次用證書將層次中的各CA鏈接?每個CA有對客戶的證書(前向)和對父CA的證書(后向)每一個客戶信任所有父證書

層次中的所有其它CA的用戶，可以驗證從一個CA獲得的任何證書Stallings

Figure

14.5

illustrates

the

use

of

an

X.509

hierarchy

to

mutuallyverifyclients

certificates.Track

chains

of

certificates:A

acquires

B

certificate

usingchain:

X<<W>>W<<V>>V<<Y>>Y<<Z>>Z<<B>>B

acquires

A

certificate

usingchain:

Z<<Y>>Y<<V>>V<<W>>W<<X>>X<<A>>CA層次的使用9/7/202043華中農(nóng)業(yè)大學(xué)信息學(xué)院Acertificate

includesa

period

of

validity.

Typically

a

newcertificate

is

issued

just

before

the

expiration

of

the

old

one.In

addition,

it

may

be

desirable

on

occasion

to

revoke

a

certificate

before

it

expires,

for

one

of

a

rangeof

reasons,

such

as

those

shown

above.To

support

this,

each

CA

must

maintain

alist

consisting

of

all

revoked

but

not

expired

certificates

issued

by

that

CA,

known

as

the

certificaterevocation

list

(CRL).When

a

user

receives

a

certificate

in

a

message,

the

user

must

determine

whether

the

certificate

has

been

revoked,

bychecking

the

directory

CRLeach

timea

certificate

is

received,

this

often

does

not

happen

in

practice.證書的撤銷9/7/202044華中農(nóng)業(yè)大學(xué)信息學(xué)院1.2.3.證書有效期過期前撤銷，例如:用戶的密鑰被認(rèn)為不安全了用戶不再信任該CACA證書被認(rèn)為不安全了CA維護一個證書撤銷列表?

證書撤銷列表，the

Certificate

Revocation

List

(CRL)用戶應(yīng)該檢查CA的CRLX.509

also

includes

three

alternative

authentication

procedures

that

are

intended

for

use

across

a

variety

of

applications,

used

when

obtainingandusing

certificates.

1-way

for

unidirectional

messages

(like

email),

2-way

for

interactive

sessions

when

timestamps

are

used,

3-way

for

interactivesessions

with

no

need

for

timestamps

(and

hence

synchronised

clocks).

See

Stallings

Figure

14.6

for

details

of

each

of

these

alternatives.認(rèn)證過程9/7/202045華中農(nóng)業(yè)大學(xué)信息學(xué)院X.509包括三種可選的認(rèn)證過程?

單向認(rèn)證?

雙向認(rèn)證?

三向認(rèn)證三種方法都采用公鑰簽名One

way

authenticationinvolvesa

single

transfer

ofinformation

fromone

user

(A)

to

another

(B),

and

establishes

the

details

shownabove.

Notethat

only

the

identity

of

the

initiating

entity

is

verified

in

this

process,

not

thatof

the

responding

entity.

At

aminimum,

the

message

includes

atimestamp,a

nonce,

and

the

identity

of

B

and

is

signed

with

A’s

private

key.

The

message

may

also

include

information

to

be

conveyed,

such

as

asession

key

for

B.單向認(rèn)證9/7/202046華中農(nóng)業(yè)大學(xué)信息學(xué)院1消息(A->B)完成單向認(rèn)證?A的標(biāo)識和A創(chuàng)建的消息?B所需要的消息?消息的完整性和原創(chuàng)性（不能多次發(fā)送）消息必須含有時間戳，臨時交互號和B的標(biāo)識，并由A簽名也可以包含B所需要的其它信息?例如，會話密鑰單向認(rèn)證9/7/202047華中農(nóng)業(yè)大學(xué)信息學(xué)院Two-wayauthentication

thus

permits

both

parties

in

a

communication

to

verify

the

identity

of

the

other,

thus

additionallyestablishing

the

abovedetails.

The

reply

message

includes

the

nonce

from

A,

to

validate

the

reply.

It

also

includes

a

timestamp

and

nonce

generated

by

B,

and

possibleadditional

informationfor

A.雙向認(rèn)證9/7/202048華中農(nóng)業(yè)大學(xué)信息學(xué)院2消息如上建立外(A->B,B->A)，還需:?B的標(biāo)識和B生成的應(yīng)答消息?A需要的消息?應(yīng)答的完成性和真實性應(yīng)答包括從A產(chǎn)生的臨時交互號，也有由

B產(chǎn)生的時戳和臨時交互號還可以包括其它A需要的附加信息雙向認(rèn)證9/7/202049華中農(nóng)業(yè)大學(xué)信息學(xué)院Three-Way

Authentication

includes

a

final

message

from

A

to

B,

which

contains

asigned

copy

of

the

nonce,

so

that

timestamps

need

not

bechecked,

for

use

when

synchronized

clocks

are

not

available.三向認(rèn)證9/7/202050華中農(nóng)業(yè)大學(xué)信息學(xué)院

3在沒有同步時鐘情況下，消息(A->B,B->A,A->B)可以完成認(rèn)證從A回到B的相應(yīng)包含B產(chǎn)生的臨時交互號時戳不必檢查了三向認(rèn)證9/7/202051華中農(nóng)業(yè)大學(xué)信息學(xué)院The

X.509

version

2

format

does

not

convey

all

of

the

information

that

recent

design

and

implementation

experience

has

shownto

be

needed.Rather

than

continue

to

add

fields

to

a

fixed

format,

standards

developers

felt

that

a

more

flexible

approach

was

needed.

X.509

version

3

includes

anumberof

optional

extensions

that

may

be

added

to

the

version

2

format.

Each

extension

consists

of

an

extension

identifier,

acriticalityindicator,

and

an

extension

value.

The

criticality

indicator

indicates

whether

an

extension

can

be

safely

ignored

or

not

(in

which

case

if

unknownthe

certificate

is

invalid).X.509

Version

39/7/202052華中農(nóng)業(yè)大學(xué)信息學(xué)院已經(jīng)認(rèn)識到證書中附加信息的重要性?email/URL,策略細節(jié),使用限制增加了一些可選的擴展項證書每一個擴展項都包括:?擴展標(biāo)識?危險指示（T/F）?擴展值The

certificate

extensions

fall

into

three

main

categories:key

and

policy

information

-

convey

additional

information

about

the

subject

and

issuer

keys,

plus

indicators

of

certificate

policysubject

and

issuer

attributes

-

support

alternative

names,

in

alternative

formats,

fora

certificate

subject

or

certificate

issuer

and

can

conveyadditional

informationabout

the

certificate

subjectcertification

path

constraints

-

allow

constraint

specifications

to

be

included

in

certificates

issued

for

CA’s

by

other

CA’s證書擴展項9/7/202053華中農(nóng)業(yè)大學(xué)信息學(xué)院密鑰和策略信息?傳達證書主體和發(fā)行商密鑰相關(guān)的附加信息，以及證書策略的指示信息，如密鑰用途證書主體和發(fā)行商屬性?支持可變的名字，以可變的形式表示證書主體或發(fā)行商的某些屬性，如公司位置，圖片等。證書路徑約束?允許限制由其它CA發(fā)行的證書的使用X.509

is

part

of

the

X.500

series

of

recommendations

that

define

a

directory

service,

being

aserver

or

distributed

setof

servers

that

maintains

adatabase

of

information

about

users.X.509

definesa

framework

for

the

provision

of

authentication

services

by

the

X.500

directory

to

its

users.

The

directory

may

serve

as

arepository

of

public-key

certificates.

In

addition,

X.509

defines

alternative

authentication

protocols

based

on

the

use

of

public-key

certificates.X.509

is

based

on

the

use

of

public-key

cryptography

and

digital

signatures.

The

standard

does

not

dictate

the

use

of

aspecific

algorithm

butrecommends

RSA.The

X.509

certificate

format

is

widelyused,

in

for

example

S/MIME,

IP

Security

and

SSL/TLS

and

SET.§14.5

公鑰基礎(chǔ)設(shè)施9/7/202054華中農(nóng)業(yè)大學(xué)信息學(xué)院

PKI系統(tǒng)是有硬件、軟件、人、策略和程序構(gòu)成的一整套體系（RFC

2822）

IETF的PKIX工作組在X.509的基礎(chǔ)上，建立一個可以構(gòu)建網(wǎng)絡(luò)認(rèn)證的基本模型。X.509

is

part

of

the

X.500

series

of

recommendations

that

define

a

directory

service,

being

aserver

or

distributed

setof

servers

that

maintains

adatabase

of

information

about

users.X.509

definesa

framework

for

the

provision

of

authentication

services

by

the

X.500

directory

to

its

users.

The

directory

may

serve

as

arepository

of

public-key

certificates.

In

addition,

X.509

defines

alternative

authentication

protocols

based

on

the

use

of

public-key

certificates.X.509

is

based

on

the

use

of

public-key

cryptography

and

digital

signatures.

The

standard

does

not

dictate

the

use

of

aspecific

algorithm

butrecommends

RSA.The

X.509

certificate

format

is

widelyused,

in

for

example

S/MIME,

IP

Security

and

SSL/TLS

and

SET.§14.5公鑰基礎(chǔ)設(shè)施9/7/202055華中農(nóng)業(yè)大學(xué)信息學(xué)院RFC

2822

(Internet

Security

Glossary)

defines

public-key

infrastructure

(PKI)

as

the

set

of

hardware,

software,

people,

policies,

and

proceduresneeded

to

create,

manage,

store,

distribute,

and

revoke

digital

certificates

based

on

asymmetric

cryptography.

The

IETF

Public

KeyInfrastructure

X.509

(PKIX)

workinggroup

has

setup

a

formal

(and

generic)

model

based

on

X.509

that

is

suitable

for

deployinga

certificate-based

architecture

on

the

Internet.Stallings

Figure

14.7

shows

the

interrelationship

among

the

key

elements

of

the

PKIX

model,

and

lists

the

various

management

functions

needed.Public

Key

Infrastructure，PKI9/7/202056華中農(nóng)業(yè)大學(xué)信息學(xué)院端實體簽證機構(gòu)CA注冊機構(gòu)RA證書撤銷列表發(fā)布CRL證書存儲庫RFC

2822