密碼編碼學(xué)與網(wǎng)絡(luò)安全培訓(xùn)課程

原原版版“Cryptography

andNetwork

Security”,4/e,by

William

Stallings中中譯譯本本密密碼碼編編碼碼學(xué)學(xué)與與網(wǎng)網(wǎng)絡(luò)絡(luò)安安全全第第四四版版PPT制制作作林林豐豐波波電電子子工工業(yè)業(yè)出出版版社社2006-2007密碼編碼學(xué)與網(wǎng)絡(luò)安全電子工業(yè)出版社2006-2007第14章認(rèn)證應(yīng)用系統(tǒng)???KerberosX.509/CA公鑰基礎(chǔ)設(shè)施PKI↓↓↓14.a

PKI

in

Windows*

14.b

EJBCA14.c

OpenCA14.d

CA

with

OpenSSL↓↓↓↓認(rèn)證系統(tǒng)

Kerberos主要是局域網(wǎng)上的認(rèn)證系統(tǒng)，它早期基于對(duì)稱算法，封裝了加密、鑒別等安全服務(wù)，提供了統(tǒng)一的用戶接口。后期

Kerberos也開始支持公鑰，使用證書。

PKI/CA好像是解決電子商務(wù)安全的正確道路。CA是一個(gè)離線中心，因此適合互聯(lián)網(wǎng)這種分布式又管理松散的環(huán)境。但是維護(hù)一個(gè)CA(不管是商用CA或自己獨(dú)立的CA)給人的感覺是過于復(fù)雜。14.1

KerberosLAN上的安全KerberosKerberos

in

WindowsKerberos

in

LinuxLAN上安全服務(wù)器、工作站、用戶用戶使用工作站訪問服務(wù)器資源局域網(wǎng)上安全問題竊聽導(dǎo)致泄密重放攻擊假冒用戶，用戶盜用工作站假冒工作站，工作站地址被盜用對(duì)應(yīng)的可能安全方法工作站核認(rèn)用戶身份工作站向服務(wù)器證實(shí)自己的身份(信任用戶身份)用戶和服務(wù)器相互認(rèn)證/鑒別Kerberos動(dòng)機(jī)目標(biāo)防竊聽，防假冒透明，只要輸入一個(gè)口令可靠，合法性的唯一標(biāo)識(shí)依據(jù)就是獲得KB訪問可擴(kuò)展伸縮性，適應(yīng)模塊化和分布式服務(wù)鑒別Authentication授權(quán)Authorization記帳AccountingIn

Greek

mythology

itis

the

three-headed

dog

that

guarded

the

entrance

to

Hades.KerberosThe

Network

Authentication

ProtocolKerberos

is

a

network

authenticationprotocol.It

is

designed

to

provide

strongauthentication

for

client/serverapplications

by

using

secret-keycryptography.A

free

implementation

of

this

protocol

isavailable

from

the

MIT.

Kerberos

isavailable

in

many

commercial

products

aswell./kerberos/www//faqs/kerberos-

faq/general/Designing

an

Authentication

System:

a

Dialogue

in

Four

Scenes

\/kerberos/www/dialogue.html::Designing

anAuthenticationSystem:a

Dialogue

inFour

ScenesCopyright

1988,

1997

Massachusetts

Institute

of

Technology.

All

Rights

Reserved.Originally

writtenby

Bill

Bryant,

February

1988.Cleaned

up

and

converted

to

HTML

by

Theodore

Ts"o,

February,

1997.

An

afterword

describing

the

changes

in

Version

5

of

theKerberos

protocol

was

also

added.AbstractThis

dialogue

provides

a

fictitious

accountofthe

design

of

an

open-network

authentication

systemcalled

"Charon."

As

the

dialogueprogresses,

the

characters

Athena

and

Euripides

discover

the

problems

of

security

inherent

in

an

open

network

environment.Eachproblemmust

be

addressed

in

the

design

of

Charon,

and

the

design

evolves

accordingly.

Athena

and

Euripides

don"t

complete

theirwork

until

the

dialogue"s

close.When

they

finish

designing

the

system,

Athena

changes

the

system"s

name

to

"Kerberos,"

the

name,

coincidentally

enough,

of

theauthentication

systemthat

was

designed

and

implementedat

MIT"s

Project

Athena.

The

dialogue"s

"Kerberos"

systembears

astriking

resemblence

to

the

systemdescribed

in

Kerberos:

AnAuthentication

Service

for

OpenNetwork

Systems

presented

at

theWinter

USENIX

1988,

at

Dallas,

Texas.ContentsDramatis

PersonaeScene

IScene

IIScene

IIIScene

IVDramatis

PersonaeAthena

an

upand

coming

systemdeveloper.Euripides

a

seasoned

developer

and

resident

crank.Scene

IA

cubicle

area.

Athena

andEuripides

are

working

atneighboring

terminals.

Athena:

Hey

Rip,

this

timesharing

systemis

a

drag.

I閱讀

Designing

an

Authentication

System:

aDialogue

in

Four

Scenes–

/kerberos/www/dialogue.htmlKerberos

v4的啟發(fā)協(xié)議V4核心舉例C是客戶、V是服務(wù)器、AS是鑒別服務(wù)器C－>AS：IDc＋Pc＋I(xiàn)Dv，Pc是c的口令C

<－

AS：Ticket

＝

Ekv(IDc＋ADc＋I(xiàn)Dv)ADc是C的網(wǎng)絡(luò)地址，kv是AS和V的共享密鑰C

－>

V

：IDc＋Ticket問題Pc的明文傳輸用戶口令的一次輸入，重復(fù)使用票據(jù)的生存周期對(duì)服務(wù)器的鑒別Kerberos

v4

Overview?Kerberos

v4請求域間服務(wù)Kerberos

v4

Message?Kerberos

v5改進(jìn)不僅依賴于DES不僅使用IP協(xié)議使用ASN.1/BER數(shù)據(jù)編碼規(guī)則擴(kuò)展了票據(jù)有效期鑒別的轉(zhuǎn)發(fā)(代理/轉(zhuǎn)讓)加強(qiáng)了領(lǐng)域間的鑒別能力省去了不必要的雙重加密PCBC－CBC增強(qiáng)了抗口令攻擊的能力增加了一票據(jù)對(duì)會(huì)話密鑰的能力Kerberos

v5

MessageKerberos中的passwd、key、encpasswd

keyn個(gè)字符的串

7n個(gè)比特序列

往返56b折疊并xor56bit

DES

key－PCBC–

Cn＝Ek(Cn-1

XOR

Pn-1

XOR

Pn)Kerberos

DistributionThe

MIT

Kerberos

Team/kerberos/www/Kerberos

in

Linux#rpm

-qa

|

grep

krbConfiguring

a

Kerberos

5

ServerConfiguring

a

Kerberos

5

Client/docs/manuals/linux/RHL-

9-Manual/ref-guide/ch-kerberos.htmlKerberos

in

Windows密鑰發(fā)行中心(KDC)一種網(wǎng)絡(luò)服務(wù)，提供在Kerberos

V5身份驗(yàn)證協(xié)議中使用的會(huì)話票證和臨時(shí)會(huì)話密鑰。票證用于安全原則的標(biāo)識(shí)數(shù)據(jù)集，是為了進(jìn)行用戶身份驗(yàn)證而由域控制器發(fā)行的。Windows中的兩種票證形式是票證授予式票證(TGT)和服務(wù)票證。票證授予式票證(TGT)用戶登錄時(shí)，Kerberos密鑰分發(fā)中心(KDC)頒發(fā)給用戶的憑據(jù)。當(dāng)服務(wù)要求會(huì)話票證時(shí)，用戶必須向KDC遞交

TGT。因?yàn)門GT對(duì)于用戶的登錄會(huì)話活動(dòng)通常是有效的，它有時(shí)稱為“用戶票證”。票證授予服務(wù)(TGS)由“KerberosV5密鑰分發(fā)中心(KDC)”服務(wù)提供的一種KerberosV5服務(wù)，它在域中發(fā)行允許用戶驗(yàn)證服務(wù)的服務(wù)票證。Kerberos

in

Windows

(2k3)Kerberos

V5身份驗(yàn)證Kerberos

V5是在域中進(jìn)行身份驗(yàn)證的主要安全協(xié)議；同時(shí)要驗(yàn)證用戶的身份和網(wǎng)絡(luò)服務(wù)。Kerberos

V5工作原理概述Kerberos

V5身份驗(yàn)證機(jī)制頒發(fā)用于訪問網(wǎng)絡(luò)服務(wù)的票證。這些票證包含加密的數(shù)據(jù)，其中包括加密的密碼，用于向請求的服務(wù)確定用戶的身份。除了輸入密碼或智能卡憑據(jù)，整個(gè)身份驗(yàn)證過程對(duì)用戶都是不可見的。Kerberos

V5中的一項(xiàng)重要服務(wù)是密鑰發(fā)行中心(KDC)。

KDC作為Active

Directory目錄服務(wù)的一部分在每個(gè)域控制器上運(yùn)行，它存儲(chǔ)了所有客戶端密碼和其他帳戶信息。-–Kerberos

V5身份驗(yàn)證過程按如下方式工作：客戶端上的用戶使用密碼或智能卡向KDC進(jìn)行身份驗(yàn)證。KDC為此客戶頒發(fā)一個(gè)特別的票證授予式票證?？蛻舳讼到y(tǒng)使用TGT訪問票證授予服務(wù)(TGS)，這是域控制器上的

Kerberos

V5身份驗(yàn)證機(jī)制的一部分。TGS接著向客戶頒發(fā)服務(wù)票證?？蛻粝蛘埱蟮木W(wǎng)絡(luò)服務(wù)出示服務(wù)票證。服務(wù)票證向此服務(wù)證明用戶的身份，同時(shí)也向該用戶證明服務(wù)的身份。Kerberos

V5服務(wù)安裝在每個(gè)域控制器上，每個(gè)域控制器作為KDC使用。域控制器在用戶登錄會(huì)話中作為該用戶的首選KDC運(yùn)行。Kerberos客戶端安裝在每個(gè)工作站和服務(wù)器上?？蛻舳耸褂糜蛎?wù)(DNS)定位最近的可用域控制器。如果首選

KDC不可用，系統(tǒng)將定位備用的KDC來提供身份驗(yàn)證。Windows域了解以下概念Windows

ServerDomain

/

Active

DirectoryWorkstation

join

the

DomainLogin

into

a

DomainResource

in

a

Domain并練習(xí)驗(yàn)證相關(guān)概念使用虛擬機(jī)VmwareKerberos

in

LinuxKerberos

Infrastructure

HOWTO/HOWTO/Kerberos-

Infrastructure-HOWTO/index.htmlIn

Fedora

Core

based

GNU/Linuxthe

packages

required

to

provide

Kerberosservice

are:“#rpm

-qa

>

grep

krb”krb5-serverkrb5-libsAbout

choosing

a

realm

nameKerberos

in

Linux/etc/krb5.confdefault_realm

=

GNUD.IE[realms]GNUD.IE

=

{kdc

=

kerberos1.gnud.ie:88kdc

=

kerberos2.gnud.ie:88admin_server

=

kerberos1.gnud.ie:749default_domain

=

gnud.ie}[domain_realm].gnud.ie

=

GNUD.IEgnud.ie

=

GNUD.IEKerberos

in

Linux

To

initialize

and

create

the

Kerberos

database:#

/usr/Kerberos/sbin/kdb5_util

create

-sedit

the

acl

file

to

grant

administrative

access/etc/krb5.conf/var/Kerberos/krb5kdc/kdc.conf/var/Kerberos/krb5kdc/kadm5.acl

any

account

which

ends

with

a

/admin

in

theGNUD.IE

realm

is

granted

full

access

privileges:*/admin@GNUD.IE

*Kerberos

in

LinuxCreate

administrative

user#

/usr/Kerberos/sbin/kadmin.local

-q

"addprincadmin/admin"To

start

automatically#

/sbin/chkconfig

krb5kdc

on#

/sbin/chkconfig

kadmin

onStart

up

manually#

/etc/rc.d/init.d/krb5kdc

start#

/etc/rc.d/init.d/kadmin

start

Create

the

user

principal#

kadmin.localKerberos

in

LinuxTime

SynchronizationThe

Network

Time

Protocol

(NTP)NTP

package/etc/ntp.conf–

server

Kerberos

in

Linux

Client

packagekrb5-workstation/etc/krb5.conf/var/Kerberos/krb5kdc/kdc.confTest

Kerberos

authentication

using

the

kini$

kinit

<username>the

KDC

log

(server

side)/var/log/Kerberos/krb5kdc.logKerberos

in

LinuxPAM

-

Pluggable

Authentication

Module/usr/share/doc/pam_krb5-1.55/pam.dauth

required

/lib/security/pam_krb5.so

use_first_passApache

Web

Server<Directory

"/home/httpd/htdocs/content">AllowOverride

NoneAuthType

KerberosV5AuthName

"Kerberos

Login"KrbAuthRealm

GNUD.IErequire

valid-user</Directory>vs.

wins–

/windows2000/techinfo/planning/security/k

rbsteps.aspAdditional

ResourcesRFC

1510

(2942/3244)http://www.rfc-/rfcsearch.htmlKerberos

FAQ/faqs/kerberos-faq/general/indexFermilab

Kerberos–

/docs/strongauth//docs/strongauth/html/

/docs/manuals/linux/RHL-9-

Manual/ref-guide/pt-security-reference.html14.2

X.509/CAX509定義了公鑰認(rèn)證服務(wù)框架。Certificate證書印象PKI/X.509CA

in

Win2kEJBCA>openssl

x509

-informder

-text

<

msroot.cerCertificate:Data:Version:

3

(0x2)Serial

Number:c1:00:8b:3c:3c:88:11:d1:3e:f6:63:ec:df:40Signature

Algorithm:

md5WithRSAEncryptionIssuer:

OU=Copyright

(c)

1997

Microsoft

Corp.,

OU=Microsoft

Corporation,CN=Microsoft

Root

AuthorityValidityNot

Before:

Jan

10

07:00:00

1997

GMTNot

After

:Dec

31

07:00:00

2020

GMTSubject:

OU=Copyright

(c)

1997

Microsoft

Corp.,

OU=Microsoft

Corporation,

CN=Microsoft

Root

AuthoritySubject

Public

Key

Info:Public

Key

Algorithm:

rsaEncryptionRSA

Public

Key:

(2048

bit)Modulus

(2048

bit):00:a9:02:bd:c1:70:e6:3b:f2:4e:1b:28:9f:97:78:5e:30:ea:a2:a9:8d:25:5f:f8:fe:95:4c:a3:b7:fe:9d:a2:20:3e:7c:51:a2:9b:a2:8f:60:32:6b:d1:42:64:79:ee:ac:76:c9:54:da:f2:eb:9c:86:1c:8f:9f:84:66:b3:c5:6b:7a:62:23:d6:1d:3c:de:0f:01:92:e8:96:c4:bf:2d:66:9a:9a:68:26:99:d0:3a:2c:bf:0c:b5:58:26:c1:46:e7:0a:3e:38:96:2c:a9:28:39:a8:ec:49:83:42:e3:84:0f:bb:9a:6c:55:61:ac:82:7c:a1:60:2d:77:4c:e9:99:b4:64:3b:9a:50:1c:31:08:24:14:9f:a9:e7:91:2b:18:e6:3d:98:63:14:60:58:05:65:9f:1d:37:52:87:f7:a7:ef:94:02:c6:1b:d3:bf:55:45:b3:89:80:bf:3a:ec:54:94:4e:ae:fd:a7:7a:6d:74:4e:af:18:cc:96:09:28:21:00:57:90:60:69:37:bb:4b:12:07:3c:56:ff:5b:fb:a4:66:0a:08:a6:d2:81:56:57:ef:b6:3b:5e:16:81:77:04:da:f6:be:ae:80:95:fe:b0:cd:7f:d6:a7:1a:72:5c:3c:ca:bc:f0:08:a3:22:30:b3:06:85:c9:b3:20:77:13:Certificate證書印象證書是可靠發(fā)布公鑰的載體公鑰及其持有人信息其他信息(用途、有效期、)簽發(fā)人及其簽名(對(duì)上面信息)例子解析見備注行/rfc/rfc2459.txt

Internet

X.509

Public

Key

Infrastructure

Certificate

and

CRL

ProfileX.509分發(fā)公鑰證書格式內(nèi)容、格式和編碼、簽名鑒別協(xié)議X509中推薦的協(xié)議應(yīng)用IPSec、SSL/TLS、SET、S/MIME、PGP、…RFC

2459–

Internet

X.509

Public

Key

Infrastructure

Certificate

and

CRL

Profile從公鑰到證書審核證書格式版本序列號(hào)

簽名算法標(biāo)識(shí)其參數(shù)簽發(fā)者名字不早于，不遲于主題名(持有人名)

算法標(biāo)識(shí)其參數(shù)

公鑰簽發(fā)人標(biāo)識(shí)(重名)持有人標(biāo)識(shí)擴(kuò)展

簽名算法參數(shù)簽名X509v3擴(kuò)展V3以可選擴(kuò)展項(xiàng)的形式體現(xiàn)(擴(kuò)展名字，值，是否可忽略)密鑰標(biāo)識(shí)符密鑰用途簽名、加密、密鑰交換、CA等組合私鑰使用期限對(duì)應(yīng)的公鑰一般有更長的期限以用于驗(yàn)證策略信息等頒發(fā)者和持有人的更多信息證書路徑的約束信息ASN.1編碼解析#openssl

asn1parse

-in

root.pem

-dump證書中心CACertificate

Authority權(quán)威的證書簽發(fā)者接受請求、審核、(收費(fèi))、簽發(fā)商業(yè)CA機(jī)構(gòu)Certificate

Request申請人產(chǎn)生自己的公鑰(私鑰)提交PKCS#10格式的申請公鑰、自己的身份信息，用戶自己的簽名審核頒發(fā)面對(duì)面的交涉;代理RA證書發(fā)布X500目錄;在線交換證書的獲得等問題證書是公開的，不需保密這很好信任對(duì)證書的信任基于對(duì)中心的信任CA是分層次的以減輕負(fù)載和壓力(尤其是審核)對(duì)多個(gè)中心的信任分散了風(fēng)險(xiǎn)，也引入了風(fēng)險(xiǎn)證書的自證明前提:已經(jīng)有CA的公鑰CA公鑰一般是自簽名證書的形式必須可靠的獲得，離線手工取得對(duì)方的證書證書是公開的，不需保密查目錄；在線交換判斷證書是否有效驗(yàn)證證書中的簽名是否是CA的真實(shí)簽名(只是說這個(gè)證書是有效的)信任關(guān)系信任信任CA信任CA的簽名信任CA簽發(fā)的證書信任該持有人擁有這個(gè)公鑰<持有人，公鑰>層次CA組織成為層次關(guān)系信任鏈信任某CA則信任其子CA及其子CA簽發(fā)的證書CA之間的相互信任相互給對(duì)方的公鑰簽署一個(gè)證書比比如如,我我的的身身份份證證是是濟(jì)濟(jì)南南公公安安局局簽簽發(fā)發(fā)的的,你你的的身身份份證證是是北北京京公公安安局局簽簽發(fā)發(fā)的的,但但是是都都?xì)w歸中中國國公公安安部部管管,所所以以相相互互信信任任.但但是是,他他的的證證件件是是美美國國簽簽發(fā)發(fā)的的,對(duì)對(duì)不不起起,我我不不能能信信任任他他.CA

TreeA和B之間如何達(dá)成相互信任證書的撤銷證書中的有效期證書提前作廢的原因

–私鑰泄密用戶自己的、CA的–持有人身份變化CRL

-

certificate

revocation

list由CA定期公布的證書黑名單作廢證書的序列號(hào)的表

(序列號(hào),撤銷時(shí)間)表的創(chuàng)建日期其他信息CRL位置、下次CRL更新時(shí)間簽名Online

Certificate

Status

ProtocolOCSP在線證書狀態(tài)協(xié)議–可以用在線方式查詢指定證書的狀態(tài)RFC

2560

–

OCSP使用證書進(jìn)行身份鑒別前提:已經(jīng)有某人的真實(shí)證書(公鑰)查目錄或在線交換鑒別鑒別對(duì)方是否是真實(shí)的持有人(某人)看對(duì)方是否擁有證書中公鑰對(duì)應(yīng)的私鑰使用挑戰(zhàn)－應(yīng)答機(jī)制舉例SSL協(xié)議這這個(gè)個(gè)協(xié)協(xié)議議的的執(zhí)執(zhí)行行流流程程當(dāng)當(dāng)然然可可以以更更優(yōu)優(yōu)化化些些，，比比如如SSL。。使用證書的鑒別過程鑒別－A要和B通信，A要弄清楚B是否是他所期望的真的BA－>B：A向B請求證書A<－B：B的證書A

：A檢查B的證書是否是A所信任的中心簽發(fā)的A－>B：A給B一個(gè)隨機(jī)報(bào)文，讓B簽個(gè)名來看看B

：B簽名，在簽名之前可施加自己的影響成分A<－B：B的簽名A

：檢驗(yàn)是否通過了B的證書里的公鑰的驗(yàn)證TerminologyITU

-

International

Telecommunication

Union/X.500

specInformation

technology

-

Open

Systems

InterconnectionThe

Directory:

Overview

of

concepts,

models

andservicesX.509

specInformation

technology

-

Open

Systems

InterconnectionThe

Directory:

Public-key

and

attribute

certificateframeworksOnline

Doc

($/CHF)/itudoc/itu-t/rec/x/x500up.html術(shù)語：X.500目錄服務(wù)DirectoryA

directory

is

a

database

optimized

for

read

operationsDirectories

often

support

powerful

search

and

browsingcapabilities.

A

directory

is

like

a

phone

book,

and

is

not

like

a

directory

(foldon

your

computer.

Like

a

phone

book,

the

directory

holdsinformation

about

a

thing,

like

a

doctor:

First,

you

find

the

phonebook,

then

you

find

"Doctors,"

then

you

look

for

the

type

ofdoctor,

then

you

decide

which

doctor

you

want

to

see.

The

directory

is

like

that.X.500

－

distributed

hierarchical

database分布式層次數(shù)據(jù)庫InterNIC發(fā)布人員信息（尤其是證書）An

Introduction

to

LDAP

/articles/intro_to_ldap.html（（中中譯譯本本））

/engineer/brimmer/html/LDAP.htm術(shù)語：LDAPLightweight

Directory

Access

Protocol–

is

an

open-standard

protocol

for

accessing

X.500

directory

services.

LDAP

is

a

lightweight

alternative

toX.500

Directory

Access

Protocol

(DAP)for

use

on

theInternet.

The

protocol

runs

over

Internet

transportprotocols,

such

as

TCP.–

LDAP

was

defined

by

the

IETF

in

order

to

encourage

adoption

of

X.500

directories.ldapman/OpenLDAP/Actrive

Directory

in

win2k術(shù)語：DN-distinguished

nameo="FooBar,

Inc.",

c=US以X.500格式表示的基準(zhǔn)DNo=用公司的Internet地址表示的基準(zhǔn)DNdc=foobar,

dc=com用DNS域名的不同部分組成的基準(zhǔn)DNcn=Oatmeal

Deluxe,ou=recipes,dc=foobar,dc=com燕麥粥食譜…*

dn:

cn=Oatmeal

Deluxe,

ou=recipes,

dc=foobar,

dc=comcn:

Instant

Oatmeal

DeluxerecipeCuisine:

breakfastrecipeIngredient:

1

packet

instant

oatmealrecipeIngredient:

1

cup

waterrecipeIngredient:

1

pinch

saltrecipeIngredient:

1

tsp

brown

sugarrecipeIngredient:

1/4

apple,

any

type術(shù)語：ASN.1ASN.1a

notation

for

describing

abstract

types

and

valuesX.208Type

/

Tag

number

(decimal)

/

Tag

number

(hexadecimal)INTEGER202BIT

STRING303OCTET

STRING404NULL505OBJECT

ID606SEQUENCE1610SET

and

SET

OF1711PrintableString1913T61String2014IA5String2216UTCTime2317術(shù)語：BER/DERBasic

Encoding

Rules

(x.209)The

Basic

Encoding

Rules

for

ASN.1,abbreviated

BER,

give

one

or

more

ways

torepresent

any

ASN.1

value

as

an

octet

string.Distinguished

Encoding

RulesThe

Distinguished

Encoding

Rules

for

ASN.1,abbreviated

DER,

are

a

subset

of

BER,

and

giveexactly

one

way

to

represent

any

ASN.1

value

asan

octet

string.DER

is

defined

in

Section

8.7

of

X.509.*

layman.doc編碼例子30

82

xx

xx–

30

seq–8

隨后的半個(gè)字節(jié)指示了隨后的長度–2

2個(gè)字節(jié)14.3PKIPKIXIETF

PKIX

charter–

/html.charters/pkix-charte14.a

PKI

in

WindowsWindows中對(duì)PKI的支持一個(gè)簡陋但是可用的CA可在IE和IIS之間跑HTTPS（HTTP+SSL）可使用Outlook*Express收發(fā)加密+簽名郵件實(shí)驗(yàn)任務(wù)–自己配置一個(gè)CA發(fā)放若干個(gè)證書并在IIS、IE、OE中測試CA安裝需Windows

Server手工添加CA組件并配置參數(shù)給IE申請一個(gè)證書

如果要求客戶身份

IE中申請用戶證書在CA的IE界面申請給IIS申請一個(gè)證書安裝IIS，新建一個(gè)WebServer為啟用SSL產(chǎn)生RSA鑰和PKCS#10

Req通過CA的IE界面提交申請：PKCS#10

Req在CA管理器中頒發(fā)、導(dǎo)出cer/der回到IIS的WebServer 導(dǎo)入cer/der設(shè)置SSL端口讓該WebServer請求SSLHTTPS然后可以嘗試用HTTPS協(xié)議訪問IIShttps://localhost/http://localhost/收發(fā)安全郵件使用IE中的證書（個(gè)人證書）OExp中使用RSA證書保護(hù)郵件 在CA的IE界面申請?jiān)贠Exp中使用參見第15章PKI

in

Windows

Server課堂演示使用虛擬機(jī)基本環(huán)境服務(wù)器：windows

serverCA

serverIIS客戶端：windowsIEOutlook

Express安安裝裝EJBCA步步驟驟總總結(jié)結(jié)=================by

linfb@

22:40

2004-9-7安安裝裝EJBCA需需要要JDK

1.4.xJBOSS

3.2.x

or

3.0.xAnt

1.6.x安安裝裝JDK

安安裝裝Ant

安安裝裝JBoss設(shè)設(shè)置置環(huán)環(huán)境境變變量量：：

JAVA_HOMEANT_HOMEJBOSS_HOMEEJBCA_HOMEPATH%PATH%加加入入JDK,ANT,JBOSS的的bin路路徑徑//

%JAVA_HOME%\bin;%JBOSS_HOME%\bin;%ANT_HOME%\bin

in

windows//

$JAVA_HOME\bin:$JBOSS_HOME\bin:$ANT_HOME\bin

in

linux額額外外的的需需要要jce_policy/j2se/1.4.2/docs/guide/security/jce/JCERefGuide.html在在%EJBCA_HOME%,ant/buildant#注注意意得得有有提提示示：：BUILD

SUCCESSFULant

deploy#ejbca-ca.ear啟動(dòng)JBoss服務(wù)14.b

EJBCA

EJBCA是一個(gè)基于JAVA的CA，應(yīng)用較廣泛。請看安裝札記。14.c

OpenCAOpenCA，一個(gè)復(fù)雜的CA系統(tǒng)–

/閱讀材料：–

http://www-

900./developerWorks/cn/security/se-

pkiusing/index.shtml14.d

CA

with

OpenSSLOpenSSL下載、編譯、安裝、配置相關(guān)功能目錄./apps/demoCA，./certsopenssl子命令(證書相關(guān))asn1parse、ca、crl、crl2pkcs7、nseq、ocsp、pkcs12、req、x509*練習(xí)–配置一個(gè)該CA，頒發(fā)證書，并試用mkdir

-p

./demoCA/{private,newcerts}touch

./demoCA/index.txtecho

01

>

./demoCA/serialopenssl

genrsa

-out./demoCA/private/cakey.pem

1024openssl

req

-new

-days

10000

-key./demoCA/private/cakey.pem

-out

careq.pemopenssl

ca

-selfsign

-in

careq.pem

-out./demoCA/cacert.pem#CA

ready//REF

佚佚名名把把所所有有shell

命命令令放放到到一一起起縱縱覽覽一一下下：：

#建建立立CA

目目錄錄結(jié)結(jié)構(gòu)構(gòu)mkdir

-p

./demoCA/{private,newcerts}touch

./demoCA/index.txtecho

01

>

./demoCA/serial#生生成成CA

的的RSA

密密鑰鑰對(duì)對(duì)openssl

genrsa

-out

./demoCA/private/cakey.pem

1024#生生成成CA

證證書書請請求求openssl

req

-new-days

3650

-key

./demoCA/private/cakey.pem-out

careq.pem#自自簽簽發(fā)發(fā)CA

證證書書openssl

ca

-selfsign

-in

careq.pem-out

./demoCA/cacert.pem#以以上上兩兩步步可可以以合合二二為為一一openssl

req

-new-x509

-days

3650

-key

./demoCA/private/cakey.pem-out

./demoCA/cacert.pem#生生成成用用戶戶的的RSA

密密鑰鑰對(duì)對(duì)

openssl

genrsa-out

userkey.pem#生生成成用用戶戶證證書書請請求求openssl

req

-new-days

3650

-key

userkey.pem-out

userreq.pem#使使用用CA簽簽發(fā)發(fā)用用戶戶證證書書openssl

ca

-in

userreq.pem-out

usercert.pem#

user1openssl

genrsa

-out

userkey.pem

1024

openssl

req

-new

-days

3650

-keyuserkey.pem

-out

userreq.pem

openssl

ca

-in

userreq.pem

-outusercert.pemmv

*.pem

./demoCA/newcerts/.證書解析手工演示in

windowsuse

opens