제 4 장 . 공개키 기반구조
description
Transcript of 제 4 장 . 공개키 기반구조
-
4 .
-
4.1 4.2 4.3 4.4 PKI(Public Key Infrastructure)4.5 X.509 4.6 4.7 PKI 4.9 4.10 4.11 PKI
-
(Public Key Infrastructure) , OID(Object Idnetifier), X.500 DN(Distinguished Name)(CPS : Certification Practice Statement), LDAP(Lightweight Directory Access Protocol), FTP(File Transfer Protocol), OCSP(Online Certificate Status Protocol)
-
4.1 , WWW, security application , CA(Certification Authority) end entity CA private key digital signature CA public key
-
AInternet A
-
() ID digital stream , , , (CA : Certificate Authority) CA (RA : Registration Authority) : X.509 1, 2, 3
-
(Version) : , 1988(Serial Number) : CA (Algorithm Identifier) : OID(Issuer) : CA(Period of validity) : (Subject) : (Public-key information) : (Signature) : CA
-
(PKI : Public Key Infrastructure) (Certificate), (Certification Authority), (RA : Registration Authority) End entity, CA , 1996
-
CA off-line users User CA CA CA root CA CA end user chain (Trusted Path) : CA CRL(Certificate Revocation List)
-
SET hierarchical CA structure
-
(subject field) X.500 directory DN(Distinguished Name) X.500 directory X.500 directory entry , , , , e-mail address, DN DN X.500 directory DIT(Directory Information Tree) Root node node RDN(Relative Distingusihed Name)
-
X.500 directory entry (Continued)Root node RDN ISO , , , entry entry unique RDN End organization entry Unique RDN
-
X.500 DNRootIBM CN : K.D.Hong : 0418-542-8819 : [email protected] : DN : {C=KR, O=SCH, CN=K.D.Hong }RDN = KRRDN = K.D.HongRDN = SCH
-
4.2 CA , CA CA (Cross-certification) PKI CA
-
CA YCA XCA ZAlice AliceBob Bob
-
CA PAA(Policy Approving Authority) PCA PCA(Policy Certification Authority) CA(Certification Authority) CA ID (Identity Authentication) (Credential Authentication)
-
(extention) , , , , X.509 3 1, 2 CA , 3
-
4.3 PKI : root CA root CA PKI 2 CA 2 CA CA 3 CA 3 CA CA CA
-
-CA2- CA 3 -CA
-
CA .
-
4.4 PKI PAA PKI , CA PCA , PAA ( ) PCA CRL PKAF ; PARRA GOC PKI ; PMA ICE TEL PKI ; ICE-TEL CA
-
PCAPAA (COI, Community of Interest) ? ? ? CRL ?
-
CAPAA/PCA CA PCA PCA CA PCA .
-
ORA(Organizational Registration Authority) CA CA GOC PKI LRA(Local Registration Authority) CA CA CA
-
4.5 X.509 X.509 ITU X.509 v1, v2 (CRL:Certificate Revocation List) X.509 v3
-
X.509 v11988 CA
-
X.509 v1 DTI(Directory Information Tree) CA CA CA
-
X.509 v2X.509 v1 ID(issuer unique identifier) CA X.500 ID(subject unique identifier) X.500
-
X.509 v3 X.509 (standard extension) , (subject) , , CRL , 3 , ,
-
X.509 v3
-
CA (Authority Key Identifier) CA (Key Attribute) (Certificate Policy) PKI (Key Usage Restriction) (Policy Mapping) CA
-
(Subject Alternative Name) ID, e-mail / IP , DNS (Issuer Alternative Name) , ID, E-mail / IP , DNS (Subject Directory Attribute) X.500
-
, , , (Basic Constraints) CA, (Name Constraints) CA . (Policy Constraints)PKI
-
CRL CRL CRL(delta-CRL) , CRL CRL (Distribution Points)CA : , CRL CRL(Delta-CRLs)CRL CRL CRL(Indirect CRLs) CA CRL . CRL
-
4.6 X.509 CRL : CRL ID : CA X.509 : (UTC Time) : (UTC Time) : CRL : CRL :
-
CRL : + CA : CRL : CRL (e-mail, IP )CRL : CRL : CRL CRL : CRL CRL : : : : CRL
-
CRL CRL CRL CRL , CA
-
4.7 PKI IETF , , PKI PKI CA , CA PKI (CA), (RA), (EE), (Repository) PKI , ,
-
(EE : End Entity) PKI (CA) CA CA : CA CA RA(Registration Authority)CA , , , , , RA , CA RA CA .
-
PKI -IETF , RA, CA , RA, CA E-mail, HTTP, TCP/IP, FTP CA CA CA RA , .
-
(1) / , , , , RA CA . PKI(RA, CA) . : , RA, CA
-
(1) / 3 / EE -
-
CADirectoryService5. 4. 6. LADP 2. Alice 1. Alice 3. Alice / Alice
-
AliceCADirectoryService6. LADP 1. Alice / Alice 2. Alice 4. Alice
-
(2) (POP, Proof of Possession)CA/RA . . , CA/RA CA/RA .
-
(3) CA CA CA . CA CA CA CA .
-
(4) . CA CA .CA CRL CRL CRL .
-
() CA CA CA , CA CA
-
() CRL CA CRL PKI CRL CA CRL CA CRL CRL , CRL DB CRL .
-
() . CA PKI .
-
4.9 CA RA CA self-certificate fingerprint CA CA CA
-
CA CA . CA .CRL CA CRL .PKI CA , . CA . :
-
CA : CA PKI CA CA CA
-
. CA CA .
-
4.10 --CPS :Certification Practice Statements , CA , , CA CPS CA
-
, CA, RA, EE , ,
-
, , ,
-
CA, RA, EE , , , CA : FIPS PUB 140-1 level 2 CA :CA 3 , 128 DES , CA :CA CA CA : 3
-
CA , , , , , , , , ,
-
CRL CRL OID(Object Identifier)CA, RA, EE CRL CRL , , , ,
-
4.11 PKI CRL LDAP(Lightweight Directory Access Protocol)FTP(File Transfer Protocol) OCSP(Online Certificate Status Protocol)PKI CA LDAP FTP CRL
-
LDAP(Lightweight Directory Access Protocol)PKI CRL PKI , LDAP LDAP , , (Repository Read)EE CA PKI (Repository Search) PKI
-
(Repository Modify) PKI , , .
-
FTP(File Transfer Protocol) CA CRL CRL FTP CRL CRL CRL FTP anonymous FTP FTP .cer : .crl : CRL