Introduction to BestTruest PKICA
Chapter 1 Introduction to the System and Description of Its Functions
1. PKI description
Generally, the threats faced by network banking and electronic commerce are mainly as follows:
- Illegal access
- Illegal modification (tampering)
- Counterfeiting (forgery)
- Denial of service
- Repudiation
To counter the above threats, an electronic commerce application system must meet the following security requirements:
- Data encryption
- Access control
- Trusted identity authentication
- Data integrity
- Non-repudiation
Public key technology (PKT) meets the first two and the latter three of the above security requirements respectively, by means of security services such as encryption and digital signature, and it possesses advantages that traditional symmetric cryptosystems cannot match. In addition, applications such as electronic commerce and network banking pay special attention to establishing a highly trusted environment. Thus, over the past years, PKT has step by step taken the leading position in electronic commerce applications.
PKI (Public Key Infrastructure) is a comprehensive security platform developed on the basis of PKT, which can transparently provide PKT-based security services such as encryption and digital signature. The main aim of establishing a PKI is to manage keys and certificates. A trusted network computing environment can easily be established and maintained by means of PKI, so that people can mutually confirm each other's identity and exchange information in an environment in which they cannot directly face each other, and thus safely conduct commercial activity. It is easy to see that establishing a PKI-based security scheme is a good choice both for internal business such as a paperless office on an intranet and for Internet commerce applications such as electronic commerce and network banking.
2. Outline introduction to the system
BestTruest CA is a specialized enterprise-class electronic certification center product, which runs on the Windows NT/2000 platform. Compared with pure CA products, it achieves many breakthroughs in concept and function, and supports several kinds of formats, standards and algorithms.
3. Advantages of the system
BestTruest CA is based on PKI, while Kerberos-style CAs based on secret-key systems are withdrawing from the historical stage; the PKI CA has become the standard solution. BestTruest CA provides the following powerful functions:
- Supports issuing many kinds of certificates simultaneously, including:
  - WEB certificate (BestTruest CA personal/common certificate)
  - Enterprise certificate (BestTruest CA enterprise/advanced certificate)
  - SET certificate (in development)
  - VPN certificate (in development)
  - WAP certificate (in development), etc.
- Supports managing certificates and keys through their complete life cycle, including:
  - Issuing, renewing and revoking certificates
  - Generating, storing, renewing and rotating keys
  - Automatic key renewal
  - Cross-certification
  - Timestamping support
  - Non-repudiation support
  - Certificate repository, etc.
- Implements many international standards, including X.509, SSL, SPKM, PKCS#10, PKCS#11, PKCS#12, etc.
- Supports many standard algorithms, including popular public key algorithms such as RSA, ECC and DSA, and secret key algorithms such as DES, 3DES and CAST, etc. (BestTruest possesses an integral module that independently implements the above algorithms.)
- Simultaneously supports B2B and B2C transactions. Because a non-SET certificate is independent of the actual application, and the certificate is bound to a card number or account number, it is possible to support small-amount B2C transactions and large-amount B2B transactions at the same time.
- Provides many kinds of development tools, supporting partners in developing applications based on BestTruest CA.
- The RA system in BestTruest CA adopts a browser and WEB SERVER structure. Agents that issue certificates only need to install a browser and configure the necessary certificates and agent software, and they can then issue certificates. As the demand for certificates grows, it is easy to add more agents.
4. Composition of the BestTruest CA/RA system
The structure of a standard CA includes a root CA, a secondary CA and a third-level CA. The root CA is responsible for formulating and approving the general policy, issuing and managing the certificates of the secondary CA, and performing cross-certification with other root CAs. The secondary CA is responsible for issuing the certificates of the third-level CA, managing the certificates it has issued and the certificate revocation lists (CRLs) according to concrete policies, management rules and operating specifications, and managing the business of the third-level CA. The third-level CA is responsible for issuing and supporting all kinds of digital certificates and managing the certificates it has issued and its CRL. (The following figure is a schematic diagram of a more complete CA structure.)
In the CA system, the CA unit is responsible for generating keys and certificates and for maintaining and updating the CRL, but the CA system does not contact certificate applicants directly. Applicant information, together with revocation and cancellation requests from certificate applicants, is transmitted from the RA to the CA. Through its many branches, the RA system handles contact with certificate applicants.
Fig. Integral multi-stage CA model
5. Certificate types issued by the system
At present, the system supports issuing common and advanced certificates:
- The common certificate is recommended for SSL, S/MIME and SSL-based applications, e.g. network banking and small-amount purchases.
- The advanced certificate is intended for large-amount B2B transactions.
Other certificate types, such as VPN certificates and WAP certificates, will be considered in future development.
5.1 Application and characteristics of the common certificate
Advantages of using common certificates are:
- Relatively simple
- Mutual authentication of both parties
- E-mail encryption and digital signature with the user's client certificate
- Automatic CRL check by the WEB SERVER
Shortcomings are:
- Certificates are not centrally managed; the user must renew them.
- A single key pair is used; if keys are rotated (alternating keys), non-repudiation is not supported (it is suggested that the e-mail key be rotated).
- Relies on the cryptographic strength of the browser itself.
5.2 Application and characteristics of the advanced certificate
Advantages of using advanced certificates are:
- Mutual authentication of both parties
- Complete management system for the key and certificate life cycle
- Easy to use and transparent to users
- Automatic on-line CRL check on both the client side and the server side
- Robust key system
- Dual key pair system supporting non-repudiation
- Long-term full-text audit trail
- Historical records
- Solution based on the IETF standard (SPKM)
6. Application for the certificate
6.1 Application for the certificate
The user applies for the certificate
The applicant logs on to the CA web site or to an agent over the Internet and fills in the application form; the RA entry operator enters the user information into the unchecked database.
Check by the RA agent
The RA check operator reviews the user and decides whether the application is approved. If approved, he (or she) registers the user in the BestTruest CA system. The CA generates a reference code and an authorization code, which are sent to the applicant through two separate channels.
Download and install the certificate
The applicant accesses the BestTruest CA web site to download the WEB server certificate and the CA certificate, enters the issued reference code and authorization code on the certificate download page, and downloads the certificate.
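As an added illustration of the three-step flow just described (not BestTruest CA's own code), the following Python sketch models the unchecked database, the split between RA entry operator and RA check operator, and the reference code and authorization code the CA hands out for the download page; the code formats, the lockout threshold and the certificate record are assumptions.

```python
# Added example (not BestTruest CA code) modelling the enrollment flow above; the
# code formats, the lockout threshold and the certificate record are assumptions.
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

@dataclass
class Enrollment:
    subject: str
    state: str = "unchecked"   # unchecked -> approved -> issued (or rejected/locked)
    auth_code: str = ""        # delivered on a second channel, never on the web page
    failures: int = 0

class BestTruestStyleCA:
    MAX_FAILURES = 3           # assumed lockout threshold for wrong authorization codes
    def __init__(self) -> None:
        self.unchecked_db: Dict[str, Enrollment] = {}   # filled by the RA entry operator
        self.by_ref: Dict[str, Enrollment] = {}         # approved entries, keyed by reference code

    def ra_enter(self, applicant_id: str, subject: str) -> None:
        """RA entry operator records the application form; nothing is approved yet."""
        self.unchecked_db[applicant_id] = Enrollment(subject)

    def ra_check(self, applicant_id: str, approved: bool) -> Optional[Tuple[str, str]]:
        """RA check operator decides; on approval the CA generates the reference code
        and the authorization code, which are sent to the applicant by two channels."""
        e = self.unchecked_db[applicant_id]
        if e.state != "unchecked":
            raise ValueError("application already processed")
        if not approved:
            e.state = "rejected"
            return None
        ref, e.auth_code = secrets.token_hex(8), secrets.token_hex(16)
        e.state = "approved"
        self.by_ref[ref] = e
        return ref, e.auth_code

    def download(self, ref: str, auth: str) -> Optional[dict]:
        """Certificate download page: both codes must match, and only once."""
        e = self.by_ref.get(ref)
        if e is None or e.state != "approved":
            return None
        if not hmac.compare_digest(auth.encode(), e.auth_code.encode()):
            e.failures += 1
            if e.failures >= self.MAX_FAILURES:
                e.state = "locked"      # applicant must re-apply at the RA
            return None
        e.state, e.auth_code = "issued", ""   # codes are single-use
        return {"serial": secrets.token_hex(4), "subject": e.subject}
```

Keeping the two codes on separate channels and making them single-use means that an intercepted web page alone does not let anyone collect the certificate, which is the point of the two-way delivery described above.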
6.2 Revoking the certificate
Certificate revocation is mainly performed in two ways: active revocation and passive revocation. Active revocation means that the user submits a revocation request and the request is handled by an operator with the relevant rights at the agent; passive revocation means that an operator at the agent or a CA operator stops certifying the certificate by revoking it when he (or she) confirms that the certificate holder has violated the rules.
7. Characteristics of the system
Complete certificate management functions: issuing, revoking and cancelling.
Management mode suitable for financial organizations such as banks: operations in the bank are divided between entry operators and check operators, and flexible configuration can be performed according to the bank's conditions.
Multi-level and hierarchical implementation, helpful for the distribution of certificate issuing.
Multi-authority control in the RA system helps with management of the system and control of certificate issuing.
The browser-based mode is easy to configure and the network is easy to manage.
Interfacing with a SET system will be realized in future development.