密码编码学与网络安全 ch14-认证应用系统.ppt

# user1 openssl genrsa -out userkey.pem 1024 openssl req -new -days 3650 -key userkey.pem -out userreq.pem openssl ca -in userreq.pem -out usercert.pem mv *.pem ./demoCA/newcerts/. 证书解析 手工演示 in windows use openssl.exe openssl x509 -in cert.pem -text 编程 参考 .\apps\x509.c 其他 证书厂商提供的解析库API 证书操作 (in OpenSSL) PEM_read_bio_X509_AUX() X509_get_version() X509_get_issuer_name() X509_get_subject_name() X509_get_pubkey() X509_verify() 解析证书例程 推荐阅读：CA运营机构及其它 请看IE中受信任的证书颁发机构 VeriSign / SDCA / Shop365 / SHECA / CFCA / CNCA (gd) Misc /dzsw_aqx/dzsw_aqx_ml.html 资料链接 Kerberos /kerberos/www/ X509 /TERM/X/X_509.html /rfc/rfc2459.txt 制作 SSL X.509 CERT http://www.imacat.idv.tw/tech/sslcerts.html.zh-cn PKI /Top/Computers/Security/Public_Key_Infrastructure/ /search?q=pkiie=UTF-8oe=UTF-8hl=zh-CNlr= 关键词 Key Terms authentication authentication server Kerberos Kerberos realm lifetime nonce propagating cipher block chaining (PCBC) mode public-key certificate realm sequence number subkey ticket ticket-granting server (TGS) X.509 certificate 小结 Kerberos适合在LAN上使用，Windows域就是用的它。PKI是互联网这种分布式环境安全的主要解决方法。PKI的核心是CA的建设，CA的优点在于其是离线中心。CA的一个麻烦事是证书黑名单(CRL/OCSP)的处理。PKI的部署较为繁琐，而且PKI主要帮助通信加密、抗抵赖等，对于系统安全问题(病毒和黑客)帮助不大，因此降低了用户部署的积极性。 Q A * 原版 “Cryptography and Network Security”, 4/e, by William Stallings 中译本 密码编码学与网络安全 第四版 PPT制作 林丰波 电子工业出版社 2006 - 2007 * In Greek mythology it is the three-headed dog that guarded the entrance to Hades. Designing an Authentication System: a Dialogue in Four Scenes \ /kerberos/www/dialogue.html :: Designing an Authentication System: a Dialogue in Four Scenes Copyright 1988, 1997 Massachusetts Institute of Technology. All Rights Reserved. Originally written by Bill Bryant, February 1988. Cleaned up and converted to HTML by Theodore Tso, February, 1997. An afterword describing the changes in Version 5 of the Kerberos protocol was also added. Abstract This dialogue provides a fictitious account of the design of an open-network authentication syst