Transcript 資安實做(四)
資訊安全實作(四):系統傳輸安全規劃與設定 資訊安全實務:傳輸安全 (SSL安全網站建置流程) 大華技術學院資管系 企業資訊安全架構 Enterprise Information Systems Business Risk Asses. & Security Policy(ISO17799) Network Model Network Protocol Application HTTP、ODBC.. IT Systems SET、SMIME. Transport TCP/UDP TCP/UDP SSL/TLS IP IP Firewall、 VPN… BUS. – BUS. (NET – NET) Internet Ethernet、 Frame relay、 ATM、PPP… Point to Point Encryption… BUS. – BUS. (NET – NET) Private NET UTP FDDI… Point to Point Encryption… BUS. – BUS. (NET – NET) Private NET Network Data link Physical Security Protocol Security Application IDV. – IDV. IDV. – BUS. PC – Server (CLIENT - SERVER) 加解密簡介 Cryptography is the science of protecting data. Cryptographic algorithms mathematically combine input plaintext data and an encryption key to generate encrypted data or cipher text. Encryption / Decryption 密碼學名詞定義 Algorithm : a set of steps to solve a mathematical problem. Algorithms used in PKI : Asymmetric, Symmetric and Hashes. Cryptographic Service Provider(CSP) : A library of cryptographic algorisms(encryption, signing algorism…)which can be called via a well-defined interface to perform a particular cryptographic function. Key : Algorithm is open and The Keys…keep secret. Certificate : Building trust of the keys usage. Comparison of Key length and Algorithms Symmetric Key ECC Key RSA Key Time to Break 56 112 420 5 minutes 80 160 760 600 Months 96 192 1020 3 million years 128 256 1620 10E16 years $10 millions for computer hardware and the universe is about 15X10E9 years PKI-API Sender YES Active the Security Mechanism NO System Error or the text has been changed. Y/N Step1: Use Hash function to converge the Cleartext and get a Hash .Result Receiver Cleartext Cleartext Hash Result Cleartext Hash Result Hash Result Step2: Use Sender’s Private Key to encrypt the Hash Result with RSA algorithm as the sender’s Digital Signature. DigitalRSA Cleartext Signature Digital RSA Signature Cleartext Setp3: Create a Random Key through a white-noise generator to encrypt the whole result of last step with DES algorithm. DES DES Digital RSA Ciphertext Signature Digital RSA Ciphertext Signature Step4: RSA Use Receiver’s Public Key to encrypt the same Random Encryped Key and create an Encrypted Key Key with RSA algorithm. DES Digital RSA Ciphertext Signature DES Digital RSA Ciphertext Signature Step5: Send the encrypted message through a Secure Channel. Secure Channel Step5: Use Hash function to converge the Cleartext and get a Hash.Result, compare two Results to check integrity of the Cleartext. Step4: Use Sender’s Public Key to verify the Digital Signature and get the Hash Result with RSA algorithm and check authentication of the Sender . Setp3: Use the Random Key to decrypt the Ciphertext with DES algorithm and get the Cleartext. Step2: RSA Use Receiver’s Private Key Encryped to decrypt the Encrypted Key Key and get the Random Key with RSA algorithm. Step1: Receive the encrypted message through a secure channel. 公開金鑰結合智慧卡之運用 Smart card is a safe for the private key Critical computation takes place in the card (signature & encryption) No-one but its holder can enter the smart card or use the information it keeps 憑證中心運作流程 企業端憑證運用 憑證中心作業 確認使用者權限 LDAP CRL Keys 管理 ACL/DB Resources APs Mail CA簽署使用者憑證 憑證廢止清單發布 憑證中心(CA) RA 向 CA 申請作業 網路 註冊中心(RA) PKI加解密 憑證存入使用者憑證容器 A B Cert_A 合法CA發放 RA發放使用者憑證 申請介面 Cert_A 沒被撤銷 使用者提出憑證申請 Cert_A 在有效期內 Cert_B 合法CA發放 Cert_B 沒被撤銷 Cert_B 在有效期內 WEB On-site 安裝WEB站台 一、點選控制台裡的新增移除程式 三、將Certificate Service與IIS 打勾,再按下一步。 二、選擇新增移除Windows 元件 四、選擇獨立根 CA,在按下一步。