Transcript 資安實做(四)
資訊安全實作(四):系統傳輸安全規劃與設定
資訊安全實務:傳輸安全
(SSL安全網站建置流程)
大華技術學院資管系
企業資訊安全架構
Enterprise Information Systems
Business Risk Asses. & Security Policy(ISO17799)
Network Model
Network
Protocol
Application
HTTP、ODBC..
IT Systems
SET、SMIME.
Transport
TCP/UDP
TCP/UDP
SSL/TLS
IP
IP
Firewall、
VPN…
BUS. – BUS.
(NET – NET)
Internet
Ethernet、
Frame relay、
ATM、PPP…
Point to Point
Encryption…
BUS. – BUS.
(NET – NET)
Private NET
UTP FDDI…
Point to Point
Encryption…
BUS. – BUS.
(NET – NET)
Private NET
Network
Data link
Physical
Security
Protocol
Security
Application
IDV. – IDV.
IDV. – BUS.
PC – Server
(CLIENT - SERVER)
加解密簡介
Cryptography is the science of protecting data. Cryptographic algorithms
mathematically combine input plaintext data and an encryption key to
generate encrypted data or cipher text.
Encryption / Decryption
密碼學名詞定義
Algorithm : a set of steps to solve a mathematical problem.
Algorithms used in PKI : Asymmetric, Symmetric and Hashes.
Cryptographic Service Provider(CSP) : A library of cryptographic
algorisms(encryption, signing algorism…)which can be called via a
well-defined interface to perform a particular cryptographic function.
Key : Algorithm is open and The Keys…keep secret.
Certificate : Building trust of the keys usage.
Comparison of Key length and
Algorithms
Symmetric
Key
ECC
Key
RSA
Key
Time to
Break
56
112
420
5 minutes
80
160
760
600 Months
96
192
1020
3 million
years
128
256
1620
10E16
years
$10 millions for computer hardware and the universe is about 15X10E9 years
PKI-API
Sender
YES
Active the Security Mechanism
NO
System Error or the text has been changed.
Y/N
Step1:
Use Hash function to converge
the Cleartext and get a Hash
.Result
Receiver
Cleartext
Cleartext
Hash Result
Cleartext
Hash Result
Hash Result
Step2:
Use Sender’s Private Key to
encrypt the Hash Result with
RSA algorithm as the sender’s
Digital Signature.
DigitalRSA Cleartext
Signature
Digital RSA
Signature
Cleartext
Setp3:
Create a Random Key through
a white-noise generator to
encrypt the whole result of last
step with DES algorithm.
DES
DES
Digital RSA Ciphertext
Signature
Digital RSA Ciphertext
Signature
Step4:
RSA
Use Receiver’s Public Key
to encrypt the same Random Encryped
Key and create an Encrypted
Key
Key with RSA algorithm.
DES
Digital RSA Ciphertext
Signature
DES
Digital RSA Ciphertext
Signature
Step5:
Send the encrypted message
through a Secure Channel.
Secure
Channel
Step5:
Use Hash function to converge the
Cleartext and get a Hash.Result,
compare two Results to check
integrity of the Cleartext.
Step4:
Use Sender’s Public Key to
verify the Digital Signature and
get the Hash Result with RSA
algorithm and check authentication
of the Sender .
Setp3:
Use the Random Key to decrypt
the Ciphertext with DES
algorithm and get the Cleartext.
Step2:
RSA
Use Receiver’s Private Key
Encryped
to decrypt the Encrypted Key
Key
and get the Random Key
with RSA algorithm.
Step1:
Receive the encrypted message
through a secure channel.
公開金鑰結合智慧卡之運用
Smart card is a safe for the private key
Critical computation takes place in the card (signature & encryption)
No-one but its holder can enter the smart card or use
the information it keeps
憑證中心運作流程
企業端憑證運用
憑證中心作業
確認使用者權限
LDAP
CRL
Keys 管理
ACL/DB
Resources
APs
Mail
CA簽署使用者憑證
憑證廢止清單發布 憑證中心(CA)
RA 向 CA 申請作業
網路
註冊中心(RA)
PKI加解密
憑證存入使用者憑證容器
A
B
Cert_A 合法CA發放
RA發放使用者憑證
申請介面
Cert_A 沒被撤銷
使用者提出憑證申請
Cert_A 在有效期內
Cert_B 合法CA發放
Cert_B 沒被撤銷
Cert_B 在有效期內
WEB
On-site
安裝WEB站台
一、點選控制台裡的新增移除程式
三、將Certificate Service與IIS 打勾,再按下一步。
二、選擇新增移除Windows 元件
四、選擇獨立根 CA,在按下一步。