: :0/1
1 . - - . . . . " " . : . . . .
2 .
1
PK-Enabling
DN Profile
Acceptable Algorithms
CMP
Security Token Requirements Security Token Validation Program
Requirements
Key Encryption (PKCS#5 & PKCS#8)
Certificate Profile
Local Algorithms
CSR/CRMF/CMC
Validation Program
CMS (PKCS#7)
CRL Profile
Two Factor Authentication
LDAP/OCSP/TSP
Acceptable Interfaces
PFX (PKCS#12)
Certificate Path Validation
CP/CPS
3 .2
-
--
-
-- - - PKI
4 . 4 . 3 .3
) ( . . .
4
CRL .
RFC 5280
RFC 5280
RFC 2256
(DN)
:
RSA: PKCS#1, FIPS 186-2, FIPS 186-3
ECDSA: PKCS#13, FIPS 186-2, FIPS 186-3
AES: ISO/IEC 18033-3, FIPS 197, NIST sp 800-38A, NIST sp 800-38C, NIST sp 800-38D
TDES: ISO/IEC 18033-3, NIST sp 800-67
NIST sp 800-38A
2: SHA1 & SHA3-081 NIST sp :MAC 311 FIPS NIST 800-38B NIST 800-38C
: HMAC-SHA1-891 FIPS
PRNG: FIPS 186-2, ANSI X9.31
- PKE FIPS 196
Cryptographic Algorithm Validation Program (CAVP)
RFC 4210
(CMP)
PKCS#10 (CSR), RFC 4211 (CRMF), RFC 5272, RFC 5273, RFC 5274 (CMC)
(CSR, CRMF, CMC)
LDAP OCSP TSP
RFC 2560, RFC 3161
OCSP/LDAP/TSP
RFC 3494
PKE RFC 5280
FIPS 140-2
C.C Smart card Protection Profile, PKCS#11
PKE
NIST Cryptographic Module Validation Program (CMVP)
-
PKCS#11, Cryptographic Service Provider (CSP), Key Storage Provider (KSP)
) (PKE PK-Enabling DOD
)(PKE Applications )(PK-Enabling
PKE
PK-Enabling DOD
PKE
PKE PKE
PKCS#7, RFC 2315
(CMS)
CP CPS
RFC 3647
-
PKCS#5
PKCS#8
PKCS#12
) (
5 5-1 . . .
5-2 CRL CRL CRL Entry - ) SubjectName (IssuerName . .
6 6-1 : 1. : . 1 2 3 4 . 2. : .
1 Authentication
2 Integrity
3 Non Repudiation
4 Privacy
. 3. : . 4. : . .
6-2 1 : " - ." : ( . ( .
1 Kerckhoffs
. .
6-3 " " ) ( . " " . . AAA 3 A : Authentication : A . Authorization :A . Accounting :A . 3 A ) (PKE. PKE . " " " " . . .
7 7-1 1CMP . . RFC 4211 CRMF . - RFC 4210 . .
7-2 . : 1. PKI PKCS#10 CSR ) (SubjectName. 2 2. PKI CRMF CSR 3 CMS ) CMS 31-3 (. 4CMC . PKI CSR ) 5(POP - PKCS#10
1 Certificate Management Protocol
2 Certificate Request Message Format
3 Cryptographic Message Syntax
4 Certificate Management over CMS
5 Proof of Possession
CSR RA CA RA CA CSR . PKI ) (RA . CSR CRMF RFC 4211 RA CA . : 1. ) (SubjectName RA . 2. ) (POP - . 3. POP RA - . 4. CA . . .
8 8-1 OCSP/LDAP/TSP8-1-1 OCSP
1OCSP ) ( CRL. OCSP ) (2OCSP ) (3OCSP . OCSP ) ( . OCSP 4 OCSP . OCSP - OCSP . OCSP ) (OCSP PKE
) (OCSP RFC 2560 . 8-1-2 LDAP 5 . ) (CRL CA . CRL . 6 . 7 LDAP . LDAP RFC 3494 . 8-1-3 TSP 8 TSP X.509 . .
1 Online Certificate Status Protocol
2 OCSP Client
3 OCSP Responder
4 Status Request
5 Repository
6 Read Only
7 Lightweight Directory Access Protocol
8 Time Stamp Protocol
TSP RFC 3161 .
9 9-1 X.509 . ) (1PKE . - . . PKE . . ) (User ) ( CA CA ) (Root CA ) (Root CA ) (Self_Signed.Root CA CA User
:
1. (Name chaining)
2. (Signature chaining)
3. (Certificate Validity)
4. CRL (Full CRL)
5. (Check Status) CRL )
1 PK-Enabled
1 ( .2
. Key Usage Basic Constraints . . RFC 5280 .
1 Self Signed
2 Extension
01 01-1 - . . FIPS 140-2 . - . .
01-2 . PKE . . .
01-3
. PKCS#11 Cryptoki . Slot .
[Figure: Application 1 ... Application k; Other Security Layers; Cryptoki; Device Contention/Synchronization; Slot 1 ... Slot n; Token 1 (Device 1) ... Token n (Device n)]
. - HSM .
11 11-1 . ) (PK-Enabling . ) (PKI )-PK
Enabled PKE ( . : ) ( ActiveX Applet ) ( )(VPN
DOD PKE PKE . PKE PK-Enabling . PKE -
CRL PKE .
11-2 PKE PKE . - PKE . PKE . .
21 21-1 ) (CP ) (CPS . RFC 3647 .
21-2 .
. PKCS#5 .1
21-3 (CMS)
PKE signed-and-enveloped-data enveloped data Signed data data digested data
. CMS Signed-data . PKCS#7 .
21-4 PKCS#8 . PKCS#5 . PKCS#8 .
21-5 PKCS#12 . PKCS#12 PKCS#5 PKCS#7 PKCS#8 . . PKCS#12
.
1 Cryptographic Message Syntax