IR PKI Std Report V1.0 Publish


Contents

1 ............ 4
2 ............ 4
3 ............ 5
4 ............ 7
5 ............ 16
5-1 .......... 16
5-2 .......... 17
6 ............ 17
6-1 .......... 17
6-2 .......... 18
6-3 .......... 19
7 ............ 20
7-1 .......... 20
7-2 .......... 20
8 ............ 21
8-1 OCSP/LDAP/TSP ...... 21
9 ............ 23
9-1 .......... 23
10 ........... 25
10-1 ......... 25
10-2 ......... 25
10-3 ......... 25
11 ........... 27
11-1 ......... 27
11-2 ......... 28
12 ........... 28
12-1 ......... 28
12-2 ......... 28
12-3 (CMS) ... 29
12-4 ......... 29
12-5 ......... 29



Domains covered by the report:

- PK-Enabling
- DN Profile
- Acceptable Algorithms
- CMP
- Security Token Requirements
- Security Token Validation Program
- Key Encryption (PKCS#5 & PKCS#8)
- Certificate Profile
- Local Algorithms
- CSR/CRMF/CMC
- Validation Program
- CMS (PKCS#7)
- CRL Profile
- Two Factor Authentication
- LDAP/OCSP/TSP
- Acceptable Interfaces
- PFX (PKCS#12)
- Certificate Path Validation
- CP/CPS


4

Standards referenced per domain:

Certificate profile: RFC 5280
CRL profile: RFC 5280
DN profile: RFC 2256

Acceptable algorithms:
- RSA: PKCS#1, FIPS 186-2, FIPS 186-3
- ECDSA: PKCS#13, FIPS 186-2, FIPS 186-3
- AES: ISO/IEC 18033-3, FIPS 197, NIST SP 800-38A, NIST SP 800-38C, NIST SP 800-38D
- TDES: ISO/IEC 18033-3, NIST SP 800-67, NIST SP 800-38A
- SHA1 & SHA2: FIPS 180-3
- MAC: FIPS 113, NIST SP 800-38B, NIST SP 800-38C
- HMAC-SHA1: FIPS 198-1
- PRNG: FIPS 186-2, ANSI X9.31

PKE (entity authentication using public key cryptography): FIPS 196
Algorithm validation: Cryptographic Algorithm Validation Program (CAVP)

CMP: RFC 4210
CSR, CRMF, CMC: PKCS#10 (CSR), RFC 4211 (CRMF), RFC 5272, RFC 5273, RFC 5274 (CMC)
OCSP/LDAP/TSP: RFC 2560 (OCSP), RFC 3161 (TSP), RFC 4510 (LDAP)
Certificate path validation (PKE): RFC 5280

Security token requirements: FIPS 140-2, Common Criteria Smart card Protection Profile, PKCS#11
Security token validation: NIST Cryptographic Module Validation Program (CMVP)
Acceptable interfaces: PKCS#11, Cryptographic Service Provider (CSP), Key Storage Provider (KSP)

PK-Enabling: DoD PKE (PK-Enabling of Applications)
CMS: PKCS#7, RFC 2315
CP/CPS: RFC 3647
Key encryption: PKCS#5, PKCS#8
PFX: PKCS#12

5

5-1

5-2

CRL and CRL Entry; IssuerName (SubjectName).

6

6-1

Security services:

1. Authentication
2. Integrity
3. Non Repudiation
4. Privacy

6-2

Kerckhoffs's principle: the security of a system must not depend on the secrecy of its design, only on the secrecy of the key.

6-3

AAA, the three A's:

- Authentication
- Authorization
- Accounting

The three A's in relation to PKE (PK-Enabled applications).


7

7-1

CMP (Certificate Management Protocol) is specified in RFC 4210; its request messages use CRMF (Certificate Request Message Format), RFC 4211.

7-2

Certificate request formats:

1. PKCS#10 CSR, which carries the SubjectName.
2. CRMF, the CSR format used by CMP and CMC.
3. CMS (Cryptographic Message Syntax).
4. CMC (Certificate Management over CMS).

Proof of possession (POP) of the private key is part of the request, as in PKCS#10.

Handling of the CSR by the RA and the CA (CSR in PKCS#10 or CRMF, RFC 4211, form):

1. The RA verifies the SubjectName.
2. The requester supplies proof of possession (POP) of the private key.
3. The RA verifies the POP.
4. The CA issues the certificate.

8

8-1 OCSP/LDAP/TSP

8-1-1 OCSP

OCSP (Online Certificate Status Protocol) provides certificate status online, as an alternative to the CRL. An OCSP client sends a status request to an OCSP responder, which answers with the status of the certificate. PKE applications consult OCSP this way. OCSP is specified in RFC 2560.

8-1-2 LDAP

The repository is the directory from which the CA's CRL is published; for relying parties it is read only. LDAP (Lightweight Directory Access Protocol) is specified in RFC 4510.

8-1-3 TSP

TSP (Time Stamp Protocol) for X.509 PKI is specified in RFC 3161.

9

9-1

X.509 certificate path validation in PK-Enabled (PKE) applications. The path runs from the end entity (User) through the issuing CA up to the Root CA; the Root CA certificate is self-signed. For the path User <- CA <- Root CA the validator checks:

1. Name chaining
2. Signature chaining
3. Certificate validity
4. Full CRL
5. Check status (CRL)

The Key Usage and Basic Constraints extensions are checked as well; the procedure is that of RFC 5280.
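The enrollment steps of 7-2 (PKCS#10 CSR, RA verification of the SubjectName and of the POP, issuance by the CA) and the path validation steps of 9-1 (name chaining, signature chaining, validity, full CRL, status check, Basic Constraints) worked through in Go with the standard library's crypto/x509. This is an added example, not code from the report or from any product it cites. The CA names, serial numbers, P-256 keys and the RA policy (the O attribute of the SubjectName must equal the organisation registered with the RA) are constructed for the example, and the CRL is built in memory rather than fetched from an LDAP repository.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

type entity struct { // a certificate with its private key (helper type for this example only)
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

func newKey() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }

// newCA builds a CA certificate for cn: self-signed when parent is nil (the Root CA), otherwise
// signed by parent (the subordinate CA). Both carry Basic Constraints cA=TRUE and keyCertSign/cRLSign.
func newCA(cn string, parent *entity, serial int64) (*entity, error) {
	key, err := newKey()
	if err != nil { return nil, err }
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	issuer, signer := tmpl, key // issuer == template makes CreateCertificate produce a self-signed cert
	if parent != nil { issuer, signer = parent.cert, parent.key }
	der, err := x509.CreateCertificate(rand.Reader, tmpl, issuer, &key.PublicKey, signer)
	if err != nil { return nil, err }
	cert, err := x509.ParseCertificate(der)
	return &entity{cert: cert, key: key}, err
}

// makeCSR is the end entity's step of 7-2: a PKCS#10 request carrying its SubjectName and public
// key, signed with the matching private key. That signature is the proof of possession (POP).
func makeCSR(cn, org string, key *ecdsa.PrivateKey) ([]byte, error) {
	subj := pkix.Name{CommonName: cn, Organization: []string{org}}
	return x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{Subject: subj}, key)
}

// raCheck is the RA's step of 7-2: verify POP (the request signature must verify under the public key
// inside the request) and check the SubjectName against an assumed policy: O must be the registered organisation.
func raCheck(csrDER []byte, registeredOrg string) (*x509.CertificateRequest, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil { return nil, err }
	if err := csr.CheckSignature(); err != nil { return nil, fmt.Errorf("POP failed: %w", err) }
	if o := csr.Subject.Organization; len(o) != 1 || o[0] != registeredOrg {
		return nil, fmt.Errorf("SubjectName %q rejected by RA policy", csr.Subject.String())
	}
	return csr, nil
}

// caIssue is the CA's step of 7-2: an end-entity certificate (cA=FALSE) for an RA-approved request.
func caIssue(ca *entity, csr *x509.CertificateRequest, serial int64) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: csr.Subject,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(12 * time.Hour),
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.cert, csr.PublicKey, ca.key)
	if err != nil { return nil, err }
	return x509.ParseCertificate(der)
}

// issueCRL signs a full CRL listing the revoked serials, as the CA would publish to the LDAP repository.
func issueCRL(ca *entity, revoked []*big.Int) ([]byte, error) {
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: time.Now().Add(-time.Hour), NextUpdate: time.Now().Add(24 * time.Hour)}
	for _, s := range revoked {
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates, pkix.RevokedCertificate{SerialNumber: s, RevocationTime: time.Now()})
	}
	return x509.CreateRevocationList(rand.Reader, tmpl, ca.cert, ca.key)
}

// validatePath runs the section 9 checks on the path User <- CA <- Root CA. x509.Verify covers name chaining,
// signature chaining, validity period, Basic Constraints and extended key usage; the status check against a
// full CRL (which must itself be signed by the issuing CA) is done explicitly.
func validatePath(user, subCA, root *x509.Certificate, crlDER []byte) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root); inters.AddCert(subCA)
	opts := x509.VerifyOptions{Roots: roots, Intermediates: inters, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := user.Verify(opts); err != nil { return err }
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil { return err }
	if err := crl.CheckSignatureFrom(subCA); err != nil { return fmt.Errorf("CRL not signed by the CA: %w", err) }
	for _, e := range crl.RevokedCertificates {
		if e.SerialNumber.Cmp(user.SerialNumber) == 0 { return fmt.Errorf("serial %v is on the CRL", e.SerialNumber) }
	}
	return nil
}

func main() {
	root, _ := newCA("Example Root CA", nil, 1)
	sub, _ := newCA("Example Issuing CA", root, 2)
	key, _ := newKey()
	csrDER, _ := makeCSR("alice", "Example Org", key)
	csr, err := raCheck(csrDER, "Example Org")
	if err != nil { fmt.Println(err); return }
	user, _ := caIssue(sub, csr, 1001)
	crl, _ := issueCRL(sub, nil)
	fmt.Println("path validation error:", validatePath(user, sub.cert, root.cert, crl)) // <nil>
}
```

Go 1.19 or newer is needed for x509.ParseRevocationList and CheckSignatureFrom. Two failure modes are worth exercising: changing a byte of the CN inside the DER request (without re-signing) keeps it parseable but makes CheckSignature fail, which is exactly the POP check the RA relies on; and a CRL that lists the user's serial makes validatePath fail even though the chain itself verifies. Go's Verify does not check the keyUsage bits of CA certificates, only Basic Constraints and extended key usage, so a profile that mandates keyCertSign/cRLSign on CA certificates needs that check added by the application.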


10

10-1

Security token requirements: FIPS 140-2.

10-2

PKE.

10-3

PKCS#11 (Cryptoki): slots and tokens.

[Figure: the general Cryptoki model from PKCS#11. Application 1 ... Application k, each above its Other Security Layers, call Cryptoki; Cryptoki performs Device Contention/Synchronization across Slot 1 ... Slot n, each holding Token 1 (Device 1) ... Token n (Device n).]

HSM.


11

11-1

PK-Enabling: adapting applications to use the PKI, yielding PK-Enabled (PKE) applications. Examples: ActiveX, Applet, VPN. DoD PKE (PK-Enabling). CRL handling in PKE applications.

11-2

PKE.

12

12-1

CP (Certificate Policy) and CPS (Certification Practice Statement): RFC 3647.

12-2

PKCS#5 (password-based cryptography).

12-3 CMS (Cryptographic Message Syntax)

CMS content types relevant to PKE: data, signed-data, enveloped-data, signed-and-enveloped-data, digested-data. Signed-data in CMS; CMS is derived from PKCS#7.

12-4

PKCS#8 (private-key information syntax). The encrypted form of a PKCS#8 key uses PKCS#5 password-based encryption; PKCS#8.

12-5

PKCS#12 (PFX); it builds on PKCS#5, PKCS#7 and PKCS#8.