
Computer Engineering (计算机工程) ›› 2007, Vol. 33 ›› Issue (23): 179-181. doi: 10.3969/j.issn.1000-3428.2007.23.062

• Security Technology •

Multi-layer and Multi-aspect Design of CA System Security (CA系统安全性的分层多方面设计)

LAN Li-na (兰丽娜) (1), YANG Tao-hai (杨涛海) (2)

  1. School of Network Education, Beijing University of Posts and Telecommunications, Beijing 100088
  2. Telecom Research Institute, Ministry of Information Industry, Beijing 100083
  • Received: 1900-01-01  Revised: 1900-01-01  Online: 2007-12-05  Published: 2007-12-05

Abstract (translated from the Chinese): The security of the CA system itself is the key issue affecting the security of Internet e-commerce. This paper analyzes the overall network architecture of a CA system and proposes a multi-layer, multi-aspect security design for it, covering network-layer and application-layer security. Network-layer security uses partitioning into security zones, multi-layer firewall protection and switched Ethernet; application-layer security covers eight aspects, including software code signing against tampering, timestamps in data packets against replay attacks, zeroization of sensitive data in memory, encrypted storage in the database, and centralized monitoring. The design has been deployed at a CA center and has achieved good security results.

Keywords (translated): CA system, network-layer security, application-layer security, firewall, timestamp

Abstract: The security of the CA system itself is the key problem affecting the security of e-commerce. This paper analyzes the network architecture of a CA system and presents a multi-layer and multi-aspect security architecture for it. The security design focuses on the network layer and the application layer. Firewalls divide the CA system network into areas of different security grades. In the application layer the following protective methods are employed: a digital signature is appended to the software to prevent unauthorized code modification; the sender's timestamp is added to each packet to prevent replay attacks; sensitive data is zeroed in memory and stored encrypted in the database to prevent unauthorized reading; and a central monitoring system is used. The design has been employed successfully in a real CA system.

Key words: certificate authority (CA) system, network layer security, application layer security, firewall, time stamp
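As an added illustration of the application-layer measures the abstract lists (a sender timestamp in each packet against replay, integrity protection of the packet, and zeroing sensitive data in memory), the following Python sketch is not from the paper. It assumes a constructed shared HMAC key standing in for the paper's signature mechanism and a 30-second freshness window; both values are assumptions, not taken from the paper.

```python
import hashlib
import hmac
import json

# Assumptions (not from the paper): a constructed shared key stands in for the
# signing mechanism, and a 30 s freshness window bounds clock skew plus delivery delay.
SECRET = bytearray(b"constructed-demo-key-not-for-real-use")
WINDOW_SECONDS = 30


def _tag(body: dict) -> str:
    """Integrity tag over the canonical (sorted-key) JSON of the packet body."""
    canonical = json.dumps(body, sort_keys=True).encode()
    return hmac.new(bytes(SECRET), canonical, hashlib.sha256).hexdigest()


def build_packet(payload: str, now: float) -> dict:
    """Sender side: stamp the packet with its send time, then tag payload + timestamp."""
    body = {"payload": payload, "ts": int(now)}
    return {**body, "tag": _tag(body)}


class ReplayGuard:
    """Receiver side: reject tampered, stale, or already-seen packets."""

    def __init__(self, window: int = WINDOW_SECONDS):
        self.window = window
        self.seen = {}  # tag -> ts of packets accepted inside the current window

    def accept(self, pkt: dict, now: float) -> str:
        body = {"payload": pkt.get("payload"), "ts": pkt.get("ts")}
        tag = str(pkt.get("tag", ""))
        # 1. Integrity first: a forged timestamp must never reach the freshness check.
        if not hmac.compare_digest(_tag(body), tag):
            return "reject: bad tag"
        # 2. Freshness: outside the window the packet is stale (or from a skewed clock).
        if abs(now - body["ts"]) > self.window:
            return "reject: stale timestamp"
        # 3. Replay: a re-sent copy carries a valid, still-fresh timestamp, so the tags
        #    accepted inside the window are remembered; older entries are purged.
        self.seen = {t: ts for t, ts in self.seen.items() if now - ts <= self.window}
        if tag in self.seen:
            return "reject: replay"
        self.seen[tag] = body["ts"]
        return "accept"


def zeroize(buf: bytearray) -> None:
    """Best-effort in-place wipe of a mutable key buffer (CPython may still hold copies)."""
    for i in range(len(buf)):
        buf[i] = 0
```

Two legitimate packets with identical payload and the same second would collide on the tag; a per-packet sequence number or nonce in the tagged body removes that limitation.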
