Cyber Security Technical Architecture (网际安全技术构架)

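Author: Nan Xianghao (南相浩)

Publisher: Publishing House of Electronics Industry (电子工业出版社)

Year: 2010

Price: 88.0

Book introduction:

This book discusses the key technology of future "cyber security": trusted systems based on identity authentication. It also covers the related self-assured public key system and trust logic; the application of trust logic to trusted access, trusted computing, trusted transactions, trusted logistics and network management; and the basic techniques for establishing mutual trust in the cyberspace formed by the Internet and the Internet of Things. It further discusses the concepts of new-generation information security and the direction of development of next-generation green network security.

Table of contents: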

FOREWORD
CONTENTS

PART ONE: AUTHENTICATION TECHNIQUE
CHAPTER 1: BASIC CONCEPTS
  1.1 PHYSICAL WORLD AND DIGITAL WORLD
  1.2 A WORLD WITH ORDER AND WITHOUT ORDER
  1.3 SELF-ASSURED PROOF AND 3RD PARTY PROOF
  1.4 CERTIFICATION CHAIN AND TRUST CHAIN
  1.5 CENTRALIZED AND DECENTRALIZED MANAGEMENT
  1.6 PHYSICAL SIGNATURE AND DIGITAL SIGNATURE
CHAPTER 2: AUTHENTICATION LOGIC
  2.1 BELIEF LOGIC
  2.2 STANDARD PROTOCOL
  2.3 TRUST RELATIONSHIP
    2.3.1 Direct Trust
    2.3.2 Axiomatic Trust
    2.3.3 Inference Trust
  2.4 TRUST LOGIC
    2.4.1 The requirement of Trust Logic
    2.3.2 The Progress in Public Key
    2.4.3 Entity Authenticity
    2.4.4 The Characteristics of Trust Logic
  2.5 CPK PROTOCOL
    2.5.1 One-way Protocol
    2.5.2 Two-way Protocol
CHAPTER 3: IDENTITY AUTHENTICATION
  3.1 COMMUNICATION IDENTITY AUTHENTICATION
  3.2 SOFTWARE IDENTITY AUTHENTICATION
  3.3 ELECTRONIC TAG AUTHENTICATION
  3.4 NETWORK MANAGEMENT
  3.5 HOLISTIC SECURITY

PART TWO: CRYPTO-SYSTEMS
CHAPTER 4: COMBINED PUBLIC KEY (CPK)
  4.1 INTRODUCTION
  4.2 ECC COMPOUND THEOREM
  4.3 IDENTITY-KEY
    4.3.1 Combining Matrix
    4.3.2 Mapping from Identity to Matrix Coordinates
    4.3.3 Computation of Identity-Key
  4.4 KEY COMPOUNDING
    4.4.1 The Compounding of Identity-Key and Accompanying-Key
    4.4.2 The Compounding of Identity-Key and Separating-key
  4.5 CPK DIGITAL SIGNATURE
    4.5.1 Signing with Accompanying-Key
    4.5.2 Signing with Separating-key
  4.6 CPK KEY EXCHANGE
    4.6.1 Key Exchange with Separating-key
    4.6.2 Key Exchange with Accompanying-Key
  4.7 CONCLUSION
CHAPTER 5: SELF-ASSURED AND 3RD PARTY PUBLIC KEY
  5.1 NEW REQUIREMENTS OF THE CRYPTO-SYSTEM
  5.2 DEVELOPMENT OF CRYPTO-SYSTEMS
  5.3 DIGITAL SIGNATURE MECHANISM
    5.3.1 IBC Signature Scheme
    5.3.2 CPK Signature with Separating-key
    5.3.3 CPK Signature with Accompanying-Key
    5.3.4 PKI Signature Scheme
    5.3.5 IB-RSA Signature Scheme
    5.3.6 mRSA Signature Scheme
    5.3.7 Comparison of Schemes
  5.4 KEY EXCHANGE SCHEME
    5.4.1 IBE Key Exchange
    5.4.2 CPK Key Exchange
    5.4.3 Other Key Exchange Schemes
    5.4.4 Performance Comparison
  5.5 DISCUSSION ON TRUST ROOT
CHAPTER 6: BYTES ENCRYPTION
  6.1 TECHNICAL BACKGROUND
  6.2 CODING STRUCTURE
    6.2.1 Transposition Table (disk)
    6.2.2 Substitution Table (subst)
  6.3 8-BIT OPERATION
    6.3.1 Assumptions
    6.3.2 Key Derivation
    6.3.3 Combination of Data and Keys
    6.3.4 Left Shift Accumulation
    6.3.5 Transposition Conversion
    6.3.6 Single Substitution Conversion
    6.3.7 Re-combination of Data and Keys
    6.3.8 Right Shift Accumulation
    6.3.9 Re-transposition
  6.4 7-BIT OPERATION
    6.4.1 Given Conditions
    6.4.2 Key Derivation
    6.4.3 Combination of Data and Key
    6.4.4 Left Shift Accumulation
    6.4.5 Transposition Conversion
    6.4.6 Single Substitution Conversion
    6.4.7 Re-combination of Data and Key
    6.4.8 Right Shift Accumulation
    6.4.9 Re-composition
  6.5 SAFETY EVALUATION
    6.5.1 Key Granularity
    6.5.2 Confusion and Diffusion
    6.5.3 Multiple-level Product Conversion

PART THREE: CPK SYSTEM
CHAPTER 7: CPK KEY MANAGEMENT
  7.1 CPK KEY DISTRIBUTION
    7.1.1 Authentication Network
    7.1.2 Communication Key
    7.1.3 Classification of Keys
  7.2 CPK SIGNATURE
    7.2.1 Digital Signature and Verification
    7.2.2 Signature Format
  7.3 CPK KEY EXCHANGE
  7.4 CPK DATA ENCRYPTION
  7.5 KEY PROTECTION
    7.5.1 Password Verification
    7.5.2 Password Change
CHAPTER 8: CPK-CHIP DESIGN
  8.1 BACKGROUND
  8.2 MAIN TECHNOLOGY
  8.3 CHIP STRUCTURE
  8.4 MAIN FUNCTIONS
    8.4.1 Digital Signature
    8.4.2 Data Encryption
CHAPTER 9: CPK ID-CARD
  9.1 BACKGROUND
  9.2 ID-CARD STRUCTURE
    9.2.1 The Part of Main Body
    9.2.2 The Part of Variables
  9.3 ID-CARD DATA FORMAT
  9.4 ID-CARD MANAGEMENT
    9.4.1 Administrative Organization
    9.4.2 Application for ID-Card
    9.4.3 Registration Department
    9.4.4 Production Department
    9.4.5 Issuing Department

PART FOUR: TRUST COMPUTING
CHAPTER 10: SOFTWARE ID AUTHENTICATION
  10.1 TECHNICAL BACKGROUND
  10.2 MAIN TECHNOLOGY
  10.3 SIGNING MODULE
  10.4 VERIFYING MODULE
  10.5 THE FEATURE OF CODE SIGNING
CHAPTER 11: CODE SIGNING OF WINDOWS
  11.1 INTRODUCTION
  11.2 PE FILE
  11.3 MINI-FILTER
    11.3.1 NT I/O Subsystem
    11.3.2 File Filter Driving
    11.3.3 Minifilter
  11.4 CODE AUTHENTICATION OF WINDOWS
    11.4.1 The System Framework
    11.4.2 Characteristics Collecting
  11.5 CONCLUSION
CHAPTER 12: CODE SIGNING OF LINUX
  12.1 GENERAL DESCRIPTION
  12.2 ELF FILE
  12.3 LINUX SECURITY MODULE (LSM) FRAMEWORK
  12.4 IMPLEMENTATION

PART FIVE: TRUST CONNECTING
CHAPTER 13: PHONE TRUST CONNECTING
  13.1 MAIN TECHNOLOGIES
  13.2 CONNECTING PROCEDURE
  13.3 DATA ENCRYPTION
  13.4 DATA DECRYPTION
CHAPTER 14: SOCKET LAYER TRUST CONNECTING
  14.1 LAYERS OF COMMUNICATION
  14.2 SECURE SOCKET LAYER (SSL)
  14.3 TRUSTED SOCKET LAYER (TSL)
  14.4 TSL WORKING PRINCIPLE
  14.5 TSL ADDRESS AUTHENTICATION
  14.6 COMPARISON
CHAPTER 15: ROUTER TRUST CONNECTING
  15.1 PRINCIPLE OF ROUTER
  15.2 REQUIREMENTS OF TRUSTED CONNECTION
  15.3 FUNDAMENTAL TECHNOLOGY
  15.4 ORIGIN ADDRESS AUTHENTICATION
  15.5 ENCRYPTION FUNCTION
    15.5.1 Encryption Process
    15.5.2 Decryption Process
  15.6 REQUIREMENT OF HEADER FORMAT
  15.7 TRUSTED COMPUTING ENVIRONMENT
    15.7.1 Evidence of Software Code
    15.7.2 Authentication of Software Code

PART SIX: TRUST E-COMMERCE
CHAPTER 16: E-BANK AUTHENTICATION
  16.1 BACKGROUND
  16.2 COUNTER BUSINESS
  16.3 BUSINESS LAYER
  16.4 BASIC TECHNOLOGY
  16.5 BUSINESS AT ATM
  16.6 COMMUNICATION BETWEEN ATM AND PORTAL
  16.7 THE ADVANTAGES
CHAPTER 17: E-BILL AUTHENTICATION
  17.1 BILL AUTHENTICATION NETWORK
  17.2 MAIN TECHNOLOGIES
  17.3 APPLICATION FOR BILLS
  17.4 CIRCULATION OF BILLS
  17.5 VERIFICATION OF CHECK

PART SEVEN: TRUST LOGISTICS
CHAPTER 18: E-TAG AUTHENTICATION
  18.1 BACKGROUND
  18.2 MAIN TECHNOLOGY
  18.3 EMBODIMENT (Ⅰ)
  18.4 EMBODIMENT (Ⅱ)
CHAPTER 19: THE DESIGN OF MYWALLET
  19.1 TWO KINDS OF AUTHENTICATION CONCEPT
  19.2 SYSTEM CONFIGURATION
  19.3 TAG STRUCTURE
    19.3.1 Structure of Data Region
    19.3.2 Structure of Control Region
  19.4 TAG DATA GENERATION AND AUTHENTICATION
    19.4.1 KMC
    19.4.2 Enterprise
    19.4.3 Writer and Reader
  19.5 PROTOCOL DESIGN
  19.6 CONCLUSION

PART EIGHT: FILE & NETWORK MANAGEMENT
CHAPTER 20: E-MAIL AUTHENTICATION
  20.1 MAIN TECHNOLOGIES
  20.2 SENDING PROCESS
  20.3 RECEIVING PROCESS
CHAPTER 21: DATA STORAGE AUTHENTICATION
  21.1 SECURITY REQUIREMENTS
  21.2 BASIC TECHNOLOGY
  21.3 FILE UPLOADING PROTOCOL
  21.4 FILE DOWNLOADING PROTOCOL
  21.5 DATA STORING
    21.5.1 Establishment of Key File
    21.5.2 Storage of Key File
    21.5.3 Documental Database Encryption
    21.5.4 Relational Database Encryption
CHAPTER 22: SECURE FILE BOX
  22.1 BACKGROUND
  22.2 SYSTEM FRAMEWORK
  22.3 FEATURES OF THE SYSTEM
  22.4 SYSTEM IMPLEMENTATION
CHAPTER 23: E-SEAL OF CLASSIFICATION
  23.1 BACKGROUND TECHNOLOGY
  23.2 MAIN TECHNOLOGIES
  23.3 WORKING FLOW
  23.4 EMBODIMENT
  23.5 EXPLANATION
CHAPTER 24: WATER-WALL FOR INTRANET
  24.1 BACKGROUND
  24.2 WORKING PRINCIPLES
  24.3 THE DIAGRAM OF INTRANET WATER-WALL
  24.4 WATER-WALL FOR INDIVIDUAL PC
  24.5 GUARDING POLICY
CHAPTER 25: DIGITAL RIGHT AUTHENTICATION
  25.1 TECHNICAL BACKGROUND
  25.2 MAIN TECHNOLOGIES
  25.3 MANUFACTURER’S DIGITAL RIGHT
  25.4 ENTERPRISE’S RIGHT OF OPERATION
  25.5 CLIENT’S RIGHT OF USAGE

REFERENCES
APPENDICES
APPENDIX A: WALK OUT OF MYSTERIOUS “BLACK CHAMBER”
APPENDIX B: IDENTITY AUTHENTICATION OPENING A NEW LAND FOR INFORMATION SECURITY
APPENDIX C: SEARCHING FOR SAFE “SILVER BULLET”
APPENDIX D: “ELECTRONIC ID CARD” ATTRACTS INTERNATIONAL ATTENTION
APPENDIX E: CPK SYSTEM GOES TO THE WORLD
APPENDIX F: IDENTITY AUTHENTICATION BASED ON CPK SYSTEM

Abstract:

The CPK cryptosystem turns an ordinary elliptic curve public key into an identity-based public key with the self-assured property. A self-assured public key can advance authentication logic from object-authenticating "belief logic" to entity-authenticating "trust logic". The self-assured public key system and the trust logic of authentication together compose the key technique of cyber security. The construction of trust connecting, computing, transaction, logistics, counter-forgery and network management will be the main content of the next generation of information security. Readers who will benefit from this book include researchers and professors, experts and students, developers and policy makers, and all others who are interested in cyber security.

Book specifications:

Book details
Title: Cyber Security Technical Architecture (网际安全技术构架)
ISBN: 9787121113796
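Place of publication: Beijing
Publisher: Publishing House of Electronics Industry (电子工业出版社)
Edition: 1
Printing: 1
Price (yuan): 88.0
Language: English
Dimensions: 23 × 18
Binding: Paperback
Pages: 250
Print run: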

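Catalogue record:

Cyber Security Technical Architecture (网际安全技术构架) is a book published by Publishing House of Electronics Industry (电子工业出版社) in August 2010, with Chinese Library Classification number TP393.08, on the subject "Computer networks - Security technology - English".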