Information Security Practice: Transport Security (SSL secure website setup procedure). Ta Hwa Institute of Technology (大華技術學院), Department of Information Management. Information Security Lab (4): Planning and configuring system transport security.
Enterprise information security architecture (diagram). The network model is laid out by layer: Physical and Data link (UTP, FDDI, Ethernet, Frame Relay, ATM, PPP), Network (IP), Transport (TCP/UDP) and Application (HTTP, ODBC). Against it the diagram maps the security protocols for each layer: point-to-point encryption at the lower layers; SSL/TLS, firewalls and VPNs at the network and transport layers; SET and S/MIME at the application layer. The connection types shown are individual to individual, individual to business, business to business (net to net, over a private network or the Internet) and PC to server (client-server). The IT systems and enterprise information systems sit on top of a business risk assessment and security policy (ISO 17799).
Encryption / Decryption (introduction to encryption and decryption). Cryptography is the science of protecting data. Cryptographic algorithms mathematically combine the input plaintext with an encryption key to produce encrypted data, the ciphertext.
Cryptography terminology. Algorithm: a set of steps to solve a mathematical problem. The algorithms used in PKI are asymmetric, symmetric and hash algorithms. Cryptographic Service Provider (CSP): a library of cryptographic algorithms (encryption, signing, etc.) that can be called through a well-defined interface to perform a particular cryptographic function. Key: the algorithm is public; the keys are what is kept secret. Certificate: establishes trust in how the keys are used.
Comparison of key length and algorithms (table). Columns: Symmetric Key | ECC Key | RSA Key | Time to Break. The key-length entries are not legible in this copy; the Time to Break column reads, row by row: minutes; 600 months; 3 million years; 10^16 years. The estimates assume US$10 million spent on computer hardware; for scale, the universe is about 15 x 10^9 years old.
PKI API: signing and enveloping a message between Sender and Receiver (the diagram shows the data path Cleartext → Hash Result → Digital Signature → DES Ciphertext plus RSA Encrypted Key, and the reverse path on the receiver).
Sender:
Step 1: Hash the cleartext to obtain a Hash Result.
Step 2: Encrypt the Hash Result with the sender's private key (RSA); this is the sender's Digital Signature.
Step 3: Generate a random key from a white-noise generator and encrypt the whole output of the previous step (cleartext plus signature) with DES.
Step 4: Encrypt the same random key with the receiver's public key (RSA) to produce the Encrypted Key.
Step 5: Send the encrypted message over a secure channel.
Receiver (activating the security mechanism):
Step 1: Receive the encrypted message over the secure channel.
Step 2: Decrypt the Encrypted Key with the receiver's private key (RSA) to recover the random key.
Step 3: Decrypt the ciphertext with the random key (DES) to recover the cleartext.
Step 4: Verify the Digital Signature with the sender's public key (RSA) to recover the Hash Result; this authenticates the sender.
Step 5: Hash the cleartext again and compare the two Hash Results to check the integrity of the cleartext. Yes: accept the message. No: system error, or the text has been changed.
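The sender and receiver steps above, written out as an added Go example that is not code from the slides. SHA-256 stands in for the slide's unnamed hash function and AES-256-GCM for DES (which is no longer considered secure), and RSA-OAEP wraps the random key; the Envelope type and the Seal and Open names are this example's own, and the message in main is a constructed sample.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope is what crosses the channel (example-specific type, not an API from the slides).
type Envelope struct {
	EncryptedKey []byte // Step 4: the random key encrypted with the receiver's public key
	Nonce        []byte // required by AES-GCM; the slide's DES design has no such field
	Ciphertext   []byte // Step 3: symmetric encryption of cleartext||signature
	SigLen       int    // lets the receiver split the signature off the cleartext
}

// Seal performs the sender's steps 1-4.
func Seal(cleartext []byte, senderPriv *rsa.PrivateKey, receiverPub *rsa.PublicKey) (*Envelope, error) {
	// Step 1: hash the cleartext.
	digest := sha256.Sum256(cleartext)
	// Step 2: sign the hash with the sender's private key; this is the digital signature.
	sig, err := rsa.SignPKCS1v15(rand.Reader, senderPriv, crypto.SHA256, digest[:])
	if err != nil {
		return nil, err
	}
	// Step 3: fresh random key from the OS CSPRNG (the slide's "white-noise generator"),
	// then encrypt cleartext||signature with it. AES-256-GCM replaces the slide's DES.
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	payload := make([]byte, 0, len(cleartext)+len(sig))
	payload = append(append(payload, cleartext...), sig...)
	ct := gcm.Seal(nil, nonce, payload, nil)
	// Step 4: wrap the random key with the receiver's public key (RSA-OAEP).
	encKey, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, receiverPub, key, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{EncryptedKey: encKey, Nonce: nonce, Ciphertext: ct, SigLen: len(sig)}, nil
}

// Open performs the receiver's steps 2-5 and returns the cleartext only when both
// the decryption and the signature check succeed (the slide's Y/N decision).
func Open(env *Envelope, receiverPriv *rsa.PrivateKey, senderPub *rsa.PublicKey) ([]byte, error) {
	// Step 2: recover the random key with the receiver's private key.
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, receiverPriv, env.EncryptedKey, nil)
	if err != nil {
		return nil, errors.New("cannot unwrap the random key")
	}
	// Step 3: decrypt the ciphertext; GCM also rejects any ciphertext that was modified in transit.
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	plain, err := gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
	if err != nil || len(plain) < env.SigLen {
		return nil, errors.New("ciphertext rejected: the message has been changed")
	}
	cleartext, sig := plain[:len(plain)-env.SigLen], plain[len(plain)-env.SigLen:]
	// Steps 4-5: hash the cleartext again and check it against the signature with the
	// sender's public key; VerifyPKCS1v15 performs the "compare the two results" step.
	digest := sha256.Sum256(cleartext)
	if err := rsa.VerifyPKCS1v15(senderPub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, errors.New("signature rejected: sender not authenticated or text changed")
	}
	return cleartext, nil
}

func main() {
	sender, _ := rsa.GenerateKey(rand.Reader, 2048)
	receiver, _ := rsa.GenerateKey(rand.Reader, 2048)
	env, _ := Seal([]byte("constructed sample message"), sender, &receiver.PublicKey)
	out, err := Open(env, receiver, &sender.PublicKey)
	fmt.Printf("cleartext=%q err=%v\n", out, err)
}
```

The signature is placed inside the symmetric envelope, as on the slide, so an observer of the channel learns neither the content nor who signed it; the receiver's Open refuses the message if the random key cannot be unwrapped, if the ciphertext fails the GCM check, or if the signature does not verify under the sender's public key.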
Using public keys together with smart cards. The critical computations (signing and encryption) take place inside the card. No one but the card holder can access the smart card or use the information it keeps. The smart card is a safe for the private key.
Certificate authority (CA) operation flow (diagram). Components: the application interface; the Certificate Authority (CA) with key management, the CRL, an LDAP directory and an ACL/DB; the protected resources, application servers and mail; and the application channels (network, web, on-site). The left side shows CA-side operations, the right side certificate use within the enterprise. Registration Authority (RA) flow: 1. The user submits a certificate request. 2. The RA forwards the application to the CA. 3. The CA signs the user certificate. 4. The RA issues the certificate to the user. 5. The certificate is stored in the user's certificate container. 6. The certificate revocation list (CRL) is published. Before A and B use PKI encryption and decryption with each other, each side checks the other's certificate: Cert_A was issued by a legitimate CA, Cert_A has not been revoked, and Cert_A is within its validity period; likewise Cert_B was issued by a legitimate CA, has not been revoked, and is within its validity period. The user's permissions are then confirmed.
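The three checks at the end of the flow (issued by a legitimate CA, not revoked, within the validity period), as an added Go example that is not part of the original slides. It builds a constructed root CA, has it sign user certificates and publish a CRL, then checks a certificate the way a relying party such as A or B would; NewCA, NewLeaf, NewCRL and CheckCert are names chosen for this example, and all certificates are constructed test data.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// NewCA builds a self-signed root CA with a fresh key (constructed test data, not a real CA).
func NewCA(name string, now time.Time) (*x509.Certificate, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// NewLeaf is the "CA signs the user certificate" step for a given public key, serial and validity window.
func NewLeaf(ca *x509.Certificate, caKey *rsa.PrivateKey, pub *rsa.PublicKey,
	serial int64, notBefore, notAfter time.Time) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: fmt.Sprintf("user-%d", serial)},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, pub, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NewCRL is the "CRL published" step: the CA signs the list of revoked serial numbers.
func NewCRL(ca *x509.Certificate, caKey *rsa.PrivateKey, now time.Time, serials ...int64) (*x509.RevocationList, error) {
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(24 * time.Hour)}
	for _, s := range serials {
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates,
			pkix.RevokedCertificate{SerialNumber: big.NewInt(s), RevocationTime: now})
	}
	der, err := x509.CreateRevocationList(rand.Reader, tmpl, ca, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseRevocationList(der)
}

// CheckCert applies the relying party's three tests from the slide: issued by the
// trusted CA, inside its validity period at time now, and not on the CA's current CRL.
func CheckCert(cert, ca *x509.Certificate, crl *x509.RevocationList, now time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	// Issuer and validity: Verify chains to the root and enforces NotBefore/NotAfter at CurrentTime.
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := cert.Verify(opts); err != nil {
		return fmt.Errorf("issuer/validity check failed: %w", err)
	}
	// Revocation: Verify never consults a CRL, so check the CRL's signature and freshness, then its entries.
	if err := crl.CheckSignatureFrom(ca); err != nil {
		return fmt.Errorf("CRL is not signed by the CA: %w", err)
	}
	if now.After(crl.NextUpdate) {
		return fmt.Errorf("CRL is stale; fetch a fresh one before trusting this certificate")
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return fmt.Errorf("certificate has been revoked")
		}
	}
	return nil
}

func main() {
	now := time.Now()
	ca, caKey, _ := NewCA("Constructed Root CA", now)
	userKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	leaf, _ := NewLeaf(ca, caKey, &userKey.PublicKey, 2, now.Add(-time.Hour), now.Add(24*time.Hour))
	crl, _ := NewCRL(ca, caKey, now, 3) // serial 3 is revoked; serial 2 is still good
	fmt.Println("check result:", CheckCert(leaf, ca, crl, now))
}
```

Go's x509 Verify covers the issuer and validity tests but never looks at a CRL, so the revocation lookup, the CRL signature check and the NextUpdate freshness check are written out explicitly; leaving any of them out silently drops the slide's "not revoked" test.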
Installing the web site: 1. Open Control Panel and select Add/Remove Programs. 2. Choose Add/Remove Windows Components. 3. Tick Certificate Services and IIS, then click Next. 4. Select Stand-alone root CA, then click Next.