Implementation of Enterprise CA Organization Based on PKI

(1)

ISSN(Online): 2320-9801

ISSN (Print) : 2320-9798

I

nternational

J

ournal of

I

nnovative

R

esearch in

C

omputer

and

C

ommunication

E

ngineering

(A High Impact Factor, Monthly, Peer Reviewed Journal)

Website:

www.ijircce.com

Vol. 7, Issue 1, January 2019

Implementation of Enterprise CA

Organization Based on PKI

Karishma Tyagi

1

, Prof. Deepak Agrawal

2

Research Scholar (Cyber Security), Department of Computer Science & Engineering, Takshshila Institute of

Engineering & Technology, Jabalpur [M.P] India

1

Assistant Professor & Head, Department of Computer Science & Engineering, Takshshila Institute of Engineering

& Technology, Jabalpur [M.P] India

2

ABSTRACT:

With the fast development of e-commerce in recent years, it brings unlimited opportunities for folks,

however it conjointly offers folks a awfully serious subject, namely, however to guarantee security of network.

applications. The PKI could be a technology platform that may be accustomed address the matter of e-commerce

security effectively. This paper presents a self-built CA system model for enterprise supported PKI, we have a tendency

to describe the structure and style model very well, and provides specific implementation strategies. Compared with

different CA system, some options of this technique include: open ASCII text file primarily based, low price to attain,

implementation of information technology, glorious compatibility with different enterprise application systems

, realization of twin key pairs, separating the signature

/ authentication key pairs from coding / decoding key pairs. This enterprise’s CA system will ideally solve the

authentication, sensitive knowledge transmission and different problems with network security, and promote the

method of e-commerce. the appliance has broad prospects.

I. INTRODUCTION

As a means of new type of business, e-commerce develops rapidly in recent years, and it brings unlimited

opportunities for people, but it also gives people a very serious subject, namely, how to ensure security of network.

applications. Traditional authentication mechanism that based on the user name and password can be easily attacked, it

is necessary to build a safe authentication mechanism. PKI

[1]

(Public CA

[2]

is the core of PKI system, It’s main task

is to issue and manage digital certificate. Digital certificate is a kind of authoritative electronic document, it can be

used to demonstrate the identity of a entity as well as ID card in network.

To cooperate with the informationization of the enterprise, we design a model of enterprise CA system based

on PKI. This system can realize electronic identity authentication, thus can guarantee the security of the Internet to

transmit information.

II. DESIGN OF ENTERPRISE CA SYSTEM

At present, enterprises mainly access digital certificate through commercial CA

[3][4]

, The shortcoming of this

approach is not flexible enough, commercial CA's expansion of the certificate may not be able to meet the needs

of enterprises; In addition, the cost of the purchase of certificates is also required serious consideration. Therefore,

because of the need for a large number of certificates, to establish their own enterprises CA is a relatively good way.

2.1. The overall structure of CA system

(2)

ISSN(Online): 2320-9801

ISSN (Print) : 2320-9798

I

nternational

J

ournal of

I

nnovative

R

esearch in

C

omputer

and

C

ommunication

E

ngineering

Website:

www.ijircce.com

(2) An enterprise is a main body of independent, all departments can trust the same authoritative institution. (3) All

departments of an enterprise are relatively independent.

Therefore CA system design uses a single CA

，

_{multi-RA structure. For each department, a RA is set [5]}

Key Infrastructure) is the infrastructure to provide,up, which is responsible for the registration and audit

information security technology. By use of public key technology it can guarantee the confidentiality, integrity,

authenticity and non-repudiation for online digital information.

of users. Finally, the certificate is issued and managed by the CA.

Taking into account the future development of enterprise, the system adds cross-authentication

module, through which to build relation of trust with other CA systems so as to achieve interoperability.

The system uses a PKI hybrid trust model, the overall structure is shown in Figure 1.

2.2. CA system design model

(3)

ISSN(Online): 2320-9801

ISSN (Print) : 2320-9798

I

nternational

J

ournal of

I

nnovative

R

esearch in

C

omputer

and

C

ommunication

E

ngineering

Website:

www.ijircce.com

The secure server, end-user oriented, is responsible for the communication between the CA system and the outside world. It provides user registration, certificate application, certificate revocation application, certificate and CRL (Certificate Revocation List) download service.

RA server accepts some requests from the secure server such as application, revocation and update of the certificate, examines the true identity of the applicant, and then submits these requests to the CA after passing the examination. It can also to transmit digital certificates and CRL issued by the CA to secure server. In addition, the RA is also responsible for the administration of local user information. Depending on the specific circumstances, RA can be constituted by one or more servers.

CA server is the core of the whole CA system, its main functions include the development of the certificate issued strategy, initialization of CA, acceptting requests of application, revocation and update of the certificate from RA, to issue, update or revoke the certificate for the users, to announce the certificates list and CRL, to generate key pairs, to update or recovery the keys, as well as issue the cross-certificate.

Taking into account the compatibility with other enterprise application systems, the databases are applied to manage the certificates. Public information database is used to store user certificates, user information and CRL. CA database is used to store user keys and CA history certificates.

2.3. Security of enterprise CA system

Taking into account security, system design is as follows: a single server is responsible for security links with the outside world. RA server, CA server and database server connected on a LAN. Secure server equipped with two NIC, one linked with RA, the other access to the Internet and directly face the end-user. The system set up two firewalls, the first is set up between the secure server and the Internet; the second is set up between the secure server and RA server. Thus can effectively protect internal networks from external network attacks, and can prevent internal network users leaked out.

In this system, each server uses the Linux operating system. Apache Web Server is used as a WWW server software. CA, RA and security servers use mod_ssl module as SSL encryption transmission module. At the same time in the Apache configuration, restrictions of IP and digital certificate are added to the management interface directory, so that users only from the designated IP and with designated digital certificate can access the management interface, thus ensuring that only authorized administrators to access management interface.

III. SOME FEATURES OF THE SYSTEM

Using RSA algorithm, a key that can be used for both data encryption and digital signature. If the encryption private key were lost, the information encrypted with the public key can not be recovered, so the private key used to encrypt needs backup; On the other hand, the main purpose of digital signature is to get non-repudliation, therefore, signature private key needs not backup. Obviously, the demands of signature keys and encryption keys are conflicting. To solve this

problem, we have introduced a solution of dual key pairs. For each user, there are two separate pairs of keys, i.e., signature / authentication key pairs and encryption / decryption key pairs. This not only ensures non-repudliation of the user digital signature, but also offers encryption key backup and recovery functions.

The common way of informing the revocation of the certificate is that CA regularly published CRL. Its flaws: It can not truthfully reflect the certificate state during the period in the two publication. We propose an improved approach: using database to manage certificate, at the same time to add a field in the certificate table to show the status. Thus we can check the real-time status of the certificate and make up the defect of simply using CRL..

IV. REALIZATION OF ENTERPRISE CA SYSTEM

System is based on open source. Using the Linux operating system, servers are mainly used C as development tool, Web scripts use PHP, database uses MySQL; encryption algorithm, digest, and digital signature uses OpenSSL

toolkit to achieve.

4.1. Difficulties to achieve

PHP 4.2.0 and higher version has added some management capabilities for the key and digital certificate. but has not realized the function of certificate revocation and CRL generation. In addition, the function of issue certificate is not perfect. However, the certificate’s generation, revocation and the issue of CRL are most important and basic functions of CA system. So first of all, it is necessary to expand the functions of PHP, to add the following three functions in the source code, the program can reference openssl source.

revocation of the certificate ： bool openssl_crt_revoke(string infilename)

(4)

ISSN(Online): 2320-9801

ISSN (Print) : 2320-9798

I

nternational

J

ournal of

I

nnovative

R

esearch in

C

omputer

and

C

ommunication

E

ngineering

Website:

www.ijircce.com

x509, mixed priv_key, long days)

Self-signed certificate generation ： resource openssl_csr_selfsign(mixed csr, mixed priv_key, long days)

4.2. CA initialization

CA server generates root CA’s own pair of keys, and self-signed root certificate. The key steps are shown as the following:

<? php

// Set the root CA’s X.500 name $dn = array(

"countryName" => country, "stateOrProvinceName" => province , "localityName" => city, "organizationName" => organization, "organizationalUnitName" => unit, "commonName" => user,

"emailAddress" =>email )； //generation of root CA’s private key $privkey = openssl_pkey_new()； // Generation of certificate request $csr = openssl_csr_new($dn, $privkey) ； // Generating self-signed root certificate

$sscert = openssl_csr_selfsign($csr, $privkey, days)；

…… ? >

4.3. User registration and the certificate application

User fills registration form , RA will generate a unique PIN (Personal Identification Number) and return it to user.

After registration, user can apply for digital certificates. RA examine the applicant true identity, and then mail the audit result to user.

4.4. Certificate issue

The implementation of the plan is shown in Figure3.

4.5. certificate revocation and CRL issue

(5)

ISSN(Online): 2320-9801

ISSN (Print) : 2320-9798

I

nternational

J

ournal of

I

nnovative

R

esearch in

C

omputer

and

C

ommunication

E

ngineering

Website:

www.ijircce.com

revocation process, at the same time the state of this certificate will be noticed as R in the certificate table.

CRL, the essence of which is a document, in this file, the serial number of the revoked certificate has been stored

in, through regular CRL release, CA can notify the user which certificate has been invalid. CRL generated by this

system is compatible with standard X.509 V2. The key steps are as follows:

<? php

……

Connected to Database;

$cert= read the root certificate from the CA

database

；

// Analysis of X.509 certificate, return a resource identifier

$rid=openssl_x509_read($cert)

；

$pkey= read root private key from the file that store root private key

；

// Analysis and decryption of the private key, return a key resource identifier

$key=openssl_get_privatekey($pkey, password)

；

$days= time intervals between two CRL issuances, denoted by days

；

// new CRL generation openssl_issue_crl($rid,$key, $days)

；

…

implementation methods. This enterprise’s CA system can preferably solve the authentication, sensitive data

transmission and other issues of network security, and promote the process of e-commerce. Because we use database

to manage certificates, this system can integrate with other enterprise’s application systems, the application has

broad prospects.

4.6. Download certificate

Including download root certificate, others’ certificate and self certificate. The most crucial of all is to download the

self certificate. Realization of the process is as follows: User logins security server, fills the certificate serial number,

personal PIN, sets private key password. RA audit of user identity, after the adoption of audit, CA will combine the

encrypted (with a password set by the user) user's private key with the user’s digital certificate together, then

generate PKCS12 format document and return to the user. After that, user can import certificate into browser, and

export private key and preserve it.

V. CONCLUSIONS

In this paper, we take full advantage of open source, designed a enterprise’s CA system with relative lower cost.

We describe the overall structure and design model in detail, and give specific

REFERENCES

[1] Ning Yupeng, Chen Xin, PKI technology, China Machine Press, Beijing , 2004.

[2] Guan Zhensheng.. public key technology PKI and certificate authority CA, Publishing House of Electoronics Industry, Beijing, 2002.

[3] Li Yongjun, Zhou Wenhui, “Research and implementation for enterprise’s CA system and network security strategy”, Computer Engineering and Design,2006(8), pp 2728-2730

[4] Xu Feng, Qi Yuguo, “Research and Implementation of Private Enterprise CA Based on Open Source Code”, Computer Engineering, 2006 (3), pp 128-130