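Title: | A Digital Signature System On The OSI Network |
Authors: | 龔必麟 Bi-Lin Gon; 羅濟群 Chi-Chun Lo; 曾文貴 Wen-Guey Tzeng; Institute of Computer Science and Engineering |
Keywords: | key; security service element; security communication service element; key management service element; key; sse; scse; kmse |
Publication date: | 1993 |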
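Abstract: | As communication networks take shape, computer systems on the network must be able to perform signatures that establish the identity of the sender of data, and must guarantee the privacy and integrity of signed data in transit. This requires a reliable digital signature system. The National Institute of Standards and Technology (NIST) proposed the Digital Signature Standard (DSS) in 1991 and at the same time published a Digital Signature Algorithm (DSA). However, it does not take into account key protection and confidentiality, nor proof of delivery and replay detection for signed messages. In addition, the Open Systems Interconnection (OSI) communication protocols defined by the International Organization for Standardization (ISO) currently have no suitable digital signature protocol available, which shows that developing a digital signature system is necessary. This thesis proposes a digital signature system suited to the OSI network environment, and the system improves on the shortcomings of DSA. The system designs a Security Service Element (SSE) at the ISO/OSI application layer to provide signature services to users. SSE makes the digital signature system transparent: on the one hand, it hides the key-protection problem inside the operating system kernel, increasing its security and the flexibility of system implementation; on the other hand, the protocol does not use timestamps as the basis for preventing replay of signed messages, so hosts on the network do not need synchronized clocks, and it adds a proof-of-delivery function, greatly improving the system's practicality. Finally, a prototype system illustrates the feasibility of this digital signature system, and an example shows how users obtain the digital signature service.
In recent years, we have witnessed an increasing number of communication networks installed. The International Standard Organization (ISO)/Open System Interconnection (OSI) network of the future. With the advent of networking, the nature of privacy and integrity problems has changed radically. This change creates considerable interest in the use of digital signatures. The Digital Signature Algorithm (DSA), one of the National Institute of Standards and Technology's proposals in 1991, has been adopted by many organizations. Despite its many strengths, DSA itself does not provide the services of key-protection, confidentiality, proof-of-delivery, and replay-detection. Therefore, it is highly insecure on multi-user hosts and infeasible on diskless workstations. Due to the absence of OSI digital signature standards and the limitations of DSA, in this thesis we first suggest solutions to overcome the shortcomings of DSA, and then incorporate the improved DSA into the proposed security service element (SSE), which is an application service element (ASE) residing in the OSI application layer. SSE has the following features: 1. It provides digital signatures for OSI network users. 2. It is easy to use. 3. No synchronized clock is needed. 4. It provides a more secure key-protection mechanism.
Finally, a prototype is developed to show how the digital signature system works in the OSI network. |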
URI: | http://140.113.39.130/cdrfb3/record/nctu/#NT820394006 http://hdl.handle.net/11536/57901 |
Appears in collections: | Theses |