
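A High-Security Scheme of Private Key Protection
Cite this article: ZHU Jian-dong, ZHU Zhi-ting. A High-Security Scheme of Private Key Protection[J]. Computer Engineering & Science, 2010, 32(11): 55-57. DOI: 10.3969/j.issn.1007130X.2010.
Authors: ZHU Jian-dong  ZHU Zhi-ting
Affiliation: 1. Department of Education Information Technology, East China Normal University, Shanghai 200062; Department of Information Engineering, Nantong Agricultural College, Nantong, Jiangsu 226007
2. Department of Education Information Technology, East China Normal University, Shanghai 200062
Abstract: The security of the CA private key guarantees the trustworthiness of digital certificates and the validity of signatures. To strengthen protection of the CA private key, RSA-based (t,n) secret sharing is used to distribute the CA private key securely to t signature servers, each holding a different private key share, and proactive secret sharing is used to update the private key shares periodically, avoiding the danger that long-term attacks may pose. In addition, private key shares are recovered and checked for validity. When signing, an RSA-based step-by-step signature mechanism is used: each signature server first computes a partial signature, and the signing proxy then combines these into the final signature. The CA private key never needs to be reconstructed at any point in the process, which strengthens the security of both the CA private key and the signing process. Finally, heterogeneous platforms are used for the servers that store the private key shares. The scheme was implemented with VC and OpenSSL. Theoretical analysis and experimental results show that the scheme offers high security and efficiency.

Keywords: digital certificate  private key security  secret sharing  step-by-step signature  private key update
Received: 2009-11-26
Revised: 2010-03-02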

A High-Security Scheme of Private Key Protection
ZHU Jian-dong,ZHU Zhi-ting. A High-Security Scheme of Private Key Protection[J]. Computer Engineering & Science, 2010, 32(11): 55-57. DOI: 10.3969/j.issn.1007130X.2010.
Authors:ZHU Jian-dong  ZHU Zhi-ting
Affiliation:(1. Department of Education Information Technology, East China Normal University, Shanghai 200062; 2. Department of Information Engineering, Nantong Agricultural College, Nantong 226007, China)
Abstract:The security of the CA private key guarantees the credibility of a digital certificate and the validity of the signature. In order to enhance the security protection of the CA private key, we distribute the CA private key to t signature servers with (t,n) secret sharing, each having a different private key share, and the private key shares are periodically updated using the proactive secret scheme. A phase-based RSA signature mechanism is used: each server calculates part of the signature, and then the signing proxy produces the final signature. In the whole process, the CA private key is never reconstructed, which strengthens the safety of the CA private key and the signature. Finally, heterogeneous platforms are used to store the CA secret. The scheme is implemented with VC and OpenSSL.
Keywords:digital certificates  security of private key  private sharing  stages signature  update of private key
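
The signing flow the abstract describes, as an added Python sketch that is not the paper's VC/OpenSSL implementation. It assumes a simplified n-of-n additive sharing of the RSA private exponent by a trusted dealer instead of the paper's (t,n) scheme, a constructed toy key, and no share recovery or validity checks; all function names are hypothetical.

```python
import hashlib
import secrets

# Constructed toy RSA key built from two Mersenne primes; far too small for real use.
P, Q = 2**31 - 1, 2**61 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # CA private exponent, seen only by the dealer

def split(secret, n):
    """Additive sharing over the integers: n shares whose sum is `secret`.
    Shares are drawn from a range far wider than the secret."""
    shares = [secrets.randbelow(N << 64) for _ in range(n - 1)]
    return shares + [secret - sum(shares)]

def refresh(shares):
    """Proactive update: add a fresh sharing of zero, leaving the sum unchanged."""
    return [s + z for s, z in zip(shares, split(0, len(shares)))]

def digest(msg):
    """Hash the message into Z_N (no padding scheme; illustration only)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N

def partial_sign(h, share):
    """One signature server's step: h^share mod N.
    A negative share uses the modular inverse of h (Python 3.8+)."""
    return pow(h, share, N)

def combine(partials):
    """Signing proxy's step: multiply the partial signatures modulo N."""
    sig = 1
    for p in partials:
        sig = sig * p % N
    return sig

def distributed_sign(msg, shares):
    h = digest(msg)
    return combine(partial_sign(h, s) for s in shares)

def verify(msg, sig):
    return pow(sig, E, N) == digest(msg)

if __name__ == "__main__":
    msg = b"constructed certificate body"
    old = split(D, 3)
    new = refresh(old)
    print(verify(msg, distributed_sign(msg, old)))   # shares from one period sign
    print(verify(msg, distributed_sign(msg, new)))   # refreshed shares still sign
    print(verify(msg, distributed_sign(msg, [old[0]] + new[1:])))  # stale share mixed in
```

The private exponent is never reassembled: the proxy only ever sees partial signatures, and a share kept from before a refresh no longer combines with the current ones.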
This article has been indexed by Wanfang Data and other databases.