Construction of SSL-based information security channels on IIS

zhaozj  2021-02-16


http://91mail.51.net

Summary: This article describes in detail how to build an SSL-based secure information channel with the IIS server on Windows 2003 Server, including the configuration of the DNS, Active Directory and CA services; the application for, installation and configuration of the web server certificate and the client certificate; and the acquisition and installation of the certificate chain. It also puts forward an experimental scheme for stronger encryption.

Abstract: This paper exhaustively introduces the whole course of implementing a secure information passageway based on SSL with Internet Information Services on Windows 2003 Server, including the configuration of DNS, Active Directory and CA; the request, installation and configuration of the web server-end certificate and the client-end certificate; and the obtaining and installation of the certificate chain. It sketches the principle and application of the SSL-based secure information passageway, expounds the reasons for transmitting information through the secure passageway, and puts forward an experimental scheme for encryption stronger than 128-bit on IIS.

Keywords: SSL, Windows 2003 Server, secure information channel, OpenSSL, IIS

CLC number: TP3; Document code: B

SSL (Secure Socket Layer) is a protocol for providing a secure channel between two computers; it transmits data confidentially and identifies the communicating machines. In the protocol stack, SSL sits below the application layer and above TCP, and its API is very similar to the TCP socket API and to Microsoft's API. Because many protocols run over TCP, and an SSL connection behaves much like a TCP connection, layering an existing protocol on top of SSL to secure it is a very sound design. So far the protocols run over SSL include HTTP, NNTP, SMTP, Telnet and FTP; in addition, domestic software vendors have begun running their proprietary protocols over SSL. The most practical SSL software development package is the OpenSSL development kit from the OpenSSL project; users call its encryption and decryption APIs to implement data transmission and identification. Microsoft's IIS server also supports the SSL protocol; this article mainly describes building an SSL-based secure information channel on IIS under Windows 2003 Server.

We use a simple working environment: the operating system is Windows 2003 Server; the web server is IIS; the CA certification center uses the "Certificate Services" component that ships with Windows 2003 Server; the browser is IE 5.0 (in actual deployment the user must install the patches for IE and Windows 2003 Server, because both have many security vulnerabilities); and the DNS and Active Directory services of Windows 2003 Server are configured.

1 Configure DNS, Active Directory and CA services

Creating a stand-alone CA server requires the DNS and Active Directory services of Windows 2003 Server, so these two services must be configured first. Their configuration is not the focus of this article; the user need only follow the Configure Server wizard. In addition, for the convenience of the experiment, the CA's issuance policy is set to "always issue".

2 Obtaining and installing the server certificate

2.1 How to obtain a web site digital certificate

• Start the Internet Information Services console on the web server; in the IIS interface, right-click the site for which you want to apply for a digital certificate, select Properties in the shortcut menu, and the site's Properties dialog box appears.

• Click the Directory Security tab in the Properties dialog box, then click Server Certificate and choose to create a new certificate.

The IIS Certificate Wizard dialog box appears; follow its prompts to generate a certificate request, which is saved as the file C:\Certreq.txt.

• The generated Certreq.txt holds the request in PKCS#10 form. Open the file, select all of its contents and copy them to the clipboard.

• Open the IE browser and enter http://<CA server name>/certsrv in the address bar.

• Select "Request a certificate", click Next, then select "Advanced request" as the request type and click Next.

• Choose "Submit a certificate request using a base64-encoded CMC or PKCS#10 file, or a renewal request using a base64-encoded PKCS#7 file", as shown in the figure below.

• Right-click in the "Base-64 encoded certificate request (CMC or PKCS#10 or PKCS#7)" edit box and paste, select the "Web Server" template under Certificate Template, then submit.

Because the CA's issuance policy was set to "always issue", the CA center issues the certificate immediately and the screen shows "Certificate Issued". Click "Download certificate" and save it as the file C:\Certnew.cer.

2.2 Install the web site digital certificate

Return to the site's Properties dialog box, click Server Certificate, and in the IIS Certificate Wizard follow the prompts to install the server certificate. Proceed as follows:

• Select "Process the pending request and install the certificate";

• When asked for the certificate file name, click Browse, select C:\Certnew.cer, and follow the wizard until the installation is complete.

2.3 Setting the "Secure Communications" attributes

In the web site Properties dialog box click Edit under Secure Communications, select "Require secure channel (SSL)" and "Require client certificates", then click OK. (If you need to link client certificates to specific accounts on the server, select "Enable client certificate mapping"; if you have more specific requirements for client certificates, you can select "Enable certificate trust list".)

3 Obtaining and installing the client certificate

If a client wants to access a secured web site through the secure information channel, it must have a client certificate issued by a CA trusted by that web site, together with the CA's certificate chain. Let us look at how to apply for a client certificate.

3.1 Applying for a client certificate

• Open the IE browser, enter http://<CA server name>/certsrv in the address bar and press Enter;

• Select "Request a certificate", click Next, then select "User certificate" and click Next;

• On the following page, fill in the detailed identification information for the client certificate, then click Submit;

• The server generates the client certificate according to the user's request and embeds it in the response page through an ActiveX control; the user can click "Install this certificate".

3.2 Installing the certificate chain or CRL

The CA's certificate chain is the path from a certificate up to the issuing authority. The browser follows this path from the client certificate to verify that the user certificate is legitimate, so the CA's certificate chain must be installed on the client.

• Enter http://<CA server name>/certsrv/default.asp in the browser to load the CA center's home page, then click "Download a CA certificate, certificate chain, or CRL".

• Select "Install this certificate chain".

4 Accessing the web site through the secure information channel

Once the client certificate and the certificate chain are installed on the client, we can access the web site that requires client authentication, but we must ensure that the client certificate and the server certificate were issued by the same CA. We enter a URL of the form https://<web server address>:<SSL port>/index.htm, where https indicates that the browser wants to access the web site through the secure information channel (that is, SSL, the Secure Socket Layer); if the server's SSL port is not the default port 443, the SSL port must be given in the URL. When the connection is first made, the browser pops up a security alert dialog box: this is the browser's analysis of the server certificate before the channel is established. After the user clicks OK, the browser lists all of the user certificates it currently holds (as shown in the figure below) for the user to choose from; select the correct certificate and click OK, and the secure channel is formally established.
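The steps of sections 2.1, 3.2 and 4 can be reproduced and checked offline with the OpenSSL toolkit the article mentions. The script below is an added example, not code from the original article or from the Windows CA: a throwaway self-signed CA stands in for the Windows certificate service, a PKCS#10 request plays the part of C:\Certreq.txt, a PKCS#7 bundle plays the part of the downloaded certificate chain, and `openssl verify` performs the check the browser and IIS make on each end's certificate. The host name www.example.test, the user names alice and bob, the CA names and the scratch directory are all constructed; a second, unrelated CA is included only to show why the client and server certificates must chain to the same CA.

```shell
#!/bin/sh
# Added example (not from the original article): OpenSSL equivalents of the IIS wizard
# and Windows CA web-page steps, so each artefact can be inspected and verified locally.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # scratch directory (assumption: writable temp space)
HOST="www.example.test"        # constructed web server name

# A self-signed CA. "ca" stands in for the article's Windows certificate service;
# "other" is an unrelated CA used to demonstrate the "same CA" rule of section 4.
make_ca() {  # $1 = basename, $2 = CA common name
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# Section 2.1: the equivalent of C:\Certreq.txt, a PKCS#10 request for the web server.
make_server_csr() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$HOST" \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
}

# Check the request before pasting it into the CA web form: it must parse as PKCS#10
# and carry the expected subject.
csr_subject() { openssl req -in "$WORK/server.csr" -noout -subject; }

# The CA signs a request (the "Certificate Issued" page of section 2.1).
sign_csr() {  # $1 = csr file, $2 = output certificate, $3 = CA basename
    openssl x509 -req -in "$1" -CA "$WORK/$3.crt" -CAkey "$WORK/$3.key" \
        -CAcreateserial -days 30 -out "$2" 2>/dev/null
}

# Section 3.1: a client (user) certificate, issued by the CA named in $2.
make_client_cert() {  # $1 = user name, $2 = CA basename
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
    sign_csr "$WORK/$1.csr" "$WORK/$1.crt" "$2"
}

# Section 3.2: the "certificate chain" download is a PKCS#7 bundle of CA certificates.
# Build one from our single-level CA, then extract it back to PEM, which is the form
# openssl verify (like the browser's certificate store) actually trusts.
make_chain() {
    openssl crl2pkcs7 -nocrl -certfile "$WORK/ca.crt" -out "$WORK/chain.p7b"
    openssl pkcs7 -in "$WORK/chain.p7b" -print_certs -out "$WORK/chain.pem"
}
chain_cert_count() { grep -c 'BEGIN CERTIFICATE' "$WORK/chain.pem"; }

# Section 4: the check the browser performs on the server certificate, and the check
# IIS performs on the client certificate once "Require client certificates" is set.
# Prints "ok" when the certificate chains to the installed CA, "fail" otherwise.
verify_against_chain() {  # $1 = certificate file
    if openssl verify -CAfile "$WORK/chain.pem" "$1" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

# Section 4 from the command line against a running server (not executed here;
# host and port are the <web server address>:<SSL port> of the https URL).
probe_server() {  # $1 = host, $2 = SSL port, $3 = client cert, $4 = client key
    openssl s_client -connect "$1:$2" -servername "$1" \
        -CAfile "$WORK/chain.pem" -cert "$3" -key "$4" </dev/null
}

build_all() {
    make_ca ca "Test Issuing CA"
    make_ca other "Unrelated CA"
    make_server_csr
    sign_csr "$WORK/server.csr" "$WORK/server.cer" ca   # certnew.cer of section 2.1
    make_client_cert alice ca      # issued by the same CA as the server: accepted
    make_client_cert bob other     # issued by a different CA: rejected
    make_chain
}

build_all
echo "server : $(verify_against_chain "$WORK/server.cer")"
echo "alice  : $(verify_against_chain "$WORK/alice.crt")"
echo "bob    : $(verify_against_chain "$WORK/bob.crt")"
```

Run it as a plain POSIX shell script with `openssl` on the PATH; the server and alice certificates verify against the chain, bob's does not, which is exactly the failure a user sees in section 4 when the client certificate was obtained from a different CA than the server's. `probe_server` is left for use against a real server and shows the handshake the browser performs when the URL carries a non-default SSL port.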

5 Why access the web site through a secure information channel

At present most information on the Internet is transmitted in cleartext, and the user's various sensitive data can easily be captured by sniffing software (such as Snort). Network users have no way to protect their legitimate rights, the network cannot fully deliver its convenience and efficiency, and this hinders the construction of e-commerce and e-government in China and the adoption of B/S (browser/server) software systems.

Through research into various network security solutions, we believe that building a secure information channel with the latest SSL (Secure Sockets) technology is a very good solution in terms of security, stability and reliability.

6 Conclusion

This article has implemented the construction of an SSL-based secure information channel in an extremely simple network environment. This web server can only achieve 128-bit encryption, which falls far short of what users with higher security needs require. Users can choose their web server software and CA software according to their needs; the most practical choice is OpenSSL's own secure authentication component, which supports encryption with a higher number of bits to meet those needs.


How to Implement a Secure Information Passageway Based on SSL on IIS

Please credit the original source when reposting: https://www.9cbs.com/read-14927.html
