【作者】 张帆；

【导师】 马建峰；

【作者基本信息】 西安电子科技大学 ， 计算机系统结构， 2004， 硕士

【摘要】 无线传输的安全问题引起人们的重视。在2000年，WAP论坛公布了WPKI技术规范，作为一个开放的标准，该规范可用于解决无线环境下的安全问题。 本文介绍了无线传输的背景，对无线IP网络安全中的关键技术——WPKI进行了深入的分析和研究，重点分析了无线Internet的应用需求和目前的主要实现技术；介绍了系统中涉及的实现技术规范，详细讨论了用户证书管理；另外在论文中还详细介绍了PKI技术及其实现细节，涉及到一些对PKI服务产生影响的策略、标准及新兴应用。 本文提出了一套完整可行的适合宽带无线IP网络环境的WPKI方案，即基于WAP的WPKI体系结构。在对标准的X.509证书进行了优化和压缩后，给出了WPKI体系的证书格式。提出将现有的有线CA认证中心扩展到无线领域的方法来构建无线环境下的CA认证中心的建议。采用一种简便、实用的安全协议来实现WPKI证书的生成，即分布式生产方式下的证书管理协议—CMP(Certificate Management Protocol)，并对此协议进行了形式化证明。针对移动设备获取证书难度大、时延长的特点，通过借鉴哈希链的思想，设计了一种安全性比较高，可以抵抗现有大部份攻击，且适用于无线环境的证书状态查询方案——用户端部分缓存的OCSP(CPC-OCSP)方案。该方案可以有效减少客户端及服务器端的计算量以及减轻带宽负荷。最后在论文中还引入了CA信任路径构建的新思路。更多还原

【Abstract】 Security brings our aware and concern on wireless transaction. In 2000, WAP forum published a series of WPKI technical specifications, which are open standards, to solve the wireless security issues.The background of wireless transaction is introduced in this paper and a detailed analysis and study on WPKI-the key point of wireless security, is made, with emphases on the requirements of wireless Internet and the mainly relative technologies. In addition, user certificate management is mainly focused.General PKI technology and concepts are also detailedly explained. For the sake of orientation, policies and standards and some of the new and exciting applications that will consume PKI services are also touched on.An integrated and feasible WPKI architecture based on WAP (wireless application protocol), which suits the broadband wireless IP environment, is introduced in this paper. Optimized and compressed from the traditional X.509 certificate, the format of WPKI certificate is also proposed. The way of building a certificate authority is proposed as extending the existing CA of wired to the field of wireless. To implement the creation of WPKI certificate, a simple but efficient protocol, CMP (Certificate Management Protocol) is adopted and analyzed with formalized way to prove its validity. Making reference to the thought of HASH chain, a modification over traditional OCSP, client partially cached-OCSP, is proposed which can efficiently reduce not only the computation at the client and server side but also the band load. Finally a new way of building belief path of CA is introdued.更多还原