分布式环境中基于服务器的证书路径处理的研究

The Research on Certificate Path Process Based on Server in Distributed Environment

【Author】 王列

【Advisor】 谢冬青

【Author information】 Hunan University, Software Engineering, 2005, Master's

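【Summary】 Effective validation of certificates by the relying party is the foundation on which Public Key Infrastructure (PKI) can be widely applied in secure communication. In a large-scale distributed environment, certificate paths must be constructed efficiently and securely in order to obtain certificates. This thesis introduces the basic principles of certificate path processing, compares and analyzes several typical existing certificate path processing mechanisms, and points out the shortcomings of each. It concludes that using a server can effectively simplify the operation and maintenance of the client, while performing certificate path construction and validation on the client can increase the ability of the whole PKI system to resist denial-of-service and spoofing attacks.

This thesis addresses a problem in the dynamic certificate path processing mechanism: dynamic certificate path processing relies on cross-certification to link different trust domains, so the number of cross-certificates grows quadratically, which hinders management and maintenance. In response, the thesis proposes a dynamic certificate path construction mechanism based on a certificate collection server. The new mechanism relies on bridge CA technology to link different trust domains, so the number of cross-certificates and certificate paths grows linearly. To simplify the client, the thesis uses a certificate collection server that supports multiple directory access protocols, so that the client does not need to access directory servers frequently during certificate path construction and validation; a new path construction algorithm handles the case of multiple certificate paths under the bridge CA model. The thesis also compares and analyzes these, and analyzes the performance of the improved scheme through simulation experiments.

The thesis analyzes and presents the BBK subjective trust model. Its recommendation trust combination algorithm uses a simple arithmetic mean, treating malicious recommendation paths and benign recommendation paths equally. Noting that benign recommendation paths far outnumber malicious ones and that malicious and benign recommendation trust values differ greatly, the thesis classifies recommendation trust values using a similarity degree parameter Sdegree and combines the class of trust values that accounts for the largest proportion, effectively excluding the minority of malicious recommendations and thereby resisting their influence.

The optimization measures currently used in certificate path construction mainly draw on information in the certificates to select, for certificate path validation, the certificate path most likely to pass. However, with the existing measures it may be impossible to determine how to assign values between the highest priority and the higher priorities, and the range from 0 to the highest score cannot be subdivided further. The thesis introduces the improved BBK subjective trust model: a trust value is first obtained from the trust computation engine and then multiplied by the highest score, which provides a finer-grained method for optimizing certificate path construction.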

【Abstract】 Efficient validation of certificates by the relying party is the basis on which Public Key Infrastructure (PKI) can be widely used in secure communication. In a distributed environment, certificate paths must be constructed efficiently and securely to obtain the target certificate. We present the theory of certification path processing, analyse some typical certification path processing mechanisms, and describe their drawbacks. We conclude that using a server can effectively simplify the operation and maintenance of the client, and that performing certification path construction and validation in the client can improve the PKI's ability to resist Denial of Service and spoofing attacks.

Dynamic Path Determination is based on cross-certification to achieve inter-domain interoperability. Its drawback is that the number of cross-certifications grows quadratically with the number of domains, which is bad for management and maintenance. We put forward Dynamic Path Determination based on a Certification Chooser Server. The new method achieves inter-domain interoperability with a Bridge Certification Authority (BCA), so the number of cross-certifications grows linearly with the number of domains. We use the certificate chooser server to access the repository over HTTP, LDAP, FTP, etc., so the client need not access the repository when processing a certificate path, which simplifies the client. We also present an algorithm for path construction in the BCA environment. We then analyse the new method, contrast it with the old one, and analyse its performance through a simulated experiment.

We present and analyse the BBK subjective trust model. BBK presents a method for the valuation of trustworthiness, but its combination of recommendation trust cannot effectively resist the effect of malicious recommendations. On the assumption that benign recommendation paths are far more numerous than malicious ones and that the value of a benign recommendation is much larger than that of a malicious one, this thesis classifies the recommendation values by a similarity degree parameter Sdegree and chooses the larger group to combine, so that it excludes the malicious recommendations, which form the smaller group, and effectively resists their effect.

Certification path construction optimization is a method that uses the information in certificates to choose the certificate path most likely to be validated. The current problem is that none of the existing methods can distinguish between the most likely and the more likely paths. To solve this problem, we introduce the improved BBK subjective trust model into certification path construction optimization.
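A minimal sketch of the Sdegree filtering step and the "trust value times highest score" path priority described in the abstract; it is an added example, not code from the thesis. The abstract does not give the classification procedure, so the gap-based grouping rule, the function names, the tie handling and the sample values are all assumptions.

```python
from statistics import mean

def group_by_similarity(values, sdegree):
    """Chain sorted values into groups; a gap above sdegree starts a new group.
    Assumed rule: the abstract does not define how Sdegree classifies values."""
    groups = []
    for v in sorted(values):
        if groups and v - groups[-1][-1] <= sdegree:
            groups[-1].append(v)
        else:
            groups.append([v])
    return groups

def plain_average(values):
    """Original BBK-style combination: every recommendation path counts equally."""
    return mean(values)

def combine_recommendations(values, sdegree):
    """Combine only the largest group of mutually similar recommendation values."""
    if not values:
        raise ValueError("no recommendation paths")
    groups = sorted(group_by_similarity(values, sdegree), key=len, reverse=True)
    # If two groups tie for largest, the benign-majority assumption does not
    # hold and no group can be trusted over the other (assumed handling).
    if len(groups) > 1 and len(groups[0]) == len(groups[1]):
        raise ValueError("no single largest group of recommendations")
    return mean(groups[0])

def path_score(values, sdegree, max_score):
    """Priority for path construction: combined trust value times the highest score."""
    return combine_recommendations(values, sdegree) * max_score

# Constructed sample: five benign recommendation values and two malicious low ones.
RECOMMENDATIONS = [0.82, 0.10, 0.85, 0.80, 0.15, 0.88, 0.84]

if __name__ == "__main__":
    print("arithmetic mean :", round(plain_average(RECOMMENDATIONS), 3))
    print("Sdegree-filtered:", round(combine_recommendations(RECOMMENDATIONS, 0.1), 3))
    print("path score /100 :", round(path_score(RECOMMENDATIONS, 0.1, 100), 1))
```

With the constructed values, the two low recommendations pull the plain average well below the benign cluster, while the filtered combination ignores them.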

  • 【Online publication contributor】 Hunan University
  • 【Online publication year/issue】 2005, Issue 07
  • 【Classification number】 TP393.08
  • 【Downloads】 75