【作者】 陈福生；

【导师】 李之棠；

【作者基本信息】 华中科技大学 ， 计算机系统结构， 2006， 硕士

【摘要】 公钥基础设施(Public Key Infrastructure, PKI)能够保障网络安全,解决网络通信中的信息安全问题。目前存在集中式和分布式两种PKI技术。分布式PKI作为一种新的技术方案,较好地解决了集中式PKI中扩展性较差和单点失效问题,但分布式系统中数字证书如何分发、系统安全性如何保证,这些问题都有待研究解决。基于对等网络(Peer-to-Peer, P2P)的分布式PKI体系可以解决分布式PKI存在的问题。它采用P-Grid技术组织和管理系统中的实体,完成证书信息的搜索和传输;采用多重数字签名技术颁发证书,保证加入系统实体的安全性,并利用证书中包含的多个信任关系,形成多条信任链,加强总体信任强度;采用信任度量化实体间信任关系,建立信任模型并定义相关运算法则,通过信任度的计算验证实体是否可信,提高信任关系处理的准确性。基于P2P的分布式PKI体系支持证书申请、证书查询、证书撤销和证书验证四种操作。通过定义新的证书格式和申请流程,实现有效证书的申请;改造P-Grid搜索算法,实现证书信息的高效查询;采用新的证书撤销信息格式,使得实体能够撤销自身证书,简化整个撤销过程;利用证书的数字签名和信任度信息,综合运用信任度运算法则,完成证书的验证。分析表明,搜索算法提高了系统的性能,信任模型保证了系统的安全性,分布式体系架构使得系统具有较强的扩展能力。另外,较集中式PKI而言,系统在容错性、灵活性等方面也具备一定的优势。更多还原

【Abstract】 Public Key Infrastructure (PKI) can safeguard the security of network and settle information security problems in network communication. Current PKI can be classified in two main groups: centralized and decentralized. As a new solution, decentralized PKI can well solve the defections of centralized PKI such as weaker expansibility and single fault point, but it also remains some problems to be solved on distribution of the certificate and security of the system.A system of decentralized PKI based on Peer-to-Peer (P2P) can solve the problems of decentralized PKI. It adopts P-Grid to organize and manage entities of the whole system, completes certificates’discovery and transmission; uses multiple digital signatures to issue certificate, guarantee the security of the entity entering the system and strengthen the trust by several trust chains coming from the certificate; introduces trust metrics to evaluate the trust relationship between entities, builds trust models and defines formulas to calculate trust value and verify trust relationship of the entity which would improve accuracy of the system on processing of trust relationship.The decentralized PKI based on P2P supports four kinds of certificate operations: requisition, search, revocation and validation. The system defines a new certificate format and process to complete the requisition of valid certificate; changes search algorithm of P-Grid to seek certificate efficiently; simplifies the process of revocation by adopting a new revocation information format of certificate; validates certificate securely using information of digital signatures and trust value comprised in the certificate and the defined trust formulas.Analysis indicates that search algorithm can improve the performance of the system, trust models ensure system’s security, and distributed architecture makes the system have strong expansibility. Moreover, comparing with centralized PKI, the system has some advantages in flexibility and fault tolerance.更多还原