信息安全中证书撤销机制的分析与研究

北京邮电大学硕士学位论文信息安全中证书撤销机制的分析与研究姓名：黄劲光申请学位级别：硕士专业：信号与信息处理指导教师：张惠民20040218信息安全中证书撤销机制的分析与研究作者：黄劲光学位授予单位：北京邮电大学相似文献(10条)1.外文期刊YutakaMiyake.JonathanMillen.GritDenke.ToshiakiTanaka.KoujiNakaoNotificationofcertificaterevocationstatusbetweendifferentdomainsunderPKIsystemWhenpublickeycertificatesareusedtocontrolaccessbyaclientinonedomaintoaserverinanotherdomain,thecertificaterevocationstatusshouldbedistributedtotheserverdomainalso.Forsecurityreasons,thedistributionofinformationtootherdomainsshouldbeminimized,andexternaldistributionpointsaresubjecttoattackfromthirdpartiesontheInternet.Inthispaper,weconsideramechanismtoconveythecurrentrevocationstatusofcertificatestootherdomainssecurelyunderPKI(PublicKeyInfrastructure)system.Wealsodiscussamethodtoadaptourproposedmechanismtothe(21)针对公钥基础设施PKI中证书吊销问题,提出一种B_树解决方案,将查询与更新时的最大时间复杂度始终保持在O(log_d/(n+1)/2)+1)量级,与其他方案相比,当数据量特别大时,更能显示其优越性,同时介绍基于B_树的证书管理方案.实验结果表明,该方案对工程实现具有一定指导意义.3.外文会议RaviMukkamala.SatyamDas.MahanteshHalappanavar.InternationalFederationforInformationProcessing.IFIP128RECERTIFICATION:ATECHNIQUETOIMPROVESERVICESINPKIEfficientandtimelydistributionofcertificaterevocationinformationisamajorchallengecurrentlyfacingtheprovidersofPublic-keyInfrastructure(PKI).Allofthecurrentschemes,includingtheCertificateRevocationList(CRL)anditsvariants,placeaconsiderableprocessing,communication,andstorageoverheadontheinfrastructureelements(e.g.,CertificationAuthorities(CAs)anditsrepositories)aswellastherelyingparties.Inthispaper,wedescribeschemestoimprovethecurrentsituationusingrecertificationconcept.Here,acertificateneedstoberecertifiedfrequentlyafteritsinitialissuance.Asaconsequence,thesizeoftheCRLsgetmuchshorterandsubsequentlyitispossibletopublishthemmorefrequently.Inaddition,itprovidesopportunitiestoofferdifferenttypesofservices(withdifferentQoSrequirements)toarelyingparty.Forexample,itispossibleforarelyingpartytocompletelyplacetheburdenofproofofacertificatenon-revocationonthecertificate-holderitself.Alternately,forhigh-valuedtransactions,itmayverifyitselfasisdoneincurrentsystems.Inadditiontothebasicprotocol,wedescribeanimplementationschemeandtheperformancegainsduetotherecertificationprocess.TheproposedprotocolsworkwithinthecurrentPKIstandards(e.g.,X.509).4.外文会议DaeHyunYum.PilJoongLeeSeparableImplicitCertificateRevocationThepopularcertificaterevocationsystemssuchasCRLandOCSPhaveacommondrawbackthattheyareexplicitcertificaterevocation;thesendermustobtaintherevocationstatusinformationofthereceiver'scertificate,beforesendinganencryptedmessage.Recently,animplicitcertificaterevocationsystemcalled'certificate-basedencryption'wasintroduced.Inthismodel,areceiverneedsbothhisprivatekeyandanup-to-datecertificatefromtheCA(CertificationAuthority)todecryptaciphertext,whilesendersneednotbeconcernedaboutthecertificaterevocationproblem.Hence,thecertificate-basedencryptionsystemhastheadvantageoflightinfrastructurerequirement.However,thecertificate-basedencryptionsystemhasanimportantdrawbackthatitisinseparable;onlytheCAcanhandlethecertificaterevocationproblemandtheloadcannotbedistributedamongmultipletrustedauthorities.Inthispaper,weproposeaseparableimplicitcertificaterevocationsystemcalled'statuscertificate-basedencryption,'inwhichtheauthenticityofapublickeyisguaranteedbya(long-lived)certificateandthecertificaterevocationproblemisresolvedbya(short-lived)statuscertificate.Wepresentasecureconstructionbasedonbilinearmappingsaswellasdefinitionalworks.5.外文期刊NaokiTANAKA.YoichiroIINOVolumeofCommunicationsNecessaryforCertificateRevocationinPKIEstimatedBasedonProbabilityTheoryInPublicKeyInfrastructure(PKI),itisproposedthataverifierchecksavalidityofcertificatebyCertificateRevocationLists(CRLs).EachCRLincludesrevocationstatusesofcertificatesforapartofentities.AverifierobtainsonlyanecessarypartofCRLsand,bypreservingaCRLonceobtained,averifierneedsnotobtainthesameonemorethanonce.ThereforeCRLisexpectedtoreducethevolumeofcommunicationsnecessaryforcertificaterevocation.Inthispaper,forfull-CRLandδ-CRLmethods,wetakeintoaccountthefactthatoneCRLisobtainedbyoneverifieratmostonceandwederivethevolumeofcommunicationsnecessaryforcertificaterevocationbasedonprobabilitytheory.Theresultshowsthat,unlessthefrequencyofauthenticationsissufficientlylowcomparedtothatofCRLissuances,theeffectthataverifierobtainsonlyanecessarypartofCRLsisirrelevanttoreducethevolumeofcommunications.Furthermore,fortheδ-CRLmethod,itisprovedthatthereexistsanoptimalratiobetweenafrequencyofBaseCRLissuancesandafrequencyofδ-CRLissuancesindependentofthenumberofCAsifthefrequencyofauthenticationsishighenough.6.外文会议E.Faldella.M.PrandiniANEFFICIENTANDSECUREALTERNATIVETOOCSPFORPUBLIC-KEYCERTIFICATEREVOCATIONThispaperpresentsanon-linemethodforefficientauthenticationandverificationofcertificatestatuswithinPublic-KeyInfrastructures(PKIs).Theproposedmethodhasbeendevisedasanalternativetothewell-knownOnlineCertificateStatusProtocol(OCSP):itexhibitsthesamepositivefeaturesofasregardsscalability,s