分布式交叉认证中证书委托验证的研究
摘要
在分布式环境下,传统证书验证模式把证书的路径构建与路径验证两部分工作交给客户端来完成存在诸多不足。一、会降低PKI应用程序的工作效率。二、降低对用户的透明性。三、客户端的工作量就会成倍的增长,验证效率将会变得十分低下,甚至使得客户端不能完成证书验证工作。四、客户端的证书状态判定工作完全依赖于证书撤销列表的完成程度以及及时更新周期等。
为解决上述不足该文设计了基于证书验证委托模式证书验证委托服务器方案。该方案的主要特点是由证书验证委托服务器来执行复杂的证书路径构建和证书路径验证的工作,客户端通过向服务器发送验证请求就可以得到相关的结果。该方案的主要目是减轻客户端的证书路径构建与验证的工作量,减少网络流量,提高证书验证效率。
该文讨论PKI的基本结构、信任模型,分布式信任模型等概念。在委托路径发现与证书验证的基础了上详细地给出了证书验证委托服务器的总体设计方案,模块划分及其工作流程。其重点有两个,一是客户端与服务器端交互模块,二是证书路径构造与验证模块。
该服务器采用RFC5055草案中的SCVP协议作为客户端与服务器之间的交互规范。本文详细地讨论SCVP的格式,封装形式,并用开源工具OpenSSL实现了SCVP报文及其封装。
该服务器采用动态路径构建算法,目的是去解决在分布式环境中构建跨信任域的证书路径以及进行路径验证的问题。该文详细地分析该算法,给出了算法的流程,并讨论了该算法了效率。
In distributed PKI environment, work of the certificate path construction and certificate path validation is carried out by client in traditional pattern of certification validation. There exits many weak points. Firstly this will reduce the efficiency of PKI program. Secondly this will deduce the transparency to the client also. Thirdly the efficiency of validation will be very low. Finally the status of certificate is complete depended on CRL. The workload of client of traditional certificate cross-validation becomes very heavy, which is not beneficial to deploy PKI in a variety of applications and environment.
This paper proposes a scheme of certification Validation delegate Server System (CVDSS) for certification path construction and certificate validation.
The main feature of the CVDSS is that the complex work of the certificate path construction and certificate path validation is carried out by CVDSS. The client can get a related result through sending a validation request package. The main purpose of CVDSS is to reduce the workload of client in certificate path construction and certificate path validation, deduce the related network flow and improve the efficiency of certificate validation.
This paper discusses the basic structure of PKI and trust models, the concept of distributed trust model.
On the base of delegate path discovery and delegate certificate validation, the paper introduces specially the scheme and workflow of CVDSS.
The CVDSS takes the SCVP protocol draft in RFC5055 as interaction norms between the client and the server. This paper discusses specially the format of SCVP, encapsulation of the SCVP and the realization of the SCVP and its implementation by OpenSSL.
In this paper, the CVDSS uses the dynamic path construction(DPC) algorithm to resolve the problem of certificate path construction and cross-validation in distributed PKI environment. This paper discusses specially the algorithm, its workflow. This paper analyzes the efficiency of the algorithm.
为解决上述不足该文设计了基于证书验证委托模式证书验证委托服务器方案。该方案的主要特点是由证书验证委托服务器来执行复杂的证书路径构建和证书路径验证的工作,客户端通过向服务器发送验证请求就可以得到相关的结果。该方案的主要目是减轻客户端的证书路径构建与验证的工作量,减少网络流量,提高证书验证效率。
该文讨论PKI的基本结构、信任模型,分布式信任模型等概念。在委托路径发现与证书验证的基础了上详细地给出了证书验证委托服务器的总体设计方案,模块划分及其工作流程。其重点有两个,一是客户端与服务器端交互模块,二是证书路径构造与验证模块。
该服务器采用RFC5055草案中的SCVP协议作为客户端与服务器之间的交互规范。本文详细地讨论SCVP的格式,封装形式,并用开源工具OpenSSL实现了SCVP报文及其封装。
该服务器采用动态路径构建算法,目的是去解决在分布式环境中构建跨信任域的证书路径以及进行路径验证的问题。该文详细地分析该算法,给出了算法的流程,并讨论了该算法了效率。
In distributed PKI environment, work of the certificate path construction and certificate path validation is carried out by client in traditional pattern of certification validation. There exits many weak points. Firstly this will reduce the efficiency of PKI program. Secondly this will deduce the transparency to the client also. Thirdly the efficiency of validation will be very low. Finally the status of certificate is complete depended on CRL. The workload of client of traditional certificate cross-validation becomes very heavy, which is not beneficial to deploy PKI in a variety of applications and environment.
This paper proposes a scheme of certification Validation delegate Server System (CVDSS) for certification path construction and certificate validation.
The main feature of the CVDSS is that the complex work of the certificate path construction and certificate path validation is carried out by CVDSS. The client can get a related result through sending a validation request package. The main purpose of CVDSS is to reduce the workload of client in certificate path construction and certificate path validation, deduce the related network flow and improve the efficiency of certificate validation.
This paper discusses the basic structure of PKI and trust models, the concept of distributed trust model.
On the base of delegate path discovery and delegate certificate validation, the paper introduces specially the scheme and workflow of CVDSS.
The CVDSS takes the SCVP protocol draft in RFC5055 as interaction norms between the client and the server. This paper discusses specially the format of SCVP, encapsulation of the SCVP and the realization of the SCVP and its implementation by OpenSSL.
In this paper, the CVDSS uses the dynamic path construction(DPC) algorithm to resolve the problem of certificate path construction and cross-validation in distributed PKI environment. This paper discusses specially the algorithm, its workflow. This paper analyzes the efficiency of the algorithm.
引文
[1]Adams C, Lloyd S. Understanding PKI:Concept, Standards, and Deployment Consideration. Second Editon.Boston:Addison-Wesley Longman,2002:28.
[2]ISO/IEC 9594-8. The Directory:Public-Key and Attribute Certificate Frameworks. Inernational Organization for Standardization,2001.
[3]ITU-T. Recommendation X.208:Specification of Abstract Syntax Notation One[S]. 1988.
[4]R. Housley, W. Polk W. Ford, et al. Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile [S]. RFC 3280, April 2002.
[5]ITU-T. Recommendation X.509:Information Techology-Open System Interconnnection-The Directory:Public Key and Attribute Certification Frameworks[S],2000.
[6]X.209:Specification of Basic Encoding Rules for Abstract Syntax Notation One (ASN.1).
[7]R. Housley, W. Ford, W. Polk, et al. Internet X.509 Public Key Infrastructure Certificate and CRL Profile.RFC2459, January 1999.
[8]C. Adams, S. Farrell, et al.Internet X.509 Public Key Infrastructure Certificate Management Protocols. RFC2510, January 1999.
[9]S. Chokhani, W. Ford,et al. Internet X.509 Public Key Infrastructure Certificate Policy and Certification Practices Framework. RFC2527 March 1999.
[10]M. Myers, C. Adams, D. Solo,et al. Internet X.509 Certificate Request Message Format. RFC2511 March 1999.
[11]R. Housley, P. Hoffman. Internet X.509 Public Key Infrastructure Operational Protocols:FTP and HTTP. RFC2585, May 1999.
[12]C. Adams, P. Cain, D. Pinkas et al. Internet X.509 Public Key Infrastructure Time-Stamp Protocol (TSP) RFC3161, August 2001.
[13]M. Wahl, M. Wahl, S et al. Kille Lightweight Directory Access Protocol (v3) RFC2251, December 1997.
[14]M. Cooper, Y. Dzambasow, P. Hesse,et al. Internet X.509 Public Key Infrastructure Certification Path Building [S].RFC4158, September 2005.
[15]M. Myers, R. Ankney, A. Malpani'et al. X.509 Internet Public Key Infrastructure Online Certificate Status Protocol. June 1999
[16]Viega, John Messier,Matt Chandra,Pravir. Network Security With Openssl[M]. Oreilly & Associates Inc,2005
[17]D. Pinkas, R. Housley. Delegated Path Validation and Delegated Path Discovery Protocol Requirements. RFC3379, September 2002.
[18]T. Freeman, R. Housley, A. Malpani, et al. Server-Based Certificate Validation Protocol. RFC5055[S], December 2007.
[19]PKCS#1:RSA Cryptography Specifications Version
[20]PKCS#3:Diffie-Hellman Key Agreement Standard
[21]PKCS#5:Password-Based Cryptography Standard
[22]PKCS#6:Extended-Certificate Syntax Standard
[23]PKCS#7:Cryptographic Message Syntax Standard
[24]PKCS#8:Private-Key Information Syntax Standard
[25]PKCS#9:Selected Attribute Types
[26]PKCS#10 Certification Request Standard
[27]PKCS#11:Cryptographic Token Interface Standard
[28]PKCS#12 Personal Information Exchange Syntax Standard X.509
[29]PKCS#15:Cryptographic Token Information Format Standard
[30]http://www.opnessl.org
[31]http://www.openca.org
[32]徐蕾 高博基于类桥CA结构证书路径构造与验证方法[J].计算机与数字工程,2007,35(10):73-74.
[33]杨绚丽.基于加权信任列表路径搜索的交叉认证的研究与应用[D].苏州大学,2005.
[34]刘保言 陈泳章.公钥基础设施的分区证书路径构造方法的研究[J].计算机工程与应用.2004,22:141-143.
[35]李卓凡 杨树堂 陆松年 基于Agent的证书路径构建方法[J].计算机工程.2006,32(18):127-129.
[36]牛艳芳 孟建良 史占成.改进的分流路径在CA交叉认证中的研究[J].信息安全,2008,24(1):71-71.
[37]杨杰 丁伟.一个基于逆向搜索的分布式证书路径构建算法[J].计算机工程,2008,33(1):178-180.
[38]张明武 杨波 张文政.信任委托证书图搜索研究[J].计算机工程与应用,2007,43(4):125-133.
[39]刘艳 杨绚渊 陆建德.一种基于分布式交叉认证的证书验证代理的设计[J].计算机应用与软件,2008,32(18):127-129.
[40]李卓凡 杨树堂 陆松年.基于Agent的证书路径构建方法[J].计算机工程,2006,32(18):127-129.
[41]杨绚渊 刘艳 陆建德.一种改进的交叉认证路径构造算法设计[J],计算机工程,2006,32(24):146-148.
[42]王智慧.网格环境下代理证书链认证机制的研究[D],大连理工大学,2008.
[43]张立航 潘正运.在线证书有效性验证方法研究与改进[J].微计算机信息,2008,23(2):228-230.
[44]Andrew Nash,张玉清,陈建奇等译,公钥基础设施(PKI)实现和管理电子安全[M],北京:清华大学出版社,2002.12
[45]R. Housley. Cryptographic Message Syntax[S]. RFC3852, July 2004
[2]ISO/IEC 9594-8. The Directory:Public-Key and Attribute Certificate Frameworks. Inernational Organization for Standardization,2001.
[3]ITU-T. Recommendation X.208:Specification of Abstract Syntax Notation One[S]. 1988.
[4]R. Housley, W. Polk W. Ford, et al. Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile [S]. RFC 3280, April 2002.
[5]ITU-T. Recommendation X.509:Information Techology-Open System Interconnnection-The Directory:Public Key and Attribute Certification Frameworks[S],2000.
[6]X.209:Specification of Basic Encoding Rules for Abstract Syntax Notation One (ASN.1).
[7]R. Housley, W. Ford, W. Polk, et al. Internet X.509 Public Key Infrastructure Certificate and CRL Profile.RFC2459, January 1999.
[8]C. Adams, S. Farrell, et al.Internet X.509 Public Key Infrastructure Certificate Management Protocols. RFC2510, January 1999.
[9]S. Chokhani, W. Ford,et al. Internet X.509 Public Key Infrastructure Certificate Policy and Certification Practices Framework. RFC2527 March 1999.
[10]M. Myers, C. Adams, D. Solo,et al. Internet X.509 Certificate Request Message Format. RFC2511 March 1999.
[11]R. Housley, P. Hoffman. Internet X.509 Public Key Infrastructure Operational Protocols:FTP and HTTP. RFC2585, May 1999.
[12]C. Adams, P. Cain, D. Pinkas et al. Internet X.509 Public Key Infrastructure Time-Stamp Protocol (TSP) RFC3161, August 2001.
[13]M. Wahl, M. Wahl, S et al. Kille Lightweight Directory Access Protocol (v3) RFC2251, December 1997.
[14]M. Cooper, Y. Dzambasow, P. Hesse,et al. Internet X.509 Public Key Infrastructure Certification Path Building [S].RFC4158, September 2005.
[15]M. Myers, R. Ankney, A. Malpani'et al. X.509 Internet Public Key Infrastructure Online Certificate Status Protocol. June 1999
[16]Viega, John Messier,Matt Chandra,Pravir. Network Security With Openssl[M]. Oreilly & Associates Inc,2005
[17]D. Pinkas, R. Housley. Delegated Path Validation and Delegated Path Discovery Protocol Requirements. RFC3379, September 2002.
[18]T. Freeman, R. Housley, A. Malpani, et al. Server-Based Certificate Validation Protocol. RFC5055[S], December 2007.
[19]PKCS#1:RSA Cryptography Specifications Version
[20]PKCS#3:Diffie-Hellman Key Agreement Standard
[21]PKCS#5:Password-Based Cryptography Standard
[22]PKCS#6:Extended-Certificate Syntax Standard
[23]PKCS#7:Cryptographic Message Syntax Standard
[24]PKCS#8:Private-Key Information Syntax Standard
[25]PKCS#9:Selected Attribute Types
[26]PKCS#10 Certification Request Standard
[27]PKCS#11:Cryptographic Token Interface Standard
[28]PKCS#12 Personal Information Exchange Syntax Standard X.509
[29]PKCS#15:Cryptographic Token Information Format Standard
[30]http://www.opnessl.org
[31]http://www.openca.org
[32]徐蕾 高博基于类桥CA结构证书路径构造与验证方法[J].计算机与数字工程,2007,35(10):73-74.
[33]杨绚丽.基于加权信任列表路径搜索的交叉认证的研究与应用[D].苏州大学,2005.
[34]刘保言 陈泳章.公钥基础设施的分区证书路径构造方法的研究[J].计算机工程与应用.2004,22:141-143.
[35]李卓凡 杨树堂 陆松年 基于Agent的证书路径构建方法[J].计算机工程.2006,32(18):127-129.
[36]牛艳芳 孟建良 史占成.改进的分流路径在CA交叉认证中的研究[J].信息安全,2008,24(1):71-71.
[37]杨杰 丁伟.一个基于逆向搜索的分布式证书路径构建算法[J].计算机工程,2008,33(1):178-180.
[38]张明武 杨波 张文政.信任委托证书图搜索研究[J].计算机工程与应用,2007,43(4):125-133.
[39]刘艳 杨绚渊 陆建德.一种基于分布式交叉认证的证书验证代理的设计[J].计算机应用与软件,2008,32(18):127-129.
[40]李卓凡 杨树堂 陆松年.基于Agent的证书路径构建方法[J].计算机工程,2006,32(18):127-129.
[41]杨绚渊 刘艳 陆建德.一种改进的交叉认证路径构造算法设计[J],计算机工程,2006,32(24):146-148.
[42]王智慧.网格环境下代理证书链认证机制的研究[D],大连理工大学,2008.
[43]张立航 潘正运.在线证书有效性验证方法研究与改进[J].微计算机信息,2008,23(2):228-230.
[44]Andrew Nash,张玉清,陈建奇等译,公钥基础设施(PKI)实现和管理电子安全[M],北京:清华大学出版社,2002.12
[45]R. Housley. Cryptographic Message Syntax[S]. RFC3852, July 2004