Research on Server-Based Certificate Path Processing in Distributed Environments
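Abstract

Effective validation of certificates by relying parties is the foundation for the wide use of public key infrastructure (PKI) in secure communication. In large-scale distributed environments, certificate paths must be constructed efficiently and securely in order to obtain certificates. This thesis introduces the basic principles of certificate path processing, compares and analyses several typical existing certificate path processing mechanisms, and points out the shortcomings of each. It concludes that using a server can effectively simplify the operation and maintenance of the client, while performing certificate path construction and validation on the client can increase the ability of the whole PKI system to resist denial-of-service and spoofing attacks.

The thesis addresses a problem in the dynamic certificate path processing mechanism: it relies on cross-certification to link different trust domains, so the number of cross-certificates grows quadratically, which makes management and maintenance difficult. In response, the thesis proposes a dynamic certificate path construction mechanism based on a certificate collection server. The new mechanism links trust domains through bridge CA technology, so the numbers of cross-certificates and certificate paths grow linearly. To simplify the client, a certificate collection server that supports multiple directory access protocols is used, so that the client does not need to access directory servers frequently during certificate path construction and validation; a new path construction algorithm handles the case of multiple certificate paths under the bridge CA model. The thesis also compares and analyses the two approaches and evaluates the performance of the improved scheme through a simulation experiment.

The thesis then presents and analyses the BBK subjective trust model. Its algorithm for combining recommendation trust uses a simple arithmetic mean and so treats malicious and benign recommendation paths equally. Observing that benign recommendation paths far outnumber malicious ones and that malicious and benign recommendation trust values differ greatly, the thesis classifies the recommendation trust values using a similarity-degree parameter S_degree and combines only the class of trust values that accounts for the largest share. This effectively excludes the minority of malicious recommendations and thus resists their influence.

The optimizations currently used in certificate path construction rely mainly on information in the certificates to select, for certificate path validation, the certificate path most likely to pass. With these optimizations, however, it may be impossible to decide what value to assign between the highest priority and a higher priority, and the range from 0 to the maximum score cannot be subdivided further. The thesis introduces the improved BBK subjective trust model: a trust value is first obtained from a trust computation engine and then multiplied by the maximum score, which provides a finer-grained method for optimizing certificate path construction.
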
A relying party's ability to validate certificates efficiently is the basis on which Public Key Infrastructure (PKI) can be widely used in secure communication. In a distributed environment, certificate paths must be constructed efficiently and securely to obtain the target certificate. We present the theory of certification path processing, analyse some typical certification path processing mechanisms, and describe their drawbacks. We conclude that using a server can effectively simplify the operation and maintenance of the client, and that implementing certification path construction and validation in the client can improve the PKI's ability to resist denial-of-service and spoofing attacks.

Dynamic Path Determination is based on cross-certification to achieve inter-domain interoperability. Its drawback is that the number of cross-certifications increases quadratically with the number of domains, which is bad for management and maintenance. We put forward Dynamic Path Determination based on a Certification Chooser Server. The new method achieves inter-domain interoperability with a Bridge Certification Authority, so the number of cross-certifications increases linearly with the number of domains. We use the certificate chooser server to access the repository over HTTP, LDAP, FTP, etc., so the client does not need to access the repository when processing a certificate path, which simplifies the client. We also present an algorithm for path construction in a BCA environment. We then analyse the new method, contrast it with the old one, and evaluate its performance through a simulated experiment.

We present and analyse the BBK subjective trust model. BBK presents a method for the valuation of trustworthiness, but its combination of recommendation trust cannot effectively resist the effect of malicious recommendations. Under the assumption that benign recommendation paths far outnumber malicious ones and that the values of benign recommendations are much larger than those of malicious ones, this work classifies the recommendation values by a similarity-degree parameter S_degree and chooses the larger group to combine, so it can exclude the malicious recommendations, which are fewer, and effectively resist their effect.

Certification path construction optimization is a method that uses the information in certificates to choose the certificate path most likely to be validated. The problem is that current methods cannot distinguish between the most likely and the more likely paths. To solve this problem, we introduce the improved BBK subjective trust model into certification path construction optimization.