基于P2P的分布式PKI技术研究
|
摘要
公钥基础设施(Public Key Infrastructure, PKI)能够保障网络安全,解决网络通信中的信息安全问题。目前存在集中式和分布式两种PKI技术。分布式PKI作为一种新的技术方案,较好地解决了集中式PKI中扩展性较差和单点失效问题,但分布式系统中数字证书如何分发、系统安全性如何保证,这些问题都有待研究解决。
基于对等网络(Peer-to-Peer, P2P)的分布式PKI体系可以解决分布式PKI存在的问题。它采用P-Grid技术组织和管理系统中的实体,完成证书信息的搜索和传输;采用多重数字签名技术颁发证书,保证加入系统实体的安全性,并利用证书中包含的多个信任关系,形成多条信任链,加强总体信任强度;采用信任度量化实体间信任关系,建立信任模型并定义相关运算法则,通过信任度的计算验证实体是否可信,提高信任关系处理的准确性。
基于P2P的分布式PKI体系支持证书申请、证书查询、证书撤销和证书验证四种操作。通过定义新的证书格式和申请流程,实现有效证书的申请;改造P-Grid搜索算法,实现证书信息的高效查询;采用新的证书撤销信息格式,使得实体能够撤销自身证书,简化整个撤销过程;利用证书的数字签名和信任度信息,综合运用信任度运算法则,完成证书的验证。
分析表明,搜索算法提高了系统的性能,信任模型保证了系统的安全性,分布式体系架构使得系统具有较强的扩展能力。另外,较集中式PKI而言,系统在容错性、灵活性等方面也具备一定的优势。
Public Key Infrastructure (PKI) can safeguard the security of network and settle information security problems in network communication. Current PKI can be classified in two main groups: centralized and decentralized. As a new solution, decentralized PKI can well solve the defections of centralized PKI such as weaker expansibility and single fault point, but it also remains some problems to be solved on distribution of the certificate and security of the system.
A system of decentralized PKI based on Peer-to-Peer (P2P) can solve the problems of decentralized PKI. It adopts P-Grid to organize and manage entities of the whole system, completes certificates’discovery and transmission; uses multiple digital signatures to issue certificate, guarantee the security of the entity entering the system and strengthen the trust by several trust chains coming from the certificate; introduces trust metrics to evaluate the trust relationship between entities, builds trust models and defines formulas to calculate trust value and verify trust relationship of the entity which would improve accuracy of the system on processing of trust relationship.
The decentralized PKI based on P2P supports four kinds of certificate operations: requisition, search, revocation and validation. The system defines a new certificate format and process to complete the requisition of valid certificate; changes search algorithm of P-Grid to seek certificate efficiently; simplifies the process of revocation by adopting a new revocation information format of certificate; validates certificate securely using information of digital signatures and trust value comprised in the certificate and the defined trust formulas.
Analysis indicates that search algorithm can improve the performance of the system, trust models ensure system’s security, and distributed architecture makes the system have strong expansibility. Moreover, comparing with centralized PKI, the system has some advantages in flexibility and fault tolerance.
基于对等网络(Peer-to-Peer, P2P)的分布式PKI体系可以解决分布式PKI存在的问题。它采用P-Grid技术组织和管理系统中的实体,完成证书信息的搜索和传输;采用多重数字签名技术颁发证书,保证加入系统实体的安全性,并利用证书中包含的多个信任关系,形成多条信任链,加强总体信任强度;采用信任度量化实体间信任关系,建立信任模型并定义相关运算法则,通过信任度的计算验证实体是否可信,提高信任关系处理的准确性。
基于P2P的分布式PKI体系支持证书申请、证书查询、证书撤销和证书验证四种操作。通过定义新的证书格式和申请流程,实现有效证书的申请;改造P-Grid搜索算法,实现证书信息的高效查询;采用新的证书撤销信息格式,使得实体能够撤销自身证书,简化整个撤销过程;利用证书的数字签名和信任度信息,综合运用信任度运算法则,完成证书的验证。
分析表明,搜索算法提高了系统的性能,信任模型保证了系统的安全性,分布式体系架构使得系统具有较强的扩展能力。另外,较集中式PKI而言,系统在容错性、灵活性等方面也具备一定的优势。
Public Key Infrastructure (PKI) can safeguard the security of network and settle information security problems in network communication. Current PKI can be classified in two main groups: centralized and decentralized. As a new solution, decentralized PKI can well solve the defections of centralized PKI such as weaker expansibility and single fault point, but it also remains some problems to be solved on distribution of the certificate and security of the system.
A system of decentralized PKI based on Peer-to-Peer (P2P) can solve the problems of decentralized PKI. It adopts P-Grid to organize and manage entities of the whole system, completes certificates’discovery and transmission; uses multiple digital signatures to issue certificate, guarantee the security of the entity entering the system and strengthen the trust by several trust chains coming from the certificate; introduces trust metrics to evaluate the trust relationship between entities, builds trust models and defines formulas to calculate trust value and verify trust relationship of the entity which would improve accuracy of the system on processing of trust relationship.
The decentralized PKI based on P2P supports four kinds of certificate operations: requisition, search, revocation and validation. The system defines a new certificate format and process to complete the requisition of valid certificate; changes search algorithm of P-Grid to seek certificate efficiently; simplifies the process of revocation by adopting a new revocation information format of certificate; validates certificate securely using information of digital signatures and trust value comprised in the certificate and the defined trust formulas.
Analysis indicates that search algorithm can improve the performance of the system, trust models ensure system’s security, and distributed architecture makes the system have strong expansibility. Moreover, comparing with centralized PKI, the system has some advantages in flexibility and fault tolerance.
引文
[1] S. M. Bellovin. Security Problems in the TCP/IP Protocol Suite. Computer Communication Review, 1989, 19(2): 32-48
[2] 廖俊, 李世收, 蔡瑞英. PKI 技术在信息安全中的应用. 南京化工大学学报, 2001, 23(5): 57-59
[3] M. Thompson, A. Essiari, S. Mudumbai. Certificate-based Authorization Policy in a PKI Environment. ACM Transactions on Information and System Security, 2003, 6(4): 566-588
[4] 肖凌, 李之棠. 公开密钥基础设施(PKI)结构. 计算机工程与应用, 2002(10): 137-139
[5] 江为强, 陈波. PKI/CA 技术的起源、现状和前景综述. 西南科技大学学报, 2003, 18(4): 75-78
[6] 张仕斌, 何大可, 代群. PKI 安全认证体系的研究. 计算机应用研究, 2005(7): 127-130
[7] Stephen Wilson. The Importance of PKI Today. China Communications, 2005(12): 15-21
[8] Karl Aberer, Anwitaman Datta, Manfred Hauswirth. A decentralized public key infrastructure for customer-to-customer e-commerce. International Journal of Business Process Integration and Management,2004, 10(10): 1-8
[9] Perlman R. An Overview of PKI Trust Models. IEEE Network, 1999, 13(6): 38-43
[10] 龚俭, 刘建航. 证书撤销机制的改进. 计算机工程, 1999, 25(特刊): 48-50
[11] R. Khare, A. Rifkin. Weaving a web of trust. World Wide Web, 1997, 2(3): 77-112
[12] 帅青红, 缪春池, 付强. 数字加密与数字证书. 西南民族学院学报(自然科学版), 2000, 26(2): 213-216
[13] Wilson S. Digital Signatures and the Future of Documentation. Information Management and Computer Security, 1999, 7(2): 83-87
[14] R. Housley, W. Polk, W. Ford et al. Internet X.509 Public Key Infrastructure Certificate and CRL Profile. RFC2459, IETF, 1999: 8-40
[15] R. Housley, W. Polk, W. Ford et al. Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile. RFC3280, IETF, 2002: 7-46
[16] Dwaine Clarke, Jean-Emile Elien, Carl M. Ellison et al. Certificate chain discovery in SPKI/SDSI. Journal of Computer Security, 2001(9): 285-322
[17] 彭银香. 基于 PKI 交叉认证的信任模型研究. 网络安全技术与应用, 2006(1): 31-33
[18] 杨艺. 基于 PKI 的分布式认证系统证书路径的构建. 重庆工商大学学报(自然科学版), 2004, 21(3): 258-261
[19] 沙瀛, 白硕. 当前公开密钥基础设施的主要问题分析. 微电子学与计算机, 2002(6): 18-21
[20] Gong Jian, Liu Jianhang. A Smooth Expansion Model for PKI. Journal of Southeast University(English Edition), 2000, 16(1): 1-5
[21] Carl Ellison, Bruce Schneier. Ten Risk of PKI. Computer Security Journal, 2000, 16(1): 1-8
[22] 李胜勇, 陈文元, 张卫平. PKI 技术及其存在问题的分析. 微计算机信息, 2005, 21(1): 171-172
[23] 管海明, 任朝荣. PKI 缺陷分析及新一代 PKI 的要求. 计算机安全, 2004(1): 13-15
[24] 范磊, 许崇详, 李建华. 基于二叉树的证书撤销管理. 计算机工程, 2002, 28(6): 33-35
[25] 胡春光, 何奇, 陈明宇. 一种基于 Agent 的 PKI 体系. 微电子学与计算机, 2002 (11): 29-32
[26] Gary William Flake, Steve Lawrence et al. Self-organization of the web and indentification of communities. IEEE Computer, 2002, 35(3): 66-71
[27] Karl Aberer, Manfred Hauswirth, Magdalena Punceva et al. Improving Data Access in P2P Systems. IEEE Internet Computing, 2002, 6(1): 58-67
[28] I. Stoica, R. Morris, D. Liben-Nowell, D. R. Karger et al. Chord:A Scalable Peer-to-Peer Lookup Protocol for Internet Applications. IEEE/ACM Transactions on Networking, 2003, 11(1): 17-32
[29] Karl Aberer, Philippe Cudré-Mauroux, Anwitaman Datta et al. P-Grid: A Self-organizing Structured P2P System. SIGMOD Record, 2003, 32(2): 179-194
[30] 卢震宇, 戴英侠. 分布式认证系统互联的信任路径构建分析和实现. 计算机工程与应用, 2002(10): 155-158
[31] 窦文, 王怀民, 贾焰. 构造基于推荐的 Peer-to-Peer 环境下的 Trust 模型. 软件学报, 2004, 15(4): 571-583
[32] 陈恺, 刘玮, 肖国镇. 公钥基础结构中的信任度. 西安公路交通大学学报, 2001,21(1): 109-112
[33] Paul Resnick, Ko Kuwabara, Richard Zeckhauser et al. Reputation Systems. Communications of ACM, 2000, 43(12): 45-48
[34] 杨静, 夏素贞, 顾君忠. 基于P-Grid的数字媒体信息共享研究. 计算机应用, 2004, 24(5): 10-13
[35] Roman Schmidt. Gridella:an open and efficient Gnutella-compatible Peer-to-Peer System based on the P-Grid approach:[Master’s Thesis]. Vienna: Technical University of Vienna, 2002
[36] Karl Aberer, Anwitaman Datta, Manfred Hauswirth. Efficient, self-contained handling of identity in Peer-to-Peer systems. IEEE Transactions on Knowledge and Data Engineering, 2004, 16(7): 858-869
[37] M. Reiter, S. Stubblebine. Authentication metric analysis and design. ACM Transactions on Information System Security, 1999, 2(2): 128-158
[38] 张京楣, 金妍. 基于对等网络的信任模型. 济南大学学报(自然科学版), 2002, 16(4): 343-345
[39] Ting Yu, Marianne Winslett, Kent E. Seamons. Supporting structured credentials and sensitive policies through interoperable strategies for automated trust negotiation. ACM Transactions on Information System Security, 2003, 6(1): 1-42
[40] 李之棠, 陈福生. 一种基于 Peer-to-Peer 的 PKI 体系. 计算机工程与科学, (已录用)
[41] Ninghui Li, William H. Winsborough, John C. Mitchell. Distributed credential chain discovery in trust management. Journal of Computer Security, 2003, 11(1): 35-86
[2] 廖俊, 李世收, 蔡瑞英. PKI 技术在信息安全中的应用. 南京化工大学学报, 2001, 23(5): 57-59
[3] M. Thompson, A. Essiari, S. Mudumbai. Certificate-based Authorization Policy in a PKI Environment. ACM Transactions on Information and System Security, 2003, 6(4): 566-588
[4] 肖凌, 李之棠. 公开密钥基础设施(PKI)结构. 计算机工程与应用, 2002(10): 137-139
[5] 江为强, 陈波. PKI/CA 技术的起源、现状和前景综述. 西南科技大学学报, 2003, 18(4): 75-78
[6] 张仕斌, 何大可, 代群. PKI 安全认证体系的研究. 计算机应用研究, 2005(7): 127-130
[7] Stephen Wilson. The Importance of PKI Today. China Communications, 2005(12): 15-21
[8] Karl Aberer, Anwitaman Datta, Manfred Hauswirth. A decentralized public key infrastructure for customer-to-customer e-commerce. International Journal of Business Process Integration and Management,2004, 10(10): 1-8
[9] Perlman R. An Overview of PKI Trust Models. IEEE Network, 1999, 13(6): 38-43
[10] 龚俭, 刘建航. 证书撤销机制的改进. 计算机工程, 1999, 25(特刊): 48-50
[11] R. Khare, A. Rifkin. Weaving a web of trust. World Wide Web, 1997, 2(3): 77-112
[12] 帅青红, 缪春池, 付强. 数字加密与数字证书. 西南民族学院学报(自然科学版), 2000, 26(2): 213-216
[13] Wilson S. Digital Signatures and the Future of Documentation. Information Management and Computer Security, 1999, 7(2): 83-87
[14] R. Housley, W. Polk, W. Ford et al. Internet X.509 Public Key Infrastructure Certificate and CRL Profile. RFC2459, IETF, 1999: 8-40
[15] R. Housley, W. Polk, W. Ford et al. Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile. RFC3280, IETF, 2002: 7-46
[16] Dwaine Clarke, Jean-Emile Elien, Carl M. Ellison et al. Certificate chain discovery in SPKI/SDSI. Journal of Computer Security, 2001(9): 285-322
[17] 彭银香. 基于 PKI 交叉认证的信任模型研究. 网络安全技术与应用, 2006(1): 31-33
[18] 杨艺. 基于 PKI 的分布式认证系统证书路径的构建. 重庆工商大学学报(自然科学版), 2004, 21(3): 258-261
[19] 沙瀛, 白硕. 当前公开密钥基础设施的主要问题分析. 微电子学与计算机, 2002(6): 18-21
[20] Gong Jian, Liu Jianhang. A Smooth Expansion Model for PKI. Journal of Southeast University(English Edition), 2000, 16(1): 1-5
[21] Carl Ellison, Bruce Schneier. Ten Risk of PKI. Computer Security Journal, 2000, 16(1): 1-8
[22] 李胜勇, 陈文元, 张卫平. PKI 技术及其存在问题的分析. 微计算机信息, 2005, 21(1): 171-172
[23] 管海明, 任朝荣. PKI 缺陷分析及新一代 PKI 的要求. 计算机安全, 2004(1): 13-15
[24] 范磊, 许崇详, 李建华. 基于二叉树的证书撤销管理. 计算机工程, 2002, 28(6): 33-35
[25] 胡春光, 何奇, 陈明宇. 一种基于 Agent 的 PKI 体系. 微电子学与计算机, 2002 (11): 29-32
[26] Gary William Flake, Steve Lawrence et al. Self-organization of the web and indentification of communities. IEEE Computer, 2002, 35(3): 66-71
[27] Karl Aberer, Manfred Hauswirth, Magdalena Punceva et al. Improving Data Access in P2P Systems. IEEE Internet Computing, 2002, 6(1): 58-67
[28] I. Stoica, R. Morris, D. Liben-Nowell, D. R. Karger et al. Chord:A Scalable Peer-to-Peer Lookup Protocol for Internet Applications. IEEE/ACM Transactions on Networking, 2003, 11(1): 17-32
[29] Karl Aberer, Philippe Cudré-Mauroux, Anwitaman Datta et al. P-Grid: A Self-organizing Structured P2P System. SIGMOD Record, 2003, 32(2): 179-194
[30] 卢震宇, 戴英侠. 分布式认证系统互联的信任路径构建分析和实现. 计算机工程与应用, 2002(10): 155-158
[31] 窦文, 王怀民, 贾焰. 构造基于推荐的 Peer-to-Peer 环境下的 Trust 模型. 软件学报, 2004, 15(4): 571-583
[32] 陈恺, 刘玮, 肖国镇. 公钥基础结构中的信任度. 西安公路交通大学学报, 2001,21(1): 109-112
[33] Paul Resnick, Ko Kuwabara, Richard Zeckhauser et al. Reputation Systems. Communications of ACM, 2000, 43(12): 45-48
[34] 杨静, 夏素贞, 顾君忠. 基于P-Grid的数字媒体信息共享研究. 计算机应用, 2004, 24(5): 10-13
[35] Roman Schmidt. Gridella:an open and efficient Gnutella-compatible Peer-to-Peer System based on the P-Grid approach:[Master’s Thesis]. Vienna: Technical University of Vienna, 2002
[36] Karl Aberer, Anwitaman Datta, Manfred Hauswirth. Efficient, self-contained handling of identity in Peer-to-Peer systems. IEEE Transactions on Knowledge and Data Engineering, 2004, 16(7): 858-869
[37] M. Reiter, S. Stubblebine. Authentication metric analysis and design. ACM Transactions on Information System Security, 1999, 2(2): 128-158
[38] 张京楣, 金妍. 基于对等网络的信任模型. 济南大学学报(自然科学版), 2002, 16(4): 343-345
[39] Ting Yu, Marianne Winslett, Kent E. Seamons. Supporting structured credentials and sensitive policies through interoperable strategies for automated trust negotiation. ACM Transactions on Information System Security, 2003, 6(1): 1-42
[40] 李之棠, 陈福生. 一种基于 Peer-to-Peer 的 PKI 体系. 计算机工程与科学, (已录用)
[41] Ninghui Li, William H. Winsborough, John C. Mitchell. Distributed credential chain discovery in trust management. Journal of Computer Security, 2003, 11(1): 35-86