Institutional Repository of the Institute of Software, Chinese Academy of Sciences
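Title: 证书撤销机制的研究 (Research on Certificate Revocation Mechanisms)
Author: 薛源 (Xue Yuan)
Defense date: 2004
Major: Computer Application Technology
Degree-granting institution: Institute of Software, Chinese Academy of Sciences
Place of conferral: Institute of Software, Chinese Academy of Sciences
Degree: Doctorate
Keywords: certificate revocation mechanism; certificate status; certification authority; information security
Other title: Research on Certificate Revocation Mechanisms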
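Abstract: As a pervasive foundational platform for information security, PKI technology has developed rapidly over the past decade and has been widely applied in many fields. Certificate revocation mechanisms handle the problem of certificate status in PKI and are a fundamental, core problem of PKI. Research on certificate revocation mechanisms therefore has not only important theoretical significance but also practical application value. This thesis studies and discusses certificate revocation mechanisms in depth and obtains the following main results: A performance analysis and implementability study is carried out for four common revocation mechanisms: CRL, CRS, CRT and OCSP. Intuitive performance analysis results are given through qualitative analysis and quantitative comparison, and implementability is studied from several angles (timeliness, scalability, security, standards compatibility and implementation complexity). On this basis, general principles to follow when choosing a suitable certificate revocation mechanism in practical applications are proposed. Based on the idea of Huffman coding, a Huffman-based certificate revocation tree (H-CRT) is proposed. The new scheme gives frequently queried certificate responses shorter certificate validation paths, which greatly shortens the average hash path length and optimizes the performance of the certificate revocation system. Because H-CRT takes full account of the distribution of certificate queries, it has greater practical value. The logical structure model of a CRT system implementation is analyzed; based on ASN.1 syntax, a CRT certificate status proof request protocol is proposed. The protocol effectively implements the CRT certificate status proof request service between user and directory, and is general and efficient. For the specific technical details of implementing the protocol, a simple method of using OpenSSL to ASN.1 DER-encode and decode protocol messages is given; the method applies to all protocols that use ASN.1 to define their message formats.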
English abstract: As a pervasive, fundamental security platform, PKI has developed quickly and been widely used in various fields over the last decade. The certificate revocation mechanism, which deals with the problem of certificate status in PKI, is a basic core problem of PKI. Research on certificate revocation mechanisms has not only important theoretical significance but also practical application value. In this thesis, we study certificate revocation mechanisms in depth and obtain the following results: Performance evaluation and implementation analysis are carried out for CRL, CRS, CRT and OCSP. An intuitive performance evaluation result is given through qualitative analysis and quantitative comparison. Implementation analysis is done from various aspects, including timeliness, scalability, security, standards compatibility and complexity of realization. Some principles are pointed out that ought to be followed when choosing a certificate revocation mechanism in practical applications. Based on the idea of Huffman coding, a Huffman-based Certificate Revocation Tree (H-CRT) is proposed. H-CRT assigns shorter certificate validation paths to more frequently queried responses, and therefore greatly reduces the average hash path length and optimizes the performance of the certificate revocation system. H-CRT takes the distribution of certificate queries into account and is more valuable in practice. The logical structure model of a CRT system is analyzed. Based on ASN.1, a CRT Proof of Certificate Status (CRT-PCS) Request Protocol is proposed, which can efficiently realize the CRT-PCS service between directory and end entity. This protocol is general and efficient. To tackle the technical problems of protocol implementation, a convenient method of ASN.1 DER encoding and decoding using OpenSSL is introduced. This method is applicable to the DER encoding and decoding of any ASN.1-based protocol message.
Language: Chinese
Content type: Dissertation
URI: http://ir.iscas.ac.cn/handle/311060/6730
Appears in Collections: Institute of Software, Chinese Academy of Sciences

Files in This Item:
File Name / File Size | Content Type | Version | Access | License
LW014039.pdf (1800KB) | -- | -- | Restricted access | -- (contact to obtain full text)

Recommended Citation:
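薛源 (Xue Yuan). 证书撤销机制的研究 (Research on Certificate Revocation Mechanisms) [D]. Institute of Software, Chinese Academy of Sciences. Institute of Software, Chinese Academy of Sciences. 2004-01-01.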
Items in IR are protected by copyright, with all rights reserved, unless otherwise indicated.