Title: | PKI理论与应用技术研究 |
Author: | 周永彬 |
Issued Date: | 2004 |
Major: | Computer Application Technology |
Degree Grantor: | Institute of Software, Chinese Academy of Sciences |
Place of Degree Grantor: | Institute of Software, Chinese Academy of Sciences |
Degree Level: | Doctoral |
Keyword: | Public Key Infrastructure; Trusted Key Management Center; Certificate Status Validation; Fair Exchange Protocol; Cryptography |
Alternative Title: | Research on PKI Theories and Application Technologies |
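Abstract: | Internet-based value-added network applications such as e-commerce and e-government are evolving rapidly, and their demands on information security are rising accordingly. Security properties such as fairness and traceability are new requirements beyond the traditional basic security requirements of confidentiality, integrity, non-repudiation and identity authentication. Public Key Infrastructure (PKI), built on public-key cryptography, is currently recognized as the most feasible and most effective way to solve information security problems in large open network environments. Centered on the design and development of a real enterprise-grade PKI system, this thesis studies, from both theoretical and practical perspectives, some of the key theoretical and technical problems involved in implementing a secure, reliable and scalable PKI system. Fairness is one of the basic requirements of e-commerce transactions, and the final part of the thesis studies an important class of fair exchange protocols in depth. The thesis makes the following six main contributions. First, a highly modular and scalable enterprise-grade PKI system, ErcistPKI, is designed and implemented. Given PKI's role as a pervasive security foundation platform, the security of the PKI system itself is especially emphasized throughout design and implementation. Second, the concept of a "Trusted Key Management Center (TKMC)" is proposed for the first time in PKI system design; this distinctive design greatly strengthens the implementation of key management functions and provides good technical preparation for a smooth transition from PKI to Key Management Infrastructure (KMI). Third, certificate status validation mechanisms are studied in depth, and a certificate status simulation system is designed to guide the deployment and implementation of PKI systems and applications; on this basis, a new taxonomy of authenticated dictionaries based on time constraints is given for the first time. Fourth, the OCSP protocol is formally analyzed, and an efficient and scalable OCSP system is designed and implemented. Fifth, the special requirements that the WPKI working environment places on the design of a security foundation platform are analyzed; taking the specific characteristics of wireless mobile devices into account, an efficient certificate status query mechanism suitable for WPKI environments is designed based on commutative hash functions and dynamic Merkle hash trees. Sixth, a class of fair exchange protocols is studied in depth; starting from the cryptographic building blocks used to design fair exchange protocols, a new and efficient CEMBS based on the RSA cryptosystem is proposed, and on that basis an optimized fair exchange protocol based on the RSA cryptosystem is designed. |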
English Abstract: | Internet-based value-added network applications (for instance, e-commerce and e-government) are developing rapidly. These applications pose new requirements for information security. Such new requirements, like fairness and accountability, go beyond the traditional basic security requirements such as confidentiality, integrity, non-repudiation and authentication. Public Key Infrastructure (PKI) technology, based on public-key cryptography, is considered to be the most feasible and most effective method for solving information security problems in large, open networking environments. Through the design and development of an enterprise PKI system, this thesis studies, both theoretically and practically, some key technologies for implementing a secure, reliable and scalable PKI system. Fairness is one of the basic information security requirements of e-commerce, and one important kind of fair exchange protocol is thoroughly examined at the end of the thesis. As a result, six principal achievements have been obtained. First, a highly modular and scalable PKI system (which we call ErcistPKI) is designed and implemented. The security of the PKI system itself is especially emphasized during the system design and implementation process, in accordance with the pervasive character of PKI. Second, the concept of a Trusted Key Management Center (TKMC) is introduced for the first time. This technology greatly strengthens key management practices and allows for a smooth transition from PKI to Key Management Infrastructure (KMI). Third, certificate status mechanisms are investigated in depth, and a certificate revocation performance simulation system is devised. This work will provide guidance for the practice and deployment of PKI applications. Based on time constraints, a new taxonomy for authenticated dictionaries is proposed. Fourth, a formal analysis of the OCSP protocol is carried out; then an efficient and scalable OCSP system is developed. Fifth, the special requirements imposed by the working environments of Wireless PKI (WPKI) are analyzed. Based on commutative hashing and dynamic Merkle hash trees, an efficient certificate status validation method suitable for WPKI is presented. Sixth, one important kind of fair exchange protocol is studied, and a new CEMBS based on the RSA cryptosystem is proposed. Building on this, a novel fair exchange protocol based entirely on the RSA signature scheme is devised. |
Language: | Chinese |
Content Type: | Thesis |
URI: | http://ir.iscas.ac.cn/handle/311060/7272 |
Appears in Collections: | Institute of Software, Chinese Academy of Sciences |
File Name/File Size | Content Type | Version | Access | License |
LW013923.pdf (1565KB) | -- | -- | Restricted access | -- | Contact to obtain full text |
Recommended Citation: | 周永彬. PKI理论与应用技术研究[D]. 中国科学院软件研究所. 中国科学院软件研究所. 2004-01-01. |