Institute of Software, Chinese Academy of Sciences (ISCAS) Institutional Repository
Title: 目录服务与在线证书状态验证系统研究 (Research on Directory Services and Online Certificate Status Validation Systems)
Author: 艾风 (Ai Feng)
Defense date: 2004
Discipline: Computer Application Technology
Degree-granting institution: Institute of Software, Chinese Academy of Sciences
Degree-granting location: Institute of Software, Chinese Academy of Sciences
Degree: Doctorate
Keywords: public key infrastructure; directory service; Lightweight Directory Access Protocol; online certificate status validation; Online Certificate Status Protocol
Abstract: Public key infrastructure (PKI), built on public-key cryptography, is currently recognized as the most feasible and effective approach to information security in large, open network environments. Against the background of the design and development of a practical enterprise-grade PKI system, this thesis examines two core components of a PKI system, the directory service and the online certificate status validation system, from both a theoretical and a practical perspective. With the growth of the Internet, directory services are being used ever more widely. The thesis summarizes the directory service standards, X.500 and the Lightweight Directory Access Protocol (LDAP); through a detailed analysis of the LDAP protocol model, information model, naming model, distribution model, functional model and security model, it gives an in-depth account of LDAP directory services; it then presents the key points of directory service design, describes a secure and efficient directory service design for a PKI system, and solves the localization problem of the directory service. The Online Certificate Status Protocol (OCSP) lets a client obtain real-time certificate status information through a simple query; in current PKI implementations OCSP has become a replacement for, or a complement to, certificate revocation lists (CRLs), overcoming the latency, poor scalability and management difficulties of CRL-based mechanisms. Based on OCSP and its extension (OCSP-X), the thesis proposes a secure, efficient and scalable online certificate status validation system which, in addition to basic online certificate status queries, also supports historical certificate status queries, delegated path validation and delegated path discovery; it then discusses the factors that improve the performance and scalability of this system and gives some considerations regarding its security.
English abstract: Public Key Infrastructure (PKI) technology based on public-key cryptography is now considered the most feasible and effective method of solving information security problems in large, open networking environments. In the context of the design and development of an enterprise PKI system, the directory service and the online certificate status validation system, two core components of a PKI system, are discussed in this thesis both theoretically and practically. Directory services have proliferated with the growth of the Internet and are used in a wide variety of network-based applications. The directory service standards, X.500 and the Lightweight Directory Access Protocol (LDAP), are introduced in this thesis, and the LDAP directory is analyzed in detail through its various models: the protocol model, information model, naming model, distribution model, functional model and security model. Subsequently a general design procedure for directory services and a secure, efficient directory service for PKI are developed in this thesis. The principle of processing local-language information in LDAP directory service applications is then analyzed. The Online Certificate Status Protocol (OCSP) allows a client to query a responder for the status of one or more certificates and obtain up-to-date information on their validity. PKI implementations can use OCSP instead of, or as a complement to, Certificate Revocation Lists (CRLs) to overcome the latency, scalability and manageability problems inherent in CRL-based solutions. A secure, efficient and scalable online certificate status validation system based on OCSP and its extension (OCSP-X) is developed in this thesis; this system can accommodate an Online Revocation Service (ORS), a Delegated Path Validation (DPV) service and a Delegated Path Discovery (DPD) service. Finally, several factors in improving the efficiency and scalability of this system are analyzed, and some security considerations are presented.
Language: Chinese
Content type: Doctoral thesis
URI: http://ir.iscas.ac.cn/handle/311060/7406
Appears in Collections: Institute of Software, Chinese Academy of Sciences

Files in This Item:
File name: LW014047.pdf (2902 KB); access: restricted; contact the repository to obtain the full text.

Recommended Citation:
艾风 (Ai Feng). 目录服务与在线证书状态验证系统研究 (Research on Directory Services and Online Certificate Status Validation Systems) [D]. Institute of Software, Chinese Academy of Sciences, 2004-01-01.
Items in IR are protected by copyright, with all rights reserved, unless otherwise indicated.
Copyright © 2007-2017 Institute of Software, Chinese Academy of Sciences