| 题名: | 目录服务与在线证书状态验证系统研究 |
| 作者: | 艾风
|
| 答辩日期: | 2004
|
| 专业: | 计算机应用技术
|
| 授予单位: | 中国科学院软件研究所
|
| 授予地点: | 中国科学院软件研究所
|
| 学位: | 博士
|
| 关键词: | 公钥基础设施
; 目录服务
; 轻型目录访问协议
; 在线证书状态验证
; 在线证书状态协议
|
| 摘要: | 基于公钥密码技术构建的公钥基础设施(PKI)是目前公认的解决大型开放网络环境下信息安全问题最可行、最有效的办法。以实用的企业级P心系统的设计与开发为背景,从理论和实际应用两个方面探讨PKI系统的两个核心组件:目录服务和在线证书状态验证系统。随着互联网的发展,目录服务的应用越来越广泛。本文总结了目录服务的标准-X.50O与轻型目录访问协议(LDAP);通过对LDAP目录协议模型、信息模型、命名模型、分布式模型、功能模型、安全模型的详细分析,较为深入地阐述了LDAP目录服务;接着给出了目录服务设计的要点,叙述了一个安全高效的PKI系统的目录服务设计方案;然后解决了目录服务的本地化问题。在线证书状态协议(OCSP)容许客户通过简单的查询获得实时的证书状态信息,目前在PKI实现中,OCSP已经成为证书撤销列表(CRL)的替代或补充机制,以克服基于CRL机制的延时性、可扩展性差、难于管理等缺陷。基于OCSP机制及其扩展(OCSP-X),本文提出了一种安全高效、可扩展的在线证书状态验证系统,此系统除了能提供基本的在线证书状态查询服务外,还能支持证书历史状态查询、委托路径验证和委托路径查找服务;然后本文探讨了提高此系统性能与可扩展性的因素,并给出了关于系统安全性的一些考虑。 |
| 英文摘要: | Now, Public Key Infrastructure (PKI) technology based on public-key cryptography is considered to be the most feasible and effective method to solve information security problems in large and open networking environment. With design and development of an enterprise PKI system, directory service and online certificate status validation system, two core component of PKI system, are discussed in this paper both theoretically and practically. Directory Services have recently proliferated with the growth of the Internet, and are being used in a wide variety of network-based applications. Standards of Directory Service, X.500 and Lightweight Directory Access Protocol(LDAP), are introduced in this thesis, and LDAP Directory is analyzed in details by all kinds of model, such as protocol model, information model, naming model, distribution model, function model, and security model. Sequentially a general design procedure of Directory Service and a secure, efficient directory service for PKI are conducted in this thesis. And then the principle of processing local laiigue information in LDAP directoiy service applications is analyzed. Online Certificate Status Protocol(OCSP) allows a client to query a responder for the status of one or more certificates and get up-to-date information on their validity. PKI implementations can use OCSP instead of, or as a complement to, Certificate Revocation Lists to overcome latency, scalability or manageability problems inherent in solutions based on CRLs. A secure, efficient and scalable online certificate status validation system based on OCSP and its extension(OCSP-X) is developed in this thesis. And this system can accommodate Online Revocation Service (ORS), Delegated Path Validation (DPV) service and Delegated Path Discovery (DPD) service. At last several factors in improving efficiency and scalability of this system are analyzed, and some security considerations are presented. |
| 语种: | 中文
|
| 内容类型: | 学位论文
|
| URI标识: | http://ir.iscas.ac.cn/handle/311060/7406
|
| Appears in Collections: | 中科院软件所
|
| File Name/ File Size |
Content Type |
Version |
Access |
License |
|
|---|
| LW014047.pdf(2902KB) | -- | -- | 限制开放 | -- | 联系获取全文 |
|
| Recommended Citation: | |
艾风. 目录服务与在线证书状态验证系统研究[D]. 中国科学院软件研究所. 中国科学院软件研究所. 2004-01-01.
|
|
|
