Similar literature
 18 similar documents found; search took 281 ms
1.
唐三平  赵娟  陶然 《电子学报》2006,34(4):583-586
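Publishing certificate revocation status is one of the most critical parts of a PKI. The metrics for evaluating a certificate revocation status publication scheme mainly cover five aspects: the communication volume of status publication, the timeliness of publication, the smoothness of access, the security requirements on the directory server, and the computational complexity of status verification. Based on an analysis of existing certificate status publication schemes, this paper proposes a certificate revocation status publication scheme based on the hard problem of quadratic residuosity. The scheme achieves very good results in the timeliness of status publication, the communication volume of published data, the smoothness of access, and the security requirements on the directory server, and its computational complexity is also lower than that of OCSP, CRT and CRL.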

2.
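Design and Implementation of an Improved OCSP System   Total citations: 8, self-citations: 0, citations by others: 8
CRL and OCSP are two important mechanisms for querying certificate status. This paper compares the CRL and OCSP protocols and, based on an analysis of the OCSP protocol and of the main problems facing OCSP systems, presents the design and implementation of an improved OCSP system and discusses in detail the key techniques used in the implementation.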

3.
胡廉民 《通信技术》2007,40(8):77-79
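In a PKI system, the security of authority certificates is of great importance to the system as a whole. When an authority certificate expires or its key is compromised, the certificate should be revoked and updated promptly, so that erroneous use of the authority certificate does not affect the security of the whole PKI system. Based on existing PKI specifications and the current state of practice, this paper analyzes the authority certificate update mechanism based on the hierarchical certification model and proposes a new implementation scheme for authority certificate update.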

4.
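Research on the Revocation of PKI Authority Certificates   Total citations: 4, self-citations: 0, citations by others: 4
In a PKI system, the security of authority certificates is of great importance to the system as a whole. Based on existing PKI specifications and the current state of practice, this paper analyzes the CRL-based certificate revocation mechanism and the methods currently in common use for revoking authority certificates, and proposes an improved implementation scheme for authority certificate revocation.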

5.
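Conformance Verification of Standards Related to Certificate Revocation Mechanisms   Total citations: 1, self-citations: 1, citations by others: 0
This paper analyzes the consistency problems among the PKI series standards that have been drafted or are being drafted, studies the consistency problems of the CRL format in standards related to certificate revocation mechanisms, and, by developing corresponding simulation verification programs on a standards verification platform, carries out standards-conformance simulation verification of the CRL format and of the validity of CRL signatures when the CA key is updated.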

6.
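This paper introduces OCSP-GB/T19713-2005 "Online Certificate Status Protocol" from the national information security standard series. OCSP, the Online Certificate Status Protocol, is used to determine the (revocation) status of X.509 digital certificates. OCSP can provide more timely certificate revocation information than CRL, to meet the needs of some operations, and can also obtain more certificate status information.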

7.
Research on a Combined Segmentation and Over-Issuing Model for CRLs   Total citations: 8, self-citations: 0, citations by others: 8
谭良  刘震  佘堃  周明天 《电子学报》2005,33(2):227-230
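This paper proposes a new model for publishing public key infrastructure (PKI) certificate status information using certificate revocation lists (CRLs): a combined segmentation and over-issuing model. The model first segments the CRL and then over-issues each segment independently. Analysis shows that this approach both reduces the length of the CRL, so that the repository can serve requests faster, and lowers the peak request rate, peak bandwidth and average load, reduces time fragmentation, and meets the certificate revocation requirements of large-scale PKIs.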

8.
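The OCSP protocol is a key technology in PKI, but because certificate status requires signing and signature verification operations, the computational overhead is high and efficiency suffers. The SOCSP protocol is a standard developed independently in China to solve the performance bottleneck in the OCSP protocol and to meet the practical application needs of China's PKI systems. This paper studies the key technologies of SOCSP, focuses on the usability of the simplified protocol data and the security vulnerabilities that may exist, and proposes improvements for these problems.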

9.
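Certificate revocation is the most resource-consuming operation in a PKI system and a key issue for the expansion and widespread adoption of PKI systems; the scalability of a certificate revocation mechanism is an important part of evaluating the merits of a scheme. To solve the problems that arise as PKI systems become widespread and large-scale, many certificate revocation mechanisms have been proposed and used. I. Scalability analysis of certificate revocation mechanisms. For a certificate revocation mechanism, scalability can be regarded as the maximum PKI scale that the mechanism can support. The scale of a PKI system is determined by the system-issued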

10.
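To address the problem of excessive communication volume in fully distributed key certificate revocation schemes, this paper builds on the double-accusation certificate revocation mechanism, applies the idea of bisection, analyzes the main shortcomings of the traditional scheme, and proposes a fully distributed key certificate revocation scheme. Analysis shows that the improved scheme can greatly reduce communication volume and network bandwidth, which is essential for Ad Hoc (from Latin, meaning: for this purpose only) networks.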

11.
A localized certificate revocation scheme for mobile ad hoc networks   Total citations: 1, self-citations: 0, citations by others: 1
The issue of certificate revocation in mobile ad hoc networks (MANETs), where there is no on-line access to trusted authorities, is a challenging problem. In wired network environments, when certificates are to be revoked, certificate authorities (CAs) add the information regarding the certificates in question to certificate revocation lists (CRLs) and post the CRLs on accessible repositories or distribute them to relevant entities. In purely ad hoc networks, there is typically no access to centralized repositories or trusted authorities; therefore the conventional method of certificate revocation is not applicable. In this paper, we present a decentralized certificate revocation scheme that allows the nodes within a MANET to revoke the certificates of malicious entities. The scheme is fully contained and it does not rely on inputs from centralized or external entities.

12.
A PKI (public key infrastructure) provides for a digital certificate that can identify an individual or an organization. However, the existence of a certificate is a necessary but not sufficient evidence for its validity. The PKI needs to provide applications that use certificates with the ability to validate, at the time of usage, that a certificate is still valid (not revoked). One of the two standard protocols to check the revocation status of certificates is the Online Certificate Status Protocol (OCSP). In this article, we propose an OCSP-based implementation that enhances the performance of standard OCSP. In particular, we put special emphasis on those issues that affect security and performance when the validation service is deployed in a real scenario. Finally, we provide experimental results that show that our implementation outperforms standard OCSP.

13.
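This paper makes a detailed study of the CRL extensions in X.509 version 4, gives a formal description of the relevant extensions that conforms to ASN.1 syntax, analyzes the scope of application of the CRL extensions, and points out directions for future research.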

14.
Certificate revocation and certificate update   Total citations: 7, self-citations: 0, citations by others: 7
We present a solution for the problem of certificate revocation. This solution represents certificate revocation lists by authenticated dictionaries that support: (1) efficient verification whether a certificate is in the list or not and (2) efficient updates (adding/removing certificates from the list). The suggested solution gains in scalability, communication costs, robustness to parameter changes, and update rate. Comparisons to the following solutions (and variants) are included: “traditional” certificate revocation lists (CRLs), Micali's (see Tech. Memo MIT/LCS/TM-542b, 1996) certificate revocation system (CRS), and Kocher's (see Financial Cryptography-FC'98 Lecture Notes in Computer Science. Berlin: Springer-Verlag, 1998, vol.1465, p.172-7) certificate revocation trees (CRT). We also consider a scenario in which certificates are not revoked, but frequently issued for short-term periods. Based on the authenticated dictionary scheme, a certificate update scheme is presented in which all certificates are updated by a common message. The suggested solutions for certificate revocation and certificate update problems are better than current solutions with respect to communication costs, update rate, and robustness to changes in parameters, and are compatible, e.g., with X.500 certificates.

15.
Security for ad hoc network environments has received a lot of attention as of today. Previous work has mainly been focussing on secure routing, fairness issues, and malicious node detection. However, the issue of introducing and conserving trust relationships has received considerably less attention. In this article, we present a scalable method for the use of public key certificates and their revocation in mobile ad hoc networks (MANETs). With the LKN-ad hoc security framework (LKN-ASF) a certificate management protocol has been introduced, bringing PKI technology to MANETs. In addition a performance analysis of two different revocation approaches for MANETs will be presented.

16.
A Survey of Public Key Certificate Revocation Mechanisms   Total citations: 4, self-citations: 0, citations by others: 4
李新  张振涛  杨义先 《通信学报》2003,24(9):109-116
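How to revoke certificates has always been a difficult problem in the research and application of public key infrastructure (PKI). This paper surveys the certificate revocation mechanisms currently in use and under study, describes in detail how each mechanism works, and analyzes in detail the advantages and disadvantages of each mechanism.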

17.

Mobile ad hoc networks (MANETs) have a wide range of uses because of their dynamic topologies and simplicity of processing. Inferable from the autonomous and dynamic behavior of mobile nodes, the topology of a MANET frequently changes and is inclined to different attacks. So, we present certificate revocation, which is an efficient scheme for security enhancement in MANETs. This certificate revocation scheme is used to revoke the certificate of malicious nodes in the network. However, the accuracy and speed of the certificate revocation are further to be improved. By considering these issues along with the energy efficiency of the network, an energy-efficient clustering scheme is presented for certificate revocation in MANETs. For cluster head (CH) selection, an opposition based cat swarm optimization algorithm (OCSOA) is proposed. This selected CH participates in quick certificate revocation and also supports the recovery of falsely accused nodes in the network. Simulation results show that the performance of the proposed cluster-based certificate revocation outperforms existing voting and non-voting based certificate revocation in terms of delivery ratio, throughput, energy consumption, and network lifetime.


18.

In Vehicular ad-hoc networks (VANETs), routing and security are the main challenges. In our previous work, we have presented cluster-based secure communication with the certificate revocation scheme for securable communication between the vehicles. Cluster formation is done using the trust degree of each vehicle and this trust degree is calculated based on the direct and indirect trust degree of each vehicle. Information of each vehicle is gathered by the corresponding cluster head (CH) in a cluster. This information is maintained by the Certificate Revocation List (CRL) in the Certificate Authority (CA). CA isolates a vehicle as an attacked node if it has less trust degree than the threshold trust value and it invalidates the certificate of attacked or revoked nodes. Before transmission, each vehicle in a cluster validates its certificate with the support of CA. After the validation, the other challenge of VANET i.e., efficient route is to be established so that Energy efficient enhanced OLSR routing protocol using Particle Swarm Optimization (PSO) algorithm is presented in this paper. After the establishment of the efficient route, the vehicle deploys the symmetric cryptography approach for securable transmission. Simulation results show that the performance of our proposed approach outperforms the performance of existing work in terms of energy efficiency.
