基于门限ECC的容侵CA私钥保护方案

CA是PIG中的关键设施,负责签发用于鉴别用户身份的数字证书.CA的可信任性依赖于CA的私钥.CA的私钥一旦泄露,其签发的所有证书就只能全部作废.因此,保护CA私钥的安全是整个PKI安全的核心.基于椭圆曲线ECC算法和(t,n)门限密码技术,结合主动秘密共享方法,提出了一种容侵的CA私钥保护方案.方案确保私钥在任何时候都无需重构.同时,在私钥产生、分发及使用过程中,即使部分系统部件受到攻击,也不会泄漏,保护了CA私钥的安全性,从而保证了在线CA所签发数字证书的有效性.并通过Java和Openssl对系统进行了实现.     

了解数字证书

数字证书就是互联网通讯中标志通 讯各方身份信息的一系列数据,提供了 一种在Internet上验证身份的方式,其作 用类似于司机的驾驶执照或日常生活中 的身份证。它是由一个由权威机构—— CA机构,又称为证书授权(Certificate Authority)中心发行的,CA是负责签发证 书、认证证书、管理已颁发证书的机关。 它要制定政策和具体步骤来验证、识别 用户身份,并对用户证书进行签名,以确 保证书持有者的身份和公钥的拥有权。 CA也拥有一个证书(内含公钥)和私钥。 网上的公众用户通过验证CA的签字从     

证书及私钥漫游系统的设计与安全性分析

为解决网络信息的安全问题,数字证书得到了广泛的应用。针对现有的证书(包括其对应的私钥)移动性解决方案的缺点,文章提出了一种新的解决方案。其基本思想是将证书及私钥集中保存在一台漫游服务器上,用户需要时下载即可。文章给出了这种方案的设计框架,并对其安全性进行了详细分析。     

一种私钥容侵的数字签名方案

数字证书的可信任性取决于数字签名本身的有效性。为增强数字签名的有效性,提出一种认证中心(CA)签名私钥可以容忍入侵的高安全性签名方案。使用RSA算法产生CA私钥,保证私钥的不可伪造性。基于新的(t, n)秘密共享机制将CA私钥进行分存,使用其身份作为私钥份额的标识,提供私钥保护的容侵性。在进行数字签名时,基于RSA签名本身的特性,设计一种无需重构CA私钥的分步签名方案,进一步增强CA私钥的高容侵性。通过仿真实验对(t,n)门限取值结果的影响进行验证,表明方案的有效性。     

电子政务中的安全认证方案研究

文章基于国外电子商务管理解决方案的一般框架,针对当前电子政务发展中存在的主客观方面的主要安全问题,对电子政务的网络结构及安全认证方案进行了探讨;对数字证书服务进行了研究;对数字证书、CA树、证书链、可信数字证书等概念及数据结构作了形式化的定义,推导出了证书链的性质、判别证书链中可信数字证书的命题并加以证明。采用面向对象的建模方法建立了数字证书、签名者、证书链的对象模型。     

电子商务平台认证中心的研究与设计

CA认证系统是PKI的核心组成部分,它负责为PKI中的实体颁发公钥证书。公钥证书是将实体的身份和公开密钥绑定在一起的一种数据结构,数字证书是整个PKI的核心技术,管理证书的证书系统就成为PKI的核心部分。     

一种基于门限担保证书的分布式私钥元分配方案

由于动态拓扑等特点,Ad Hoc网络通常采用分布式CA认证模型为节点提供可靠的认证服务,但现有的方案没有解决私钥元分配之前的安全审核问题。为此,提出了一种基于门限担保证书的分布式私钥元分配方案,对申请私钥元的节点进行严格的审核,可以有效防止多个恶意节点合谋重构系统私钥,确保只有可信且服务质量好的节点能够得到私钥元。从理论上分析了方案的安全性以及成功率,并借助NS2仿真证实了方案的有效性。     

带有信任管理的漫游证书认证系统设计

利用漫游证书、私钥服务器和SSL协议构建了漫游证书认证系统，在客户浏览器上设计一个插件便可以使用现有的公钥基础没施PK1中的各种服务，没有VPN的复杂架构和高昂成本却可以到达到类似VPN的安全性。并在基于漫游证书认证系统的基础上增加了信任管理，解决安全系统中日益复杂的信任关系管理问题。     

轻量级目录访问协议在证书库中的应用

轻量级目录访问协议(LDAP)是互联网中的一门新技术,目录服务作为数字证书系统、统一认证和授权管理系统的核心基础设施,为公钥数字证书和公钥属性证书提供查询、证书废止列表查询.探讨了LDAP目录服务PKI/PMI中的应用方案,着重论述了如何建立证书库的应用.     

基于Android平台短信的来源认证系统设计与实现

针对短信接收方需要确定短信发送方的身份,系统应用非对称式加密算法RSA与消息摘要算法SHA-1相结合的签名算法、数字证书等技术进行身份来源的认证。首先研究了两种算法:RSA加密算法,SHA-1算法,然后利用数字签名以及数字证书对短信发送方的身份进行认证的系统设计,系统主要由本地电脑的数字证书、Web服务器、Android客户端组成。本地电脑生成自签名证书并经CA机构认证,Android客户端采用http协议通信方式向Web服务器发出请求,Web服务器接受请求后获取数字证书私钥、公钥,并返回给客户端。客户端利用接收到的私钥加密短信,并发送给接收方。接收方利用与私钥匹配的公钥对加密的短信解密,最后在Android手机平台以及本地tomcat服务器实现了该技术,对短信来源身份认证的问题具有很大应用价值。     

一种入侵容忍的CA方案

CA(certificate authority)是PKI中的关键设施.CA的私有密钥一旦泄露,该CA签发的所有证书就只能全部作废.保护在线服务CA的私钥也就成为一个非常重要的课题.不是从保护系统或检测入侵出发来保证CA的安全,而是确保当少数部件被攻击或占领后,CA系统的机密信息并没有暴露.通过将私钥分发给不同的部件,并保证任何一个在线的部件无法恢复CA的私钥,从而保护了CA私钥的保密性.     

Hungary's Electronic Signature Act: Enhancing economic development with Secure Electronic Commerce transactions

Hungary's Electronic Signature Act (ESA) became effective in 2001 and provides for legal recognition of electronic signatures (e-signatures) and electronic documents. Electronic documents and e-signatures are presumed to be admissible evidence in court and may not be challenged successfully based on the mere fact of their electronic form. An electronic document signed with an e-signature is deemed to be in compliance with a statutory requirement for a handwritten signature on a paper document. However, the ESA excludes family-related documents (e.g., marriage certificates and divorce decrees), and those documents must continue to be in paper form to have legal validity. Also, consumers are not obligated to accept the electronic form; if a consumer objects, a business firm must use paper documents. Hungarian government departments may elect to issue or accept electronic documents. Although all types of e-signatures are recognized, the digital signature enjoys most-favored status because it utilizes cryptographic methods resulting in a heightened degree of reliability and security. The ESA provides for the licensure of certification authorities (CAs). In order to get a CA license, an applicant applies to the Hungarian Communications Inspector (Authority) and must meet financial and knowledge requirements and not have a prior criminal record. The principal duties of CAs are to issue certificates to successful applicants and confirm the authenticity and integrity of e-signatures (and the electronic documents to which they are attached) to relying third parties. Before issuance of the certificate, the CA must confirm the identity of the applicant and ensure that all information received on the application is accurate. The CA is responsible for maintaining the security of all information that it receives from the applicant. For a CA to issue a 'qualified' certificate it must comply with higher security standards; the only type of e-signature that can meet these standards is the digital signature. When a qualified certificate is issued, the subscriber will be given the private key that will enable them to 'sign' electronic documents. CAs must maintain a publicly accessible repository of certificates and public keys that can be used to decrypt a subscriber's message. A CA may incur legal liability for publishing a certificate with inaccurate information or for issuing a private key that does not have an interactive relationship with its public key. The ESA provides for legal recognition of certificates issued by CAs in foreign countries if the foreign CA meets one of the five criteria.     

无证书的环签名方案

在传统数字签名机制中,用户的公钥需要由经过可信第三方(TTP)签名的证书来保证其可靠性,而Shamir的基于身份的签名机制尽管不再需要证书,但用户的私钥将无法避免地被TTP所托管。在2003年Asiacrypt上无证书签名的概念被提出,采用这种签名机制不仅无需证书,而且也解决了密钥托管的问题。文章在此基础上,首次提出了无证书环签名的概念,并且给出了一种构造无证书环签名方案的一般性方法.安全性分析表明用该方法构造的方案是安全的.作为例子,文章中还给出了一个具体的无证书环签名方案的实例。     

一种基于鉴别的证书发放机制

论文介绍了一种基于数字签名和数字信封技术的证书申请和发放机制,该机制尤其适合离线式发放CA证书或关键任务端实体证书。文章完整描述了可鉴别的的证书申请、响应过程和交换信息结构,以及客户端应用程序的模块设计。文章论述了证书信息和发放过程的机密性、完整性、可鉴别性和不可否认性的实现,该机制对构架CA/RA和规划证书管理策略CMP有实际的指导意义。     

非对称加密算法在身份认证中的应用研究

随着计算机网络以及智能终端应用的不断普及,特别是网络金融以及二维码的快速普及,信息安全问题越来越突出。文中研究了对称加密算法数据加密标准DES,主要研究了公开密钥基础设施体系PKI,这是确保信息在传输过程中安全性的第三方平台,它主要负责颁发带有CA中心数字签名的证书以及管理RSA算法中需要的公钥和私钥;研究了几种非对称加密算法并分析了它们的性能;重点研究了CEE中基于有限域上的椭圆曲线离散对数算法和RSA非对称加密算法,提出了用私钥加密公钥解密方案来解决信息真伪鉴别即身份认证问题,编程实现了RSA的公钥生成以及信息的加密和解密,主要实现了RSA密钥生成器模块、加密模块和解密模块,设计了加解密图形界面,完成了文件路径加密和整个文件的加密。实验结果表明RSA算法的可行性和安全性是较高的。     

Highly private blockchain-based management system for digital COVID-19 certificates

As a result of the declaration of the COVID-19 pandemic, several proposals of blockchain-based solutions for digital COVID-19 certificates have been presented. Considering that health data have high privacy requirements, a health data management system must fulfil several strict privacy and security requirements. On the one hand, confidentiality of the medical data must be assured, being the data owner (the patient) the actor that maintain control over the privacy of their certificates. On the other hand, the entities involved in the generation and validation of certificates must be supervised by a regulatory authority. This set of requirements are generally not achieved together in previous proposals. Moreover, it is required that a digital COVID-19 certificate management protocol provides an easy verification process and also strongly avoid the risk of forgery. In this paper we present the design and implementation of a protocol to manage digital COVID-19 certificates where individual users decide how to share their private data in a hierarchical system. In order to achieve this, we put together two different technologies: the use of a proxy re-encryption (PRE) service in conjunction with a blockchain-based protocol. Additionally, our protocol introduces an authority to control and regulate the centers that can generate digital COVID-19 certificates and offers two kinds of validation of certificates for registered and non-registered verification entities. Therefore, the paper achieves all the requirements, that is, data sovereignty, high privacy, forgery avoidance, regulation of entities, security and easy verification.

     

Using asymmetric keys in a certified trust model for multiagent systems

We present a contribution based on encryption to the model for the certification of trust in multiagent systems. The originality of the proposal remains in the use of asymmetric keys that allow the local storage of testimonies with the service agents that were assessed. The aim is to raise the level of efficiency that client agents have when contracting specialized service agents. To reach this objective we make three hypotheses: (i) client agents are able to measure and inform the quality of a service they receive from a service agent; (ii) distributed certificate control is possible if every service agent stores the certificates it receives from its client agents and, (iii) the content of a certificate can be considered safe as long as the public and private keys used to encrypt the certificate remain safe. This approach reduces some weak points of trust models that rely on the direct interaction between service and client agents (direct trust) or those that rely on testimony obtained from client agents (propagated trust). Simulation showed that encrypted certificates of trust improved the efficiency of client agents when choosing their service provider agents. The reason seems to be that the reputation of a given service provider agent is based on the reputation it has among the totality of client agents that used its services.     

一种基于ECC签密的消息交换方案

提出一种基于ECC签密的消息交换方案.方案中对交换的消息进行数字签名和加密处理,其认证和保密的基础都是建立在ECC之上,利用有限域上椭圆曲线的点群中的离散对数问题难解性来增强方案的安全性.通信的各方产生自己的私钥和公钥对,用户的证书由CA(Certification Authority)签发后交给用户保存,交换的消息和其签名等信息采用压缩加密传输,避免了消息在传输的过程中被第三者窃取或篡改,保证了数据的机密性、完整性和不可否认性.