The Research Of PKI Cross-Domain Bridge Trust Model Based On Validation Agent

Posted on: 2012-12-07
Degree: Master
Type: Thesis
Country: China
Candidate: L Bao
GTID: 2178330338499490
Subject: Electronics and Communications Engineering
Abstract/Summary:
With the rapid development of network applications, network information security is receiving increasing attention. How to protect open network systems and data security is one of the key issues. The emergence of public key cryptography, in particular public key infrastructure (PKI) technology, provides a possible solution. As the technology has developed, many local certificate authorities have been set up by governments and agencies. However, some potential problems have appeared, and PKI technology is also facing major challenges. The core of the challenge is to resolve the conflict between the dynamic trust relationships of an open network environment and the stable trust management of the traditional PKI model. The purpose of this paper is to resolve the interoperability problem by researching cross-certification technology.

In this paper, we propose a PKI cross-domain bridge trust model based on validation agents. The model is applicable in a distributed environment. In this model, certificates are verified by validation agents: a VA certifies the certificates submitted by users within its own trust domain, and the BVA is responsible for authenticating all the VAs and the certificate information sent by the VAs. For interactions between two users in different trust domains, we use temporary certificates issued by VAs to improve the efficiency of cross-domain access. In addition, we propose a certificate verification method based on a dual hash chain, which is more efficient than the original, complex certificate verification.

The main work of this paper includes:

(1) Proposing a cross-domain bridge trust model based on authentication agents, built on an analysis of the existing trust models. The model defines a Bridge Validation Authority center (BVA), which is responsible for authenticating all the VAs and the certificate information sent by the VAs. At the same time, the Certificate Validation Authority (VA) is applied in this model to certify the certificates submitted by users within its own trust domain and by users in another trust domain. This avoids the time-consuming process of certificate authentication, reduces the workload of users, and greatly improves the efficiency of certificate authentication.

(2) To further improve the efficiency of cross-domain access, we propose a new concept, the "temporary certificate". When user A asks to communicate with user B in a different trust domain for the first time, user A is issued a temporary certificate if the certification path and the certificate are valid. After that, user B only needs to verify whether user A's temporary certificate is valid, which improves the efficiency and utilization of the VA and greatly accelerates cross-domain access between users.

(3) To reduce the computational cost of certificate verification, this paper presents a certificate authentication scheme based on a dual hash chain. The VA constructs two hash chains to verify the credibility of the user. One hash chain points to the secret seed to ensure the safety of the seed; the other points to all the CA certificates on each link to ensure the integrity of the certificates. This effectively shortens digital signature verification time and reduces computational cost.

Furthermore, for the proposed model, we give detailed analyses of cross-domain communication security, temporary certificate management strategies, and the performance of the dual hash chain. All of the above demonstrate the feasibility of the proposed model.
Keywords/Search Tags:PKI, Cross Certification, Proxy of Validation, Temporary Certificate, Dual Hash Chain