
The Research On Certificate Revocation And Certificate Path Process Of Trust Regions In PKI

Posted on: 2007-04-14
Degree: Master
Type: Thesis
Country: China
Candidate: G Q Jiang
GTID: 2178360212960208
Subject: Computer application technology
Abstract/Summary:
PKI is a security mechanism based on cryptographic technology. It is a public key management platform for solving security problems on the Internet, the foundation and core of network security construction, and a basic guarantee for electronic business. Research and development of PKI has become a hot topic in the field of information security. The core role of PKI is authentication, but large-scale application of PKI is hindered by the independence of individual PKIs. To realize authentication between different PKIs, cross-certification should be adopted. The core technology of cross-certification is certification path processing, which is itself extremely complex and time-consuming.

This paper introduces cryptographic technology, the structure and function of PKI, and cross-certification, and studies several PKI trust models and popular certification path construction algorithms. On this basis, an optimized certificate path processing algorithm between different PKIs is proposed. The algorithm establishes a local path database to store certificate paths that have been constructed successfully; when the same certificate appears again and is in the database, it can be found there directly, which increases the speed of certificate lookup. Invalid certificates are eliminated by a series of certificate policy matches, which greatly reduces the number of invalid certificates to be processed and greatly increases the speed of certificate path construction. Because loops can arise during the certificate search, this is judged through the processing of certificate policies and policy mapping. Finally, the algorithm is analyzed in detail.

Two certificate revocation mechanisms, CRL and OCSP, are studied, and their merits and limitations are compared. Combining the merits of CRL and OCSP, a useful certificate revocation mechanism is proposed; its workflow chart is designed in detail, and its function is analyzed in detail. If the client and the server are both in the local area network, certificate validation cannot be carried out directly. A NAT traversal solution is proposed in this paper, and a traversal experiment was also carried out.
Keywords/Search Tags: PKI, digital certificate, cross-certification, certification path