Public Key Infrastructure:Study Of Certificate Status Information Distribution Method And System Design

ABSTRACTThe most comprehensive solution to information security is public key Infrastructure (PKI for short) related. Among them, the distribution of revocation information of certificate has the potential to be the most costly aspect of running a large scale PKI. We are devoted to studying certificate distribution therefore. The main results achieved are listed below:1. An innovative Over-Issued CRL model is developed based on the original one that is proposed by David A. Cooper. There are three nice features in our model: (1) A proof of the system to the steady status in the case of W=2, and some concrete simulations in the setting W >2 are presented; (2) A new approach that accelerates the system reaching the steady state with minimum costs, as well as the illustration of the data simulation, is presented. (3) Comprehensive theoretical analysis with the help of the explored rules available in section 5 is provided.2. A new certificate status information distribution approach based on client access control is studied by means of the improved Over-Issued CRL model. The method insists on distributing new CRLs within its validity period so that the client-side cache CRL revoked at different time. It ensures the reduction of the peak loads of the repository. In addition, the new scheme neither change the traditional operation flow of the access repository nor increase any additional cost when it is implemented since the original characteristics, both in the aspect of CRL time and space optimization are reserved.3. We attack the reduction of peak load problem at repository side applying Queue Theory. Our new idea makes the users queue in the buffer at the time of peak access to avoid the economic losses for the sake of refusing client-side access in the case that no buffer is available at the repository 's side. As argued in this report, the new method reduces the peak loads of repository effectively. Since the technique that the priority queue service in the buffer and responding firstly high- priority certificate over others are adopted, the new scheme ensures certificate security, which is applied to important business effectively.4. A new kind of mixed approach that optimizes repository performance is put forward with thorough analysis both the advantages and disadvantages of the previous three models, which are devoted to improve repository performance. The new method syntheses the advantage of the model based on client-side access control and that based on repository-side cache. In addition, all characteristic of previous method in the aspect of CRL time and space optimization are reserved.5. We design the component structure, function structure, and application structure of enterprise PKI system according to PKI standards, which is comprehensive, extensible, high-performance, total solution for developing PKI system. A novel solution to the four key components of PKI system design, i.e., certificate policy and practice state, security mechanisms of CA center, system interoperability, and costs analysis is deduced. The new scheme is quite different from the former one since it shares strong performance, cheap implementation costs. To practical application, ZJU enterprise PKI system is presented with the aids of the above design principles to supply the security services that the member management system and trade system of china direct sale network are needed.