A New Certificate And Public Key Infrastructure

Posted on: 2003-06-09
Degree: Doctor
Type: Dissertation
Country: China
Candidate: Y Sha
Full Text: PDF
GTID: 1118360185496969
Subject: Computer software and theory

Abstract/Summary:
PKI (public key infrastructure) is fast becoming the foundation for online commerce and other applications that require security, integrity, confidentiality, non-repudiation, authenticity, and authority in an open network. Although PKI has received great attention, problems remain in both practice and theory that prevent it from being widely used. The contributions of this dissertation are as follows:

This thesis proposes that the distributed computing environment is the trend, so we must consider how PKI provides security services in a distributed computing environment. Two fundamental issues of PKI must be solved: one is interoperability, the other is the trust evaluation criterion. Solving them lets the owner of a resource implement access control, authority management, and trust management using his own security policies with the support of PKI.

This thesis proposes that the essence of the network is the interaction of principals, rights, conditions, and resources. Accordingly, certificates must be able to represent this interaction. The thesis therefore points out that certificates could include: the principal (name, public key, or hash of the public key, and the attributes of the principal), rights, conditions, and resources. Their components and functions are also studied. It is also proposed that trust is an essential element and a major component of a PKI, so trust evaluation criteria should be added to the certificate.

This thesis proposes that certificates should be studied using object-oriented technology. A classical certificate includes only data; when a certificate is an object, it includes not only data but also methods. A certificate can then be seen as a "rights agent" moving around the network, providing security services for applications.

This thesis proposes that certificates could use XML as their representation format, since XML is trending toward being a standard, flexible data framework used on the network. XML-based certificates could greatly help interoperability. Certificates could be exchanged using XML protocols directly. Clients can take advantage of many automated tools to create and handle XML-based certificates. By using XML technology, general users can be shielded from the complexity of PKI, and users do not need to be tightly bound to particular PKI products and technologies.

This thesis proposes that the secure interaction of principals should be studied using the concept of a "relationship". A relationship resembles a contract and restricts rights and obligations. In a network, relationships can be used to represent trust, policy information, constraints, etc. The new kind of certificate in this thesis can support this relationship. Using relationships, many kinds of relations can be implemented in order to achieve appropriate granularity of security control.

This thesis also proposes a new PKI architecture based on the new certificate as...
Keywords/Search Tags: Public Key Infrastructure, Certificate, Object Oriented, XML, Trust