The Research On Key Technologies Of The Dynamic Trust Transitivity In Trust Management

With the increasing threats of fraud, defamation and collusion in the global IP networks, traditional security measures are not sufficient for resisting such attacks. The more valuable the resources are, the greater the risks will be. Without a centralized management facility gathering all the interactive information, risks of unlikelihood and uncertainty arise. Acknowledging the incompleteness of secure information and the necessity of third party's feedback in making security decision, trust management is the solution to this problem. With research focus on resources, this thesis establishes quantified trust evaluation system from the view of multi-granularity and multi-security requirement. Thus, the distributed system possesses the character of trust. This thesis also provides a new framework for security decision suitable for the multi-composite distributed IP network environment. We also make improvement on existing technology of the trust management to satisfy the diversified security requirements of the IP network.This thesis receives support from National Basic Research Program of China (973 Program) (No.2007CB310704), trust management architecture and theory》, National Natural Science Funds (No.90718001)《Research on the key technology of transitive signature and cryptographic primitive》, National high-tech research and development plan (863 No.2007AA012430)《Research on the secure and trustworthy access system》and carries out research on the dynamicity of the trust management model in the IP network and the realizable technology of trust transitivity using cryptographic primitives. The first version of the prototype system has been developed and deployed in the National Education and Research Network. Several trust values have been collected. Our research results can be summarized as follows:1. We analyze the basic semantic and relationship of the trust, and extend the definition of security. We analyze the merit and shortage of the trust management architecture based on the IP network with fields at the centre. We propose a distributed authorization method using an identity-based hierarchical signature scheme to solve the problem of centralized authorization in PKI.2. We make thorough analysis on many trust models and extract the basic elements of trust models. Existing models can only react to trust events of some mode and existing models can not make comprehensive judgment on the negative impact brought by the deterioration of IP network and the dynamic change in the nodes. We propose a new dynamic trust correction parameter to re-adjust existing trust model and get a more accurate and practical trust model.3. We summarize the forming method of trust chain through the research on the trust transitivity semantics. Formalized semantics is needed to descript the trust chain transfer methods because of the limitation of traditional authentication measures. Transitive signature is a better method for realizing the trust chain. It can resolve the oneness problem through efficient authentication on the dual relationship. The transitive signature simplifies the method of constructing trust chain and unites the two stages of tense logic and cryptographic authentication in the construction of the trust chain. We propose an algorithm of constructing trust chain through identity-based transitive signature. We give a concrete method of computing the trust chain.4. We construct a trust management architecture using identity-based public encryption algorithm because traditional PKI infrastructure has several potential security risks in managing trust certificate. We propose trust proof through traditional trust certificate based on the node identity. This method can reduce the complexity of the trust system and increase the flexibility of the trust transitivity in the large-scale network. In order to resist the attack of impostor, imputation and fraud, we propose an identity-based fair exchange protocol to ensure the security of information exchange. This protocol can guarantee the fairness, security and credibility of information exchange among system nodes. Thus, large amount of spending in the trust system is saved and the complexity in designing trust system is reduced. We propose an efficient on-line/off-line signature scheme to improve the efficiency of information exchange. Our signature scheme can run on the resource-constrained computing system and reduce the payload in the trust system node. 5. We analyze the significance of resources in the IP network and estimate the relationship between risks and resources. We define the concept model and computing method of risks in the trust system combined with national standards. Finally, using our method, existing distributed fields can accord with the risk grade and the trust information exchange can be realized on a generally-accepted interactive platform.6. We implement a prototype system of trust management based on IP network using the distributed trust architecture proposed in this thesis. We use communication middleware ICE as the system's communication method which can reduce the payload of the system and network. We give emulation on the system resource download service which is a major research direction in the trust management of the resource schedule and validate the capability of resisting fraud of malicious nodes in our prototype system of trust management.