
Research On New Network Identity Management And Authentication

Posted on: 2019-12-25
Degree: Doctor
Type: Dissertation
Country: China
Candidate: Q Q Xing
Full Text: PDF
GTID: 1368330611493046
Subject: Computer Science and Technology
Abstract/Summary:
The existing Internet is vulnerable to attack because security was not part of its original design. To achieve network trustworthiness, the most fundamental requirement is trustworthy holding and use of network entities: a network identity, and the network behavior performed under it, can be truly attributed to its owner, so that all kinds of spoofing attacks are avoided and both the network entity and its behavior are credible. A trustworthy network relies on trustworthy management of network identity. It first assigns a public key to each network identity, then adds trusted attestation to the network behavior of identity assignment, authentication, authorization and use by means of cryptographic authentication and encryption. The authenticability, integrity and confidentiality of communications and services ultimately yield credibility and accountability for network entities and behaviors.

Currently, most existing trusted network identity management relies on traditional PKI: when an identity holder is assigned an identity, a third-party CA must sign a certificate for it. This has problems at both the network control level and the network application level: (1) for the relatively decentralized management of service entity identities at the application level, the security and trustworthiness of CAs are prominent issues, and certificate issuance and revocation are easy to perform maliciously and difficult to supervise; (2) security resource management schemes that rely on centralized trust institutions are often opaque, lack auditing, and are exposed to abuse of centralized authority; (3) at the network control level, the complexity of certificate management reduces deployability, complex certificate query and verification impose large delays and performance loss on the network, and out-of-band security enhancement makes the original protocol more complex.

In view of these problems, this paper starts from a new cryptosystem and a new trust infrastructure and studies network infrastructure resource management and cryptographic technology. To get rid of complex certificate management, identity-based (ID) cryptography is applied to the management of basic network resources. Firstly, blockchain is introduced into network infrastructure resource management, and effective and secure management mechanisms and infrastructures are designed for numbering resources and certificate resources respectively. Secondly, the key revocation problem is studied. Furthermore, a new authentication and granting mechanism based on ID cryptography is designed for inter-domain routing security. The main research work and contributions of this paper are:

1. A scalable revocation and certificate transparency method, BRT, based on a public blockchain is proposed to enhance the security of SSL PKI and to effectively handle certificate revocation and update, certificate supervision and certificate transparency. Through an on-chain audit mechanism and an off-chain storage/computation mechanism, BRT does not need to record certificates directly on the blockchain; it records only additional, auditable public logs and revocation information off the chain. BRT can resist malicious manipulation, DDoS and mirror-world attacks, and, through incentives for log monitoring and a behavior anomaly reporting mechanism, achieves economical and effective certificate issuance transparency and revocation update.

2. To address the lack of auditing in centralized trust organization resource management, a trustworthy Internet Numbering Resource Management Infrastructure based on blockchain, BGPCoin, is proposed. It records resource allocation and authorization through a decentralized infrastructure, and supports BGP routers in matching route origin announcements and in detecting and discarding prefix hijacks by tracking changes in the ownership and usage rights of resource assets. BGPCoin meets transparency, auditability and security requirements, and can be deployed incrementally.

3. The revocation management problem of identity-based cryptography for network resource identities is studied in depth, and two revocable identity-based encryption schemes are proposed: the anonymous revocable identity-based encryption scheme ARIBE and the unrestricted revocable hierarchical identity-based encryption scheme U-RHIBE. In designing ARIBE, we overcome the difficulty of adding a revocation function to the exponent-inversion construction: we propose a Lagrange coefficient method to realize the construction, and use the complete subtree method to achieve key update of O(log N) magnitude. We then propose the first hierarchically unrestricted revocable hierarchical identity-based encryption scheme, U-RHIBE, with adaptive-identity security, which resists decryption key leakage and has short public system parameters. Through careful formal proof, U-RHIBE is shown to offer six advantages: adaptive-identity security, hierarchically unlimited key distribution, efficient revocation, stateless key update, resistance to key leakage and resistance to intrusion.

4. To overcome the complex certificate management and insufficient deployability of BGPsec, a self-authenticated route authorization announcement and aggregated authentication mechanism for network routing, SIRAA, based on ID cryptography is proposed. It does not need to bind the identity and public key of a BGP entity to a digital certificate issued by a CA maintained by a trusted third party. Removing the burden of managing a PKI and the overhead of managing and authenticating public key certificates reduces the computational and storage overhead of routers. We design a partially aggregated, forward-secure hierarchical identity-based aggregate signature scheme, HIBPAS, and on top of it propose SIRAA for BGP path announcement and for authorization certification and authentication. SIRAA maintains the security that classical BGP security schemes achieve; compared with other improved BGP security announcement schemes, it achieves a good balance between storage efficiency and computing overhead, and has good feasibility.
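As an added illustration of the complete subtree method that item 3 names for O(log N) key update in ARIBE (example code written for this page, not the dissertation's own), the toy below builds the cover of non-revoked users and shows that only they can obtain the period's key-update material. Node keys and the encryption of the update under each cover node's key are abstracted away: the dict value stands in for the ciphertext, and the user set, tree size and revoked users are constructed sample values.

```python
# Complete subtree (CS) method for key revocation in revocable IBE (e.g. ARIBE).
# Added illustration for this page; not the dissertation's code.
# Users are the N leaves of a binary tree in heap numbering (root = 1, children
# of i are 2i and 2i+1, leaves are N .. 2N-1). Each user holds the keys of the
# log2(N)+1 nodes on its root-to-leaf path; an update is published per cover node.

def path_nodes(leaf: int) -> list[int]:
    """All nodes on the path from the leaf up to the root."""
    nodes = []
    while leaf >= 1:
        nodes.append(leaf)
        leaf //= 2
    return nodes

def cs_cover(num_users: int, revoked: set[int]) -> set[int]:
    """Nodes whose subtree contains no revoked leaf but whose parent's does.
    Together they cover exactly the non-revoked leaves; |cover| <= r*log2(N/r)."""
    assert num_users >= 2 and num_users & (num_users - 1) == 0, "N must be a power of two"
    steiner = set()                      # union of root-to-leaf paths of revoked users
    for user in revoked:
        steiner.update(path_nodes(num_users + user))
    if not steiner:
        return {1}                       # nobody revoked: one update under the root key
    cover = set()
    for node in steiner:
        for child in (2 * node, 2 * node + 1):
            if child < 2 * num_users and child not in steiner:
                cover.add(child)
    return cover

def user_key_nodes(num_users: int, user: int) -> set[int]:
    """Identifiers of the node keys a user received at key-extraction time."""
    return set(path_nodes(num_users + user))

def publish_update(num_users: int, revoked: set[int], period: int) -> dict[int, str]:
    """Key-update material for `period`: one entry per cover node (stands in for Enc(k_node, KU_t))."""
    return {node: f"KU-{period}" for node in cs_cover(num_users, revoked)}

def derive_update(num_users: int, user: int, update: dict[int, str]):
    """A non-revoked user finds exactly one cover node on its path; a revoked user finds none."""
    hits = user_key_nodes(num_users, user) & set(update)
    return update[hits.pop()] if hits else None

if __name__ == "__main__":
    N, revoked = 8, {2, 5}               # constructed sample: 8 users, two revoked
    ku = publish_update(N, revoked, period=3)
    print("cover nodes:", sorted(ku))     # 4 entries instead of 6 per-user ciphertexts
    for u in range(N):
        print(f"user {u}: {derive_update(N, u, ku)}")
```

With 8 users and users 2 and 5 revoked, the cover is {4, 7, 11, 12}: four ciphertexts serve the six remaining users, matching the r*log2(N/r) bound, while the two revoked users hold no key for any cover node.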
Keywords/Search Tags: Trustworthy networks, Network infrastructure resource management, Identity-based cryptography, Blockchain, Key revocation, Smart contract