Research On The Trust Dispersed Public Key Infrastructure Technologies

Posted on: 2020-03-31
Degree: Doctor
Type: Dissertation
Country: China
Candidate: S X Yao
Full Text: PDF
GTID: 1488305882987759
Subject: Information security

Abstract/Summary:
With the rapid development of network technology, people fully enjoy the convenience the network brings to all aspects of life. However, more and more real-life cases show that insecure network connections lead to user information leakage or financial loss. Application developers and service providers have gradually come to recognize the importance of secure network connections. This importance is embodied in two aspects: the security of data transmission, and the authenticity of the service provider's identity. Data security can be addressed by cryptographic algorithms; the authenticity of service providers' identities is guaranteed by Public Key Infrastructure (PKI). The latter is our focus. In a PKI system, an identity certificate is issued to each service provider by a trusted third party called a Certificate Authority (CA). When a client wants to establish a secure connection with a service provider, it verifies the server's certificate to confirm the authenticity of its identity. However, recent attacks show that the PKI system is not secure, for three reasons. First, a CA is a target for attackers: a CA's single point of failure leads to the proliferation of forged certificates, and clients suffer information leakage or financial loss. Second, the public visibility of certificates has become one of the main methods of discovering malicious behavior by entities; however, the security of the log servers responsible for storing certificates must not be ignored. Finally, before a client establishes a secure connection with a service provider, the client's access privacy needs to be preserved during certificate status verification.

To address the single point of failure of the certificate authority, we present a tripartite certificate management scheme. Domain Name Servers and integrity log servers are introduced to assist certificate authorization and to store certificates, respectively. The three types of entities supervise one another, so this tripartite PKI framework tolerates the failure of any one party. In addition, we design a threshold signature algorithm to ensure that the system can continue to provide certificate services when a small number of CAs fail. Through security analysis and experimental evaluation, we demonstrate the security and sustainability of our solutions.

For the public audit of certificates, we designed a public and efficient certificate audit scheme based on blockchain. We define a data format called a certificate operation to describe three operations: certificate registration, update, and revocation. By storing certificate operations in the blockchain, our scheme provides a complete certificate operation history. To support certificate revocation validation, we designed a dual counter Bloom filter that records the status of all certificates and is stored in the latest block, supporting accurate and efficient certificate status responses. In addition, because common consensus protocols such as Proof-of-Work (PoW) and Proof-of-Stake (PoS) still lead to centralization in practice, we designed a dependability-rank based consensus protocol and incentive mechanism that guarantee fairness among participants and legitimacy of behavior.

To address large-scale certificate status validation and user privacy preservation in that process, we designed a revoked certificate storage scheme with separate storage and control planes, which avoids the problems of confined block capacity and excessive data redundancy. At the same time, we design an obscured-response method that preserves clients' privacy during certificate status validation.
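The abstract describes a dual counter Bloom filter kept in the latest block to answer certificate status queries. The following is an added example, not code from the dissertation: it assumes "dual counter" means a pair of counting Bloom filters, one holding registered certificate serials and one holding revoked serials, with counters so that expired entries can be removed before the structure is refreshed for a new block. The hashing scheme, class names and sample serials are constructed for illustration.

```python
# Added example, not from the dissertation: a counting Bloom filter pair used as
# a certificate-status structure. "Dual counter" is an ASSUMED interpretation:
# one counting filter holds every registered serial, a second holds the revoked
# ones; counters (not bits) allow removal when a certificate expires.
import hashlib


class CountingBloomFilter:
    """Counting Bloom filter over byte strings with k hash positions."""

    def __init__(self, m: int = 1024, k: int = 4) -> None:
        self.m, self.k = m, k
        self.counters = [0] * m

    def _positions(self, item: bytes) -> list:
        # k positions from SHA-256(index || item); a constructed hashing scheme.
        return [int.from_bytes(hashlib.sha256(bytes([i]) + item).digest()[:8], "big") % self.m
                for i in range(self.k)]

    def add(self, item: bytes) -> None:
        for p in self._positions(item):
            self.counters[p] += 1

    def remove(self, item: bytes) -> None:
        # Decrement only if every position is set, so counters never go negative.
        positions = self._positions(item)
        if all(self.counters[p] > 0 for p in positions):
            for p in positions:
                self.counters[p] -= 1

    def might_contain(self, item: bytes) -> bool:
        return all(self.counters[p] > 0 for p in self._positions(item))


class CertStatusFilter:
    """Registered/revoked filter pair answering a status query in O(k) lookups."""

    def __init__(self) -> None:
        self.registered, self.revoked = CountingBloomFilter(), CountingBloomFilter()

    def register(self, serial: bytes) -> None:
        self.registered.add(serial)
    def revoke(self, serial: bytes) -> None:
        self.revoked.add(serial)
    def expire(self, serial: bytes) -> None:
        self.registered.remove(serial)
        self.revoked.remove(serial)

    def status(self, serial: bytes) -> str:
        # No false negatives, so a revoked serial can never be reported "good".
        if not self.registered.might_contain(serial):
            return "unknown"
        return "revoked" if self.revoked.might_contain(serial) else "good"
```

A responder holding only the two counter arrays from the latest block can answer "good", "revoked" or "unknown" without walking a CRL, and a false positive can only over-report a revocation, never hide one.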
Keywords/Search Tags:Certificate Management, Blockchain, Public Audit, Certificate Status Validation, Privacy Preserving