
The Certificate Revocation Based On PKI

Posted on: 2004-08-21
Degree: Master
Type: Thesis
Country: China
Candidate: J L Lin
Full Text: PDF
GTID: 2168360092492056
Subject: Computer applications
Abstract/Summary:
On the basis of an analysis of public-key infrastructure (PKI), this paper presents several mechanisms for distributing certificate revocation information, their advantages and disadvantages, and the network environments for which they are suited, and designs a certificate revocation system based on OCSP. With the development of electronic commerce, information security has become a critical part of the burgeoning world of electronic transactions, and a supporting public-key infrastructure (PKI) has become the most viable option for this important component. A PKI is a dynamic system, the underlying framework that makes security technologies work together. It includes encryption, digital signatures, data integrity mechanisms, digital envelopes and double digital signatures. A PKI consists of the following elements: a security policy, a Certificate Authority (CA), a Registration Authority (RA), a certificate database and PKI applications. X.509 is a certificate standard, and many PKI systems design their public-key certificates according to X.509. The lifetime of a certificate has three phases: the initialization phase, the issuing phase and the revocation phase. Depending on the application, PKI relies on standards such as SSL, TLS, S/MIME and IPsec; using these standards we can build VPNs, secure digital e-mail and web security. Although digital certificates are just one element of a PKI, they are the essential component that can limit or extend the overall capabilities of a secure infrastructure, so users must be able to determine the validity of a certificate. There are two ways in which this can be accomplished:

1. Periodic distribution of certificate status information, i.e. certificate revocation lists (CRLs). Building on the traditional CRL, I introduce the delta-CRL, segmented CRL, over-issued CRL, certificate revocation tree (CRT), authority revocation list and indirect CRL. Because transmitting certificate revocation information takes a period of time, it gives an attacker a window of opportunity.
2. On-line query mechanisms, for example the Online Certificate Status Protocol (OCSP). An OCSP response must be signed by a trusted party, which ensures that the response cannot be modified. On the application side, OCSP has some weaknesses, for which I provide some improved schemes.

Finally, I specify evaluation criteria, give different schemes for different scenarios, and provide an application scheme for OCSP.
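The abstract's point about periodic distribution, that a revocation published between two list issues is invisible to a relying party until the next list arrives, can be made concrete with a small model of CRL and delta-CRL processing. The following Python is an added example written for this page, not code from the thesis; it follows the combination rules of RFC 5280 section 5.2.4 (same issuer, delta's BaseCRLNumber at or below the base's cRLNumber, removeFromCRL entries dropping a held certificate), and every issuer name, serial number and timestamp in it is constructed sample data.

```python
# Added example, not part of the thesis: a small model of CRL and delta-CRL
# processing (combination rules in the spirit of RFC 5280 section 5.2.4),
# used to show the revocation-latency window the abstract refers to.
# All issuer names, serial numbers and times are constructed sample data.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class RevokedEntry:
    serial: int
    revocation_date: datetime
    reason: str  # e.g. "keyCompromise", "certificateHold", "removeFromCRL"


@dataclass(frozen=True)
class CRL:
    issuer: str
    number: int                            # cRLNumber extension
    this_update: datetime
    next_update: datetime
    entries: Tuple[RevokedEntry, ...]
    base_crl_number: Optional[int] = None  # present only on a delta CRL


def delta_applies(base: CRL, delta: CRL) -> bool:
    """A delta CRL may be combined with a base CRL from the same issuer whose
    cRLNumber is at least the delta's BaseCRLNumber and below the delta's own."""
    return (delta.base_crl_number is not None
            and delta.issuer == base.issuer
            and delta.base_crl_number <= base.number < delta.number)


def merge_delta(base: CRL, delta: CRL) -> CRL:
    """Combine a base CRL with a delta CRL into an up-to-date full CRL."""
    if not delta_applies(base, delta):
        raise ValueError("delta CRL does not apply to this base CRL")
    merged: Dict[int, RevokedEntry] = {e.serial: e for e in base.entries}
    for e in delta.entries:
        if e.reason == "removeFromCRL":
            # A certificate released from certificateHold leaves the list.
            merged.pop(e.serial, None)
        else:
            merged[e.serial] = e  # new revocation or updated reason/date
    return CRL(base.issuer, delta.number, delta.this_update, delta.next_update,
               tuple(merged.values()))


def certificate_status(crl: CRL, serial: int, now: datetime) -> str:
    """Return 'good', 'revoked' or 'stale' for a serial at time `now`.
    A relying party must not trust a CRL past its nextUpdate."""
    if now > crl.next_update:
        return "stale"
    return "revoked" if any(e.serial == serial for e in crl.entries) else "good"


# Constructed sample data: a daily full CRL and an hourly delta CRL.
T0 = datetime(2004, 8, 1, tzinfo=timezone.utc)
MIN = timedelta(minutes=1)
BASE = CRL("CN=Example CA", 10, T0, T0 + 1440 * MIN, (
    RevokedEntry(0x1001, T0 - 300 * MIN, "keyCompromise"),
    RevokedEntry(0x1002, T0 - 120 * MIN, "certificateHold"),
))
DELTA = CRL("CN=Example CA", 11, T0 + 60 * MIN, T0 + 120 * MIN, (
    RevokedEntry(0x1003, T0 + 30 * MIN, "superseded"),     # revoked after BASE
    RevokedEntry(0x1002, T0 + 45 * MIN, "removeFromCRL"),  # hold lifted
), base_crl_number=10)
# A delta that expects a newer base than the one held, so it must be rejected.
WRONG_DELTA = CRL("CN=Example CA", 13, T0 + 120 * MIN, T0 + 180 * MIN, (),
                  base_crl_number=12)


def demo() -> Dict[str, object]:
    combined = merge_delta(BASE, DELTA)
    return {
        # 0x1003 was revoked at T0+30min; a client holding only the base
        # CRL keeps reporting it as good until a newer list arrives.
        "base_only_1003": certificate_status(BASE, 0x1003, T0 + 40 * MIN),
        "merged_1003": certificate_status(combined, 0x1003, T0 + 90 * MIN),
        "merged_1002": certificate_status(combined, 0x1002, T0 + 90 * MIN),
        "merged_1001": certificate_status(combined, 0x1001, T0 + 90 * MIN),
        # The merged list inherits the delta's nextUpdate, so it goes stale.
        "after_next_update": certificate_status(combined, 0x1001, T0 + 180 * MIN),
        "merged_number": combined.number,
        "wrong_delta_applies": delta_applies(BASE, WRONG_DELTA),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the module prints the status table: with only the base CRL, serial 0x1003 is still "good" forty minutes after its revocation, which is exactly the window the abstract describes; once the delta is merged it reads "revoked", the held certificate 0x1002 returns to "good", and any query after the merged list's nextUpdate is refused as "stale" rather than answered from old data.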
Keywords/Search Tags: PKI, CA, X.509, CRL, OCSP