Research On Certificate Revocation Mechanisms

Posted on: 2005-07-08
Degree: Master
Type: Thesis
Country: China
Candidate: Y Xue
Full Text: PDF
GTID: 2168360122993302
Subject: Computer application technology
Abstract/Summary:
As a pervasive security infrastructure, PKI has developed quickly and has been widely used in various fields over the last decade. The certificate revocation mechanism, which deals with the problem of certificate status in PKI, is a core problem of PKI. Research on certificate revocation mechanisms has both theoretical significance and practical value. In this thesis, we study the certificate revocation mechanism in depth and obtain the following results:

Performance evaluation and implementation analysis are carried out for CRL, CRS, CRT and OCSP. An intuitive performance evaluation result is given through qualitative analysis and quantitative comparison. The implementation analysis covers several aspects, including timeliness, scalability, security, standards compliance and complexity of realization. Some principles are pointed out that ought to be followed when choosing a certificate revocation mechanism in practical applications.

Based on the idea of Huffman coding, a Huffman-based Certificate Revocation Tree (H-CRT) is proposed. H-CRT assigns shorter certificate validation paths to more frequently queried responses, and therefore greatly reduces the average hash path length and optimizes the performance of the certificate revocation system. H-CRT takes the distribution of certificate queries into account and is more valuable in practice.

The logical structure model of the CRT system is analyzed. Based on ASN.1, a CRT Proof of Certificate Status (CRT-PCS) Request Protocol is proposed, which can efficiently realize the CRT-PCS service between the directory and the end entity. This protocol is general and efficient. To tackle the technical problems of protocol implementation, a convenient method of ASN.1 DER encoding and decoding using OpenSSL is introduced. This method is applicable to DER encoding and decoding of any ASN.1-based protocol message.
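The H-CRT idea described above can be illustrated with a hash tree whose shape is chosen by Huffman's algorithm over query frequencies. This is an added sketch, not code from the thesis: the leaf labels, query weights, SHA-256 and the 0x00/0x01 hash prefixes are all assumptions made for the example.

```python
import hashlib, heapq, itertools

def _h(*parts):
    return hashlib.sha256(b"".join(parts)).digest()

def leaf_hash(label):
    return _h(b"\x00", label.encode())        # 0x00 = leaf prefix (assumed encoding)

def build_tree(leaves):
    """leaves: [(label, query_weight)]. Returns (root, {label: proof}).
    A proof is the list of (side, sibling_hash) pairs from the leaf up to the root."""
    tie = itertools.count()                   # tie-breaker so the heap never compares hashes
    heap = [(w, next(tie), leaf_hash(l), [l]) for l, w in leaves]
    heapq.heapify(heap)
    proofs = {l: [] for l, _ in leaves}
    while len(heap) > 1:
        wa, _, ha, la = heapq.heappop(heap)   # the two least-queried subtrees
        wb, _, hb, lb = heapq.heappop(heap)
        for l in la:
            proofs[l].append(("R", hb))       # sibling sits on the right
        for l in lb:
            proofs[l].append(("L", ha))       # sibling sits on the left
        heapq.heappush(heap, (wa + wb, next(tie), _h(b"\x01", ha, hb), la + lb))
    return heap[0][2], proofs

def verify(label, proof, root):
    """Recompute the root from a leaf and its hash path; the CA would sign the root."""
    h = leaf_hash(label)
    for side, sib in proof:
        h = _h(b"\x01", sib, h) if side == "L" else _h(b"\x01", h, sib)
    return h == root

def avg_path_len(leaves, proofs):
    total = sum(w for _, w in leaves)
    return sum(w * len(proofs[l]) for l, w in leaves) / total

# Constructed sample: eight CRT leaves (serial-number ranges) with query shares in %.
LEAVES = [("(0,17]", 40), ("(17,52]", 20), ("(52,90]", 15), ("(90,133]", 10),
          ("(133,200]", 6), ("(200,341]", 4), ("(341,508]", 3), ("(508,inf)", 2)]

def compare():
    _, h_proofs = build_tree(LEAVES)                        # Huffman-shaped tree
    _, b_proofs = build_tree([(l, 1) for l, _ in LEAVES])   # equal weights give a balanced tree
    return avg_path_len(LEAVES, h_proofs), avg_path_len(LEAVES, b_proofs)

if __name__ == "__main__":
    print(compare())
```

With this constructed query distribution the weighted average hash path drops from 3.0 sibling hashes in the balanced tree to 2.49 in the Huffman-shaped one, while rarely queried leaves get longer proofs (up to 6 hashes).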
Keywords/Search Tags:Certificate Revocation Mechanism, Certificate Status, Certificate Authority, Information Security