
Research Of Distributed Cross-Certification Based On PKI

Posted on: 2005-05-31
Degree: Master
Type: Thesis
Country: China
Candidate: Y L Li
Full Text: PDF
GTID: 2168360125463933
Subject: Computer system architecture
Abstract/Summary:
Public Key Infrastructure (PKI) is now the foundation and core of network security construction, and it has become the basic guarantee of electronic business. Research and development of PKI is a hot topic in the field of information security.

The core of PKI is certification. To identify each other, parties use digital signatures to validate their partner's digital certificate. If, however, the two communicating sides are not in the same PKI trust domain, cross-certification should be adopted. Certification path processing is the core technology of cross-certification; a certification path is the set of certificates between the relying party's certificate and an established point of trust. Because certification path processing is complex and time-consuming, cross-certification is very difficult, and this seriously affects the efficiency and wide application of PKI. It is therefore necessary and urgent to design a universal and highly efficient certification path algorithm.

Based on a more broadly applicable cross-certification mode, Delegated Path Validation and Delegated Path Discovery, this paper proposes an optimized certification path construction scheme that strikes a balance between space and time and between efficiency and security.

The main work of this paper includes:

① The paper explains the theory, services, and main applications of PKI. The X.509 digital certificate is also introduced.

② The paper explains the fundamental concept of the trust model and its relationship with cross-certification. Some primary characteristics of the alternative trust models are summarized. A new cross-certification mode, Delegated Path Validation and Delegated Path Discovery, is introduced, including its features and principles in detail.

③ As the main technology of cross-certification, some popular certification path construction algorithms are introduced. Their advantages and disadvantages are also given.

④ An optimized scheme for cross-certification across PKI domains is proposed and discussed in detail in terms of design idea, implementation premises, key technical elements, PRI sorting, matching rules, loop detection, and so on. An algorithm description and main flow chart are also given.

⑤ Finally, the optimized scheme is tested in an experiment. The experimental result is analyzed and compared with other algorithms. The conclusion is that the optimized scheme helps to improve the efficiency of cross-certification.
Keywords/Search Tags: Public Key Infrastructure, digital certificate, cross-certification, trust model, certification path