
The Research On Certificate Revocation Mechanism In PKI

Posted on: 2005-10-31
Degree: Master
Type: Thesis
Country: China
Candidate: Y J Wang
Full Text: PDF
GTID: 2168360125958791
Subject: Computer application technology
Abstract/Summary:
Public Key Infrastructure (PKI) is the basis for providing Internet security services using public key certificates. A certificate may be revoked before its expiration because its secret key was compromised, the holder's affiliation changed, and so on. One of the most sensitive problems is validating the status of the digital certificate in use. The Certificate Authority is responsible for distributing certificate status information. It is reported that distributing revocation information is the bottleneck and the most costly aspect of developing a large-scale PKI, accounting for approximately 90% of all costs. This paper analyzes existing public key revocation mechanisms and discusses their merits, disadvantages and the environments they suit. On this basis, it quantitatively compares CRL, Delta-CRL, segmented CRL and over-issued CRL in terms of peak request rate, peak bandwidth and user query cost. The results show that the different schemes address different problems, and none of them has proven perfect. Finally, a new hybrid revocation method is presented which improves performance, scalability and timeliness, and which can adapt to PKIs of various scales. The Certificate Revocation Tree is an alternative revocation mechanism which alleviates the processing load of OCSP as well as the communication load of CRLs, but it incurs extra computational overhead when nodes are added to or deleted from the tree; worse, a repository can cheat users by presenting nodes that are not adjacent, and the response for a valid certificate is large. This paper proposes an improved certificate revocation scheme based on dynamic data structures, which can be implemented with a Red-Black tree or an AVL tree. Equipped with an algorithm that verifies whether two nodes are adjacent, to prevent cheating, and an improved verification algorithm for valid certificates, this scheme reduces client computation cost and decreases the communication cost between CA and repository and between repository and client.
Simulation experiments are then carried out to verify these conclusions. Finally, we design CRL, Delta-CRL, segmented CRL and over-issued CRL systems and provide a CRL encoding and decoding function interface. Based on an AVL revocation tree, we design the communication protocol and classes between client and server, build a request/response online certificate revocation prototype system, and analyze its performance.
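As an added illustration (not code from the thesis or its prototype), the following Python sketch shows the core of a Kocher-style certificate revocation tree: each leaf commits to the interval between two adjacent revoked serial numbers, so a status proof is one authenticated interval plus a hash path to the CA-signed root, and a repository that offers two non-adjacent serials cannot produce a proof that verifies. The serial bounds, the hash encoding and the sample revoked serials are assumptions.

```python
import hashlib
# Added example, not the thesis's code: a Kocher-style Certificate Revocation
# Tree whose leaves are intervals between ADJACENT revoked serials, so a proof
# built from two non-adjacent serials cannot hash up to the signed root.
LO_SENTINEL, HI_SENTINEL = -1, 2**64   # assumed bounds on serial numbers

def leaf_hash(lo, hi):
    return hashlib.sha256(b"L%d|%d" % (lo, hi)).digest()

def node_hash(left, right):
    return hashlib.sha256(b"N" + left + right).digest()

def build_crt(revoked):
    """CA side: return (root, leaves, levels); the root is what the CA signs."""
    s = [LO_SENTINEL] + sorted(set(revoked)) + [HI_SENTINEL]
    leaves = [(s[i], s[i + 1]) for i in range(len(s) - 1)]
    level = [leaf_hash(lo, hi) for lo, hi in leaves]
    levels = [level]
    while len(level) > 1:
        if len(level) % 2:                 # odd level: duplicate last node
            level = level + [level[-1]]
        level = [node_hash(level[i], level[i + 1]) for i in range(0, len(level), 2)]
        levels.append(level)
    return levels[-1][0], leaves, levels

def prove(serial, leaves, levels):
    """Repository side: the interval holding `serial` plus its authentication
    path, a list of (sibling_hash, sibling_is_on_the_right) up to the root."""
    idx = next(i for i, (lo, hi) in enumerate(leaves) if lo <= serial < hi)
    path, i = [], idx
    for level in levels[:-1]:
        lvl = level + [level[-1]] if len(level) % 2 else level
        sib = i ^ 1
        path.append((lvl[sib], sib > i))
        i //= 2
    return leaves[idx], path

def verify(serial, leaf, path, trusted_root):
    """Client side: 'valid', 'revoked', or None when the interval does not
    cover `serial` or the path does not hash up to the CA-signed root."""
    lo, hi = leaf
    if not (lo <= serial < hi):
        return None
    cur = leaf_hash(lo, hi)
    for sib, is_right in path:
        cur = node_hash(cur, sib) if is_right else node_hash(sib, cur)
    if cur != trusted_root:
        return None
    return "revoked" if serial == lo else "valid"
```

Because adjacency is baked into the leaf the CA signed over, the client needs only one short path per query, which is the communication saving the abstract describes for valid certificates.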
Keywords/Search Tags: Public Key Infrastructure, certificate, certificate status, Certificate Revocation List, authentic data structure