
Research And Implementation Of PKI System Based On LDAP And XKMS

Posted on: 2007-03-31
Degree: Master
Type: Thesis
Country: China
Candidate: Y H Wang
GTID: 2178360182460811
Subject: Management Science and Engineering

Abstract/Summary:
With the popularization of information technology and networks, resolving the security problem has become necessary and urgent. PKI (Public Key Infrastructure) is the leading solution for ensuring security in networks, but it still has technical drawbacks, such as poor interoperability between different systems and difficult deployment in client applications. The complexity of PKI hinders its large-scale application.

This paper studies and analyzes XKMS and its related technology in depth. XKMS is one of the XML security standards published by the W3C. It provides a general-purpose interface to PKI and has the server, instead of the client, perform the complicated PKI tasks. It can solve the interoperability problem and reduce the complexity of client applications. This paper designs and implements a PKI system based on LDAP and XKMS, and also implements an SDK in Java that provides an API for implementing XKMS. The paper focuses on the design and implementation of the XKMS server and the LDAP server in the system, and gives analysis and solutions for the security, efficiency and other key points of the system. It improves the mechanism for validating certificate revocation status, redesigns the directory structure to support the XKMS service, ensures the security of LDAP by using strict access control and the SSL protocol, and implements an LDAP connection pool to improve LDAP access efficiency. The system uses a Web Service to provide the XKMS service, transferring the complexity from the client to the server and shielding the underlying PKI processes. The XKMS server adopts a synchronous processing mode, uses the SSL protocol to ensure the security of message transmission, and employs the two-phase request protocol to protect against denial-of-service attacks.

This paper analyzes the application through three typical scenarios: certificate location, certificate validation, and validation using the two-phase request protocol. The system can directly offer safe and convenient key/certificate services to applications based on XML Signature and XML Encryption, and it can also reduce the complexity of deploying client PKI applications. This paper provides a reference for implementing XKMS in practice.
Keywords/Search Tags:XKMS, PKI, LDAP, Web Service