
Study And Design Of Certificate Revocation Schemes In Security Platform Of Digital Campus

Posted on: 2006-07-29
Degree: Master
Type: Thesis
Country: China
Candidate: L Liu
GTID: 2178360185963446
Subject: Software engineering

Abstract/Summary:
A digital campus is the digital extension of the real campus in both space and time through information technologies. It integrates the separate information systems and resources on campus networks, providing a uniform platform for all kinds of information applications.

Security is an important aspect of the digital campus. A security supporting platform based on PKI is an indispensable component of the digital campus, providing basic security services for applications. Certificate revocation is an important problem that must be addressed in PKI systems. Certificate revocation schemes in a digital campus should fit its security environment, be efficient and scalable, and be optimized for the main digital campus applications.

Based on the digital campus project of the National University of Defense Technology (NUDT), this paper makes the following contributions.

(1) Design and analysis of a certificate revocation scheme for the digital campus integrating CRL and OCSP. According to the campus network environment of NUDT, a certificate revocation scheme integrating CRL and OCSP is put forward. In the scheme, there is an OCSP server in each CA domain, which updates CRLs from all CAs and provides OCSP service for clients in the domain. The integration of CRL and OCSP lies in two aspects: 1) clients that query certificate status are divided into server nodes and client nodes, with the former relying on CRL and the latter relying on OCSP services; 2) CRL serves as the background update mechanism for the OCSP nodes. This scheme takes into consideration both the mobile embedded client nodes on campus, which have limited bandwidth, processing and storage capabilities, and the server nodes, which are popular and have much more powerful resources. It is an optimized scheme which is implementable and scalable.

(2) Design and analysis of a P2P-based CRL distribution scheme. In order to improve the performance of CRL distribution, a P2P-based CRL distribution scheme is put forward. The basic idea is to divide the CRL into many separate packages, with each requesting node downloading different packages. The downloading nodes act not only as clients of the CRL distribution node, but also as servers for other downloading nodes, uploading their locally downloaded packages. In this peer-to-peer way, the traditional one-to-many CRL distribution scheme is changed into a many-to-many one, and CRL distribution performance is improved. Both theoretical study and simulation show that this P2P-based CRL distribution scheme can largely reduce the distribution time.
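The package-based distribution idea in contribution (2) can be illustrated with a small time-slotted model. This is an added example, not code or results from the thesis; the slot model (one upload and one download per node per slot), the rarest-first choice, and all function names are assumptions made here.

```python
import hashlib

def split_crl(crl, size):
    """Divide the CRL into fixed-size packages (the last may be shorter)."""
    return [crl[i:i + size] for i in range(0, len(crl), size)]

def one_to_many_slots(n_nodes, n_pkgs):
    """Baseline: only the distribution node uploads, one package per slot."""
    return n_nodes * n_pkgs

def p2p_distribute(packages, n_nodes):
    """Many-to-many model. Assumptions (not from the thesis): per time slot
    every holder uploads at most one package, every node downloads at most
    one, and holders offer their rarest package first."""
    k = len(packages)
    stores = [{} for _ in range(n_nodes)]        # per node: {index: bytes}
    seed = dict(enumerate(packages))             # the CRL distribution node
    slots = 0
    while any(len(s) < k for s in stores):
        slots += 1
        # Snapshot: a package received in this slot is forwardable next slot.
        holders = [seed] + [dict(s) for s in stores]
        count = [sum(i in s for s in stores) for i in range(k)]
        receiving = set()
        for held in holders:
            target = next(((i, n)
                           for i in sorted(held, key=lambda i: (count[i], i))
                           for n in range(n_nodes)
                           if n not in receiving and i not in stores[n]), None)
            if target:
                i, n = target
                stores[n][i] = held[i]
                receiving.add(n)
                count[i] += 1
    return slots, stores

def reassemble(store):
    """Concatenate a node's packages back into the full CRL."""
    return b"".join(store[i] for i in range(len(store)))

if __name__ == "__main__":
    crl = bytes(range(256)) * 64                 # constructed stand-in, not a real CRL
    pkgs = split_crl(crl, 1024)                  # 16 packages
    slots, stores = p2p_distribute(pkgs, n_nodes=8)
    want = hashlib.sha256(crl).hexdigest()
    assert all(hashlib.sha256(reassemble(s)).hexdigest() == want for s in stores)
    print("one-to-many:", one_to_many_slots(8, len(pkgs)), "slots; P2P:", slots)
```

In a deployment, each node would still validate the CA signature on the reassembled CRL before trusting it, since the packages arrive from other downloading nodes rather than from the distribution node.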
Keywords/Search Tags: Digital campus, Security, Certificate revocation, Peer-to-peer, Load balance