The Research And Design Of A PKI End System

Building and using a PKI--Public Key Infrastructure system is a widely accepted and effective way to protect information and applications from invasion in Internet. PKI can provide a strong ability on authentication, integrity, confidentiality, and non-repudiation. The research on its theory is developed in all direction, and a series of international standards have finished already. Lots of PKI products have been developed by different companies and institutions for different purposes.Nowadays, disunion and imbalance of research work happed in this field, people focus their attention on management policy and the structure of public key certificate in CA server much more then things in end system used by customers. At present, the support of customer side certificate application almost relies on browser only (MS Internet Explorer and Netscape Navigator mainly), which limits the application development very much as the programming ability the browsers offered is quit few. On the other hand, this also means customer side security depends on the browser only, and users are unable to move their security to a high level by changing algorithms in the browsers because of the structure their used.On the discussion above, the thesis proposes research and design of PKI end system. With respect to information security and construction of certification trust path, the thesis proposes the scheme of safe intermediate layer and the Path Construction Based On Trust Certificate Tree (binary tree) separately. The design philosophy of the safe intermediate layer stems from of network layered methods and the transparent access thought of SSL protocol, but SSL protocol faces transport layer security and at the same time it ties HTTP protocol basically in application of PKI systems. In the thesis, the PKI end system realizes application security and variety by encapsuling SSL protocol into application layer and offering the application interface in it directly. Meanwhile, safe intermediate layer focuses on local information security and makes overall state management of files. According to the realization principle of middleware, the system acts for the function of security agency in information transmission and allocation. Client information security also includes the study of relative security of encryption algorithms and user's encryption interfaces in PKI end system. From the study of entity management and appliance management of customer's certificates, the PKI end system has set up the overall application scheme of customer's certificate on the mechanism of management of the certificates. The thesis also discusses the project that end system realizes certification path processing on the basis of certificate trust tree (binary tree) in contrast to certificate chain of the browsers and certificate picture scheme of the complicated trusting relationship. The building of trust tree is grounded on the consequence of trust logic and simplification of cross-certificate trust level. The thesis proves the method and gives the Path Construction Algorithm Based On Trust Certificate Tree (binary tree). The function enables the application to perform PKI tasks like searching for public-keys and certificates and the validation of digital signatures and certificates. The validation includes the construction and verification of complete certification paths and the checking of corresponding revocation lists. At last, according with current PKI standards and CA certificate standards the thesis realizes a PKI end system ---- CAClient. The system sets up the management of the certificate and encryption ofinformation, realizes good encapsulation, and also lets users act on own controlled encryption way and intensity, thus improves integrality of developing PKI system and independence of application. CAClient is composed of three layers: application layer, safe intermediate layer and transport layer. In application layer the API Specification describes an interface that makes the integration of public-key technology based security functions into applications easier. With the help of a few functions of the API developers are enabled to integrate complex security functions that require a PKI into applications. In the intermediate of the system, safe intermediate layer offers upwards to application layer interface of encapsulation, and it also offers downwards to transport layer the packets without difference. In addition, CAClient carries transmission in End-to-End mode, with which system can initiate and monitor connection request of peers, and set up the commutative file transfer of many tasks. In security, system adopts opening interface of encryption algorithm, which could be joined in by customer in their definition. So the system has the higher-level security and better adaptability.The thesis consists of five chapters. Chapter one sums up and discusses the technique backgrounds of online security and PKI system briefly, gives the direction of research and proposes the main work of the thesis. Chapter two discusses the scheme of information security of PKI end system, which includes safe intermediate layer of PKI end system, file state management and users'encryption interface. Chapter three discusses the schemes of certificate trust path construction of PKI end system and the Path Construction Algorithm based on Trust Certificate Tree (binary tree). Chapter four discusses CAClient system with the analysis of the modules and design, including system realization and structure, etc. Chapter five summarizes and looks into the distance.