Research On Certificate Revocation Scheme In PKI And Forward Security Signature

Public Key Infrastructure (PKI) offerring the general secure service is based on public key cryptography. It not only provides secure services for network, such as confidentiality, integrity, authentication and non-repudiation, but also generates, distributes, manages and withdraws digital certificate. The public key certificate binds public key and the user's ID information together through digital signature and encryption technique. The verification party verifies the validity of the certificate and ensures the lightness, validity and availability of the identity who holds the certificate before dealing with E-business affair. Thus the risk of transaction on Internet will be reduced and the security of the exchange in E-business can be ensured.After CA has issued a certificate, it probably changes to invalid for some special reasons over time passes. Therefore, CA must publish Certificate Revocation List (CRL) for customers to download and verify the validity of the certificate. In consequence, how to maintain and implement an efficient certificate revocation is very an important subject in PKI.Based on the analysis of several revocation schemes, such as Over-Issued-Segmented CRL, random CRL, improved Delta-CRL, CRT, Binary sorted certificate revocation tree and other traditional certificate revocation schemes, the study proposes a new binary sort certificate revocation tree scheme which compressed from root to leaf. The scheme can reduce both the work when CA updates the tree and communication between Directory and the verifier. It is a good revolution for certificate revocation in PKI. It can build a prompt, accurate and secure certificate revocation system which can offer good query service to users.In order to reduce loss when the secret key of the common digital signature is revealed, the forward secure signature scheme is proposed. After pointing out the flaws of the exist scheme, this paper proposes a forward secure digital signature scheme based on bilinear pairings. The study divides the signature course into several periods. In each period, the public key is steady, but private key always changes. Furthermore, the next private key is produced by one-way function on the current secret key, so this scheme satisfies forward security. The new signature scheme realizes easily and updates the secret key promptly. The thesis also gives the proof on security and efficiency forward security.