Research On Certificate Path Discovery In PKI

Public Key Infrastructure provides the basic security for network transaction through digital certificate. In the first place, the terminal entity of PKI should confirm the authenticity of the counterpart's identity before carrying out the transaction, so it's necessary to validate the creditability of the counterpart's digital certificate. A certificate path should be constructed between both sides during the process of validating creditability of all relevant certificates on the path, therefore the credibility of communication destination's certificate can be ensured ultimately.The construction of certificate path is inseparable with the trust model where the terminal entity is in. Based on in-depth analysis of the typical trust models of PKI, the advantages and disadvantages of each model are pointed out ,as well as the construction methods of certificate path. The research lays emphasis on the improvement of efficiency of certificate path construction by transforming the architecture of PKI, then proposes a new trust model——Depender graph structure model and the construction method of certificate path under this model.In the depender graph trust model, the relationships between all CAs are equal. The newly-joining CA can join into the trust architecture only through authenticating with K CAs mutually which have been in the trust relationships and have satisfied certain conditions. It makes the expansion of trust field easy, and alleviates the certificate management burden of single CA at the same time. The depender graph trust model has good redundancy, and weakening the security of single CA will have not effect on the whole trust architecture seriously.The construction methods of certificate path under the existing trust models are studied in depth in this paper, and an interrelated method is brought forward combining with the paper proposed depender graph trust model. During the construction process of certificate path, some inefficient paths and certificate path loops are eliminated, hence the efficiency of the certificate path construction is improved by applying the breadth-first search of graph and the structure characteristics of depender graph fully.