
Analysis And Research On Certificate Revocation Scheme In PKI

Posted on: 2011-12-16
Degree: Master
Type: Thesis
Country: China
Candidate: S X Chen
Full Text: PDF
GTID: 2178360305471643
Subject: Computer application technology

Abstract/Summary:
In PKI, a CA binds a subscriber's public key to the subscriber's other identifying information by issuing a digital certificate, which is then used to verify the subscriber's identity. Before the certificate's natural expiry, it may have to be revoked for reasons such as the disclosure of the subscriber's private key or a change in the identifying information. The CA must enable all subscribers to learn the status of a certificate that has been revoked but is still within its validity period. This is the certificate revocation scheme of the PKI system. The certificate revocation scheme is an often neglected but essential part of a PKI system; whether it is well designed directly affects the scale to which the PKI can grow.

The work of the thesis is as follows:

(1) Through research on and analysis of CRL (Certificate Revocation List) and its improved schemes, OCSP (Online Certificate Status Protocol), CRT (Certificate Revocation Tree) and 2-3 CRT, with respect to performance, timeliness, scalability, security and standards compliance, the thesis points out their advantages and disadvantages.

(2) An improvement on 2-3CRT, named ECRT. In the 2-3CRT, the response for a non-revoked certificate must include the paths of both Cminor and Cmajor, and these two paths overlap. In ECRT, path optimization omits the cryptographic values in the path of Cmajor that are already included in the path of Cminor. Together with CRF (dividing a big CRT into several small CRTs), re-utilization of the digest and response update, this is used to obtain a reduction in response size.

(3) An improvement in the response speed of the OCSP responder to a user's validity request. Traditional OCSP checking is a procedure of comparing the given certificate serial number with those in the certificate revocation database. The certificate serial numbers in the revocation database are stored in order, which constrains the response speed of the OCSP responder to the user's validity request. Under this circumstance, the thesis proposes a check based on a certificate revocation hash table and generates a pre-signature for each revoked certificate. The scheme improves the response speed of the OCSP responder to the user's validity request to varying degrees.

(4) A mini CA program is developed which includes certificate application, certificate auditing, certificate issuance, certificate revocation and certificate status checking. Certificate revocation and certificate status checking implement ECRT and the certificate revocation hash table.
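As an added illustration of the non-revocation response of a 2-3CRT and the ECRT path optimization described in item (2) above (example code written for this page, not code from the thesis): a binary Merkle tree over a constructed list of revoked serials stands in for the 2-3 tree, and the Cminor/Cmajor neighbours are found by bisection instead of a tree search; the relying party merges the two paths, which is what lets the overlapping values of Cmajor's path be omitted.

```python
import hashlib
from bisect import bisect_left

REVOKED = [10, 20, 30, 40, 50, 60, 70, 80]   # constructed sample of revoked serials
def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()
def leaf(serial: int) -> bytes:              # leaf value of one revoked serial
    return h(b"leaf:" + serial.to_bytes(8, "big"))
def build_crt(serials):
    """Merkle tree over the sorted revoked serials (simplified 2-3 CRT): levels, leaves first."""
    level, levels = [leaf(s) for s in sorted(serials)], []
    while True:
        if len(level) > 1 and len(level) % 2:
            level = level + [level[-1]]          # pad odd levels with the last node
        levels.append(level)
        if len(level) == 1:
            return levels                        # levels[-1][0] is the root the CA signs
        level = [h(level[i] + level[i + 1]) for i in range(0, len(level), 2)]
def auth_path(levels, index):
    """Sibling hashes from leaf to root, keyed by (level, position)."""
    path = {}
    for lvl, nodes in enumerate(levels[:-1]):
        path[(lvl, index ^ 1)] = nodes[index ^ 1]
        index //= 2
    return path
def verify(root, depth, index, serial, path):
    """Recompute the root from one leaf and the sibling hashes on its path."""
    node = leaf(serial)
    for lvl in range(depth):
        sib = path[(lvl, index ^ 1)]
        node = h(node + sib) if index % 2 == 0 else h(sib + node)
        index //= 2
    return node == root
def non_revocation_response(serials, levels, serial, ecrt=True):
    """Cminor/Cmajor paths; ecrt=True omits Cmajor values already present in Cminor's path."""
    rev = sorted(serials)
    i = bisect_left(rev, serial)
    if i < len(rev) and rev[i] == serial:
        return None                              # revoked: no non-revocation proof
    if i in (0, len(rev)): raise ValueError("serial outside the revoked range; one-sided case not shown")
    minor, major = auth_path(levels, i - 1), auth_path(levels, i)   # Cminor = rev[i-1], Cmajor = rev[i]
    if ecrt:
        major = {k: v for k, v in major.items() if k not in minor}
    return (rev[i - 1], i - 1, minor), (rev[i], i, major)
def check_response(root, depth, serial, resp):
    """Relying party: neighbours enclose the serial and both verify; Cminor's values complete Cmajor's path."""
    (cmin, imin, pmin), (cmaj, imaj, pmaj) = resp
    return (cmin < serial < cmaj and imaj == imin + 1
            and verify(root, depth, imin, cmin, pmin)
            and verify(root, depth, imaj, cmaj, {**pmin, **pmaj}))
```

How much the optimization saves depends on where the queried serial falls: when Cminor and Cmajor are sibling leaves all but one value of Cmajor's path is redundant, whereas neighbours on opposite sides of the root share nothing.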
Keywords/Search Tags: PKI, certificate revocation scheme, 2-3CRT, ECRT