
The Inter-domain Internet Of Heterogeneous Trustworthy Domains

Posted on: 2011-05-09
Degree: Master
Type: Thesis
Country: China
Candidate: X Meng
Full Text: PDF
GTID: 2178360305955196
Subject: Network and information security
Abstract/Summary:
There are two kinds of certification (authentication) system: one based on PKI technology and one based on IBE technology. They differ in many ways: PKI authenticates with a certificate, whereas IBE authenticates with the user's identity; the PKI public key is stored in a certificate, whereas in IBE the public key is the user's identity itself; and so on. As more and more enterprises and institutions set up their own certification systems, each enterprise or institution forms a domain, and these domains usually run PKI. However, because IBE has the advantage of not needing to store certificates, more and more enterprises and institutions are beginning to adopt IBE. PKI and IBE are heterogeneous in their models, yet contact among enterprises and institutions in different domains keeps growing, and with it the demand for interconnection between them. Trusted interconnection between heterogeneous PKI and IBE domains is therefore bound to become a trend, and how to achieve intercommunication between heterogeneous certification systems is becoming ever more important. Inter-domain interconnection here means communication between the users and services of heterogeneous certification systems such that a user accessing a service in the other domain does not perceive the difference between the two domains: cross-domain access to services is transparent to the user.
As a certification system that provides security mechanisms, an interconnection between heterogeneous trustworthy domains must also provide the following security services: confidentiality (privacy), data integrity, non-repudiation, and availability. At present the identity-based encryption system suits enterprises better because it avoids the overhead of storing and verifying certificates. IBE is not yet mature enough for large-scale use, however, which is why IBE and PKI systems coexist. This thesis first introduces the main features of the two certification systems. By comparing IBE with PKI and explaining the advantages of IBE, it argues that making an IBE system compatible with already deployed PKI systems is the inevitable route to cross-domain authorization and trusted interconnection between heterogeneous domains. Trust is one-way and cannot be measured, while interconnection models require equality between the parties; on top of this, the IBE and PKI domains are heterogeneous and asymmetric (PKI authenticates with certificates, IBE with user identities). Therefore, on the premise of preserving each side's merits (each domain keeps its own advantages, and the PKI side keeps its domain-to-domain trusted interconnection scheme), the thesis presents an improved, trusted-service-based IBE system that meets the requirements of interconnecting the two domains. The system consists of four parts: a Key Management Module, an Identity Management Module, a Privilege Management Module, and an Inter-domain Interconnect Module. The Inter-domain Interconnect Module plays the central role in inter-domain communication.
It provides scalability and interoperability for the interconnection of heterogeneous trusted domains and addresses how a chain of trust is formed and how its validity is verified, the two problems that cross-domain authorization faces. This thesis focuses on the design and implementation of the Inter-domain Interconnect Module. The module consists of four sub-modules: the domain request management sub-module, the cross-domain request management sub-module, the domain identity management sub-module, and the cross-domain authorization management sub-module. Together they realize the inter-domain interconnection mechanism of the trusted-service-based IBE system. The domain request management sub-module is responsible for mapping and converting the identities of this domain's users for the heterogeneous (PKI) domain. To ease the generation of certificates for these users, it registers a sub-CA in the heterogeneous domain: the sub-CA issues valid certificates to the users who need to request cross-domain services, and it relieves the CA of the heterogeneous domain of managing this domain's users, so that responsibility is transferred. The cross-domain request management sub-module performs the identity mapping and conversion in the other direction, for PKI users. Assigning a unique identity to each heterogeneous-domain user is the key problem of this module; it is solved together with the domain identity management sub-module, which uses hierarchical identity formation rules to generate unique identities. The domain identity management sub-module is responsible for the unified management of identities across heterogeneous domains and mainly provides the basis on which PKI users receive a unique mapped identity.
The thesis gives a global domain identification rule: a domain identity is formed as "top-level domain identity + sub-level domain identity + ... + sub-level domain identity + terminating domain identity". The cross-domain authorization management sub-module assigns an appropriate role to a user requesting cross-domain services, according to that user's rights, so that the user's authority is carried over into the heterogeneous domain. It is built on a role-based access management system: a user's roles are split into interface roles and ordinary roles arranged hierarchically within the domain. Ordinary roles are those that never need inter-domain role conversion; interface roles are further divided into internal and external roles. To show that the design is feasible, the thesis presents a concrete realization environment and the data flows of the scheme above. The IBE system realized in this thesis is developed on RHEL5 with epoll and a process pool at the front end and MySQL as the back-end database. System initialization comprises PKI initialization and IBE initialization. PKI initialization covers initializing the CA and applying for and issuing certificates for users and services. IBE initialization covers configuring the system parameters, the periodic replacement of users' private keys, and registering the domain's users and services with the Identity Management Module. As a new trusted authentication technology, IBE was proposed to make up for the shortcomings of PKI.
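One way to make the identity mapping of the previous paragraph and the identity rule and role conversion of this one concrete, as an added illustration that is not the thesis's own code: the "/" delimiter, the backslash escape, the policy tables, and the sample domain and role names below are all assumptions chosen for the example. The escaping matters because the rule concatenates levels, and without it two different level lists could collapse to the same identity string, defeating uniqueness.

```python
from dataclasses import dataclass

SEP = "/"   # assumed delimiter between identity levels (not fixed by the thesis)
ESC = "\\"  # assumed escape character


def _escape(component: str) -> str:
    """Escape ESC and SEP inside one level so that distinct level lists
    can never produce the same identity string."""
    return component.replace(ESC, ESC + ESC).replace(SEP, ESC + SEP)


def make_domain_identity(levels):
    """Form 'top-level identity + sub-level identity + ... + terminating identity'."""
    if not levels or any(level == "" for level in levels):
        raise ValueError("every identity level must be non-empty")
    return SEP.join(_escape(level) for level in levels)


def parse_domain_identity(identity):
    """Inverse of make_domain_identity, so the receiving domain can recover
    the originating domain chain from a mapped identity."""
    levels, current, i = [], [], 0
    while i < len(identity):
        ch = identity[i]
        if ch == ESC and i + 1 < len(identity):
            current.append(identity[i + 1])   # escaped character, taken literally
            i += 2
            continue
        if ch == SEP:
            levels.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    levels.append("".join(current))
    return levels


def map_pki_user(issuer_chain, subject_cn):
    """Map a PKI user into the IBE domain: the issuing CAs (root first, the
    registered sub-CA last) become the domain levels and the certificate
    subject CN is the terminating identity. Hypothetical mapping, not the
    thesis's exact scheme."""
    return make_domain_identity([*issuer_chain, subject_cn])


@dataclass(frozen=True)
class DomainPolicy:
    """Role tables of one domain. Only interface roles cross the boundary:
    an external interface role presented by a foreign user is converted to
    an internal interface role, which in turn grants ordinary roles."""
    name: str
    external_to_internal: dict   # external interface role -> internal interface role
    internal_to_ordinary: dict   # internal interface role -> tuple of ordinary roles
    permissions: dict            # ordinary role -> set of permissions

    def authorize_cross_domain(self, external_role):
        """Return the permissions a foreign user obtains here. Ordinary roles
        are never reachable directly, so an unknown or ordinary role name
        yields no permissions."""
        internal = self.external_to_internal.get(external_role)
        if internal is None:
            return frozenset()
        granted = set()
        for ordinary in self.internal_to_ordinary.get(internal, ()):
            granted.update(self.permissions.get(ordinary, ()))
        return frozenset(granted)


# Constructed sample policy for the target domain (illustrative only).
PKI_DOMAIN = DomainPolicy(
    name="corpB-pki",
    external_to_internal={"partner-auditor": "if-auditor"},
    internal_to_ordinary={"if-auditor": ("report-reader", "log-reader")},
    permissions={
        "report-reader": {"reports:read"},
        "log-reader": {"logs:read"},
        "admin": {"*"},   # ordinary role, never granted through an interface role
    },
)


def demo():
    """A PKI user from corpA is mapped to a unique identity and then
    authorized in corpB through its external interface role."""
    identity = map_pki_user(["RootCA", "corpA-subCA"], "alice")
    perms = PKI_DOMAIN.authorize_cross_domain("partner-auditor")
    return identity, sorted(perms)


if __name__ == "__main__":
    print(demo())
```

The point of the escaping check is the uniqueness requirement the abstract places on the mapped identity: with plain concatenation, a subject CN containing the delimiter would alias a deeper domain chain, and the target domain would derive the wrong originating domain from it.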
Based on an improved IBE prototype system, this thesis implements an inter-domain authentication interconnection model between the improved IBE system and a heterogeneous PKI system. It gives the existing IBE system a complete and secure inter-domain communication service, makes the system more practical and better aligned with the requirements of most business networks in today's network environment, and offers users on the Internet a system suited to their demands for efficiency and security. The thesis presents only one feasible method of interconnecting a PKI domain and an IBE domain; much room for improvement remains, for example where a system requires users' identities to be hidden, and in designing a more comprehensive cross-domain authorization system.
Keywords/Search Tags: PKI, IBE, Heterogeneous Domains, Inter-domain Internet, Identity Map, Cross-domain Authorization