| Recent years, trusted computing, regarded as the fundamental resolution to terminal security, is getting interests of all the countries in the world. TCG introduces TPM as the trusted computing base and establishes a series of technical specifications on trusted computing. To develop trusted computing technologies with our own rights, we make use of TCM as the core of our trusted computing technologies and don't adopt TCG's standards immediately.To realize anonymous attestation among platforms, TCG proposes PrivacyCA system and DAA system, but both resolutions can't be implemented on TCM. So, we propose a certification system in the specification"Functionality and Interface Specification of Cryptographic Support Platform for Trusted Computing", which is similar to TCG PrivacyCA system. Our certification system introduces double certificates architecture and cryptographic algorithms, both of which are different from that of TCG PrivacyCA system. On one hand, it bears the same shortcomings with TCG PrivacyCA system: the Trusted Third Party is high loaded, may be subjected to DoS attacks and leak user's privacy. On the other hand, our specification only introduces the issuing of PIK certificates, but doesn't contain the issuing of PEK certificates and certificate revocation. For all the reasons, this thesis focuses on overcoming above shortcomings of PrivacyCA and establishing the protocols of issuance and revocation of double certificates, according to ourtrusted computing standards. The main works of this thesis are as follows: Firstly, we research deeply on the TCG PrivacyCA system and point out its shortcomings. Then, we research on the DAA system and our own certification system in trusted computing, conclude that DAA system is not suitable for our trusted computing technologies, and put forward the aims of this thesis by comparing our certification system with TCG PrivacyCA system.Secondly, on the basis of agents, we propose a PrivacyCA system which could trace platform's anonymity. Through introducing agents to issue PIK and PEK certificates, this system reduces PrivacyCA's payloads effectively, and enhances its abilities of resisting to DoS attacks and protecting user's privacy. We also design the issuing protocols of PIK and PEK certificates, propose suitable certificate revocation mechanisms, and analyze the system on security and other aspects.Thirdly, to satisfy the demand of untraceability to platform's anonymity, we propose a PrivacyCA system which couldn't trace anonymity based on partially blind signatures. This system adopts a partially blind signature protocol based on elliptical curve as the certificate issuing protocol, to guarantee untraceability to platform's anonymity. We design the issuing protocols of PIK and PEK certificates, and propose effective revocation mechanisms of them. At last, we combine agents and partially blind signature technologies to solve the problem of high payloads and DoS attacks to PrivacyCA.At last, on the basis of demand analysis to PrivacyCA system based on agents, we propose its designing aims, and then design its network architecture, function modules, work flows and database. Then, we program some critical modules of client, PrivacyCA and agents, completing the whole certificates issuing function. |
PDF Full Text Request