| In the process of automated trust negotiation, when the negotiating parties are not in the same security domain, the protection of sensitive information has become a key issue of automated trust negotiation. The protection of certificates is one of key issues of the protection of sensitive information. There are two main ways of disclosure of the sensitive information in certificates:(1) when certificates were transported through the unsafe physical channel, the sensitive information of certificates was disclosed; (2) when the same certificates were used repeatedly in process of negotiation, the sensitive information of certificates was disclosed. Today, most of researches of the information transmission adopt various encryption methods, which are inefficient and have large amount of transmitted information; for problems of disclosure of the sensitive information in repeated uses of the same certificates, the certificate revocation list is adopted, which has of higher inquiry cost and larger memory capacity. Therefore, how to design a transmission scheme which is effective and low information transmission capacity in unsafe channels, and how to achieve a certificate revocation program which is low inquiry cost and low memory capacity are the focus of this paper. In this paper, a certificate revocation system would be implemented based on both of the schemes.In this paper, a new certificate revocation system was designed, and the total design of a transmission scheme based on magic cube algorithm and KCRL based on the bit key tree was presented. At the same time, the CA, the server and the client of the certificate revocation system were implemented.The transmission scheme based on the magic cube algorithm solves the problem of transmitting certificates and other resources through the unsafe physical channel during an automated trust negotiation. Through the magic cube algorithm, a transformation sequence was formed in terms of the request or the resource of negotiation initiator, followed by the digital digest to generate the information transformation sequence. According to the logical expression composed of certificates which represent the condition of success of negotiation, the information transformation sequence was shuffled to form an information transmission sequence, which was sent to the negotiation receiver. The information transmission sequence was reciprocally transformed by the negotiation receiver according to his own certificates. Finally, through the analysis of experiments, the security and correctness of the magic cube algorithm were verified.Through certificate revocation list was built, the problem of the high inquiry cost and large memory capacity is solved by certificate revocation scheme based on KCRL. The number of certificates is used to form a key figure, and the key figure is inserted in the empty bit vector key tree during the process of creating KCRL. The validation process of the certificate revocation is to find whether the number of the certificate is in the bit vector key tree.Finally, by the experiment of magic cube algorithm comparing to hidden credentials, the advantages of magic cube algorithm are fully reflected in the transmission efficiency and information transmission capacity. By the experiment of KCRL comparing to other credentials revocation schemes, the advantages of KCRL are fully reflected in inquiry cost and memory capacity. At last, through the certificate revocation system which was designed in this paper compared with other CRL systems, the advantages of the certificate revocation system in this paper were reflected in the security, information transmission capacity, inquiry cost and real-time. |
PDF Full Text Request