
Research Of Certificate Revocation Mechanism Based On Intrusion Tolerance Technology

Posted on: 2014-02-05
Degree: Master
Type: Thesis
Country: China
Candidate: H W Lv
Full Text: PDF
GTID: 2248330395987188
Subject: Computer application technology
Abstract/Summary:
Intrusion tolerance is a third-generation information security technology. Unlike traditional approaches that try to keep intruders out by means of intrusion prevention and intrusion detection, intrusion tolerance requires that a system which has been intruded still provides normal or degraded service; the emphasis is on the availability of the system.

PKI uses digital certificates to provide the basic guarantee for secure network transactions. A certificate must be revoked before it expires when its private key is exposed or the status of its owner changes. The certificate revocation list (CRL) is one of the most widely used revocation mechanisms, and the reliability and validity of the CRL information is the precondition for certificate security.

This thesis proposes a CRL mechanism based on intrusion tolerance technology that takes the latent threats to the CRL service into account, and constructs an intrusion-tolerant CRL system. The system divides the CRL into sections by region using the segmented-CRL and over-issued-CRL methods, which speeds up revocation queries and avoids the load peak caused by CRL downloads.

The system stores the CRL on multiple redundant servers; replication and voting algorithms ensure data consistency among the servers and keep the data usable. Furthermore, a passive replication algorithm that selects the primary server randomly and a simpler voting algorithm that selects the most recently updated CRL are proposed. As a result, the response time after a crash of the primary server during passive replication is shortened, and the voting algorithm better solves the problem of choosing among differing data returned by the redundant servers.

Under the given experimental intrusion conditions, the query accuracy of certificate revocation in the intrusion-tolerant system is about 20% higher than that of the system without intrusion tolerance, although the system overhead increases. The experiments also show that adding an appropriate number of CRL servers increases the query accuracy of revocation checks while keeping the system overhead under control.
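The following is an added example and not code from the thesis: a self-contained toy simulation of the mechanism the abstract describes, written to show why segmenting, replication and a "freshest authentic copy" vote raise revocation-query accuracy under intrusion. It assumes that a region is a range of certificate serial numbers, that the CA's signature on a CRL segment is represented by an HMAC under a CA-held key (a stand-in, not real PKI signing), and that an intruded server either replays a previous, still time-valid issue or strips the revoked list without being able to re-sign it. The passive replication and primary election between servers are not modelled; the revocation state and the serials queried are constructed for the demonstration.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass

# Stand-in for the CA's signing key: a CRL segment is authentic only if its HMAC
# verifies. A real deployment would check the CA's signature on the CRL (assumption).
CA_KEY = b"constructed-demo-ca-key"

REGION_SIZE = 1000   # serial-number range covered by one CRL segment (assumed)
NUM_REGIONS = 3


@dataclass(frozen=True)
class Segment:
    """One section of the CRL, covering one serial-number region."""
    region: int
    this_update: int      # issue time of this copy
    next_update: int      # a copy is unusable after this time
    revoked: frozenset    # revoked serials inside this region
    sig: bytes            # CA "signature" over the fields above


def _body(region, this_update, next_update, revoked):
    return json.dumps([region, this_update, next_update, sorted(revoked)]).encode()


def issue_segment(region, this_update, next_update, revoked):
    """CA side: sign a segment. Over-issuing means issuing a fresh copy before the old one expires."""
    body = _body(region, this_update, next_update, revoked)
    return Segment(region, this_update, next_update, frozenset(revoked),
                   hmac.new(CA_KEY, body, hashlib.sha256).digest())


def verify(seg):
    """Client side: reject any copy whose signature does not match its contents."""
    expected = hmac.new(CA_KEY, _body(seg.region, seg.this_update, seg.next_update,
                                      seg.revoked), hashlib.sha256).digest()
    return hmac.compare_digest(seg.sig, expected)


def region_of(serial):
    return serial // REGION_SIZE


def issue_all(revoked_serials, this_update, next_update):
    return {r: issue_segment(r, this_update, next_update,
                             {s for s in revoked_serials if region_of(s) == r})
            for r in range(NUM_REGIONS)}


class CRLServer:
    """One redundant CRL server. 'honest' serves the current issue, 'stale' replays the
    previous (still time-valid) issue, 'tamper' strips the revoked list but cannot re-sign."""

    def __init__(self, name, current, previous, behaviour="honest"):
        self.name, self.current, self.previous, self.behaviour = name, current, previous, behaviour

    def fetch(self, region):
        if self.behaviour == "stale":
            return self.previous.get(region)
        seg = self.current.get(region)
        if seg is not None and self.behaviour == "tamper":
            return Segment(seg.region, seg.this_update, seg.next_update, frozenset(), seg.sig)
        return seg


def vote(copies, now):
    """Voting rule: among authentic, time-valid copies choose the most recently issued one.
    Returns None when no server produced a usable copy."""
    valid = [c for c in copies
             if c is not None and verify(c) and c.this_update <= now <= c.next_update]
    return max(valid, key=lambda c: c.this_update) if valid else None


def is_revoked_tolerant(servers, serial, now):
    """Intrusion-tolerant query: ask every replica for the one segment covering the serial."""
    seg = vote([s.fetch(region_of(serial)) for s in servers], now)
    if seg is None:
        raise RuntimeError("no authentic, current CRL segment available")
    return serial in seg.revoked


def is_revoked_naive(server, serial, now):
    """Baseline: a single server is trusted as-is (no signature check, no freshness check)."""
    return serial in server.fetch(region_of(serial)).revoked


def query_accuracy(answer, serials, truth):
    """Fraction of queried serials whose answer matches the CA's real revocation state."""
    return sum(answer(s) == (s in truth) for s in serials) / len(serials)


# Constructed scenario: at t=0 the CA revoked {17, 1234}; at t=10 it also revoked
# {42, 2500} and over-issued every segment (old copies stay time-valid until t=20).
TRUTH_T0 = {17, 1234}
TRUTH_T10 = {17, 42, 1234, 2500}
SERIALS = [17, 42, 99, 1234, 1500, 2500, 2999]


def build_servers():
    old = issue_all(TRUTH_T0, this_update=0, next_update=20)
    new = issue_all(TRUTH_T10, this_update=10, next_update=30)
    return [CRLServer("s1", new, old), CRLServer("s2", new, old), CRLServer("s3", new, old),
            CRLServer("s4", new, old, "stale"),    # intruded: replays the old CRL
            CRLServer("s5", new, old, "tamper")]   # intruded: hides revocations


if __name__ == "__main__":
    servers, now = build_servers(), 15
    print("tolerant:", query_accuracy(lambda s: is_revoked_tolerant(servers, s, now), SERIALS, TRUTH_T10))
    for srv in servers[3:]:
        print(srv.name, "alone:", query_accuracy(lambda s: is_revoked_naive(srv, s, now), SERIALS, TRUTH_T10))
```

Two points the simulation makes explicit. The signature check alone does not defeat a replay: the stale copy is authentic and still inside its validity window, so only the "latest this_update wins" vote removes it, and that vote needs at least one honest replica among the servers asked. And when no honest replica answers, the voter falls back to the best authentic copy it has (the stale one) until that copy's next_update passes, after which the query fails rather than returning unauthenticated data.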
Keywords/Search Tags: intrusion tolerance, CRL, replication, voting, certificate revocation