共查询到20条相似文献,搜索用时 15 毫秒
1.
2.
3.
Salabat Khan Zijian Zhang Liehuang Zhu Mussadiq Abdul Rahim Sadique Ahmad Ruoyu Chen 《International Journal of Communication Systems》2020,33(15)
In classical public‐key infrastructure (PKI), the certificate authorities (CAs) are fully trusted, and the security of the PKI relies on the trustworthiness of the CAs. However, recent failures and compromises of CAs showed that if a CA is corrupted, fake certificates may be issued, and the security of clients will be at risk. As emerging solutions, blockchain‐ and log‐based PKI proposals potentially solved the shortcomings of the PKI, in particular, eliminating the weakest link security and providing a rapid remedy to CAs' problems. Nevertheless, log‐based PKIs are still exposed to split‐world attacks if the attacker is capable of presenting two distinct signed versions of the log to the targeted victim(s), while the blockchain‐based PKIs have scaling and high‐cost issues to be overcome. To address these problems, this paper presents a secure and accountable transport layer security (TLS) certificate management (SCM), which is a next‐generation PKI framework. It combines the two emerging architectures, introducing novel mechanisms, and makes CAs and log servers accountable to domain owners. In SCM, CA‐signed domain certificates are stored in log servers, while the management of CAs and log servers is handed over to a group of domain owners, which is conducted on the blockchain platform. Different from existing blockchain‐based PKI proposals, SCM decreases the storage cost of blockchain from several hundreds of GB to only hundreds of megabytes. Finally, we analyze the security and performance of SCM and compare SCM with previous blockchain‐ and log‐based PKI schemes. 相似文献
4.
Christian Stephan Bernd 《AEUE-International Journal of Electronics and Communications》2006,60(1):20-24
Security for ad hoc network environments has received a lot of attention as of today. Previous work has mainly been focussing on secure routing, fairness issues, and malicious node detection. However, the issue of introducing and conserving trust relationships has received considerably less attention. In this article, we present a scalable method for the use of public key certificates and their revocation in mobile ad hoc networks (MANETs). With the LKN-ad hoc security framework (LKN-ASF) a certificate management protocol has been introduced, bringing PKI technology to MANETs. In addition a performance analysis of two different revocation approaches for MANETs will be presented. 相似文献
5.
Kpatcha Bayarou Matthias Enzmann Elli Giessler Michael Haisch Brian Hunter Mohammad Ilyas Sebastian Rohr Markus Schneider 《Wireless Personal Communications》2004,29(3-4):283-301
Certificate-based authentication of parties provides a powerful means for verifying claimed identities, since communicating partners do not have to exchange secrets in advance for authentication. This is especially valuable for roaming scenarios in future mobile communications where users authenticate to obtain network access—service access may potentially be based thereon in integrated approaches—and where the number of access network providers and Internet service providers is expected to increase considerably. When dealing with certificates, one must cope with the verification of complete certificate paths for security reasons. In mobile communications, additional constraints exist under which this verification work is performed. These constraints make verification more difficult when compared to non-mobile contexts. Mobile devices may have limited capacity for computation and mobile communication links may have limited bandwidth. In this paper, we propose to apply PKI servers—such as implemented at FhG-SIT—that allow the delegation of certificate path validation in order to speed up verification. Furthermore, we propose a special structure for PKI components and specific cooperation models that force certificate paths to be short, i.e., the lenghts of certificate paths are upper-bounded to certain small values depending on the conditions of specific cases. Additionally, we deal with the problem of users who do not have Internet access during the authentication phase. We explain how we solved this problem and show a gap in existing standards. 相似文献
6.
7.
CA(certificate authority)是PKI中的重要组成部分,负责签发可以识别用户身份的数字证书.CA的私有密钥一旦泄露,它所签发的所有证书将全部作废.因此,保护CA私钥的安全性是整个PKI安全的核心.本文介绍的CA私钥安全管理方案主要基于门限密码技术.通过将不同的密钥份额分布在不同部件上、任何部件都无法重构私钥,来确保在密钥产生、分发及使用过程中,即使部分系统部件受到攻击或系统管理人员背叛,也不会泄漏CA的私钥,CA仍可以正常工作. 相似文献
8.
在PKI技术规范发展的过程中目前形成两种证书机制:单证书机制和双证书机制[1]。近年来,在欧洲等国家又掀起多证书协议的研究[2],但尚不成熟。单证书是目前广泛存在和应用的证书机制,但用证书的加密和签名在PKI中是两种应用,因为,在SSL协议的应用中都采用双证书机制。为此,论文重点讨论了双证书机制的实现与应用,以及它对SSL/TLS通信协议进行的安全性改进,如改进了TLS的访问控制、增加抵抗DoS攻击特性等相关研究。 相似文献
9.
在PKI系统中,机构证书的安全性在整个PKI系统中处于非常重要的地位。当机构证书到期、密钥泄漏时,应及时撤销机构证书并进行更新,避免机构证书的错误使用而影响整个PKI系统的安全性。文中根据现有PKI规范及现状,分析了基于分层认证模型的机构证书更新机制,并对机构证书更新提出了一种新的实现方案。 相似文献
10.
X.509 V3证书格式及语义 总被引:2,自引:0,他引:2
随着电子商务的广泛应用,公开密钥基础设施(PKI)建设和公开密钥密码学成为研究的热点,描述了公钥证书系统中,X.509V3版证书的结构及其语义,特别是对证书的扩展域的各个字段作了重点的分析,最后还对其它分钥证书结构作了简单的介绍。 相似文献
11.
The issue of certificate revocation in mobile ad hoc networks (MANETs) where there are no on-line access to trusted authorities, is a challenging problem. In wired network environments, when certificates are to be revoked, certificate authorities (CAs) add the information regarding the certificates in question to certificate revocation lists (CRLs) and post the CRLs on accessible repositories or distribute them to relevant entities. In purely ad hoc networks, there are typically no access to centralized repositories or trusted authorities; therefore the conventional method of certificate revocation is not applicable.In this paper, we present a decentralized certificate revocation scheme that allows the nodes within a MANET to revoke the certificates of malicious entities. The scheme is fully contained and it does not rely on inputs from centralized or external entities. 相似文献
12.
分析了PKI签发机制相关标准存在的一致性问题,设计和实现了基于信息安全关键标准验证平台的仿真程序模块,并对证书格式、证书编码和证书更新时的有效性开展了标准一致性仿真验证。 相似文献
13.
PKI-X.509公钥证书及其CA的研究进展 总被引:2,自引:0,他引:2
CA及公钥证书是目前Internet上各类安全应用系统的主要密钥管理方式。本文首先描述了用于在Internet分布式网络环境下管理公钥的PKIX.509证书管理模型及其研究进展,全面分析了构造PKI的主要协议,X.500目录协议和X.509基于证书的认证协议,并对证书存取协议及其最新发展进行了描述。 相似文献
14.
15.
16.
PKI的根CA证书的有效性和完整性是整个系统的基石,为了保证其有效性和完整性,根CA证书必须与其他证书一样,定期进行更新。根CA证书的有效期一般为10至15年,今后的2至3年时间将是根CA证书更新的第一个高峰。论文提出一种高效的证书更新的实现方法,基于X509v3证书扩展属性及LDAPv3目录服务器实现根证书的更新及验证,解决了现行方法中依靠系统更新以及用户误信假根证书的问题。 相似文献
17.
一种基于属性证书和角色的访问控制模型 总被引:3,自引:2,他引:3
基于角色的访问控制是安全系统中保护资源的有效手段之一.基于对面向对象RBAC模型的分析,引入PMI属性证书,提出一种面向对象的访问控制模型AC-ORBAC,给出形式化描述,该模型通过属性证书实现角色授权访问控制,使访问控制的管理更为灵活,对职责分离进行了讨论.同时结合PKI实现了一种面向对象的基于角色和属性证书的访问控制方法. 相似文献
18.
身份认证是P2P(peertopeer)网络安全的重要组成部分,但传统的PKI(金钥基础设施)认证方式因为具有静态的集中化控制和固定的证书内容等特点,不能很好地满足P2P网络安全认证的需要,且在公钥的分发过程中容易遭受中间人攻击。为此,提出了一种新型的公钥管理架构和身份认证方案,每个节点可以自己产生并分发公私钥,认证服务器仅在节点加入网络时参与完成公钥的分发。超级节点负责管理本组内全部节点的公钥,节点在相互认证时无需认证服务器的参与,仅通过超级节点来完成。分析结果表明,这种认证方案可以有效地抵抗中间人攻击,在保持高效率的基础上又保证了认证的安全性。 相似文献
19.
Certificate revocation and certificate update 总被引:7,自引:0,他引:7
We present a solution for the problem of certificate revocation. This solution represents certificate revocation lists by authenticated dictionaries that support: (1) efficient verification whether a certificate is in the list or not and (2) efficient updates (adding/removing certificates from the list). The suggested solution gains in scalability, communication costs, robustness to parameter changes, and update rate. Comparisons to the following solutions (and variants) are included: “traditional” certificate revocation lists (CRLs), Micali's (see Tech. Memo MIT/LCS/TM-542b, 1996) certificate revocation system (CRS), and Kocher's (see Financial Cryptography-FC'98 Lecture Notes in Computer Science. Berlin: Springer-Verlag, 1998, vol.1465, p.172-7) certificate revocation trees (CRT). We also consider a scenario in which certificates are not revoked, but frequently issued for short-term periods. Based on the authenticated dictionary scheme, a certificate update scheme is presented in which all certificates are updated by a common message. The suggested solutions for certificate revocation and certificate update problems are better than current solutions with respect to communication costs, update rate, and robustness to changes in parameters, and are compatible, e.g., with X.500 certificates 相似文献
20.
Bourka A. Polemi D. Koutsouris D. 《IEEE transactions on information technology in biomedicine》2003,7(4):364-377
One of the main problems in public key infrastructures (PKI) is currently the lack of interoperability at international level, which is greatly dependent on the automation of the cross-certification procedure using certificate policies (CP). This paper addresses the aforementioned need by presenting a method for the automated development and comparison of CPs, with main emphasis on healthcare environments. The basic elements of this method include standardization of the CP content for healthcare, a prototype decision-making algorithm for CPs comparison, representation of CPs in extensible markup language, as well as a JAVA-based CP comparison tool. The final aim of the paper is to contribute toward the technical implementation of an on-line automated cross-certification service, yielding PKI interoperability and promoting information exchange between healthcare establishments. 相似文献