CN102263787B - Dynamic distributed certification authority (CA) configuration method - Google Patents


Publication number: CN102263787B
Authority: CN (China)
Prior art keywords: node, certificate, manager, network, nodes
Legal status: Active (as listed by Google Patents; an assumption, not a legal conclusion)
Application number: CN201110191949.0A
Other languages: Chinese (zh)
Other versions: CN102263787A (en)
Inventors: 任方, 马建峰, 曾勇, 钟焰涛, 郝选文, 刘小跃
Current Assignee: Xidian University
Original Assignee: Xidian University
Application filed by: Xidian University
Priority to: CN201110191949.0A
Publications: CN102263787A (application), CN102263787B (granted)

Abstract

The invention belongs to the field of network information security and provides a dynamic distributed certification authority (CA) configuration method. The manager nodes that hold the CA private key are selected dynamically by all network nodes while the network is running. The basic method is as follows: every node in the network is given a credit value; the network always selects the n nodes with the highest credit values as the managers of the CA private key; while the network runs, adjacent nodes supervise each other's behavior; when a node is found to behave abnormally, an accusation (charge) message is published to the network; when the accusation is confirmed to be valid, the credit value of the accused node is decreased; and when the set of manager nodes changes, the sub-keys must be updated to guarantee security. Because the identity of the managers is obscured and dynamic, it is opaque to attackers outside the network, which increases security. The method can be used in a distributed network as a basic security policy.

Description

Dynamic distributed CA configuration method
Technical field
The invention belongs to the field of information security and specifically relates to a dynamic distributed CA configuration method, which can be used in distributed networks as a basic security policy.
Background art
In the field of information security, public key infrastructure (PKI) based on user public key certificates has important applications. In a PKI system, a user's public key certificate identifies the binding between the user's identity and the public key the user uses. The certificate takes effect once it is signed by the certification authority (CA), and the validity of a user's public key certificate can be verified with the CA's public key.
The X.509 standard proposed by ITU-T, the Telecommunication Standardization Sector of the International Telecommunication Union, stipulates that a complete PKI system should consist of a CA, a certificate repository, a key backup and recovery system, a certificate revocation system and application interfaces. Its main functions include signing, storing, updating, revoking and verifying certificates. The most important component of the system, which implements management functions such as certificate signing, updating and revocation, is the CA.
When the system is small, one CA can sign, update and revoke user certificates; this is the simplest model, the single CA. Users under the single-CA model can directly verify each other's public key certificates with the common CA public key. When the system is large or its users are distributed across different regions, multiple CAs are needed to manage certificates, and the most mature such arrangement is the hierarchical tree CA model.
In the hierarchical tree CA structure, multiple CAs and the users together form a tree. The root CA is the highest trusted party in the system, and all users trust the root CA. The root CA does not issue public key certificates to users directly but to several first-level sub-CAs; each first-level sub-CA issues public key certificates to several second-level sub-CAs of its own, and so on, and the bottom-level CAs issue public key certificates directly to the users, which are the leaf nodes.
In the hierarchical CA structure, user certificates are managed directly by the bottom-level CAs, while verifying a certificate requires establishing a chain of trust between the two parties. Users whose certificates were issued by the same bottom-level CA can verify each other's certificates directly. Users whose certificates were issued by different bottom-level CAs must trace upward to a common CA, then verify in turn the validity of the certificates of all CAs on the chain from the user to that CA and on to the other user, and finally verify the validity of the user's public key certificate.
For a distributed network without a central node, neither the single nor the hierarchical CA model is applicable. Nodes in a distributed network are peers, and no suitably secure node can be found to act as the system CA. In security research on some distributed networks, such as mobile ad hoc networks, the relatively mature public key infrastructure is the distributed CA model based on a threshold scheme.
In the threshold distributed CA model, the functions of the system CA are no longer performed by one or a few nodes independently but by several nodes in cooperation. Under the (k, n) threshold CA model, the system selects n managers and, by threshold secret sharing, divides the CA private key into n sub-keys, which are handed to the managers for separate safekeeping. Only when at least k managers cooperate can the CA private key be recovered to issue and update certificates for ordinary nodes.
For networks with high security requirements, a single CA or hierarchical CA poses a serious security risk: once an attacker compromises a CA node, the attacker obtains that CA's private key and can issue certificates to illegitimate nodes or refuse certificate updates to legitimate nodes in that CA's service domain, which causes the PKI system to collapse. A distributed CA resists this class of attack to a certain extent: the attacker obtains the CA private key only by compromising at least k managers, and as long as k uncompromised managers that faithfully follow the protocol remain in the system, certificate services continue.
The managers in the distributed CA model are selected at system initialization, and their identities are public to all users and therefore equally public to attackers. An attacker can thus single out the manager nodes as targets, and if the attacker is capable enough, the system is still insecure.
For networks that are easily attacked, such as wireless networks in insecure environments and networks with high security requirements such as military networks, the attacker must be assumed to be sufficiently capable, so the security of the CA needs to be improved further.
A search of related domestic and foreign patents was carried out for the present invention and returned 6 patents in total. Two patent databases were used: the China Patent Information Network and the European Patent Office.
Patents from 1985 to 2010 were searched on the China Patent Information Network, with the following results:
A search with the keywords "certificate AND distributed" returned 2 related patents.
Patent application 200510084151, "a kind of distributed identity-card signature method", is a static distributed certificate issuance method: the manager nodes that hold the CA private key are fixed, so its security is poor.
Patent application 200410015996, "distributed certificate verification method", provides a method of applying distributed certificates; it focuses on the concrete application and still uses a static distributed certificate issuance method.
A search with the keywords "certificate AND dynamic" returned 1 related patent.
Patent application 03129281, "dynamic password authentication method of realizing based on digital certificate", is a dynamic password authentication method based on digital certificates and is entirely different from the subject of this work.
The European Patent Office search results are as follows:
A search with the keywords "Distributed AND certificate management" returned 3 related patents.
The patent "Distributed management of a certificate revocation list" is an invention about a certificate revocation scheme and is unrelated to this work.
The patent "Method and system for distributed certificate management in ad-hoc networks" concerns a specific implementation of certificate management in ad hoc networks, and its focus differs from that of this work.
The patent "Method for distributed management of certificate revocation list" is an invention about a certificate revocation scheme and is unrelated to this work.
Summary of the invention
To overcome the security shortcomings of existing CA models, the invention provides a dynamic distributed CA configuration model in which the CA sub-key manager nodes are opaque to parties outside the network, so that an attacker cannot locate the manager nodes. This strengthens the ability of the PKI system in a distributed network to resist attack.
The technical solution adopted by the invention comprises the following steps:
(1) All nodes set up a certificate status table and a credit value table locally. The network system administrator determines the threshold manager nodes, divides the CA private key into n sub-keys, and distributes one sub-key to each threshold manager node;
(2) All nodes supervise the behavior of their neighbor nodes and, as soon as an abnormality is found, initiate an accusation (charge) against the node concerned; all nodes regularly monitor the accusation messages that appear in the network;
(3) A node that receives an accusation message processes it: it stores the accusation in its local certificate status table, calculates the credit values of the node that sent the accusation and of the accused node, and stores them in the credit value table. Credit values are taken from an ordered number set and are arranged in the credit value table from high to low;
(4) Each node determines from its locally stored credit value table whether the credit value ranking of the nodes has changed; if not, go to step (2), otherwise continue with the following steps;
(5) Each node re-sorts its locally stored credit value table and selects the nodes ranked in the top n of the table as the new manager nodes, replacing the original manager nodes;
(6) The manager nodes determine whether the set of manager nodes has changed; if not, go to step (2), otherwise go to step (7);
(7) The manager nodes update the CA sub-keys, which invalidates the original sub-keys, and distribute new sub-keys to the newly joined manager nodes.
The steps above form one processing cycle of the method. After they complete, the method returns to step (2) and continues monitoring. It runs alongside the network and uses the dynamic change of sub-key managers to resist active attackers' attacks on the CA private key.
The method hands the CA private key to n manager nodes for safekeeping by threshold secret sharing, and the manager nodes are selected dynamically by all nodes of the network themselves according to the nodes' credit values. Because the network nodes change the manager nodes dynamically from within, the manager nodes are known to nodes inside the network but unknown to attackers outside it.
The invention is further realized as follows: accusation messages are initiated by nodes on the basis of an intrusion detection mechanism deployed in the network in advance. Neighboring nodes supervise each other's behavior; a node that is attacked, launches an attack or shows other abnormal behavior is defined as an abnormal node, and the neighbor nodes around it that perceive this initiate an accusation against it. Accusation messages are broadcast to the whole network so that all nodes receive them.
The invention is further realized as follows: the ordered number set is the real numbers between 0 and 1. The initial credit values of all nodes are assigned at network initialization, and during network operation a node's credit value changes according to the accusation messages between nodes.
The invention is further realized as follows: the certificate status table contains the validity flag of every node's certificate and all valid accusation messages, and the credit value table contains the current credit value of every node.
The invention is further realized as follows: the credit value of a node that sends an accusation message is calculated according to the formula
Figure BSA00000534443500041
where N is the number of network nodes and β_i is the total number of nodes accused by this node. The credit value of the node accused in the accusation message is calculated according to the formula
Figure BSA00000534443500042
where α_i is the total number of nodes that accuse this node.
The invention is further realized as follows: when an ordinary node needs to update its certificate, the steps are:
6.1 The ordinary node determines the current manager nodes from its locally stored credit value table and selects at least k manager nodes;
6.2 The ordinary node sends a certificate update request to the selected manager nodes;
6.3 The manager nodes verify the identity of the requesting node;
6.4 The manager nodes generate a new public key certificate for the requesting node;
6.5 The manager nodes each produce a partial signature on the new public key certificate;
6.6 The manager nodes send the new public key certificate and the partial signatures to the requesting node;
6.7 The requesting node combines the k partial signatures it receives into a complete certificate signature;
6.8 The requesting node verifies the validity of the certificate signature; if it is not valid, the node selects k manager nodes again and re-initiates the certificate update request.
The invention is further realized as follows: a revocation threshold is set in advance. When a node's credit value, changing with the accusation messages, falls below the revocation threshold, the node's certificate is revoked and the node's status bit in the certificate status table is set to revoked.
Compared with the prior art, the invention has the following advantages:
1) Because the invention assigns each node a credit value and dynamically keeps the credit value table sorted from high to low while the network runs, the manager nodes are always the n nodes with the highest credit values. They are therefore opaque to attackers outside the network, who cannot locate the manager nodes, which greatly improves the security of the network;
2) When the manager nodes change, the sub-keys held by nodes that have been stripped of manager status become invalid, which guarantees security;
3) When the manager nodes change, a new manager node can securely obtain a sub-key of the CA private key.
Brief description of the drawings
Fig. 1 is an implementation diagram of the dynamic distributed CA configuration of the invention;
Fig. 2 is a flow chart of how a node of the invention processes an accusation message;
Fig. 3 is a flow chart of how the manager nodes of the invention update sub-keys;
Fig. 4 is a flow chart of how an ordinary node of the invention updates its public key certificate.
Embodiment
Embodiment 1
The invention is a dynamic distributed CA configuration method. Its implementation is described with reference to Fig. 1 as follows:
(1) At network initialization the system administrator selects an initial credit value for each node, taken from the interval [0, 1]. The system administrator is the user or program that creates the network or holds the highest authority in it. The system administrator selects the n nodes with the highest credit values as the threshold manager nodes, uses the (k, n) threshold method to divide the single CA private key into n sub-keys, and distributes one sub-key to each threshold manager node. Each node sets up a certificate status table and a credit value table locally: the certificate status table contains the current validity flags of all nodes and the accusation messages raised during network operation, and the credit value table contains the credit values of all nodes, arranged from high to low;
(2) A mature intrusion detection mechanism is deployed in the network, which specifies what counts as abnormal node behavior. During network operation, all nodes supervise the behavior of their neighbor nodes according to this mechanism. As soon as node a finds that node b is abnormal, a generates an accusation message against b that contains the IDs of a and b, the reason for the accusation, and the public key certificates of a and b. Node a signs the accusation message with its own private key and broadcasts it to the whole network; the broadcast may use flooding or any other effective broadcast method;
(3) When node c receives from a an accusation message against node b, c first verifies with a's public key whether the message is valid. If it is invalid, c discards it. If it is valid, c stores the accusation in its certificate status table, calculates the new credit values of a and b, and stores them in its credit value table. This may trigger certificate revocation; the detailed flow is shown in Fig. 2;
(4) After executing step (3), every node that received the accusation message determines from its locally stored credit value table whether the credit value ranking of the nodes has changed; if not, it goes to step (2) and continues supervising, otherwise it continues with the following steps;
(5) Because credit values have changed, every node re-sorts its locally stored credit value table, using a sorting algorithm to arrange the credit values from high to low, and selects the nodes ranked in the top n as the manager nodes. Ordinary nodes submit their requests to these manager nodes when updating certificates;
(6) The manager nodes determine whether the set of manager nodes has changed, that is, whether the n nodes currently ranked highest by credit value have changed; if not, go to step (2), otherwise go to step (7);
(7) When the n top-ranked nodes have changed, the manager nodes whose status has not changed run the sub-key update algorithm among themselves: the former sub-keys are revoked and each node recalculates its own sub-key. They then calculate sub-keys for the newly joined manager nodes and send them to those nodes; details are shown in Fig. 3. When this is finished, the method returns to step (2) and continues monitoring.
Following the steps above, the manager nodes change dynamically and are opaque to external attackers, so external attacks can be resisted effectively.
Embodiment 2
The dynamic distributed CA configuration method is the same as in Embodiment 1. The flow by which a node processes an accusation message is described below with reference to Fig. 2.
Step 1: node c monitors the accusation messages broadcast in the network. Once it receives an accusation message sent by node a against node b, it carries out the following steps;
Step 2: after receiving the accusation message, which contains node a's public key certificate, node c uses the system public key to verify the signature on node a's public key certificate and so determine whether the certificate is valid. If it is valid, go to step 3; otherwise discard the message;
In step 2, node a's public key certificate may come from the accusation message or be obtained in another way, such as by querying the certificate repository. A certificate is valid when it has not been revoked and has not passed its validity period.
Step 3: node c extracts node a's public key from node a's public key certificate and verifies the signature on the accusation message to determine whether the message is valid. If it is valid, go to step 4; otherwise discard the message;
Step 4: according to the result of step 3, the received accusation message is recorded in the node's certificate status table, and the new credit values of node a and node b are calculated on that basis. Let ω_a and ω_b denote the credit values of node a and node b respectively. The calculation formulas are as follows, where N is the number of network nodes and β_a is the total number of nodes accused by node a;
Figure BSA00000534443500072
where α_b is the total number of nodes that accuse node b.
Step 5: according to the credit values calculated for node a and node b in step 4, determine whether the credit value of node a or node b is below the revocation threshold. If so, go to step 6; otherwise end processing.
Step 6: in the node status table, change to revoked the certificate status of node a or node b whose credit value is below the revocation threshold, and end processing.
Steps 4 to 6 of this accusation-processing procedure constitute a distributed certificate revocation method.
Embodiment 3
The dynamic distributed CA configuration method is the same as in Embodiment 1. The flow by which managers update sub-keys is described below with reference to Fig. 3.
Manager nodes use different sub-key update algorithms depending on the cryptographic algorithm adopted by the network. Fig. 3 illustrates the sub-key update flow using the RSA algorithm as an example, where the CA private key is handed to the manager nodes for safekeeping in the (k, n) threshold manner and the concrete implementation uses polynomial Lagrange interpolation.
When the CA's sub-key manager nodes change, some nodes leave the ranks of managers; let A denote this set of nodes. Some nodes become new manager nodes; let C denote this set. The remaining manager nodes, which are unchanged, are denoted by B.
First, to ensure that the sub-keys held by the nodes in A become invalid, the nodes in B update their sub-keys:
Step 1: each node v_i in B generates a temporary polynomial f_i(x), calculates the polynomial value f_i(ID_j) with the ID ID_j of every other node v_j in B as the variable value, and sends it to node v_j;
Step 2: after receiving the temporary polynomial values sent by the other nodes, each node v_j in B calculates its new sub-key value according to the formula
Figure BSA00000534443500081
where d_j is the original sub-key. The former sub-keys held by the nodes in A are thereby invalidated.
A node v_i in C needs to apply for a new sub-key:
Step 3: node v_i selects at least k nodes in B to form a subset T;
Step 4: node v_i sends a sub-key request to the nodes in T;
Step 5: a node v_j in T that receives the request uses its locally stored credit value table to confirm that v_i is a legitimate new manager node ranked in the top n by credit value, and then generates a partial value of the sub-key for the applicant according to the formula u_{j,i} = d_j · l_j(ID_i), where d_j is the sub-key held by node v_j and l_j(x) is the Lagrange coefficient;
Step 6: the nodes in T send the partial sub-key values generated in step 5 back to node v_i;
Step 7: node v_i collects the partial sub-key values sent back by the nodes in T and, after obtaining k legitimate partial values, uses the formula
Figure BSA00000534443500082
to calculate its own sub-key.
Steps 1 and 2 may be completed at any time before step 5.
The sub-key update process does not require the nodes in A to participate.
Embodiment 4
The dynamic distributed CA configuration method is the same as in Embodiments 1-3. During network operation a node v normally updates its public key certificate periodically, or updates it on an ad hoc basis because its private key has leaked. Under the traditional single-CA model the node only needs to submit a certificate update request to the CA and have the original certificate revoked. Because the invention uses a dynamic distributed CA, the flow when an ordinary node v needs to update its certificate differs from the traditional model, and the certificate update and revocation methods must be redesigned accordingly. With reference to Fig. 4, let A denote the current set of manager nodes; node v updates its certificate as follows:
6.1 Node v determines the current n manager nodes from its locally stored credit value table and selects at least k manager nodes to form a set B;
6.2 Node v sends a certificate update request to all manager nodes in set B. The request contains v's original public key certificate CERT1 and the new public key PK2, and is signed with v's original private key SK1;
6.3 After receiving the request, the manager nodes in set B extract v's original public key PK1 from v's public key certificate and use it to verify the validity of the request;
6.4 After the validity check succeeds, the manager nodes in set B generate a new public key certificate CERT2 for node v, in which v's public key is set to the new public key PK2, and set the certificate's validity period as part of the certificate;
6.5 The manager nodes in set B each produce a partial signature on the new public key certificate;
6.6 The manager nodes in set B encrypt the new public key certificate and the partial signature with v's new public key PK2 and send them to node v;
6.7 After receiving the data from k manager nodes, node v decrypts it with its own new private key SK2 and combines the k partial signatures into a complete certificate signature;
6.8 Node v verifies the validity of the certificate signature with the system public key. If it is not valid, node v selects k manager nodes again as a new set B and re-initiates the certificate update request.
The distributed certificate revocation method is the same as steps 4 to 6 of Embodiment 2.
Embodiment 5
The dynamic distributed CA configuration method is the same as in Embodiments 1-3. The security of the invention relative to the conventional method is analyzed in terms of the probability that an attacker captures the CA private key.
Suppose the probability that the attacker compromises a node is p. For the traditional (k, n) threshold distributed CA configuration method, the probability that the attacker compromises k manager nodes and obtains the CA private key is p^k. For the dynamic distributed CA configuration method proposed by the invention, the probability that the attacker compromises k manager nodes and obtains the CA private key is
Figure BSA00000534443500091
where N is the total number of network nodes. In a typical network N is far larger than n, so this probability is far smaller than p^k. The security of the CA private key in this method is therefore far higher than in the conventional method. The invention's resistance to attackers outside the network is thus much better than that of the traditional distributed CA configuration method.
The core idea of the invention is to introduce a credit value for each node and to determine a node's role by the level of its credit value. A node's initial credit value is assigned at network initialization.
The distributed CA of the invention uses a (k, n) threshold scheme in which the manager nodes that keep the CA private key are selected dynamically by all nodes themselves as the network runs. The network always selects the n nodes ranked highest by credit value as the sub-key managers of the CA private key. During network operation, nodes supervise the behavior of their neighbor nodes according to the intrusion detection mechanism deployed in advance and, on finding an abnormal node, publish an accusation message against it to the whole network. Once an accusation message is confirmed to be valid, the credit value of the accused node declines. When the nodes ranked in the top n change, the sub-keys held by the manager nodes must be updated to guarantee the security of the network. By making the identity of the managers obscure and dynamic, the invention is opaque to attackers outside the network, increases security, and can be used in distributed networks as a basic security policy.

Claims (7)

1. A dynamic distributed CA configuration method, characterized by comprising the following steps:
(1) all nodes in the network establish a certificate status table and a credit value table locally; the network system administrator determines the threshold manager nodes, divides the CA private key into n sub-keys, and distributes one sub-key to each threshold manager node;
(2) all nodes in the network monitor the behavior of their neighbor nodes and, once an abnormality occurs, initiate a charge against the node concerned; all nodes periodically monitor the charge information appearing in the network;
(3) a node that receives charge information processes it: it stores the charge information in its local certificate status table, calculates the credit value of the node that sent the charge information and of the accused node respectively, and stores them in the credit value table; the credit value takes its value from an ordered number set, and the credit value table is arranged in order from high to low;
(4) all nodes of the network determine, from the locally stored credit value table, whether the credit value ranking of the nodes has changed; if it has not changed, go to step (2), otherwise continue with the following steps;
(5) all nodes of the network re-sort their locally stored credit value table and select the nodes ranked in the top n positions of the table as the new manager nodes, replacing the original manager nodes;
(6) the manager nodes determine whether the set of manager nodes has changed; if it has not changed, go to step (2), otherwise execute step (7);
(7) the manager nodes update the sub-keys of the CA and distribute new sub-keys to the newly added manager nodes.
2. The dynamic distributed CA configuration method according to claim 1, characterized in that: the charge information of step (2) is initiated by nodes; neighbor nodes in the network monitor one another's behavior according to a pre-arranged intrusion detection mechanism; a node that is attacked, launches an attack, or exhibits other abnormal behavior is defined as an abnormal node, and the surrounding neighbor nodes that perceive the abnormal node initiate a charge against it.
3. The dynamic distributed CA configuration method according to claim 1, characterized in that: the ordered number set of step (3) is the real numbers between 0 and 1; the initial credit value of every node is assigned at network initialization, and during network operation the credit value of a node changes according to the charge information exchanged between nodes.
4. The dynamic distributed CA configuration method according to claim 1, characterized in that: the certificate status table contains the validity flag bits of all node certificates and all valid charge information, and the credit value table contains the current credit values of all nodes.
5. The dynamic distributed CA configuration method according to claim 1, characterized in that: the credit value of the node that sends the charge information in step (3) is calculated according to the formula, where N is the number of network nodes and β_i is the total number of nodes charged by this node; the credit value of the node accused by the charge information is calculated according to the formula
Figure FSA00000534443400022
where α_i is the total number of nodes that have charged this node.
6. The dynamic distributed CA configuration method according to claim 1, 2, 3, 4 or 5, characterized in that: when an ordinary node needs to update its certificate, the steps are as follows:
6.1 the ordinary node determines the current manager nodes from its locally stored credit value table and selects at least k manager nodes;
6.2 the ordinary node initiates a certificate update application to the selected manager nodes;
6.3 the manager nodes verify the identity of the applying node;
6.4 the manager nodes generate a new public key certificate for the applying node;
6.5 the manager nodes produce partial signatures on the new public key certificate;
6.6 the manager nodes send the new public key certificate and the partial signatures to the applying node;
6.7 the applying node combines the k received partial signatures into a complete certificate signature;
6.8 the applying node verifies the validity of the certificate signature; if the signature is not valid, it reselects k manager nodes and initiates the certificate update application again.
7. The dynamic distributed CA configuration method according to claim 1, 2, 3, 4 or 5, characterized in that: a revocation threshold is set in advance; when the credit value of a node changes with the charge information and falls below the revocation threshold, the certificate of that node is revoked, and the status bit of that node in the certificate status table is set to revoked.
CN201110191949.0A 2011-07-08 2011-07-08 Dynamic distributed certification authority (CA) configuration method Active CN102263787B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201110191949.0A CN102263787B (en) 2011-07-08 2011-07-08 Dynamic distributed certification authority (CA) configuration method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201110191949.0A CN102263787B (en) 2011-07-08 2011-07-08 Dynamic distributed certification authority (CA) configuration method

Publications (2)

Publication Number Publication Date
CN102263787A CN102263787A (en) 2011-11-30
CN102263787B true CN102263787B (en) 2014-04-16

Family

ID=45010241

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201110191949.0A Active CN102263787B (en) 2011-07-08 2011-07-08 Dynamic distributed certification authority (CA) configuration method

Country Status (1)

Country Link
CN (1) CN102263787B (en)

Families Citing this family (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102571794B (en) * 2012-01-10 2015-07-22 北京邮电大学 Method for selecting certificate storage nodes and network node
GB201405705D0 (en) * 2014-03-31 2014-05-14 Irdeto Bv Secured printed electronics device
CN104159216B (en) * 2014-07-21 2017-07-07 山东大学 A kind of distributed certificate cancelling method under Ad Hoc networks environment
CN105846997A (en) * 2016-03-24 2016-08-10 张玉臣 Cooperative secret key revocation method based on arbitration
CN106888087B (en) * 2017-03-15 2018-09-04 腾讯科技(深圳)有限公司 A kind of method and apparatus of management certificate
CN107332858B (en) * 2017-08-07 2020-08-28 深圳格隆汇信息科技有限公司 Cloud data storage method
CN108881471B (en) * 2018-07-09 2020-09-11 北京信息科技大学 Union-based whole-network unified trust anchor system and construction method
TWI752747B (en) * 2020-12-01 2022-01-11 洪啓淵 Multimedia and complete file parallel transmission method

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1897518A (en) * 2005-07-14 2007-01-17 华为技术有限公司 Distributed identity-card signature method
CN101222331A (en) * 2007-01-09 2008-07-16 华为技术有限公司 Authentication server, method and system for bidirectional authentication in mesh network

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8214884B2 (en) * 2003-06-27 2012-07-03 Attachmate Corporation Computer-based dynamic secure non-cached delivery of security credentials such as digitally signed certificates or keys


Also Published As

Publication number Publication date
CN102263787A (en) 2011-11-30


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant