CN103973452A - PKI trust model construction method based on modified resource locating model CAN - Google Patents

Abstract

A PKI trust model construction method based on a modified resource locating model CAN comprises the following steps that (1) nodes are divided into groups according to physical locations of the nodes, wherein the nodes with adjacent physical locations are divided into the same group; (2) according to the searched-for frequency of the nodes, the nodes are divided into different hot levels, and the nodes with adjacent physical locations are further grouped according to the hot levels; (3) resource locating is carried out in combination with a minimum-cost path; (4) a certificate path construction algorithm is obtained according to the groups of the nodes and the minimum-cost path, so that a digital certificate path is constructed rapidly and safely. According to the PKI trust model construction method based on the modified resource locating model CAN, interconnection and interworking between different types of PKI architectures can be realized, and the digital certificate path can be constructed rapidly and safely.

Description

A PKI trust model construction method based on the improved resource location model CAN

technical field

The patent of the present invention belongs to the field of information security technology, and particularly relates to digital certificate encryption technology.

Background technique

With the continuous development of network and e-commerce, security certification becomes more and more important. Now the public key infrastructure PKI (Public Key Infrastructure) system based on X.509 digital certificate is gradually becoming the mainstream of the network identity authentication and authorization system. In the X.509 certification system, the certification authority CA, as a trusted third party, issues digital certificates for entities. The two parties in the communication obtain the other party's digital certificate and use the CA's public key to verify the correctness of the digital certificate, so as to know which specific entity the public key in the digital certificate corresponds to, and then determine whether the other party holds the private key corresponding to the public key in the digital certificate , so as to complete the identity authentication of the entity.

To verify the authenticity of the certificates of both communicating parties in the PKI trust model, it is first necessary to construct a certificate trust path for both communicating parties. The trust path means that when an entity needs to confirm the identity of another entity, it must first determine the object it trusts (trust anchor), and then the trust anchor finds out a certificate that reaches the root CA of the confirmed entity. The path composed of these certificates is called for the trust path. Judge whether the other party is credible through the constructed trust path. The trust model describes the rules of how to establish and find certification paths between different certification authorities.

As a mature solution for information security protection, PKI has been widely used in some industries and places due to its unique advantages. Because these applications are used independently to protect the information security of these industries and places to a certain extent, and with the continuous development of informatization and the increasing demand for information sharing, these independent PKI systems have gradually become only An isolated island of trust in its own system, which also makes the contradiction between PKI interoperability and the increasing demand for information resource sharing increasingly prominent, thus hindering the application range of PKI. The main reason why various PKI systems cannot be interconnected is that interactive authentication cannot be performed between PKIs, and the trust model of PKI plays an important role in realizing interactive authentication between PKIs. Therefore, it is of great significance to study a trust model that can adapt to the interaction between various PKI systems to promote the development of PKI.

Therefore, the construction of PKI trust model is an important research content and research hotspot in the field of information security, which has great scientific significance and application prospects. Therefore, a large number of scholars and research institutions at home and abroad have done a lot of research on the PKI trust model. The main research methods and current status of the industry are as follows:

(1) In order to solve the interoperability problem, some scholars and researchers have established different PKI trust models and certificate path construction methods to solve the PKI interoperability problem. Among them, the more representative research in foreign countries is that Cooper and others divide the certificate path structure into forward structure and reverse structure. The main idea is: according to the direction of the certificate structure path, it is divided into two types of certificate paths: forward and reverse Construction algorithm. The forward certificate path construction starts from the destination CA node, and compares and searches the attributes of the issuer of the certificate along the construction direction until the issuer of the certificate is found to be a trusted entity, then the generated path is the trust of the certificate path. The reverse certificate path construction method is to start from the trusted entity according to the extended attributes of the digital certificate defined in the X.509 standard, and search for the IssuedByThisCA attribute of the cross-certificate along the reverse direction. (2) In China, Wang Shangping, Wang Yumin and others proposed the method of storing certificates through the certificate path table to construct the certificate path by introducing the certificate path table, and at the same time gave the verification algorithm of the certificate path. Its main idea is: according to the breadth-first search algorithm of the graph, search the cascaded nodes from the initiator of the authentication, then store the adjacent nodes in the next row in the path table, and then turn to the next row to put the row in the next row. Delete the terminal node, and delete the node of the deleted child node in the previous row. In this row, the nodes that have not been deleted are cascaded according to the breadth-first search algorithm of the graph, and then the searched cascades are connected Save the points in the next line, repeat the above operations until the target node is found, and finally arrange the remaining nodes in the certificate path table according to the row order of the table to obtain the final certificate path. (3) Some scholars have done a lot of research in order to improve the efficiency of certificate path construction under the complex PKI architecture and have drawn some conclusions: Elley et al. obtained after comparing and analyzing the advantages and disadvantages of forward path construction and reverse path construction He came to the conclusion that the reverse certificate path construction is better; Lloyd proposed how to construct the certificate path more efficiently, and pointed out in his article that the forward certificate path construction scheme for the strict hierarchical trust model is more suitable, and for distributed trust The reverse certificate path construction scheme of the model is more suitable; Russd et al. analyzed the construction and verification performance of the longer certificate path in the PKI cross-certification system, and concluded that in order to avoid repeated certificate path construction and verification, virtual certificates and synthetic certificates can be used conclusion.

The above methods have their own advantages and disadvantages, and can improve the construction efficiency of the certificate path to a certain extent. Different path construction schemes also show different characteristics under different trust models, and we cannot talk about certificates without the PKI trust model. Therefore, for the current rapid expansion of PKI, the PKI system structure is more heterogeneous, and how to better intercommunicate between various PKI systems and quickly build certificate paths is particularly important.

Therefore, the industry has expectations for a method that can realize the interconnection of different PKI architectures and can quickly and safely build a digital certificate path.

Contents of the invention

The purpose of the present invention is to propose a PKI trust model construction method based on the improved resource location model CAN (content addressable network, content addressable network), to realize the interconnection and intercommunication of different PKI architectures and to build a digital certificate path quickly and safely.

In order to achieve the above object, the present invention provides a PKI trust model construction method based on the improved resource location model CAN. The method puts the CA groups of different trust domains in the virtual coordinate domain, and uses the minimum cost path algorithm to construct the security path of the digital certificate, so as to realize the fast and safe construction of the digital certificate path and the interconnection and intercommunication of different PKI architectures, including the following step:

(1) Group nodes according to their physical locations, and group nodes with close physical locations into one group; (2) Divide nodes into different hot levels according to how often they are searched and classify nodes with close physical locations Further grouping by hot level; (3) Combining the minimum cost path for resource location; (4) Realizing the certificate path construction algorithm according to the node grouping and the minimum cost path, so as to quickly and safely build the digital certificate path.

Since the PKI trust model formed by the method of the invention can achieve satisfactory results, the digital certificate path can be constructed quickly and safely and the interconnection and intercommunication of different PKI trust models can be realized.

Description of drawings

Figure 1 is the improved CAN resource location model.

Figure 2 is the PKI trust model based on the improved CAN.

Figure 3 is a comparison of the average number of paths in various trust models under different trust domains.

Figure 4 is a comparison of the average path construction time of various trust models under different trust domains.

Detailed ways

The above and other features and advantages of the present invention can be more clearly understood through the following detailed description in conjunction with the accompanying drawings.

The invention will be described in more detail hereinafter with reference to the accompanying drawings showing embodiments of the invention. However, this invention may be embodied in many different forms and should not be construed as limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the invention to those skilled in the art.

Since the PKI trust model formed by the method of the invention can achieve satisfactory results, it can realize the fast and safe construction of digital certificate paths and the interconnection and intercommunication of different PKI trust models.

The improved CAN resource location model according to the present invention will now be described with reference to FIG. 1 . The resource location model of the improved CAN model divides nodes into several groups as required. The nodes of each group form a small CAN, and these small CANs are called Group. The grouping of nodes in the system is first divided according to the physical location of the nodes, and the nodes with close physical locations are divided into a group; on this basis, the nodes are divided into different hot levels according to the frequency of being searched, and the physical Neighboring nodes are further grouped by hot rank. In addition to storing its own information, each node also stores the information of neighbor nodes and neighbor nodes in the group. Combined with the minimum cost path for resource location.

As shown in Figure 1, the nodes are divided into four groups: GroupA, GroupB, GroupC, and GroupD, and each Group is divided into several groups, such as GroupA is divided into A1, A2, A3, A4, A5, A6, A7, A8 , A9. When A1 needs to send a message to C8, node A1 in Group A adopts the direct path finding method within the group, routes to A8 through the minimum cost path within the group, and then sends the message to the target node C8.

In this embodiment, the specific content of the realization of the minimum path is as follows:

(1) Let M={V ₀ }, then dist(V ₀ ,M')=min{dist(V ₀ ,V)+w(V,U)}=min{w(V ₀ ,U)}, where V ∈ M, U ∈ M'. Let the path satisfying dist(V ₀ ,M') be p=(V ₀ ,V _i ), let M=M+{V _i };

(2) Choose p=(V ₀ ,...,V _j ), such that dist(V ₀ ,M')=min{dist(V ₀ ,V)+w(V,U)}, where V∈M, U ∈ M'. Let M=M+{V _j }

(3) Repeat step (2) until p=(V ₀ , . . . , V _k ).

As shown in Figure 2, in the new trust model, the root CA of each trust domain is regarded as a node, and these root CAs are divided into several groups, such as GroupA, GroupB, GroupC, GroupD, GroupE, and then each A group is divided into several groups and placed in a virtual coordinate system. For example, GroupA is divided into 5 groups from A1 to A5. Each group occupies an area. For the convenience of certificate management, each group only stores one root CA, that is, each group has only one node, and each node has only one neighbor node above, below, left, and right respectively. Each node cross-certifies with neighboring nodes and neighboring nodes in the domain. The digital certificate of the root CA of each group is issued by the Group _CA and the digital certificate of the root CA manages the coordinates of its group. For example, if A1 wants to communicate with B4, A1 first finds the node A3 in the group closest to B4 through the minimum cost path method, and then A3 continuously finds neighbor nodes according to the coordinate position, and E4, D4, and C4 finally find B4.

In this embodiment, the specific content of the certificate path construction algorithm is as follows:

Two end entities A and B belong to CA _i and CA _j respectively, and the construction algorithm of the entire certificate path is described as:

(1) B sends a message and a certificate to A

A:K _B-1 (M),CA _j <<B>> (1-1)

(2) A obtains its coordinates (X _j , Y _j ) from CA _j <<B>>, and obtains the group's coordinates (X j , Y j ) through Group _CA And get the coordinates (X _i , Y _i ) of A and its group number And execute step (3).

A:V(CA _j <<B>>), CA _j <<B>>|→(X _j ,Y _j ),

${\mathrm{<span\; class="notranslate">\; Group</span>}}_{{\mathrm{<span\; class="notranslate">\; CA</span>}}_{\mathrm{<span\; class="notranslate">\; j</span>}}}<span\; class="notranslate">\; ,</span>{\mathrm{<span\; class="notranslate">\; CA</span>}}_{\mathrm{<span\; class="notranslate">\; i</span>}}<span\; class="notranslate">\; <</span><span\; class="notranslate">\; <</span>\mathrm{<span\; class="notranslate">\; A</span>}<span\; class="notranslate">\; ></span><span\; class="notranslate">\; ></span><span\; class="notranslate">\; |</span><span\; class="notranslate">\; \&Right\; Arrow;</span><span\; class="notranslate">\; (</span>{\mathrm{<span\; class="notranslate">\; x</span>}}_{\mathrm{<span\; class="notranslate">\; i</span>}}<span\; class="notranslate">\; ,</span>{\mathrm{<span\; class="notranslate">\; Y</span>}}_{\mathrm{<span\; class="notranslate">\; i</span>}}<span\; class="notranslate">\; )</span><span\; class="notranslate">\; ,</span>{\mathrm{<span\; class="notranslate">\; Group</span>}}_{{\mathrm{<span\; class="notranslate">\; CA</span>}}_{\mathrm{<span\; class="notranslate">\; i</span>}}<span\; class="notranslate">\; -</span><span\; class="notranslate">\; -</span><span\; class="notranslate">\; -</span><span\; class="notranslate">\; (</span>\mathrm{<span\; class="notranslate">\; 1</span>}<span\; class="notranslate">\; -</span>\mathrm{<span\; class="notranslate">\; 2</span>}<span\; class="notranslate">\; )</span>}$

(3) Query along X _i to X _j Neighbor node CA _t within CA _i <<A>> group, if X _t is between X _j and X _i , execute step (3);

If the abscissa of CA _t is X _t ＝X _j , when Y _t ＝Y _j , that is, CA _t is CA _j <<B>>, then the certificate path construction is successful, and the algorithm ends; when Y _t ≠Y _j , let Y _i =Y _t continue to execute step (4);

If the abscissa X _t of CA _t ≠X _j , set X _i =X _t and execute step (6).

A: R(CA _i <<A>>,X _i X _j )→CA _t ,C(X _t ,X _j ) (1-3)

(4) Query along Y _i to Y _j Neighboring node CA _m within CA _i <<A>> group, if Y _m is between Y _j and Y _i , proceed to step (4);

If the vertical coordinate of CA _m is Y _m =Y _j , that is, CA _m is CA _j <<B>>, then the certificate path is constructed successfully, and the algorithm ends; otherwise, set Y _i =Y _m and execute step (5).

A:R(CA _i <<A>>,Y _i Y _j )→CA _m ,C(Y _m ,Y _j ) (1-4)

(5) Query CA _j <<B>> neighbor node CA _n along Y _i to Y _j , if Y _n is between Y _j and Y _i , proceed to step (5);

If Y _n =Y _j , that is, CA _n is CA _j <<B>>, then the certificate path is successfully constructed and the algorithm ends; otherwise, Y _i =Y _n continues to execute step (6).

A:R'(CA _i ＜＜A＞＞,Y _i Y _j )→CA _n ,C(Y _n ,Y _j ) (1-5)

(6) Query CA _i <<A>> neighbor node CA _k along X _i to X _j , if X _k is between X _j and X _i , execute step (6);

If X _k ＝X _j , when Y _k ＝Y _j , that is, CA _k is CA _j <<B>>, then the certificate path construction is successful, and the algorithm ends; when Y _k ≠Y _j , let Y _i ＝Y _k continue Execute step (4).

A:R'(CA _i <<A>>,X _i X _j )→CA _k ,C(X _k ,X _j ) (1-6)

Figure 3 is a comparison of the average number of paths in various trust models under different trust domains. It can be seen that the length of the certification path increases relatively slowly in the strict hierarchical trust model as the scale of the trust domain increases, and in the hybrid trust model as the trust domain increases. The length of the certificate path increases the fastest with the increasing scale of the scale, while the PKI trust model based on the improved CAN not only increases slowly but also has the shortest average number of paths with the increasing scale of the trust domain. It shows that the method proposed by the present invention is superior to the other two trust models in constructing the minimum path of digital certificates.

Figure 4 is a comparison of the average path construction time of various trust models under different trust domains. It can be found that the path construction time of the improved CAN-based PKI trust model proposed in this paper is more time-consuming than the strict hierarchical model. However, with the increase of the trust domain in the hybrid trust model, the construction time of the certificate path increases sharply, while the efficiency of the PKI trust model based on the improved CAN is slightly lower than that of the strict hierarchical model in the certificate construction path between the other two models. However, in terms of security, the strict hierarchical model only has a single trust anchor root CA. Once the root CA is attacked, the security of the entire network will be threatened. However, the new trust model disperses the trust anchors in the entire network, even if some of the root CAs are attacked, the entire trust network will not be greatly affected. It shows that the security of the method proposed by the present invention is higher than that of the other two models.

Those skilled in the art will appreciate that the present invention may be embodied in many other specific forms without departing from the spirit or scope of the invention. Although embodiments of the present invention have been described, it should be understood that the present invention should not be limited to these embodiments, and that changes and modifications may be made by those skilled in the art within the spirit and scope of the invention as defined by the appended claims.

Claims (4)

1. A method for constructing a PKI trust model based on the improved resource location model CAN, is characterized in that it comprises the following steps: (1) Group nodes according to their physical locations, and group nodes with close physical locations into one group; (2) Divide nodes into different hot levels according to how often they are searched and classify nodes with close physical locations Further grouping by hot level; (3) Combining the minimum cost path for resource location; (4) Realizing the certificate path construction algorithm according to the node grouping and the minimum cost path, so as to quickly and safely build the digital certificate path. 2. The method for constructing a PKI model according to claim 1, characterized in that the nodes in each group also store the information of neighbor nodes and neighbor nodes in the group while storing their own information, and then combine the minimum cost path for resource allocation. position. 3. The method for constructing a PKI model according to claim 1, characterized in that the minimum cost path is realized in the following steps: (1) Let M={V ₀ }, then dist(V ₀ ,M')=min{dist(V ₀ ,V)+w(V,U)}=min{w(V ₀ ,U)}, Where V∈M, U∈M'; let the path satisfying dist(V ₀ ,M') be p=(V ₀ , V _i ), let M=M+{V _i }; (2) Choose p=(V ₀ ,...,V _j ), such that dist(V ₀ ,M')=min{dist(V ₀ ,V)+w(V,U)}, where V∈M, U∈M'; let M=M+{V _j } (3) Repeat step (2) until p=(V ₀ , . . . , V _k ). 4. according to the described construction PKI model method of claim 1, it is characterized in that go to realize certificate path construction algorithm according to the following steps: Two end entities A and B belong to CA _i and CA _j respectively, and the construction algorithm of the entire certificate path is described as: (1) B sends a message and a certificate to A A:K _B-1 (M),CA _j <<B>> (1-1) (2) A obtains its coordinates (X _j , Y _j ) from CA _j <<B>>, and obtains the group's coordinates (X j , Y j ) through Group _CA And get the coordinates (X _i , Y _i ) of A and its group number And execute step (3); A:V(CA _j <<B>>), CA _j <<B>>|→(X _j ,Y _j ), (3) Query along X _i to X _j Neighbor node CA _t within CA _i <<A>> group, if X _t is between X _j and X _i , execute step (3); If the abscissa of CA _t is X _t ＝X _j , when Y _t ＝Y _j , that is, CA _t is CA _j <<B>>, then the certificate path construction is successful, and the algorithm ends; when Y _t ≠Y _j , let Y _i =Y _t continue to execute step (4); If the abscissa of CA _t is X _t ≠X _j , set _Xi =X _t to execute step (6); A: R(CA _i <<A>>,X _i X _j )→CA _t ,C(X _t ,X _j ) (1-3) (4) Query along Y _i to Y _j Neighbor node CA _m within CA _i <<A>> group, if Y _m is between Y _j and Y _i , proceed to step (4); If the vertical coordinate of CA _m is Y _m =Y _j , that is, CA _m is CA _j <<B>>, then the certificate path is constructed successfully, and the algorithm ends; otherwise, set Y _i =Y _m and execute step (5); A:R(CA _i <<A>>,Y _i Y _j )→CA _m ,C(Y _m ,Y _j ) (1-4) (5) Query CA _j <<B>> neighbor node CA _n along Y _i to Y _j , if Y _n is between Y _j and Y _i , proceed to step (5); If Y _n =Y _j , that is, CA _n is CA _j <<B>>, then the certificate path is constructed successfully, and the algorithm ends; otherwise, set Y _i =Y _n and continue to execute step (6); A:R'(CA _i ＜＜A＞＞,Y _i Y _j )→CA _n ,C(Y _n ,Y _j ) (1-5) (6) Query CA _i <<A>> neighbor node CA _k along X _i to X _j , if X _k is between X _j and X _i , execute step (6); If X _k ＝X _j , when Y _k ＝Y _j , that is, CA _k is CA _j <<B>>, then the certificate path construction is successful, and the algorithm ends; when Y _k ≠Y _j , let Y _i ＝Y _k continue Execute step (4); A: R'(CA _i <<A>>,X _i X _j )→CA _k ,C(X _k ,X _j ) (1-6).