CN103973452A - PKI trust model construction method based on modified resource locating model CAN - Google Patents
PKI trust model construction method based on modified resource locating model CAN Download PDFInfo
- Publication number
- CN103973452A CN103973452A CN201410203683.0A CN201410203683A CN103973452A CN 103973452 A CN103973452 A CN 103973452A CN 201410203683 A CN201410203683 A CN 201410203683A CN 103973452 A CN103973452 A CN 103973452A
- Authority
- CN
- China
- Prior art keywords
- path
- node
- pki
- execution step
- group
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
Landscapes
- Management, Administration, Business Operations System, And Electronic Commerce (AREA)
Abstract
A PKI trust model construction method based on a modified resource locating model CAN comprises the following steps that (1) nodes are divided into groups according to physical locations of the nodes, wherein the nodes with adjacent physical locations are divided into the same group; (2) according to the searched-for frequency of the nodes, the nodes are divided into different hot levels, and the nodes with adjacent physical locations are further grouped according to the hot levels; (3) resource locating is carried out in combination with a minimum-cost path; (4) a certificate path construction algorithm is obtained according to the groups of the nodes and the minimum-cost path, so that a digital certificate path is constructed rapidly and safely. According to the PKI trust model construction method based on the modified resource locating model CAN, interconnection and interworking between different types of PKI architectures can be realized, and the digital certificate path can be constructed rapidly and safely.
Description
Technical field
Patent of the present invention belongs to field of information security technology, particularly digital certificate encryption technology.
Background technology
Along with the development of network and ecommerce, it is more and more important that safety certification is compiled.Become just gradually now the main flow of network ID authentication and the system of mandate taking digital certificate X.509 as basic public key infrastructure PKI (Public Key Infrastructure) system.In authentication system X.509, certification authority (CA) CA issues digital certificate as a believable third party for entity.Communicating pair uses the correctness of the PKI check digit certificate of CA by obtaining the other side's digital certificate, thereby know which special entity the PKI in digital certificate corresponds to, then judge whether the other side holds private key corresponding to PKI in digital certificate, thereby complete the authentication of entity.
In PKI trust model, verify the authenticity of communicating pair certificate, first need to construct the certificate trust path of a communicating pair.Trust path refers in the time that an entity need to be confirmed another entity identities, first to determine the object (trust anchor) that it is trusted, find out one by trust anchor again and arrive each certificate of confirming entity root CA, the path of these certificate compositions is called trust path.Trust path by structure judges that whether the other side is credible.Trust model has been described the rule of how to carry out certification path foundation and searching between different authentication mechanism.
As the ripe solution of the one of information safety protection, PKI is widely used in some industries and place with himself peculiar advantage.Because these application are to ensure to a certain extent these industries and local information security in mode independently, and along with the continuous increase of informationalized development and the demand to information sharing, these independently PKI system become gradually and can only trust of self system and trust isolated island, this also makes can not interconnect and say beneficial giving prominence to the continuous contradiction strengthening of the shared demand of information resources between PKI, thereby the range of application of PKI has been played to the effect of blocking.The main cause that can not interconnect between each PKI system is owing to cannot carrying out interactive authentication between PKI, and the trust model of PKI plays an important role to realizing interactive authentication between PKI.Therefore study a kind of can adaptation and carry out mutual trust model for promoting that PKI development is significant between each PKI system.
Thus, it is important research content and the study hotspot of information security field that PKI trust model builds, and has great scientific meaning and application prospect.Therefore, there are a large amount of scholars and research institution to carry out a large amount of research to PKI trust model both at home and abroad.Current industry main approaches and present situation are as follows:
(1), in order to solve interoperability issue, some scholars and researcher have set up different PKI trust models and certification path building method and have solved the interoperability issue of PKI.Wherein more representational research is, by people such as Cooper, the path configuration of certificate is divided into positive structure and reverse structure abroad, and its main thought is: divide according to certificate structure path direction, be divided into forward and reverse two kinds of Algorithm of Certificate Path Constructions.Forward certification path structure is from object CA node, compares and searches along structural grain forward by the attribute of the person of signing and issuing to certificate, and be trusted entities until find the person of signing and issuing of certificate, the trust path that the path producing is certificate.Reverse certification path building method is to begin from trusted entities according to the defined digital certificate extended attribute of standard X.509, and the IssuedByThisCA attribute of cross-certificate is searched along counter movement.(2) mode that the people such as flat, the Wang Yumin of Wang Shang has proposed to deposit by certification path table certificate by introducing the mode of certification path table is at home carried out certification path structure, has provided the verification algorithm of certification path simultaneously.Its main thought is: according to the breadth-first search of figure, from the initiator of certification, tandem node is searched for, then the node adjoining each other is deposited to the next line in routing table, forwarding next line to deletes terminal node in this row again, and the node deletion of deleted child node in lastrow is fallen, in this row by the breadth-first search of figure to not having deleted node to carry out cascade, then the cascade node searching is deposited in next line, repeat aforesaid operations until find destination node, finally the row order by table in certification path table is arranged to last lower node, just can draw final certification path.(3) efficiency that some scholars construct for the certification path improving under complicated PKI architecture has been carried out a large amount of research and has been drawn some conclusions: the people such as Elley have drawn the more excellent conclusion of reverse certification path structure after constructing pluses and minuses separately by comparative analysis forward path structure and inverse path; How Lloyd can construct certification path more efficiently if having proposed some, and in its article, particularly point out for strict hierarchical structure trust model forward direction certification path structural scheme and be more suitable for, and is more suitable for for the reverse certification path structural scheme of distributed trust model; The people such as Russd are by analyzing structure and the checking performance of longer certification path in PKI cross-certification system, drawn for fear of the conclusion that repeatedly repeats certification path structure and checking and can adopt virtual certificate and synthetic certificate.
Above-mentioned method has advantages and disadvantages part separately, can improve to a certain extent the structure efficiency of certification path, different path configuration schemes also shows different features under different trust models, can not depart from PKI trust model and talk the structure of certification path, therefore at current PKI Quick Extended, PKI architecture presents the feature of isomery especially, how can better carry out the intercommunication between each PKI system and carry out the rapid build of certification path particularly important especially.
Thus, industry to can realize different PKI architectures interconnect and the method in structure digital certificate path that can be is fast and safely expected to some extent.
Summary of the invention
The object of the invention is to propose a kind of based on improved Resource Locating Model CAN (content addressablenetwork, content addressed network) PKI trust model construction method, to realize interconnecting and structure digital certificate path that can be fast and safely of different PKI architectures.
In order to reach above-mentioned purpose, the invention provides a kind of PKI trust model construction method based on improved Resource Locating Model CAN.Described method is by being placed on the CA grouping of different trust domain in virtual coordinates territory, utilize minimal cost path algorithm to build the secure path of digital certificate, to realize interconnecting of structure digital certificate path fast and safely and different PKI architectures, comprise the following steps:
(1) according to the physical location at node place, node is divided into groups, the approaching node of physical location is divided into one group; (2) frequency of being searched according to node is divided into different hot grades and the contiguous node of physical location is further divided into groups by hot grade; (3) carry out resource location in conjunction with minimal cost path; (4) realize Algorithm of Certificate Path Construction according to node grouping and minimal cost path, with structure digital certificate path fast and safely.
The PKI trust model forming due to method of the present invention can reach gratifying effect, therefore structure digital certificate path fast and safely and realize the interconnection and interflow of different PKI trust models.
Brief description of the drawings
Fig. 1 is CAN Resource Locating Model after improving.
Fig. 2 is the PKI trust model based on CAN after improving.
Fig. 3 is that under different trust domain, the average path at various trust models is counted comparison.
Fig. 4 is the average path structure time comparison at various trust models under different trust domain.
Embodiment
By reference to the accompanying drawings, by the detailed description of stating below, can more clearly understand above-mentioned and other feature and advantage of the present invention.
Referring to the accompanying drawing that the embodiment of the present invention is shown, the present invention below will be described in more detail.But the present invention can be with many multi-form realizations, and should not be construed as the restriction of the embodiment being subject in this proposition.On the contrary, it is abundant and complete open in order to reach proposing these embodiment, and makes those skilled in the art understand scope of the present invention completely.
The PKI trust model forming due to method of the present invention can reach gratifying effect, therefore can realize structure digital certificate path fast and safely and realize the interconnection and interflow of different PKI trust models.
Refer now to Fig. 1 and describe according to CAN Resource Locating Model after improvement of the present invention, described modified model CAN model Resource Locating Model is several groups by node division as required.The node of each grouping forms again a Small-sized C AN, claims these Small-sized C AN to be called Group.In system, first the grouping of node divides according to the physical location at node place, and node approaching physical location is divided into one group; On this basis, the frequency of being searched according to node is divided into different hot grades, the contiguous node of physical location further can be divided into groups by hot grade.Each node also will be deposited the information of the neighbor node in neighbor node and group except storage self information.Carry out resource location in conjunction with minimal cost path again.
As shown in Figure 1, node is divided into GroupA, GroupB, GroupC, tetra-groups of GroupD, are divided into some groups by each Group again, as GroupA has the A1 of being divided into, A2, A3, A4, A5, A6, A7, A8, A9.In the time that A1 need to send out message to C8, in Group A, direct pathfinding mode in node A1 employing group, routes to A8 by organizing interior minimal cost path mode, then message is mail to destination node C8.
In the present embodiment, the described minimal path particular content of realizing is as following:
(1) make M={V
0, dist (V
0, M') and=min{dist (V
0, V) and+w (V, U) }=min{w (V
0, U) }, wherein V ∈ M, U ∈ M'.If meet dist (V
0, M') path be p=(V
0, V
i), make M=M+{V
i;
(2) select p=(V
0..., V
j), make dist (V
0, M') and=min{dist (V
0, V) and+w (V, U) }, wherein V ∈ M, U ∈ M'.Make M=M+{V
j}
(3) repeating step (2), until p=(V
0..., V
k).
As shown in Figure 2, in new trust model, the root CA of each trust domain regards a node as, these roots CA is divided into some groups, as is divided into GroupA, GroupB, GroupC, GroupD, GroupE, then each group is divided into some groups is placed in a virtual coordinate system, as GroupA is divided into A1 to A5,5 groups.Each group accounts for a region.Convenient for certificate management, a root CA only deposits in each group, and each group only has a node, and each node upper and lower, left and right only have respectively a neighbor node.Neighbor node cross-certification in each node and neighbor node and territory, the digital certificate of the root CA of each Group passes through Group
cAbefore coming, sign and issue and its place group coordinate of digital certificate management of root CA.For example, A1 will communicate by letter with B4, and then first A1 find apart from the node A3 in the nearest group of B4 by A3 according to coordinate position by minimal cost path method, constantly looks for neighbor node, E4, and D4, C4 finally finds B4.
In the present embodiment, described Algorithm of Certificate Path Construction particular content is as following:
Two end entity A and B are under the jurisdiction of respectively CA
iand CA
j, the construction algorithm of whole certification path is described as:
(1) B transmission message and certificate are to A
A:K
B-1(M),CA
j<<B>> (1-1)
(2) A is from CA
jin < < B > >, obtain its coordinate (X
j, Y
j), and pass through Group
cAobtain place group
and obtain the coordinate (X of A
i, Y
i) and place group #
and execution step (3).
A:V(CA
j<<B>>),CA
j<<B>>|→(X
j,Y
j)、
(3) along X
ito X
jinquiry
interior CA
ineighbor node CA in < < A > > group
tif, X
tat X
jwith X
ibetween execution step (3);
If CA
tabscissa X
t=X
j, work as Y
t=Y
j, i.e. CA
tfor CA
j< < B > >, certification path is successfully constructed, and algorithm finishes; Work as Y
t≠ Y
jtime, make Y
i=Y
tcontinue execution step (4);
If CA
tabscissa X
t≠ X
j, make X
i=X
texecution step (6).
A:R(CA
i<<A>>,X
iX
j)→CA
t,C(X
t,X
j) (1-3)
(4) along Y
ito Y
jinquiry
interior CA
ineighbor node CA in < < A > > group
mif, Y
mat Y
jwith Y
ibetween, continue execution step (4);
If CA
mordinate Y
m=Y
j, i.e. CA
mfor CA
j< < B > >, certification path is successfully constructed, and algorithm finishes; Otherwise make Y
i=Y
mexecution step (5).
A:R(CA
i<<A>>,Y
iY
j)→CA
m,C(Y
m,Y
j) (1-4)
(5) along Y
ito Y
jinquiry CA
j< < B > > neighbor node CA
nif, Y
nat Y
jwith Y
ibetween, continue execution step (5);
If Y
n=Y
j, i.e. CA
nfor CA
j< < B > >, certification path is successfully constructed, and algorithm finishes; Otherwise make Y
i=Y
ncontinue execution step (6).
A:R'(CA
i<<A>>,Y
iY
j)→CA
n,C(Y
n,Y
j) (1-5)
(6) along X
ito X
jinquiry CA
i< < A > > neighbor node CA
kif, X
kat X
jwith X
ibetween execution step (6);
If X
k=X
j, work as Y
k=Y
j, i.e. CA
kfor CA
j< < B > >, certification path is successfully constructed, and algorithm finishes; Work as Y
k≠ Y
jtime, make Y
i=Y
kcontinue execution step (4).
A:R'(CA
i<<A>>,X
iX
j)→CA
k,C(X
k,X
j) (1-6)
Fig. 3 is that under different trust domain, the average path at various trust models is counted comparison, can find out that strict level trust model is along with the length that the scale of trust domain constantly increases certification path gathers way relatively slow, Hybrid Trust Model is the fastest along with the length of the continuous increase certification path of the scale of trust domain gathers way, and PKI trust model based on CAN after improving gathers way slow but also average path number is the shortest along with the scale of trust domain constantly increases not only certification path length.The method that the method structure digital certificate minimal path of the present invention's proposition is described is better than another two kinds of trust models.
Fig. 4 is the average path structure time comparison at various trust models under different trust domain, can find that the PKI trust model path configuration time based on CAN after improving in this paper is more more than spent time than strict hierarchical model.And Hybrid Trust Model is along with the increase certification path structure of trust domain sharply increases the time, and PKI trust model based on CAN after improving on certificate structure path efficiency between two other model a little less than strict hierarchical model.But with regard to secure context discussion, strict hierarchical model only has unique trust anchor root CA, all can be on the hazard once root CA attacks the safety of whole network.Even and if that trust anchor is dispersed in whole network part root CA whole trust network impact under attack wherein by new trust model is little.Method safe in other two kinds of models that the present invention proposes is described.
Those skilled in the art can realize and not depart from the spirit or scope of the present invention with many other concrete forms because should be understood that the present invention.Although already described embodiments of the invention, should understand the present invention and should not be restricted to these embodiment, within the spirit and scope of the invention that those skilled in the art can define as appended claims, make changes and modifications.
Claims (4)
1. a method that builds PKI trust model based on improved Resource Locating Model CAN, is characterized in that comprising the following steps:
(1) according to the physical location at node place, node is divided into groups, the approaching node of physical location is divided into one group; (2) frequency of being searched according to node is divided into different hot grades and the contiguous node of physical location is further divided into groups by hot grade; (3) carry out resource location in conjunction with minimal cost path; (4) realize Algorithm of Certificate Path Construction according to node grouping and minimal cost path, with structure digital certificate path fast and safely.
2. structure PKI model method according to claim 1, is characterized in that allowing the node in every group also will deposit the information of the neighbor node in neighbor node and group in storage self information, then carries out resource location in conjunction with minimal cost path.
3. structure PKI model method according to claim 1, is characterized in that going as follows to realize minimal cost path:
(1) make M={V
0, dist (V
0, M') and=min{dist (V
0, V) and+w (V, U) }=min{w (V
0, U) }, wherein V ∈ M, U ∈ M'; If meet dist (V
0, M') path be p=(V
0, V
i), make M=M+{V
i;
(2) select p=(V
0..., V
j), make dist (V
0, M') and=min{dist (V
0, V) and+w (V, U) }, wherein V ∈ M, U ∈ M'; Make M=M+{V
j}
(3) repeating step (2), until p=(V
0..., V
k).
4. build according to claim 1 PKI model method, it is characterized in that going as follows to realize Algorithm of Certificate Path Construction:
Two end entity A and B are under the jurisdiction of respectively CA
iand CA
j, the construction algorithm of whole certification path is described as:
(1) B transmission message and certificate are to A
A:K
B-1(M),CA
j<<B>> (1-1)
(2) A is from CA
jin < < B > >, obtain its coordinate (X
j, Y
j), and pass through Group
cAobtain place group
and obtain the coordinate (X of A
i, Y
i) and place group #
and execution step (3);
A:V(CA
j<<B>>),CA
j<<B>>|→(X
j,Y
j)、
(3) along X
ito X
jinquiry
interior CA
ineighbor node CA in < < A > > group
tif, X
tat X
jwith X
ibetween execution step (3);
If CA
tabscissa X
t=X
j, work as Y
t=Y
j, i.e. CA
tfor CA
j< < B > >, certification path is successfully constructed, and algorithm finishes; Work as Y
t≠ Y
jtime, make Y
i=Y
tcontinue execution step (4);
If CA
tabscissa X
t≠ X
j, make X
i=X
texecution step (6);
A:R(CA
i<<A>>,X
iX
j)→CA
t,C(X
t,X
j) (1-3)
(4) along Y
ito Y
jinquiry
interior CA
ineighbor node CA in < < A > > group
mif, Y
mat Y
jwith Y
ibetween, continue execution step (4);
If CA
mordinate Y
m=Y
j, i.e. CA
mfor CA
j< < B > >, certification path is successfully constructed, and algorithm finishes; Otherwise make Y
i=Y
mexecution step (5);
A:R(CA
i<<A>>,Y
iY
j)→CA
m,C(Y
m,Y
j) (1-4)
(5) along Y
ito Y
jinquiry CA
j< < B > > neighbor node CA
nif, Y
nat Y
jwith Y
ibetween, continue execution step (5);
If Y
n=Y
j, i.e. CA
nfor CA
j< < B > >, certification path is successfully constructed, and algorithm finishes; Otherwise make Y
i=Y
ncontinue execution step (6);
A:R'(CA
i<<A>>,Y
iY
j)→CA
n,C(Y
n,Y
j) (1-5)
(6) along X
ito X
jinquiry CA
i< < A > > neighbor node CA
kif, X
kat X
jwith X
ibetween execution step (6);
If X
k=X
j, work as Y
k=Y
j, i.e. CA
kfor CA
j< < B > >, certification path is successfully constructed, and algorithm finishes; Work as Y
k≠ Y
jtime, make Y
i=Y
kcontinue execution step (4);
A:R'(CA
i<<A>>,X
iX
j)→CA
k,C(X
k,X
j) (1-6)。
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201410203683.0A CN103973452A (en) | 2014-05-15 | 2014-05-15 | PKI trust model construction method based on modified resource locating model CAN |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201410203683.0A CN103973452A (en) | 2014-05-15 | 2014-05-15 | PKI trust model construction method based on modified resource locating model CAN |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN103973452A true CN103973452A (en) | 2014-08-06 |
Family
ID=51242523
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201410203683.0A Pending CN103973452A (en) | 2014-05-15 | 2014-05-15 | PKI trust model construction method based on modified resource locating model CAN |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN103973452A (en) |
Cited By (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN104267988A (en) * | 2014-09-26 | 2015-01-07 | 北京飞流九天科技有限公司 | System and method for packing mobile applications |
Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20030147537A1 (en) * | 2002-02-07 | 2003-08-07 | Dongfeng Jing | Secure key distribution protocol in AAA for mobile IP |
| CN1819587A (en) * | 2006-03-10 | 2006-08-16 | 四川大学 | Trusting method of network information system based on family genes |
| WO2013110669A2 (en) * | 2012-01-23 | 2013-08-01 | Youview Tv Limited | Authorisation system |
-
2014
- 2014-05-15 CN CN201410203683.0A patent/CN103973452A/en active Pending
Patent Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20030147537A1 (en) * | 2002-02-07 | 2003-08-07 | Dongfeng Jing | Secure key distribution protocol in AAA for mobile IP |
| CN1819587A (en) * | 2006-03-10 | 2006-08-16 | 四川大学 | Trusting method of network information system based on family genes |
| WO2013110669A2 (en) * | 2012-01-23 | 2013-08-01 | Youview Tv Limited | Authorisation system |
Non-Patent Citations (1)
| Title |
|---|
| 陈述: "PKI信任模型及证书路径构造的研究", 《中国优秀硕士学位论文全文数据库(电子期刊)信息科技辑》 * |
Cited By (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN104267988A (en) * | 2014-09-26 | 2015-01-07 | 北京飞流九天科技有限公司 | System and method for packing mobile applications |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| Tangade et al. | Trust management scheme based on hybrid cryptography for secure communications in VANETs | |
| Zhao et al. | An efficient certificateless aggregate signature scheme for the Internet of Vehicles | |
| Gu et al. | Trust management mechanism for Internet of Things | |
| CN102055769B (en) | Multi- trust domain authentication system under lattice-based grid environment | |
| CN102833265B (en) | Network theory based signature scheme and secure linear network encoding method thereof | |
| CN112511350B (en) | Alliance chain multi-level consensus method, device and storage medium | |
| CN107908979B (en) | Method and electronic device for configuration and endorsement in blockchain | |
| Yang et al. | An efficient blockchain‐based batch verification scheme for vehicular ad hoc networks | |
| Al-Obaidi et al. | Cauchy density-based algorithm for VANETs clustering in 3D road environments | |
| CN106326637A (en) | Link prediction method based on local effective path degree | |
| CN109064348A (en) | A method of it blocking rumour community in social networks and inhibits gossip propagation | |
| Zhang et al. | A parallel consensus mechanism using PBFT based on DAG-lattice structure in the Internet of Vehicles | |
| CN105162654A (en) | Link prediction method based on local community information | |
| CN102880641A (en) | Parametric bus transfer method in consideration of short-distance walking station pair | |
| CN104317904A (en) | Generalization method for weighted social network | |
| CN113923217B (en) | Asynchronous Bayesian-busy family consensus method and system based on DAG | |
| Wang et al. | Quantum attack-resistant signature scheme from lattice cryptography for WFH | |
| Zhang et al. | A virtual bridge certificate authority‐based cross‐domain authentication mechanism for distributed collaborative manufacturing systems | |
| CN103973452A (en) | PKI trust model construction method based on modified resource locating model CAN | |
| CN114615006A (en) | Edge layer data security protection method and system for power distribution Internet of things and storage medium | |
| CN103442352B (en) | The secure data fusion method of low energy consumption and device | |
| Tseng et al. | Reliable broadcast with trusted nodes: Energy reduction, resilience, and speed | |
| CN109214656A (en) | A kind of node importance appraisal procedure for Urban Transit Network | |
| Hietalahti | A clustering-based group key agreement protocol for ad-hoc networks | |
| Li et al. | EBFT: A hierarchical and group-based byzantine fault tolerant consensus algorithm |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| WD01 | Invention patent application deemed withdrawn after publication | ||
| WD01 | Invention patent application deemed withdrawn after publication |
Application publication date: 20140806 |