CN104036033A - Certificate revocation list caching and checking method of digital certificate - Google Patents
Certificate revocation list caching and checking method of digital certificate Download PDFInfo
- Publication number
- CN104036033A CN104036033A CN201410303808.7A CN201410303808A CN104036033A CN 104036033 A CN104036033 A CN 104036033A CN 201410303808 A CN201410303808 A CN 201410303808A CN 104036033 A CN104036033 A CN 104036033A
- Authority
- CN
- China
- Prior art keywords
- crl
- digital certificate
- certificate
- basesn
- sequence number
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F16/00—Information retrieval; Database structures therefor; File system structures therefor
- G06F16/20—Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
- G06F16/24—Querying
- G06F16/245—Query processing
- G06F16/2455—Query execution
- G06F16/24552—Database cache management
Abstract
The invention discloses a certificate revocation list caching and checking method of a digital certificate. The method comprises the steps that A. an initial value BaseSN is set; B. an internal storage for storing a certificate revocation list (CRL) is allocated, initialization is carried out, and the caching zone content of the CRL is reset; C. a latest-issued CRL is obtained from CA; D. the CRL is analyzed, and a TBSCertList is obtained from the CRL; E. a serial number (SN) of the digital certificate is obtained from the TBSCertList; F. the difference value delta SN of the SN and the BaseSN is computed; G. the delta SN is set to be an offset amount, and corresponding binary system positions in a CRL catching zone are 1; H. whether SNs of other digital certificates exist in the TBSCertList is judged, if no, the step I is carried out, and otherwise, the step E is carried out; and I. whether other CRL entities exist is further judged, if yes, the step C is carried out, and otherwise, the CRL caching process is over. According to the method, CRL searching efficiency from a cache can be improved.
Description
Technical field
The present invention relates to information security and digital certificate technique, relate in particular to a kind of CRL buffer memory and querying method of digital certificate.
Background technology
Application based on digital certificate, conventionally needs access certificate issuing organization (CA) to obtain CRL (CRL) and checks certificate status.Application software is conventionally by CRL buffer memory, and upgrades by default strategy.Along with the rapid growth of digital certificate quantity, the time overhead whether space expense of CRL buffer memory and retrieval certificate are revoked also becomes increasing.Therefore, urgently develop a kind of technology that can improve buffer memory and retrieval CRL efficiency.
At present, traditional CRL cache way is the entity of buffer memory CRL, or uses linear list, the Hash table structure digital certificate sequence number that mark " is revoked " in storage CRL.
Under existing CRL cache way, digital certificate serial number of buffer memory approximately needs 20 bytes, the certificate serial number being revoked in a buffer memory N CRL, and the space needing is about N * sequence number and comprises byte number.
Under traditional CRL cache way, whether the digital certificate sequence number (SN) of an appointment of retrieval is included in revocation list, and the data structure of buffer memory is retrieved and need to repeatedly be compared, and could confirm in buffer memory, whether to have comprised sequence number (SN).For the buffer memory that is assumed to be n for data number, the time complexity of searching is O (n), if adopt dichotomy to search, required time complexity is O (log (n)).
Therefore, adopt traditional approach after digital certificate quantity and the quantity that is revoked certificate reach 1,000,000 to ten million orders of magnitude, required storage space and required time of retrieval, all can increase rapidly, and this will produce more serious impact to the promptness of the operational efficiency of system and response.
Summary of the invention
In view of this, fundamental purpose of the present invention is to provide a kind of CRL (CRL) buffer memory and querying method of digital certificate, using under the scene of the digital certificate of magnanimity and the CRL of digital certificate, application software or encryption device for digital certificate are verified use, significantly to reduce the expense of CRL buffer memory and the recall precision of raising CRL.
For achieving the above object, technical scheme of the present invention is achieved in that
A CRL caching method for digital certificate, the method comprises:
A, according to the strategy of digital certificate and actual conditions, the initial value BaseSN of a certificate serial number is set;
B, to system application, distribute one section for storing the internal memory of CRL CRL, and this section of internal memory carried out to initialization, by the buffer area content zero clearing of CRL;
C, from digital certificate issuing organization, obtain the CRL of a up-to-date issue;
D, the described CRL of parsing obtain TBSCertList from CRL;
E, from TBSCertList, obtain the sequence number of a digital certificate;
F, calculate the difference DELTA of described sequence number and BaseSN
sN;
G, establish described Δ
sNfor side-play amount, by corresponding binary location 1 in described CRL buffer area;
H, judge in described TBSCertList the sequence number that whether also has other digital certificates, if do not have, perform step I; Otherwise, return to step e;
I, step I: further judge whether other CRL entities in addition, if having, return to step C; Otherwise, finish the process of caching of described CRL.
Wherein, location-independent with in internal memory of the initial value BaseSN of described digital certificate sequence number.
Described in step D, TBSCerList is a field in CRL, and this field is a sequence, the person's of containing digital certificate issued name, issuing date, the issuing date of next CRL, the expansion of revoking list of cert and optional CRL.
In described CRL buffer area, corresponding binary position is 1 or 0, in order to indication, whether the state of digital certificate that should position is revoked.
A querying method of verifying digital certificate state described in claim 1~4, comprising:
The sequence number SN of a, acquisition digital certificate;
The difference of the initial value BaseSN of b, calculating SN and digital certificate sequence number, calculates Δ
sN=SN-BaseSN;
C, get Δ in CRL CRL buffer area
sNlocational binary value b;
D, judge whether the b value of this binary digit is 1, if 1, prove that this certificate is revoked; Otherwise b is not 1, prove that this certificate is effective.
CRL buffer memory and the querying method of digital certificate provided by the present invention, have the following advantages:
The in the situation that of mass digital certificate and mass digital CRL, application based on digital certificate or equipment, for efficiency reasons, need in the situation of buffer memory revocation list, use technology of the present invention, can effectively reduce the required request memory of buffer memory CRL, and, the efficiency of retrieving CRL from buffer memory can be improved.
Accompanying drawing explanation
Fig. 1 is that the present invention carries out the process schematic diagram of buffer memory to the CRL of digital certificate;
Fig. 2 is that the present invention adopts binary digit to preserve the data structure storage view of the information whether digital certificate be revoked;
Fig. 3 is the query script schematic diagram that the present invention verifies digital certificate state.
Embodiment
Below in conjunction with accompanying drawing and embodiments of the invention, method of the present invention is described in further detail.
Fig. 1 is that the present invention carries out the process schematic diagram of buffer memory to the CRL of digital certificate (CRL).In the present invention, adopt 1 binary digit to preserve the information (with reference to figure 2) whether 1 certificate is revoked.
The process of as shown in Figure 1, CRL being carried out to buffer memory comprises the steps:
Step 101: according to the strategy of digital certificate and actual conditions, the initial value BaseSN(of a certificate serial number is set with reference to figure 2).
Here, the actual conditions of described digital certificate, mainly refer to certificate size, storage space etc.
Step 102: distribute one section for storing the internal memory of CRL (CRL) to system application.
Step 103: to one section of described internal memory initialization, by the buffer area content zero clearing of CRL (CRL).
Step 104: the CRL (CRL) that obtains a up-to-date issue from digital certificate issuing organization.
Step 105: resolve described CRL (CRL), obtain TBSCertList from CRL (CRL).
Here, described TBSCerList is a field in CRL, and this field is a sequence, the person's of containing digital certificate issued name, issuing date, the issuing date of next CRL (CRL), the expansion of revoking list of cert and optional CRL.Wherein, revoke list of cert by a series of digital certificate sequence number, cancel the expansion of date and optional CRL entrance and form.
Step 106: the sequence number (SN) that obtains a digital certificate from TBSCertList.
Step 107: calculate the difference of described sequence number (SN) and BaseSN, according to following formula:
Δ
SN=SN-BaseSN。
Step 108: establish described Δ
sN=SN-BaseSN is side-play amount (offset), by corresponding binary position in CRL (CRL) buffer area, is that 1(is with reference to figure 2).
Step 109: judge the sequence number (SN) that whether also has other digital certificates in described TBSCertList, if do not have, perform step 110; Otherwise, return to step 106;
Step 110: further judge whether other CRLs (CRL) entity in addition, if having, return to step 104; Otherwise, execution step 111.
Step 111: the process of caching that completes described CRL (CRL).
Fig. 2 is that the present invention adopts binary digit to preserve the data structure storage view of the information whether digital certificate be revoked.As shown in Figure 2,1 state whether digital certificate is revoked of each binary digit indication.Wherein, binary digit " 0 " represents that this corresponding digital certificate is effective at present; Binary digit " 1 " represents that this corresponding digital certificate is revoked.In step 108 as shown in Figure 1, side-play amount (offset) Δ
sN=SN-BaseSN, now, must be in CRL (CRL) buffer area corresponding binary digit assignment 1.Otherwise, in the corresponding binary digit assignment 0 of CRL buffer area.
Fig. 3 is the query script schematic diagram that the present invention verifies digital certificate state.When the state of certain digital certificate of checking, need the sequence number (SN) of this certificate of checking whether to be included in CRL (CRL), if be included in revocation list, think that this certificate is revoked; Otherwise think that this certificate status is for normal.As shown in Figure 3, this process comprises the steps:
Step 301: start digital certificate state verification.
Step 302: the sequence number SN that obtains certificate.
Step 303: calculate the difference of the initial value BaseSN of SN and digital certificate sequence number, calculate Δ
sN=SN-BaseSN.
Step 304: get in CRL buffer area Δ
sNlocational binary value b.
Step 305: whether the b value that judges this binary digit is 1, if 1, perform step 306; Otherwise, execution step 307.
Step 306:b is 1, proves that this certificate is revoked, returns.
Step 307:b is not 1, proves that this certificate is effective.
Below, in conjunction with specific embodiments the process of buffer memory digital certificate and inquiry are verified to the whether effective process of digital certificate describes respectively.
For example, the certificate that certain certificate verification mechanism issues, sequence number is from certificate serial number below, increases progressively one by one, we are defined as this sequence number the BaseSN of CRL buffer memory.
64?3F?7D?55?30?87?94?41?22?00?00?00?00?00?00?00?00?00?00?01。
According to the certificate capacity of current certificate verification mechanism and the certificate capacity in the time of expection, our default CRL cache size is 64 M, is divided into 64 sections, each section 1M.It is defined as follows:
CRL buffer memory program, according to the buffer update strategy of oneself, is obtained the CRL of the up-to-date issue of CA to CA, carry out the integrity verification of CRL, after this, from the TBSCertList of CRL, obtain all sequence numbers that are revoked, to each sequence number SN, adopt following steps to process.
Step a: calculate Δ
sN=SN-BaseSN.
Step b: calculate this SN corresponding buffer memory section segment=Δ
sN/ (1024 * 1024 * 8);
Step c: calculate this SN the byte location position=(Δ of corresponding buffer memory
sN% (1024 * 1024 * 8))/8;
Steps d: calculate this SN binary digit long offset2=position % 8 of corresponding buffer memory.
Step e: the value of putting this binary digit is 1.
The process of its authentication certificate state is as follows:
Steps A: resolution digital certificate, obtain digital certificate sequence number SN.
Step B: calculate Δ
sN=SN-BaseSN.
Step C: calculate this SN corresponding buffer memory section segment=Δ
sN/ (1024 * 1024 * 8).
Step D: calculate this SN the byte location position=(Δ of corresponding buffer memory
sN% (1024 * 1024 * 8))/8.
Step e: calculate this SN position long offset2=position % 8 of corresponding buffer memory.
Step F: get this binary value b, if b is 1, return to this certificate and be revoked, otherwise it is effective to return to this certificate status.
In the situation that having mass digital certificate and magnanimity CRL (CRL), application based on digital certificate or equipment are for efficiency reasons, need in the situation of buffer memory revocation list, use technology of the present invention, can effectively reduce the required request memory of buffer memory CRL, and, can improve the efficiency of retrieving CRL from buffer memory.
Be reflected in the storage size aspect needing:
Generally, consider the sequence number space of digital certificate, certification authority can adopt the sequence number of 10~20 bytes, in this case, imagine a system that digital certificate amount is 1,000,000,000, according to 1/5 estimated value being revoked, analyze, use traditional cache way, the spatial cache needing is about:
Spatial cache ≈ 1,000,000,000 * 1/5 * 20 bytes=4,000,000,000 byte ≈ 4G bytes.
And use the solution of the present invention, required spatial cache is about:
Spatial cache ≈ 1,000,000,000 * 1 bit=1,000,000,000 bit ≈ 125M bytes.
Visible, adopt method of the present invention, can greatly reduce the demand to storage space.
Be reflected in recall precision aspect:
Adopt method of the present invention, inquire about a digital certificate and whether be revoked.Whether only need to just can directly obtain side-play amount (offset) by the difference of sequence of calculation SN and BaseSN, according to the value of corresponding binary digit, can obtain its certificate is to revoke state.The time complexity of its calculating is constant O(1).Compare traditional approach and adopt linear list group, the retrieval O (n) of Hash table mode and the computation complexity of O (log (n)), greatly reduce the calculated amount of obtaining certificate status from buffer memory, thereby can make the efficiency of certification authentication process significantly be improved.
The above, be only preferred embodiment of the present invention, is not intended to limit protection scope of the present invention.
Claims (5)
1. a CRL caching method for digital certificate, is characterized in that, the method comprises:
A, according to the strategy of digital certificate and actual conditions, the initial value BaseSN of a certificate serial number is set;
B, to system application, distribute one section for storing the internal memory of CRL CRL, and this section of internal memory carried out to initialization, by the buffer area content zero clearing of CRL;
C, from digital certificate issuing organization, obtain the CRL of a up-to-date issue;
D, the described CRL of parsing obtain TBSCertList from CRL;
E, from TBSCertList, obtain the sequence number of a digital certificate;
F, calculate the difference DELTA of described sequence number and BaseSN
sN;
G, establish described Δ
sNfor side-play amount, by corresponding binary location 1 in described CRL buffer area;
H, judge in described TBSCertList the sequence number that whether also has other digital certificates, if do not have, perform step I; Otherwise, return to step e;
I, step I: further judge whether other CRL entities in addition, if having, return to step C; Otherwise, finish the process of caching of described CRL.
2. the CRL caching method of digital certificate according to claim 1, is characterized in that, location-independent with in internal memory of the initial value BaseSN of described digital certificate sequence number.
3. the CRL caching method of digital certificate according to claim 1, it is characterized in that, described in step D, TBSCerList is a field in CRL, this field is a sequence, the person's of containing digital certificate issued name, issuing date, the issuing date of next CRL, the expansion of revoking list of cert and optional CRL.
4. the CRL caching method of digital certificate according to claim 1, is characterized in that, in described CRL buffer area, corresponding binary position is 1 or 0, in order to indication, whether the state of digital certificate that should position is revoked.
5. a querying method of verifying digital certificate state described in claim 1~4, is characterized in that, comprising:
The sequence number SN of a, acquisition digital certificate;
The difference of the initial value BaseSN of b, calculating SN and digital certificate sequence number, calculates Δ
sN=SN-BaseSN;
C, get Δ in CRL CRL buffer area
sNlocational binary value b;
D, judge whether the b value of this binary digit is 1, if 1, prove that this certificate is revoked; Otherwise b is not 1, prove that this certificate is effective.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201410303808.7A CN104036033A (en) | 2014-06-30 | 2014-06-30 | Certificate revocation list caching and checking method of digital certificate |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201410303808.7A CN104036033A (en) | 2014-06-30 | 2014-06-30 | Certificate revocation list caching and checking method of digital certificate |
Publications (1)
Publication Number | Publication Date |
---|---|
CN104036033A true CN104036033A (en) | 2014-09-10 |
Family
ID=51466803
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201410303808.7A Pending CN104036033A (en) | 2014-06-30 | 2014-06-30 | Certificate revocation list caching and checking method of digital certificate |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN104036033A (en) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN106504091A (en) * | 2016-10-27 | 2017-03-15 | 上海亿账通区块链科技有限公司 | The method and device that concludes the business on block chain |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1312988A (en) * | 1998-08-07 | 2001-09-12 | 艾利森电话股份有限公司 | Group addressing in packet communication system |
CN101136098A (en) * | 2006-08-30 | 2008-03-05 | 阿里巴巴公司 | Method, device and system for accessing to certificate revocation list |
CN101699812A (en) * | 2009-07-21 | 2010-04-28 | 北京信安世纪科技有限公司 | Quick processing method of digital certificate revocation list |
CN103064794A (en) * | 2013-02-04 | 2013-04-24 | 烽火通信科技股份有限公司 | Method for realizing efficient multiple protocol label switching (MPLS) label management |
-
2014
- 2014-06-30 CN CN201410303808.7A patent/CN104036033A/en active Pending
Patent Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1312988A (en) * | 1998-08-07 | 2001-09-12 | 艾利森电话股份有限公司 | Group addressing in packet communication system |
CN101136098A (en) * | 2006-08-30 | 2008-03-05 | 阿里巴巴公司 | Method, device and system for accessing to certificate revocation list |
CN101699812A (en) * | 2009-07-21 | 2010-04-28 | 北京信安世纪科技有限公司 | Quick processing method of digital certificate revocation list |
CN103064794A (en) * | 2013-02-04 | 2013-04-24 | 烽火通信科技股份有限公司 | Method for realizing efficient multiple protocol label switching (MPLS) label management |
Non-Patent Citations (3)
Title |
---|
FALDELLA, E ET AL.: "A flexible scheme for on-line public-key certificate status updating and verification", 《COMPUTERS AND COMMUNICATIONS, 2002. PROCEEDINGS. ISCC 2002. SEVENTH INTERNATIONAL SYMPOSIUM ON》 * |
PETRA WOHLMACHER: "Digital certificates: a survey of revocation methods", 《PROCEEDING.MULTIMEDIA "00 PROCEEDINGS OF THE 2000 ACM WORKSHOPS ON MULTIMEDIA》 * |
王常吉: "一个新的证书吊销列表设计方案", 《计算机工程》 * |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN106504091A (en) * | 2016-10-27 | 2017-03-15 | 上海亿账通区块链科技有限公司 | The method and device that concludes the business on block chain |
CN106504091B (en) * | 2016-10-27 | 2018-06-29 | 深圳壹账通智能科技有限公司 | The method and device merchandised on block chain |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
Zhao et al. | Rest: A reference-based framework for spatio-temporal trajectory compression | |
EP3744064B1 (en) | Systems and methods for privacy management using a digital ledger | |
CN108965299B (en) | Data access method, access verification equipment and data storage system | |
JP6018695B2 (en) | Data synchronization method and apparatus | |
JP2010503118A5 (en) | ||
GB2513798A (en) | A method for optimizing processing of restricted-access data | |
JP2008267875A5 (en) | ||
CN105426408A (en) | Multi-index data processing method and apparatus | |
CN102479189B (en) | A kind of magnanimity timestamp type data high-speed uniform index of reference method in internal memory | |
JP2016032247A (en) | Authentication station apparatus, authentication station program and authentication station operation method | |
CN104090897A (en) | Method, server and system for accessing metadata | |
US20210067507A1 (en) | Information processing apparatus and processing method for the same | |
CN102510335A (en) | RFID (Radio Frequency Identification Device) mutual authentication method based on Hash | |
WO2018184447A1 (en) | Blockchain-based digital certificate deletion method, device and system, and storage medium | |
CN112347521A (en) | Medical data management method and system based on medical block chain | |
US8046345B2 (en) | Method and system for managing file metadata transparent about address changes of data servers and movements of their disks | |
JP2016505962A5 (en) | ||
CN108881261B (en) | Service authentication method and system based on block chain technology in container environment | |
CN106528844A (en) | Data request method and apparatus, and data storage system | |
CN104036033A (en) | Certificate revocation list caching and checking method of digital certificate | |
TW201426284A (en) | Data storage method, data storage system and demand node using the same | |
CN110557266A (en) | People-seeking inspiring publishing method, device, equipment and computer-readable storage medium | |
CN103425797B (en) | Implementation method of short dynamic code and application thereof | |
CN105337943A (en) | IOT authentication method and IOT system | |
WO2010062114A3 (en) | Device and method for sensor node management based on metadata |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
RJ01 | Rejection of invention patent application after publication |
Application publication date: 20140910 |
|
RJ01 | Rejection of invention patent application after publication |