A Compatible Public Service Platform for Multi-Electronic Certification Authority

Similar documents
Design and Implementation of unified Identity Authentication System Based on LDAP in Digital Campus

Research on Full-text Retrieval based on Lucene in Enterprise Content Management System Lixin Xu 1, a, XiaoLin Fu 2, b, Chunhua Zhang 1, c

Constructing an University Scientific Research Management Information System of NET Platform Jianhua Xie 1, a, Jian-hua Xiao 2, b

Ten Risks of PKI : What You re not Being Told about Public Key Infrastructure By Carl Ellison and Bruce Schneier

Application of Face Recognition Technology in the Exam Identity Authentication System Li-jun YU 1,a,* and Ke-feng LI 2,b

The Analysis and Research of IPTV Set-top Box System. Fangyan Bai 1, Qi Sun 2

Research Of Data Model In Engineering Flight Simulation Platform Based On Meta-Data Liu Jinxin 1,a, Xu Hong 1,b, Shen Weiqun 2,c

Research on the Application of Digital Images Based on the Computer Graphics. Jing Li 1, Bin Hu 2

The Analysis of the Loss Rate of Information Packet of Double Queue Single Server in Bi-directional Cable TV Network

Serial Communication Based on LabVIEW for the Development of an ECG Monitor

A New Method Of VPN Based On LSP Technology

Research on Heterogeneous Communication Network for Power Distribution Automation

Study and Design of CAN / LIN Hybrid Network of Automotive Body. Peng Huang

Research and Design of Crypto Card Virtualization Framework Lei SUN, Ze-wu WANG and Rui-chen SUN

The Design of CAN Bus Communication System Based on MCP2515 and S3C2440 Jinmei Liu, Junhong Wang, Donghui Sun

The Application Analysis and Network Design of wireless VPN for power grid. Wang Yirong,Tong Dali,Deng Wei

Key Technology of Distributed E-commerce System Architecture

Construction of the Library Management System Based on Data Warehouse and OLAP Maoli Xu 1, a, Xiuying Li 2,b

Design and Implementation of a RFC3161-Enhanced Time-Stamping Service

Intelligent Terminal System Based on Trusted Platform Module

Study on the Quantitative Vulnerability Model of Information System based on Mathematical Modeling Techniques. Yunzhi Li

Kerberos and Public-Key Infrastructure. Key Points. Trust model. Goal of Kerberos

Shape Optimization Design of Gravity Buttress of Arch Dam Based on Asynchronous Particle Swarm Optimization Method. Lei Xu

A Digital Menu System Based on the Cloud client Technology Lin Dong 1, a, Weibo Li 1, b, Ping He 2,c,Jia Liu 1,d

AN WIRELESS COLLECTION AND MONITORING SYSTEM DESIGN BASED ON ARDUINO. Lu Shaokun 1,e*

Research on Power Quality Monitoring and Analyzing System Based on Embedded Technology

The Research and Application of the Fingerprint Key based USB-Key Pin Number Protection System Yu Lu 1, a, Zhong Liang 2, b, Chen Yue 3, c

Design and Implementation of Inspection System for Lift Based on Android Platform Yan Zhang1, a, Yanping Hu2,b

Some Lessons Learned from Designing the Resource PKI

The Design of Distributed File System Based on HDFS Yannan Wang 1, a, Shudong Zhang 2, b, Hui Liu 3, c

The RTP Encapsulation based on Frame Type Method for AVS Video

Research on WSN Secure Communication Method Based on Digital Watermark for the Monitoring of Electric Transmission Lines

Implementing Security in Windows 2003 Network (70-299)

A Test Sequence Generation Method Based on Dependencies and Slices Jin-peng MO *, Jun-yi LI and Jian-wen HUANG

Simulation Technology of Light Effect Based on Catia and Workbench Software HongXia Hu

Implementation and Design of Security Configuration Check Toolkit for Classified Evaluation of Information System

Research on Heterogeneous Network Integration in Distribution Communication Network

Application of Redundant Backup Technology in Network Security

A Static-Dynamic Conjunct Windows Process Integrity Detection Model

Design on Office Automation System based on Domino/Notes Lijun Wang1,a, Jiahui Wang2,b

Authentication and Authorization of End User in Microservice Architecture

The Internet of Things for Petroleum Transportation

Research Article. Three-dimensional modeling of simulation scene in campus navigation system

The Design and Implementation of Disaster Recovery in Dual-active Cloud Center

The design and implementation of data exchange based on XML

Utilizing Restricted Direction Strategy and Binary Heap Technology to Optimize Dijkstra Algorithm in WebGIS

Research on System Login Security Encryption Method Based on MD5

Study on data encryption technology in network information security. Jianliang Meng, Tao Wu a

Realization of Automatic Keystone Correction for Smart mini Projector Projection Screen

LDAP-based IOT Object Information Management Scheme

A Network Disk Device Based on Web Accessing

A Novel Adaptive Proxy Certificates Management Scheme in Military Grid Environment*

Research on Two - Way Interactive Communication and Information System Design Analysis Dong Xu1, a

KNOWLEDGE SOLUTIONS. MIC2823 Implementing and Administering Security in a Microsoft Windows Server 2003 Network 5 Day Course

Send documentation comments to

Server-based Certificate Validation Protocol

Public Key Establishment

The Research of Internet of Things in Operation and Maintenance for Distribution Grid

A Novel Data Mining Platform Design with Dynamic Algorithm Base

Certification Authority

Research on Data Transmission and Information Integration Technology in the Distributed Wind Farm SCADA System

The Research of Delay Characteristics in CAN Bus Networked Control System

CSE 565 Computer Security Fall 2018

A Finite State Mobile Agent Computation Model

In the City Part 6 MANDARIN. ENGLISH Ni hao wo jiao zhou zhou. Hello. My name is Jojo Ni hao lu lu. Hello Lulu. Ni hao zhou zhou. Ni hao ma?

Configuring Certificate Authorities and Digital Certificates

Study on GA-based matching method of railway vehicle wheels

Design and Implementation of LED Display Screen Controller based on STM32 and FPGA Chi Zhang 1,a, Xiaoguang Wu 1,b and Chengjun Zhang 1,c

Design of PC Remote Monitoring System for Standby Generators Chuanhong Zhou 1,a,Jinjie Xiao 1,b, Wei Ren 1,c

Computer Life (CPL) ISSN: Research on the Construction of Network and Information Security. Architecture in Campus

2017 2nd International Conference on Communications, Information Management and Network Security (CIMNS 2017) ISBN:

Keywords: Interactive electronic technical manuals; GJB6600; XML markup language; Automatic control equipment

Copyright

High Level Architecture and Agent Technology based Astronautics Simulation Platform and Cluster Computing Environment s Construction

Design and Implementation of CNC Operator Panel Control Functions Based on CPLD. Huaqun Zhan, Bin Xu

Public-Key Infrastructure NETS E2008

A New Evaluation Method of Node Importance in Directed Weighted Complex Networks

Network protocol for Internet of Things based on 6LoWPAN

Overview. SSL Cryptography Overview CHAPTER 1

The Design of Water Quality Monitoring Cloud Platform Based on. BS Architecture

Quality Assessment of Power Dispatching Data Based on Improved Cloud Model

When HTTPS Meets CDN

DESIGN OF WEB SERVICE SINGLE SIGN-ON BASED ON TICKET AND ASSERTION

, ,China. Keywords: CAN BUS,Environmental Factors,Data Collection,Roll Call.

70-742: Identity in Windows Server Course Overview

Applied Mechanics and Materials Vol

Crop Production Management Information System Design and Implementation

M2M / IoT Security. Eurotech`s Everyware IoT Security Elements Overview. Robert Andres

The Application of Programmable Controller to Chip Design. Shihong Lan 1, Jian Zhang 2

International Conference on Information Sciences, Machinery, Materials and Energy (ICISMME 2015)

ASEAN e-authentication Workshop Balwinder Sahota

Construction Scheme for Cloud Platform of NSFC Information System

BlackVault Hardware Security Platform SECURE TRUSTED INTUITIVE. Cryptographic Appliances with Integrated Level 3+ Hardware Security Module

Update on Resource Certification. Geoff Huston, APNIC Mark Kosters, ARIN IEPG, March 2008

result, it is very important to design a simulation system for dynamic laser scanning

Axway Validation Authority Suite

Overview Brosix stringent corporate security requirements.

Technical Trust Policy

DIGITALSIGN - CERTIFICADORA DIGITAL, SA.

ENCRYPTED DATA MANAGEMENT WITH DEDUPLICATION IN CLOUD COMPUTING

Transcription:

Applied Mechanics and Materials Submitted: 2014-04-26 ISSN: 1662-7482, Vol. 610, pp 579-583 Accepted: 2014-05-26 doi:10.4028/www.scientific.net/amm.610.579 Online: 2014-08-11 2014 Trans Tech Publications, Switzerland A Compatible Public Service Platform for Multi-Electronic Certification Authority Yi Sun 1, a, Dunwei Liu 1, 2, b *, Peng Zhang 2, c, Xu Zhang 2, d and Tao Yu 2, e 1 Beijing University of Posts and Communications, Beijing 100876, China 2 School of Software and Microelectronics, Peking University, Beijing 100871, China a sun771068@sina.com, b dunweiliu@gmail.com, c pengzhang@sina.com, d xuzhang@gmail.com, e taoyu@gmail.com Keywords: Certificate Authority, Digital Certificate, Electronic Authentication Abstract. Electronic certification authority (CA) application has problem in compatibility. The validation between some certification authorities is indispensable. In this paper, special qualities of some overlapped authentication models are analyzed based on the operation application. Also, an electronic authentication public service platform has been designed for compatible application of Multi-CA. The platform is both efficient, and convenient. Introduction With the rapid development of information encryption technology, the technology of electronic certification authority is playing a more and more important role in the authority application. Traditional certification module usually follows such way: There is a certification authority institution provides appropriate and electronic authorities to various clients, electronic certification is deployed in the application system interface to implement the electronic certification login authentication, data encryption and electronic signatures and other security features. But some problems come up with the application of electronic authority. For instance, technology capability and management level of CA mechanism is uneven, so these exclusive CA mechanisms of traditional electronic certification application mode are not compatible, and cannot guarantee the quality certification a long time work, facing larger risk of operation. At the same time, more and more overlapped clients are making the process of making electronic authority is too complex to finish [1-3]. So it is a primary basis to build a new standard to satisfy the development of electronic authority. To realize the mutual recognition between CAs, cross authentication technology has been proposed recently [4-9]. Cross certification model of the trust domain has been studied in many researches. After analysis of some kinds cross authority modules, we conclude that list of trust model is a simple, efficient and reliable way to apply. From the perspective of practical business application, we publish an electronic certification public service platform to satisfy the requirement of CA. This platform is developed based on the traditional model of authority list. We raise the security level by controlling the trust source. And unifying interfaces solves the problems of information authority and deployment. Also we make some effort to raise the efficiency by localizing the certification revoke list (CRL). Cross Certification Model Introduction of Major Model. From the respect of CA, cross authority technology is used to beat the trust island problem caused by different CAs. From the respect of business application, this measure play a primary role in compatibility of various certification authorities [10]. The major kinds of cross authority model are as follow [11]: Tree model. This model is also called hierarchical model. There is only one root CA in this model, and it manages other CAs in a unified way. These CAs are the subordinate of the root CA. So all CAs constitute the corresponding trust paths by different level trust nodes. The essential characteristic of tree model is building a unified root certification to form various trust paths. And the key point of All rights reserved. No part of contents of this paper may be reproduced or transmitted in any form or by any means without the written permission of Trans Tech Publications, www.ttp.net. (#69695037, Pennsylvania State University, University Park, USA-12/09/16,16:13:49)

580 Mechanics, Mechatronics, Intelligent System and Information Technology ensure the subordinate CAs mutual recognition is keeping all these CAs are in the same level of trust domain. Network Model. This model is known as peer-to-peer model. Compared with tree model, the relationship between each CA is loose coupled in network model. There is no definite trust center. Every CA can establish and cancel the trust relationship according to the business need. Network model is characterized by good flexibility and high security. It will destroy the whole authority system if one CA has broken. However, the various kinds of relationship will make a higher cost in trust management and implementation [12]. Bridge model (Also Called Hub-And-Spoke Model). Bridge model builds some links between each CA to form a bridge certification authority (BCA). And it is responsible for awarding cross authentication certification to CA in different trust domains. Then it could realize peer trust relationship between the CAs. Bridge CA core role is to build the trust of the sender domain and the receiver of the trust relationship between the trust domains. If BCA publishes that the CA is a credible part, then other CAs would believe it. And every single trust domain will extend to the whole system. So it is evident that bridge model is very fair for every CA. But BCA has the task to keep the security of core trust path, so it is too complex to establish in practice. Certification Trust List (CTL). CTL is a supplication system which is constructed by maintenance or unified deployment. It distinguishes whether the certification client is credible or not and shields the path of wrong root CA. After this, it is easy to certificate some different CA s electronic certifications at the same time. Trust list mode is characterized by simple operation, and reduced the complicated steps and risk. But this model will also face some problems of distinguishing trust relationship, optimizing controllable security and developing authentication efficiency. The four ways above are different in technology, implementation, condition and actuating range. For the reason such as policy regulation, maturity and complexity, the first three ways are very difficult to realize at this stage. Certification trust list model can t solve the problem of mutual trust fundamentally. It just lets some CAs interchange in a designated application system by increasing some trust anchors [13], however, there are three advantages in certification trust list model. First, it does not involve the revolution of CA system. As long as CA issuing electronic authority according to national standard, it doesn t need any additional operation to develop their trust path. Easily connected to application system is the second one. Regardless of the type of password device, the underlying code application interface, the user's trust domain connectivity and the definition of CA organization, application system could choose the reliable certification path by deploying a trust list in the system end. Another important aspect is convenient management of trust source. Trust list can be defined by their application system, it can also be defined according to the needs of management, in a particular application domain, controlled by department of unified deployment and management. Therefore, from the perspective of technology on the reliability and the implementation feasibility, trust list is the key technology to realize the trust path of Multi-electronic CAs. Improved Trust List Model Of Cross Certification From the perspective of business applications, the main conditions of implement multiple compatible CA certification authentication are the efficiency of certificating process, improvement cost and control ability. So the traditional trust list model can t satisfy these requirements. We propose an improved model in certificating efficiency, security and optimized application. Optimize the Certificating Efficiency. Certificating efficiency of trust list model is determined by two points: constructing trust path to verify the root certification and checking the effectiveness of certification in CRL. Fixed the length of trust list leads the calculation about checking any CA s root is not a complex process. The retrieval efficiency of traditional certificating is efficient by the common query matching algorithm. However, CRL demands that CA should regularly update and publish in real time. This requirement involves remote data operation. So the CRL verification is a key step in the process of authenticating efficiency. This process has two modes, online authentication

Applied Mechanics and Materials Vol. 610 581 and local authentication. Online authentication mode: Business system verifies the CRL through accessing CA CRL publishing point or checking online certification status query (OCSP) server. Local authentication mode: CA announces a blacklist and synchronizes it to the latest business system. Business system authenticates the client certification by the local CRL latest file. Business system needs active network connection to access certification statue or invalid certification list service provided by the online CA. So the efficiency of system operation will be reduced by this. And the processing performance entirely depends on the CA organization and leads some chances to attacker. In this model, the whole system actively connects with outside by scheduling every system server to realize the strategy of network bound security. With some different CA models, the business system will exchange information with outside CA organization. The additional connections increase the risk of being attacked. On the contrary, Local authentication mode solves these problems easily. For example, on one side, the authentication of client certification can be accomplished by using the local CRL mechanism. It reduces the vulnerabilities without outside connection. On the other side, CA actively refurbishes the blacklist. So CA s active synchronization mechanism will control the outside service address and interface and keep the whole system from being attacked. Therefore, from the analysis of the improved trust list of cross certification model above, we find that this model is more efficient in Multi-electronic authentication. Enhancement of Security. Trust list is the data collection of root certification and certification chain in business system. It beats various illegal operations (tampering, increasing or reducing). In order to ensure the reliable trust list and blacklist file storage, we use file form of encryption or signature type to constitute a special safety storage area. Secure storage area storages every element according to the kind of CA's root certification and CRL file. To insure the security of the storage, every storage part is encrypted by special format and provided a dedicated interface to read and write. CA root certification management and the CRL update adopt strict authorization mechanism and schedule read and write interface by related instruction. Optimizing the Application of Transformation. Traditional trust list cross certification model uses the CA certification application interface library to realize the cross access certification validation work. This model causes problems like repeatedly calling the interface of CA, occupying source, complex management and increasing the risk of information transmission. However, in the improved trust list cross certification model, every CA organization will provide appropriate interface of encrypted equipment which satisfy the CSP and P11 standard. So it can be packaged with unified interface of CA. These unified interface is independent from every CA certification interface library and can take operation directly for electronic connection. Unified certification application interface ignores the difference of all kinds of equipment passwords (Encryption, encryption card, smart IC card and smart USB KEY) to realize the mutual verification of encrypted and signature data. Unified certification application interface provides timestamp function for the business system. In the aspect of interface application, the improved model only need to deploy a unified certification application interface library once in the business system, without having to deploy each CA existing interface library. So, it can simplify the deployment, optimization of interface development calls and reduce maintenance workload in practice. The Electronic Certification Public Service Platform Based On Improved Trust List Model The electronic certification public service platform can provide a compatible function of multiple CA electronic certifications for all kinds of business system. It includes the certification application interface and multi CA application support management in Figure 1. The certification application interface includes an application service layer, a core layer and a device interface layer. And it realizes adding, deleting or changing function on root certification and blacklist. In this platform various CAs are compatible for their functions like certification validation, certification analysis, CRL validation, digital encrypted, timestamp and XML operation. The management and configuration functions (the management of CA application, password service, root

582 Mechanics, Mechatronics, Intelligent System and Information Technology certification, CRL and trust relation storage) of trust source and trust list are provided by management module of multi-ca application. The multi-ca management module can be used in a single application system or a single part of application to accomplish centralized management of multi-ca. Figure 1. The system structure of electronic certification public service platform. Conclusions This paper proposes an improved trust List model of Cross Certification based on the analysis of the traditional one. It optimizes the efficiency of certification, security and the configuration of application. Using these improved model we build a public service platform which has the practical value for electronic authentication. It can satisfy the requirement of a compatible platform for multi-electronic certification authority with more efficient management. Acknowledgements This work was financially supported by the National Natural Science Foundation of China (61179029). References [1] [1] YAN Hai-long, YU Jian-ping, HU Qiang, et al., A Trusted Third Party Inter-Domain Authentication Model Based on Trust Lists. Signal Processing. 2012, 28(9): 1278-1283. [2] SHEN Jie, JANG Cao-hui. A Realization and Implementation of Cross-Certified Based on SOA.Journal of Guizhou University (Natural Science), 2010, 27(1): 80-85. [3] Su Bing, Lv Fang-fang, You Jing, et al., Analysis and research on network trust models based on multi-ca [J]. Second International Conference on Information Technology and Computer Science, 2010: 390-393.

Applied Mechanics and Materials Vol. 610 583 [4] ZHU Peng-fei, DAI Ying-xia, BAO Xu-hua. A distributed trust model with high-compatibility based of bridge CA [J]. Journal of Software, 2006, 17(8): 1818-1823. [5] PENG Hua-Xi. An Identity2Based Authentication Model for Multi2Domain. CHINESE JOURNAL OF COMPU TERS, 2006, 29(8): 1271-1281. [6] Helena Rif-Pous, Jordi Herrera-Joancomarti. An Interdomain PKI Model Based on Trust Lists. EuroPKI 2007, LNCS 4582, 2007: 49-64. [7] LIU Yan, XI Jing, LU Jian-de. Proxy of Certificate Validation Based on Hybrid Trust Model. Computer engineering, 2008, 34(1): 170-172. [8] YANG Xuan-yuan, LU Jian-de, LIU Yan. The Research on Cross- certification Based on Path Sear ching Using Weighted Trust List. Microelectronics & Computer, 2006, 23(10): 165-172. [9] ZHOU Jing-quan, ZHANG Shun-yi, LI Ming. A method for authentication using multiple certificate paths. Journal on Communications, 2005, 26(1): 125-129. [10] Li Peng Zhang Changhong Zhou Libing. Research on PKI Trust Model Based on Cross Certification, Computer & Digital Engineering, 2010, 38(12): 100-103. [11] NASH A. Public Key Infrastructure: Implementing and managing electronic security [M]. 2002. [12] Mohan Atreya. Benjamin Hammond. Digital Signatures [M]. US: McGraw-Hill Companies, 2002. [13] Shi Weimin. Researches and Application on PKI and IBE Key Technology [D]. Beijing University of posts and telecommunications Ph.D. Thesis, 2006.

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback