Applied Mechanics and Materials, ISSN: 1662-7482, Vol. 610, pp 579-583
doi:10.4028/www.scientific.net/amm.610.579
Submitted: 2014-04-26. Accepted: 2014-05-26. Online: 2014-08-11
2014 Trans Tech Publications, Switzerland

A Compatible Public Service Platform for Multi-Electronic Certification Authority

Yi Sun 1,a, Dunwei Liu 1,2,b *, Peng Zhang 2,c, Xu Zhang 2,d and Tao Yu 2,e

1 Beijing University of Posts and Communications, Beijing 100876, China
2 School of Software and Microelectronics, Peking University, Beijing 100871, China

a sun771068@sina.com, b dunweiliu@gmail.com, c pengzhang@sina.com, d xuzhang@gmail.com, e taoyu@gmail.com

Keywords: Certificate Authority, Digital Certificate, Electronic Authentication

Abstract. Electronic certification authority (CA) applications have compatibility problems, and validation between certification authorities is indispensable. In this paper, the characteristics of several overlapping authentication models are analyzed from the standpoint of operational application. An electronic authentication public service platform is also designed for compatible multi-CA application. The platform is both efficient and convenient.

Introduction

With the rapid development of information encryption technology, electronic certification authority technology is playing an increasingly important role in authentication applications. The traditional certification model usually works as follows: a certification authority institution provides the appropriate electronic certificates to various clients, and electronic certification is deployed in the application system interface to implement certificate-based login authentication, data encryption, electronic signatures and other security features. But some problems arise in the application of electronic certification.
For instance, the technical capability and management level of CA organizations are uneven, so the exclusive CA mechanisms of the traditional electronic certification application mode are not compatible with one another and cannot guarantee certification quality over a long period, which exposes them to greater operational risk. At the same time, the growing number of overlapping clients makes the process of electronic certification too complex to complete [1-3]. A new standard is therefore a primary basis for the development of electronic certification.

To realize mutual recognition between CAs, cross authentication technology has been proposed recently [4-9]. The cross certification model of the trust domain has been studied in many works. After analyzing several kinds of cross certification model, we conclude that the trust list model is a simple, efficient and reliable one to apply. From the perspective of practical business application, we present an electronic certification public service platform to satisfy the requirements of CAs. The platform is developed on the basis of the traditional trust list model. We raise the security level by controlling the trust source, and unified interfaces solve the problems of information authentication and deployment. We also improve efficiency by localizing the certificate revocation list (CRL).

Cross Certification Model

Introduction of Major Model. From the perspective of the CA, cross certification technology is used to overcome the trust island problem caused by different CAs. From the perspective of business application, it plays a primary role in the compatibility of various certification authorities [10]. The major kinds of cross certification model are as follows [11]:

Tree model. This model is also called the hierarchical model. There is only one root CA in this model, and it manages the other CAs in a unified way. These CAs are subordinates of the root CA, so all CAs form the corresponding trust paths through trust nodes at different levels.
The essential characteristic of the tree model is that a unified root certificate is built to form the various trust paths. The key to ensuring mutual recognition among the subordinate CAs is keeping all of them at the same level of the trust domain.

Network model. This model is known as the peer-to-peer model. Compared with the tree model, the relationships between CAs in the network model are loosely coupled. There is no definite trust center. Every CA can establish and cancel trust relationships according to business need. The network model is characterized by good flexibility and high security. It will destroy the whole authority system if one CA is broken. However, the many kinds of relationship lead to a higher cost in trust management and implementation [12].

Bridge model (also called hub-and-spoke model). The bridge model builds links between the CAs to form a bridge certification authority (BCA), which is responsible for issuing cross authentication certificates to CAs in different trust domains. In this way a peer trust relationship between the CAs can be realized. The core role of the bridge CA is to build the trust relationship between the trust domain of the sender and the trust domain of the receiver. If the BCA declares that a CA is credible, the other CAs will believe it, and every single trust domain extends to the whole system. It is therefore evident that the bridge model is very fair to every CA. But the BCA has the task of keeping the core trust path secure, so it is too complex to establish in practice.

Certification Trust List (CTL). The CTL is an application system that is constructed through maintenance or unified deployment. It determines whether a client's certificate is credible and screens out paths that lead to a wrong root CA. It is then easy to validate the electronic certificates of several different CAs at the same time. The trust list model is characterized by simple operation, and it reduces complicated steps and risk.
But this model also faces problems in distinguishing trust relationships, optimizing controllable security and improving authentication efficiency.

The four approaches above differ in technology, implementation, conditions and scope of application. For reasons such as policy regulation, maturity and complexity, the first three are very difficult to realize at this stage. The certification trust list model cannot solve the problem of mutual trust fundamentally; it only lets some CAs interoperate in a designated application system by adding trust anchors [13]. However, the certification trust list model has three advantages. First, it does not involve an overhaul of the CA system. As long as a CA issues electronic certificates according to the national standard, it needs no additional operation to develop its trust path. Second, it connects easily to the application system. Regardless of the type of password device, the underlying code application interface, the connectivity of the user's trust domain and the definition of the CA organization, the application system can choose a reliable certification path by deploying a trust list on the system side. Third, the trust source is convenient to manage. The trust list can be defined by the application system itself, or it can be defined according to management needs within a particular application domain and controlled by a department responsible for unified deployment and management. Therefore, in terms of technical reliability and feasibility of implementation, the trust list is the key technology for realizing the trust path of multi-electronic CAs.

Improved Trust List Model Of Cross Certification

From the perspective of business applications, the main conditions for implementing compatible multi-CA certificate authentication are the efficiency of the validation process, the cost of modification and the ability to control. The traditional trust list model cannot satisfy these requirements.
We propose a model that is improved in validation efficiency, security and application optimization.

Optimize the Certificating Efficiency. The validation efficiency of the trust list model is determined by two points: constructing the trust path to verify the root certificate, and checking the validity of the certificate against the CRL. Because the length of the trust list is fixed, checking any CA's root is not a complex computation, and a common query matching algorithm makes retrieval in traditional validation efficient. However, the CRL requires the CA to update it regularly and publish it in real time, and this requirement involves remote data operations. CRL verification is therefore a key step for authentication efficiency. This process has two modes, online authentication and local authentication.

Online authentication mode: The business system verifies the CRL by accessing the CA's CRL publishing point or by querying an Online Certificate Status Protocol (OCSP) server.

Local authentication mode: The CA publishes a blacklist and synchronizes the latest version to the business system. The business system authenticates the client certificate against the latest local CRL file.

In online mode, the business system needs an active network connection to access the certificate status service or the revoked certificate list service provided by the online CA, which reduces the efficiency of system operation. Processing performance depends entirely on the CA organization, and this gives attackers an opening. In this mode, the whole system actively connects to the outside, with every system server scheduled to implement the network boundary security strategy. With several different CAs, the business system exchanges information with outside CA organizations, and the additional connections increase the risk of being attacked. By contrast, the local authentication mode solves these problems easily. On the one hand, the authentication of a client certificate can be accomplished with the local CRL mechanism, which reduces vulnerabilities because no outside connection is needed. On the other hand, the CA actively refreshes the blacklist, so the CA's active synchronization mechanism controls the outside service address and interface and keeps the whole system from being attacked. Therefore, from the analysis of the improved trust list cross certification model above, we find that this model is more efficient for multi-electronic authentication.

Enhancement of Security. The trust list is the collection of root certificates and certificate chains in the business system. It defends against various illegal operations (tampering, additions or deletions).
To ensure reliable storage of the trust list and blacklist files, we use encrypted or signed files to form a special secure storage area. The secure storage area stores every element according to the kind of CA root certificate and CRL file. To ensure the security of the storage, every storage part is encrypted in a special format and is provided with a dedicated interface for reading and writing. CA root certificate management and CRL updates adopt a strict authorization mechanism and invoke the read and write interface through the related instructions.

Optimizing the Application of Transformation. The traditional trust list cross certification model uses each CA's certification application interface library to carry out cross certification validation. This causes problems such as repeated calls to the CA interfaces, resource occupation, complex management and increased risk in information transmission. In the improved trust list cross certification model, however, every CA organization provides an interface to its encryption equipment that satisfies the CSP and P11 standards, so these interfaces can be packaged behind a unified CA interface. The unified interface is independent of every CA's certification interface library and can operate directly for electronic connection. The unified certification application interface hides the differences between all kinds of password equipment (encryption, encryption card, smart IC card and smart USB key) to realize mutual verification of encrypted and signed data. The unified certification application interface also provides a timestamp function for the business system. In terms of interface application, the improved model only needs a unified certification application interface library to be deployed once in the business system, without deploying each CA's existing interface library. It therefore simplifies deployment, optimizes interface development calls and reduces the maintenance workload in practice.
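The following added example (not code from the paper or its platform) combines the local authentication mode from "Optimize the Certificating Efficiency" with the protected storage from "Enhancement of Security": the trust list and local CRLs are read only through an integrity-checked interface, and validation fails closed when a root is not on the list or the local CRL is overdue. Assumptions: HMAC-SHA256 stands in for the paper's unspecified encrypted or signed file format, certificates are modelled as records whose signatures are taken as already verified, the status names and the handling of an overdue CRL are choices made here, and all keys, fingerprints, serials and dates are constructed.

```python
import hashlib, hmac, json
from datetime import datetime

# Assumption: this key is held only by the platform's management module.
STORE_KEY = b"constructed-demo-key"

def _mac(body: str) -> str:
    return hmac.new(STORE_KEY, body.encode(), hashlib.sha256).hexdigest()

def seal(records: dict) -> dict:
    """Write interface: serialise trust list and local CRLs, attach a MAC."""
    body = json.dumps(records, sort_keys=True)
    return {"body": body, "mac": _mac(body)}

def open_store(sealed: dict) -> dict:
    """Read interface: reject a store that was modified, extended or trimmed."""
    if not hmac.compare_digest(_mac(sealed["body"]), sealed["mac"]):
        raise ValueError("trust store integrity check failed")
    return json.loads(sealed["body"])

def check_certificate(sealed: dict, cert: dict, now: datetime) -> str:
    """Local authentication mode: decide from the sealed store, no network I/O."""
    store = open_store(sealed)
    ca = store.get(cert["root_fingerprint"])
    if ca is None:
        return "untrusted-root"          # root CA is not on the trust list
    if now >= datetime.fromisoformat(ca["crl_next_update"]):
        return "crl-stale"               # CA's pushed update is overdue: fail closed
    if cert["serial"] in ca["revoked_serials"]:
        return "revoked"
    return "ok"

# Constructed sample store: two root CAs, each with its locally synchronised CRL.
SEALED = seal({
    "fp-ca-a": {"crl_next_update": "2014-07-01T00:00:00+00:00",
                "revoked_serials": ["1001", "1007"]},
    "fp-ca-b": {"crl_next_update": "2014-05-01T00:00:00+00:00",
                "revoked_serials": []},
})
NOW = datetime.fromisoformat("2014-06-01T00:00:00+00:00")

if __name__ == "__main__":
    for cert in ({"root_fingerprint": "fp-ca-a", "serial": "1002"},
                 {"root_fingerprint": "fp-ca-a", "serial": "1007"},
                 {"root_fingerprint": "fp-ca-b", "serial": "2001"},
                 {"root_fingerprint": "fp-ca-x", "serial": "1"}):
        print(cert, "->", check_certificate(SEALED, cert, NOW))
```

Because the CA pushes updates in local mode, an overdue CRL is the one condition the business system cannot repair by itself, which is why the example reports it separately from a revoked certificate.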
The Electronic Certification Public Service Platform Based On Improved Trust List Model

The electronic certification public service platform provides compatibility with the electronic certificates of multiple CAs for all kinds of business systems. As shown in Figure 1, it includes the certification application interface and multi-CA application support management. The certification application interface includes an application service layer, a core layer and a device interface layer, and it implements adding, deleting and changing of root certificates and the blacklist. In this platform the various CAs are compatible in functions such as certificate validation, certificate analysis, CRL validation, digital encryption, timestamping and XML operations. The management and configuration functions for the trust source and trust list (management of CA applications, password services, root certificates, CRLs and trust relation storage) are provided by the multi-CA application management module. The multi-CA management module can be used in a single application system or in a single part of an application to accomplish centralized management of multiple CAs.

Figure 1. The system structure of electronic certification public service platform.

Conclusions

This paper proposes an improved trust list model of cross certification based on an analysis of the traditional one. It optimizes certification efficiency, security and application configuration. Using this improved model, we build a public service platform that has practical value for electronic authentication. It can satisfy the requirement for a compatible platform for multi-electronic certification authorities with more efficient management.

Acknowledgements

This work was financially supported by the National Natural Science Foundation of China (61179029).

References

[1] YAN Hai-long, YU Jian-ping, HU Qiang, et al. A Trusted Third Party Inter-Domain Authentication Model Based on Trust Lists. Signal Processing, 2012, 28(9): 1278-1283.
[2] SHEN Jie, JANG Cao-hui. A Realization and Implementation of Cross-Certified Based on SOA. Journal of Guizhou University (Natural Science), 2010, 27(1): 80-85.
[3] Su Bing, Lv Fang-fang, You Jing, et al. Analysis and research on network trust models based on multi-ca [J]. Second International Conference on Information Technology and Computer Science, 2010: 390-393.
[4] ZHU Peng-fei, DAI Ying-xia, BAO Xu-hua. A distributed trust model with high-compatibility based of bridge CA [J]. Journal of Software, 2006, 17(8): 1818-1823.
[5] PENG Hua-Xi. An Identity-Based Authentication Model for Multi-Domain. CHINESE JOURNAL OF COMPUTERS, 2006, 29(8): 1271-1281.
[6] Helena Rif-Pous, Jordi Herrera-Joancomarti. An Interdomain PKI Model Based on Trust Lists. EuroPKI 2007, LNCS 4582, 2007: 49-64.
[7] LIU Yan, XI Jing, LU Jian-de. Proxy of Certificate Validation Based on Hybrid Trust Model. Computer engineering, 2008, 34(1): 170-172.
[8] YANG Xuan-yuan, LU Jian-de, LIU Yan. The Research on Cross-certification Based on Path Searching Using Weighted Trust List. Microelectronics & Computer, 2006, 23(10): 165-172.
[9] ZHOU Jing-quan, ZHANG Shun-yi, LI Ming. A method for authentication using multiple certificate paths. Journal on Communications, 2005, 26(1): 125-129.
[10] Li Peng, Zhang Changhong, Zhou Libing. Research on PKI Trust Model Based on Cross Certification. Computer & Digital Engineering, 2010, 38(12): 100-103.
[11] NASH A. Public Key Infrastructure: Implementing and managing electronic security [M]. 2002.
[12] Mohan Atreya, Benjamin Hammond. Digital Signatures [M]. US: McGraw-Hill Companies, 2002.
[13] Shi Weimin. Researches and Application on PKI and IBE Key Technology [D]. Beijing University of posts and telecommunications Ph.D. Thesis, 2006.