Abstract: In large-scale application environments, a poorly designed certificate revocation scheme imposes a heavy computational and network-transmission burden. This paper analyses the main kinds of certificate revocation list (CRL) mechanism and proposes the PSHT-CRL scheme, which combines the characteristics of segmented CRLs, redirect CRLs and over-issued CRLs and uses a hash table, partial signatures and linking so that, without weakening security, user queries and certificate updates become more efficient and the problems found in other revocation schemes are avoided. The security and efficiency of PSHT-CRL are analysed and compared with those of other CRL schemes.
Keywords:
Public Key Infrastructure,
hash table,
public-key certificate,
Certificate Revocation List
Abstract: In a large-scale environment, unreasonable certificate revocation management brings an enormous computation and network-transmission burden. This paper analyses several kinds of CRL mechanism and puts forward a certificate revocation list maintenance scheme named PSHT-CRL, which inherits the characteristics of segmented CRL, redirect CRL and over-issued CRL. PSHT-CRL uses a hash table, partial signatures and a linking method to ensure the scheme's security and to reduce the cost of answering user requests and of certificate updating, solving problems found in other revocation schemes. The security and performance of the scheme are analysed, and PSHT-CRL is compared with other CRL schemes.
Key words:
Public Key Infrastructure(PKI),
Hash table,
certificate,
Certificate Revocation List(CRL)
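The query path the abstract describes (hash a serial to a segment, verify only that segment's own signature, then test membership, and publish a new revocation by re-issuing one segment) is shown below as an added illustration. It is not code from the paper and does not reproduce the PSHT-CRL construction itself; it follows the general segmented and over-issued CRL idea the abstract names. The eight-bucket layout, the JSON encoding, the sample serials and the use of an HMAC as a stand-in for the CA's signature are all assumptions of this example; a real CA signs each segment with its asymmetric key.

```python
"""Illustration: a hash-bucketed CRL where every bucket carries its own signature.

A relying party hashes the serial it wants to check, fetches only that bucket,
verifies that bucket's signature, and tests membership.  A new revocation is
published by re-signing one bucket ("over-issuing" it) instead of the whole list.
Everything here (key, bucket count, encoding, sample serials) is constructed for
the example; the HMAC stands in for the CA's real asymmetric signature.
"""
import hashlib
import hmac
import json

CA_KEY = b"constructed-demo-signing-key"   # stand-in for the CA's private key
NUM_BUCKETS = 8                            # assumed segment count


def bucket_of(serial: int, num_buckets: int = NUM_BUCKETS) -> int:
    """Map a certificate serial to its segment; the relying party runs the same hash."""
    digest = hashlib.sha256(serial.to_bytes(20, "big")).digest()
    return int.from_bytes(digest[:4], "big") % num_buckets


def _payload(body: dict) -> bytes:
    """Canonical bytes that get signed; sort_keys makes the encoding deterministic."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_segment(body: dict) -> dict:
    """Attach the segment's own (partial) signature."""
    return {"body": body,
            "sig": hmac.new(CA_KEY, _payload(body), hashlib.sha256).hexdigest()}


def build_segmented_crl(revoked, this_update: str, num_buckets: int = NUM_BUCKETS) -> dict:
    """Split the revoked serials into num_buckets segments, each signed on its own."""
    buckets = {i: [] for i in range(num_buckets)}
    for serial in revoked:
        buckets[bucket_of(serial, num_buckets)].append(serial)
    crl = {}
    for i, serials in buckets.items():
        # The bucket index and total count sit inside the signed body, so a
        # segment cannot be served in place of another bucket (or under an
        # older, smaller layout) without breaking its signature.
        body = {"bucket": i, "of": num_buckets, "this_update": this_update,
                "serials": sorted(serials)}
        crl[i] = sign_segment(body)
    return crl


def verify_segment(segment: dict, expected_bucket: int,
                   num_buckets: int = NUM_BUCKETS) -> bool:
    """Check the partial signature and that this is the segment we asked for."""
    body = segment["body"]
    if body.get("bucket") != expected_bucket or body.get("of") != num_buckets:
        return False
    expected = hmac.new(CA_KEY, _payload(body), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, segment["sig"])


def is_revoked(crl: dict, serial: int, num_buckets: int = NUM_BUCKETS) -> bool:
    """Relying-party query: touch and verify exactly one segment."""
    idx = bucket_of(serial, num_buckets)
    segment = crl[idx]
    if not verify_segment(segment, idx, num_buckets):
        raise ValueError(f"segment {idx} failed verification")
    return serial in segment["body"]["serials"]


def over_issue(crl: dict, new_serial: int, this_update: str,
               num_buckets: int = NUM_BUCKETS) -> dict:
    """Publish a fresh revocation by re-signing only the affected bucket."""
    idx = bucket_of(new_serial, num_buckets)
    old = crl[idx]["body"]
    body = {"bucket": idx, "of": num_buckets, "this_update": this_update,
            "serials": sorted(set(old["serials"]) | {new_serial})}
    updated = dict(crl)            # the other segments are reused unchanged
    updated[idx] = sign_segment(body)
    return updated


if __name__ == "__main__":
    revoked = [1001, 1002, 4096, 65537, 999999]   # constructed sample serials
    crl = build_segmented_crl(revoked, "2009-01-01T00:00:00Z")
    print(is_revoked(crl, 4096), is_revoked(crl, 4097))   # True False
    crl = over_issue(crl, 4097, "2009-01-02T00:00:00Z")
    print(is_revoked(crl, 4097))                           # True
```

The point a practitioner should take from the example is the binding of the bucket index and bucket count into the signed body: without it, a network attacker who can serve CRL segments could answer a query for bucket j with a validly signed but empty bucket i, and the relying party would accept a revoked certificate. The over-issue step shows the cost model the abstract is after: one segment is re-signed and re-transmitted, the rest are unchanged.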
WANG Zheng; ZHAO Ming; SI Xue-ming; HAN Wen-bao. Certificate Revocation List Scheme Based on Partial Signature Hash Table [J]. Computer Engineering, 2009, 35(1): 36-39, 4.