一种开放式PKI身份认证模型的研究

分析了传统PKI(Public Key Infrastructure)身份认证模型存在的问题,基于OCSP(Online Certificate Status Protocol)协议的证书状态验证服务和密钥验证服务相分离,造成了传统PKI身份认证模型的信任度下降,增加了身份认证的风险,跨CA(Certificate Authority)认证复杂度高,CA机构提供的身份认证服务不完整等问题。提出了一种开放式PKI身份认证模型,由CA中心独立完成两个验证服务,将OCSP应答机制改进为提供身份证明文件的方式,可有效解决上述问题。通过云信任评估模型对两种认证模型进行了量化评估,证明了本文提出的开放式身份认证模型可有效提高信任度。对该模型进行了原型实现,重点对性能问题进行了优化,实验测试表明,该模型具有实用价值。

Research on open identity authentication model for PKI

Some problems about the traditional identity authentication model for PKI(Public Key Infrastructure) were analyzed. For example, because certificate status verification service and key verification service depend on different service providers who have not enough trust degree in open network environment, the trust degree of the traditional model decreases and its risk increases. Additionally, there are other problems about cross-CAs and incomplete authentication service in the traditional model. Thus a new open identity authentication model was put forward for PKI, which can solve the above problems. In this model, the above two verification services were both provided by CA, and the service result was applied by providing identity certification file instead of OCSP answer. The trust degree of the traditional model and our model by using the cloud trust model presented by other researchers was calculated. The result of the calculating test shows that our model can improve the trust degree obviously. Finally, the prototype system of our model was completed, and especially the performance of the model was optimized. The test shows that the model has good practical value.