基于入侵容忍的证书撤销列表机制研究

doi:10.3724/SP.J.1087.2013.00160

计算机应用 ›› 2013, Vol. 33 ›› Issue (01): 160-162.DOI: 10.3724/SP.J.1087.2013.00160

基于入侵容忍的证书撤销列表机制研究

吕红伟,徐蕾

沈阳航空航天大学计算机学院，沈阳 110136

收稿日期:2012-08-01 修回日期:2012-08-28 出版日期:2013-01-01 发布日期:2013-01-09
通讯作者: 徐蕾
作者简介:吕红伟(1988-)，男，吉林白山人，硕士研究生，主要研究方向：信息安全；徐蕾(1959-)，女，上海人，教授，主要研究方向：信息安全。

Research on certificate revocation list mechanism based on intrusion tolerance

LYU Hongwei,XU Lei

College of Computer Science, Shenyang Aerospace University, Shenyang Liaoning 110136, China

Received:2012-08-01 Revised:2012-08-28 Online:2013-01-01 Published:2013-01-09
Contact: XU Lei

摘要/Abstract

摘要： 公钥基础设施(PKI)系统中，认证机构(CA)签名不易伪造，对基于证书撤销列表(CRL)的证书撤销系统的入侵通常是破坏系统的可用性和数据的完整性，针对这一特点，设计了入侵容忍CRL服务系统。系统利用冗余的多台服务器存储CRL，在进行多机之间的数据复制和使用时，采取随机选择主服务器的被动复制算法及选择最近更新的CRL简单表决算法。在实验给定的入侵攻击条件下，入侵容忍的CRL系统比无容忍系统的证书撤销查询正确率提高了近20%，但也增加了系统的开销。实验结果表明，适当地增加CRL服务器的数量能够提高证书撤销查询的正确率且控制系统的开销。

关键词: 入侵容忍, 证书撤销列表, 复制, 表决, Over-Issued

Abstract: In Public Key Infrastructure (PKI) systems, the Certificate Authority (CA) signature is not easy to forge, thus, intrusions to these certificate revocation systems which are based on Certificate Revocation List (CRL) usually aim at destroying system usability and data integration. Concerning this intrusion feature, an intrusion tolerance CRL service system was designed in this paper. Within the system, CRL was stored on multiple redundant servers. In order to copy and use data among these servers, a passive replication algorithm of randomly selecting main server and a simple vote algorithm of selecting the most recent updated CRL were proposed. Under the given experiment intrusion conditions, although system expenses were increased, the query accuracy of certificate revocation of a system that tolerated intrusions was about 20% higher than that of a system that did not. The experimental results show that adding more servers properly increases the query accuracy of certificate revocation and controls the system expenses.

Key words: intrusion tolerance, Certificate Revocation List (CRL), copying, voting, Over-Issued

中图分类号:

TP393.083

吕红伟徐蕾. 基于入侵容忍的证书撤销列表机制研究[J]. 计算机应用, 2013, 33(01): 160-162.

LYU Hongwei XU Lei. Research on certificate revocation list mechanism based on intrusion tolerance[J]. Journal of Computer Applications, 2013, 33(01): 160-162.

参考文献

［1］王政,赵明,斯雪明,等.基于局部签名Hash表的证书撤销列表方案［J］.计算机工程,2009,35(1):36-40.

［2］吴庆涛,华彬,郑瑞娟,等.基于自律计算的入侵容忍模型［J］.计算机应用,2010,30(9):2386-2388.

［3］LIU J M, LI Y Z, ZHAO Y, et al. Research on computer immune system based on intrusion tolerance ［C］ // Proceedings of the 2010 International Conference on Future Information Technology and Management Engineering. Piscataway: IEEE Press, 2010: 200-203.

［4］LIU L X, XIA J B, MA Z Q, et al. Rapid-response replication: a fault tolerant algorithm based on active replication ［C］ // Proceedings of the 7th International Conference on Computational Science. Berlin: Springer-Verlag, 2007: 133-136.

［5］WANG Y J, LI S J. Research and performance evaluation of data replication technology in distributed storage systems ［J］. Computer and Mathematics with Applications, 2006, 51(11): 1625-1632.

［6］DI R H, WANG T, LIANG Y, et al. The analysis and implementation of partition replication-based distributed cache system ［C］// Proceedings of the 12th International Conference on High Performance Computing and Communications. Piscataway: IEEE Press, 2010: 719-724.

［7］de JUAN-MARIN R, DECKER H, MUNOZ-ESCO F D. Revisiting hot passive replication ［C］// Proceedings of the Second International Conference on Availability, Reliability and Security. Washington, DC: IEEE Computer Society, 2007: 93-102.

［8］刘海蛟,荆继武,林璟锵,等.一种入侵容忍的资料库［J］.中国科学院研究生院学报,2006,23(1):46-51.

［9］SAMYDURAI A, MUKHERJEE S. Fully distributed active software objects replication in OO-Middleware ［C］// Proceedings of the 16th IEEE International Conference on Networks. Piscataway: IEEE Press, 2008: 1-6.

［10］TARIQ Q I. Learning from experience: better design techniques for an improved consensus protocol ［C］// Proceedings of the 2nd IEEE International Conference on Computer Technology and Development. Piscataway: IEEE Press, 2010: 420-424.

［11］AMIR Y, COAN B, KIRSCH J, et al. Prime: Byzantine replication under attack ［J］. IEEE Transactions on Dependable and Secure Computing, 2011, 8(4): 564-577.

［12］ZHAO J, TANG S P. An improved over-issued CRLs method ［C］// Proceedings of the Second International Conference on Innovative Computing, Information and Control. Piscataway: IEEE Press, 2007: 481-484.

[1]	颜普, 苏亮亮, 邵慧, 吴东升. 基于多支持区域局部亮度序的图像伪造检测[J]. 计算机应用, 2019, 39(9): 2707-2711.
[2]	张健, 汪洋, 刘丹丹. 分布式一致性算法Yac[J]. 计算机应用, 2017, 37(9): 2524-2530.
[3]	赵利平, 林涛, 龚迅炜, 朱蓉. 帧内微块复制的屏幕图像编码算法[J]. 计算机应用, 2016, 36(7): 1938-1943.
[4]	林晶, 黄添强, 赖玥聪, 卢贺楠. 采用量化离散余弦变换系数检测视频单帧连续多次复制粘贴篡改[J]. 计算机应用, 2016, 36(5): 1356-1361.
[5]	陈柳, 周伟. 面向服务计算的拜占庭容错方案及其正确性证明[J]. 计算机应用, 2016, 36(2): 505-510.
[6]	段菊, 陈旺虎, 王润平, 俞茂义, 王世凯. 云环境下基于聚簇的科学工作流执行优化策略[J]. 计算机应用, 2015, 35(6): 1580-1584.
[7]	廖声扬, 黄添强. 基于几何均值分解和结构相似度的同源视频时间域复制粘贴篡改快速检测及恢复方法[J]. 计算机应用, 2015, 35(3): 821-825.
[8]	黄亮, 姜帆, 荀浩, 马多贺, 王利明. 面向软件定义网络的入侵容忍控制器架构及实现[J]. 计算机应用, 2015, 35(12): 3429-3436.
[9]	李勇, 吴立慧, 黄宁, 吴维刚. 基于HBase的地理分布副本管理机制[J]. 计算机应用, 2015, 35(11): 3097-3101.
[10]	张巧龙张桂珠吴德龙. 基于任务复制的多维QoS云计算任务调度[J]. 计算机应用, 2014, 34(9): 2527-2531.
[11]	焦丽鑫杜振龙. 基于均值漂移的图像复制粘贴伪造盲检测[J]. 计算机应用, 2014, 34(3): 806-809.
[12]	李庆民李华徐立袁伟. 系统可靠性结构识别方法[J]. 计算机应用, 2014, 34(11): 3340-3343.
[13]	陈雅琳黄宏光李燕斌. CORBA分布式系统中网络分割协议可行度分析[J]. 计算机应用, 2013, 33(08): 2124-2127.
[14]	景丽张慧娟. 基于相位相关的图像区域复制篡改检测与定位[J]. 计算机应用, 2013, 33(03): 660-662.
[15]	张龙翔. 一种基于不可复制功能的RFID认证协议的安全性分析[J]. 计算机应用, 2012, 32(08): 2280-2282.

基于入侵容忍的证书撤销列表机制研究

Research on certificate revocation list mechanism based on intrusion tolerance

PDF

可视化

摘要/Abstract

引用本文

使用本文

参考文献

相关文章 15

编辑推荐

Metrics