网格中一种改进的代理证书链验证方案

Improved Scheme on Proxy Certificate Chain Verification in Grid

网格为了满足单点登陆和受限代理需求,引入了代理证书.实际运用中,多个代理的产生将形成代理证书链.对该证书链,需要按照算法进行验证,以确保各代理之间信任委托关系的正确.对当前证书链验证算法进行了分析,表明在一定条件下可以简化代理的认证,从而提高检验效率,降低验证时间.基于分析结论,通过引入一个数据结构提出一种该类验证算法的改进方案,该方案在验证代理证书链签名和收集安全政策方面有改进.尤其对于代理证书链的签名验证,实验表明其验证时间明显减少,且随着签署证书的密钥长度增加,以及代理证书链的增长,验证时间减少得越明显.该方案对在网格环境下广泛应用代理证书、信任证实现委托权限、建立信任关系等起到推动作用.

For the requirement of single sign on and limited proxy in grid, proxy certificate has been proposed and involved. As several proxies come into being while using them practically, it would come to a structure called proxy certificate chain. An algorithm is needed to verify the chain for assuring the trust relationship between each of proxies in it. So far, this kind of algorithm is seldom being discussed in terms of the algorithm efficiency. This paper, based on the analysis for the algorithm on verifying Proxy Certificate Chain, and a reference to a new data structure, proposes a solution on improving the algorithm efficiency. The improvement comes up not only in collection of security policy, but also verification of digital signature. Simulation test shows the improvement, especially on signature decryption, is notable. So for the application of proxy certificate and credential in grid to establish trust relationship and privilege delegation provide an occasion.