一种集成化的 PKI 数字证书验证安全增强方案.

Recently, there were several security incidents of certificate services in public key infrastructures (PKI): fraudulent TLS server certificates were signed by certification authorities (CA) due to network attacks, and bound the attacker ' s public key to the victim website's domain name. So various security-enhanced certification verification schemes were proposed to defeat against these attacks, and each scheme has its own advantage and disadvantage in security and/ or performance. This paper presented an integrated security-enhanced PKI certificate verification scheme based on Pinning, while the disadvantages of Pinning was solved by integrating other schemes. In this scheme, when a browser was faced with three different states of the TLS server certificate (i. e., initialization, normal usage and update), multiple security-enhanced verification schemes are integrated comprehensively in different ways. This scheme took both security and performance into account, and achieve the optimal security and performance over the integrated schemes. The proposed integrated security-enhanced PKI certificate verification scheme effectively defeats the attack of fraudulent TLS server certificates. [ABSTRACT FROM AUTHOR]