文章指出了PKI(Public Key Infrastructure)安全的关键是CA(Certificate Authority)的私钥保护。由于ECC(EllipticCurve Cryptography)比RSA 等其他公钥密码系统能够提供更好的加密强度、更快的执行速度和更小的密钥长度,因此本文提出了一种基于椭圆曲线密码体制的组零知识证明方法和入侵容忍技术有机结合的私钥合成算法,通过影子服务器的影子安全地保护了私钥、无信息泄露地验证了私钥,而且在受攻击后仍能继续工作。通过可复原性和抗合谋性两方面的安全性分析得此策略有地解决了CA 私钥的安全保护问题。 关键词 CA;私钥;入侵容忍;椭圆曲线密码体制(ECC);组零知识证明 Abstract: This paper points out that linchpin upon PKI (Public Key Infrastructure) security is the protecting private key of CA (Certificate Authority). It is shown that ECC (Elliptic Curve Cryptography) can provide greater strength, higher speed and smaller keys than other systems, therefore putting forward the arithmetic of synthesized private key, which is based on the organic combination between the group zero-knowledge proof of the ECC and the intrusion tolerance technology. Through the share of the share servers, the private key can be protected safely, and validated without leaking information, further more the system can work sequentially after it is attacked. And also reveals that this tactic effectively solves the problem of protecting safely the CA private key to depend on analysis of the security from resilience and withstanding conspiracy attack. Keywords: CA; private key; intrusion tolerance; Elliptic Curve Cryptography (ECC); Group zero-knowledge proof