• PDF / 400,388 Bytes
• 13 Pages / 430 x 660 pts Page_size
• 86 Downloads / 257 Views

DOWNLOAD

REPORT

stract. A new certificate revocation system is presented. The basic idea is to divide the certificate space into several partitions, the number of partitions being dependent on the PKI environment. Each partition contains the status of a set of certificates. A partition may either expire or be renewed at the end of a time slot. This is done efficiently using hash chains. We evaluate the performance of our scheme following the framework and numbers used in previous papers. We show that for many practical values of the system parameters, our scheme is more efficient than the three well known certificate revocation techniques: CRL, CRS and CRT. Our scheme strikes the right balance between CA to directory communication costs and query costs by carefully selecting the number of partitions.

1

Introduction

A certificate is a digitally signed statement binding the key holder’s (principal’s) name to a public key and various other attributes. The signer (or the issuer) is commonly called a certificate authority (CA). Certificates act as a mean to provide trusted information about the CA’s declaration w. r. t. the principal. The declaration may be of the form: “We, the Certificate Authority, declare that we know Alice. The public key of Alice is ...” “We further declare that we trust Alice for ...” (optional part) Certificates are tamper-evident (modifying the data makes the signature invalid) and unforgeable (only the holder of the secret, signing key can produce the signature). Certificates are the building blocks of a Public Key Infrastructure (PKI). When a certificate is issued, the CA declares the period of time for which the certificate is valid. However, there may be situations when the certificate must abnormally be declared invalid prior to its expiration date. This is called certificate revocation. This can be viewed as “blacklisting” the certificate. This means that the existence of a certificate is a necessary but not sufficient evidence 

Work done while the author was a student at IT-BHU.

S. Dietrich and R. Dhamija (Eds.): FC 2007 and USEC 2007, LNCS 4886, pp. 247–259, 2007. c IFCA/Springer-Verlag Berlin Heidelberg 2007 

248

V. Goyal

for its validity. A method for revoking certificates and distributing this revocation information to all the involved parties is thus a requirement in PKI. The reasons for revoking a certificate may be: suspected or detected key compromise, change of principal name, change of relationship between a principal and the CA (e.g., Alice may leave or be fired from the company) or end of CA’s trust into the principle due to any possible reason. The revocation mechanism should have an acceptable degree of timeliness, i.e., the interval between when the CA made a record of revocation and when this information became available to the relying parties should be small enough to be acceptable. Further, it is very important for the revocation mechanism to be efficient as the running expenses of a PKI derives mainly from administering revocation [Stu95]. Existing Techniques for Certificate Revocation. Certificate Revoc

Recommend Documents

Certificate Revocation in Hybrid Ad Hoc Network

187 56 496KB

Blockchain-Based Certificate Transparency and Revocation Transparency

244 100 409KB

Death Certificate

181 66 57MB

Retail Certificate Workbook

185 74 17MB

Certificate Complexity and Exact Learning

179 50 162KB

Towards Fine-Grained Indoor White Space Sensing

154 75 48MB

A Permissioned Blockchain-Based Platform for Education Certificate Verification

179 65 55MB

Space Partitioning

189 13 2MB

Energy Efficiency Governance The Case of White Certificate Instrumen

160 56 3MB

A Non-Extendibility Certificate for Submodularity and Applications

147 72 16MB

Domain Authentication Protocol Based on Certificate Signcryption in Ipv6 Network

152 6 14MB

Exploring the Security of Certificate Transparency in the Wild

155 94 39MB