Journal of Computers, Vol 7, No 6 (2012), 1437-1444, Jun 2012
doi:10.4304/jcp.7.6.1437-1444

An Efficient Certificate Revocation and Verification Scheme from Multi-Hashing

Mengbo Hou, Qiuliang Xu, Fengbo Lin

Abstract


Even though Public Key Infrastructure (PKI) and X.509 certificates have been a prominent security model for a variety of e-commerce applications and large-scale distributed computing, their certificate revocation and verification mechanisms have not been sufficiently investigated. In this paper, we discuss the need for and importance of certificate revocation and verification, and analyze the limitations of several certificate validation schemes that are widely used in PKI environments. We then propose an alternative scheme. The underlying idea is that the certificate holder provides a certificate validation proof (CVP) to verifiers on its own initiative. In this scheme, the CVP is a proof issued by a trusted third party (TTP) stating whether the certificate has been revoked. In any transaction, the certificate holder provides the CVP to the verifier, and the verifier learns the validity status of the certificate by verifying the CVP efficiently, without any extra information except the certificate. The CVP is created by multiple operations with a hash function, and these operations are associated with the current time. The suggested scheme is simple in principle and is characterized by distributed processing, high security, low communication costs and good practicability.
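The abstract does not give the construction itself, so the following is an added example, not the authors' code: it sketches one generic way a time-indexed hash chain can act as a holder-supplied validity proof that the verifier checks using only a value bound into the certificate. SHA-256, the one-day period, the function names and the sample seed are all assumptions.

```python
import hashlib
import hmac
from typing import Optional

PERIOD_SECONDS = 86400  # assumed granularity: one proof per day


def h_iter(value: bytes, times: int) -> bytes:
    """Apply SHA-256 `times` times (the repeated hashing step)."""
    for _ in range(times):
        value = hashlib.sha256(value).digest()
    return value


def issue_anchor(seed: bytes, periods: int) -> bytes:
    """TTP side, at issuance: anchor H^periods(seed), bound into the certificate."""
    return h_iter(seed, periods)


def period_index(issued_at: int, now: int) -> int:
    """Whole periods elapsed since issuance; both sides derive it from the clock."""
    return (now - issued_at) // PERIOD_SECONDS


def make_cvp(seed: bytes, periods: int, issued_at: int, now: int,
             revoked: bool) -> Optional[bytes]:
    """TTP side: release H^(periods-i)(seed) for period i, or nothing if revoked."""
    i = period_index(issued_at, now)
    if revoked or not 0 <= i <= periods:
        return None
    return h_iter(seed, periods - i)


def verify_cvp(anchor: bytes, periods: int, issued_at: int, now: int,
               cvp: Optional[bytes]) -> bool:
    """Verifier side: hash the proof i times and compare with the anchor."""
    i = period_index(issued_at, now)
    if cvp is None or not 0 <= i <= periods:
        return False
    return hmac.compare_digest(h_iter(cvp, i), anchor)


# Constructed sample values for a stand-alone run.
SEED = b"constructed-ttp-secret-seed"
PERIODS = 365
ISSUED_AT = 1_700_000_000
ANCHOR = issue_anchor(SEED, PERIODS)
```

A proof released for period i fails in period i+1, because hashing it one extra time overshoots the anchor, and a later proof cannot be derived from an earlier one without inverting the hash.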



Keywords


Public Key Infrastructure; X.509 certificate; certificate validation; hash function


Journal of Computers (JCP, ISSN 1796-203X)

Copyright @ 2006-2013 by ACADEMY PUBLISHER – All rights reserved.