PKIX Certificate Status in Hybrid MANETs

  • Jose L. Muñoz
  • Oscar Esparza
  • Carlos Gañán
  • Javier Parra-Arnau
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5746)


Certificate status validation is a hard problem in general, and it is particularly complex in Mobile Ad-hoc Networks (MANETs): a solution must cope both with the lack of fixed infrastructure inside the MANET and with the possible absence of connectivity to trusted authorities at the moment certificate validation has to be performed. Certificate acquisition is usually treated as an initialization phase, but certificate validation is a critical run-time operation, because a node needs to check the validity of a certificate at the moment that certificate is about to be used. In a MANET, the node may at that moment be in a part of the network that is disconnected from the source of status data. Proposals in the literature therefore rely on caching, so that the node itself or a neighbouring node holds some status-checking material (typically online status responses or lists of revoked certificates). However, to the best of our knowledge, the only criterion used so far to judge such cached (and possibly obsolete) material is its age. In this paper we analyse how to deploy a certificate status checking PKI service for hybrid MANETs, and we propose a new criterion based on risk for evaluating cached status data. Risk is a more appropriate and more absolute measure than age because it takes the revocation process itself into account, rather than only the time elapsed since the status data was issued.
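As an added illustration (this is not code from the paper, and the model below is not the paper's), the contrast the abstract draws between an age-based and a risk-based criterion for cached status data can be made concrete with a small Python simulation. The assumed model: revocations of an issuer's certificates arrive as a Poisson process at a known rate, spread uniformly over the certificate population, so the probability that a certificate absent from the cached CRL or OCSP data has been revoked since that data was issued is 1 - exp(-(rate/N) * age). All sample figures (issue time, population, revocation rates, serial numbers, thresholds) are constructed.

```python
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class CachedStatus:
    """Revocation data a node keeps locally (a CRL or a set of OCSP responses)."""
    issued_at: float            # thisUpdate of the cached data, seconds since epoch
    population: int             # number of certificates the issuer's data covers
    revoked_serials: frozenset  # serial numbers the cached data lists as revoked


def time_based_ok(cached: CachedStatus, now: float, max_age_s: float) -> bool:
    """Age-only criterion: trust the cache while it is younger than a fixed limit."""
    return now - cached.issued_at <= max_age_s


def revocation_risk(cached: CachedStatus, now: float, revocations_per_s: float) -> float:
    """Probability that a certificate NOT listed in the cached data has been revoked
    since the data was issued.  Assumed model (not the paper's): revocations arrive
    as a Poisson process of rate `revocations_per_s` spread uniformly over the
    population, so one certificate is revoked at rate lambda/N and
    P(revoked within age) = 1 - exp(-(lambda/N) * age)."""
    age = max(0.0, now - cached.issued_at)
    per_cert_rate = revocations_per_s / cached.population
    return 1.0 - math.exp(-per_cert_rate * age)


def risk_based_ok(cached: CachedStatus, now: float,
                  revocations_per_s: float, max_risk: float) -> bool:
    """Risk criterion: trust the cache while the missed-revocation probability is bounded."""
    return revocation_risk(cached, now, revocations_per_s) <= max_risk


def check_status(serial: int, cached: CachedStatus, now: float,
                 revocations_per_s: float, max_risk: float) -> str:
    """Return 'revoked', 'good' or 'unknown' for a certificate using only the cache.
    A listed revocation is honoured regardless of the data's age: stale status data
    can only under-report revocations (certificateHold aside), never over-report."""
    if serial in cached.revoked_serials:
        return "revoked"
    if risk_based_ok(cached, now, revocations_per_s, max_risk):
        return "good"
    return "unknown"  # too risky: fetch fresh status, or ask a neighbour for a fresher cache


# Constructed sample data: a cached CRL issued 12 h ago covering 1000 certificates,
# evaluated against two hypothetical CAs with different revocation rates.
ISSUED = 1_700_000_000.0
NOW = ISSUED + 12 * 3600
CACHE = CachedStatus(ISSUED, 1000, frozenset({0x1A2B, 0x3C4D}))
LOW_RATE = 10 / 86400.0     # CA revoking about 10 certificates per day
HIGH_RATE = 200 / 86400.0   # CA revoking about 200 certificates per day
MAX_AGE_S = 24 * 3600       # age policy: accept anything under a day old
MAX_RISK = 0.01             # risk policy: tolerate at most a 1% chance of a missed revocation


def compare_policies() -> dict:
    """Decisions both policies make for an unlisted and a listed serial, per CA."""
    out = {}
    for name, rate in (("low_rate_ca", LOW_RATE), ("high_rate_ca", HIGH_RATE)):
        out[name] = {
            "age_ok": time_based_ok(CACHE, NOW, MAX_AGE_S),
            "risk": round(revocation_risk(CACHE, NOW, rate), 4),
            "risk_ok": risk_based_ok(CACHE, NOW, rate, MAX_RISK),
            "unlisted": check_status(0x7777, CACHE, NOW, rate, MAX_RISK),
            "listed": check_status(0x1A2B, CACHE, NOW, rate, MAX_RISK),
        }
    return out


if __name__ == "__main__":
    for ca, decisions in compare_policies().items():
        print(ca, decisions)
```

With these figures both CAs' caches pass the 24-hour age limit, yet the same 12-hour-old data carries roughly a 0.5% missed-revocation probability for the low-rate CA and about 9.5% for the high-rate one; the risk rule accepts the first and returns "unknown" for the second, which is the distinction an age-only rule cannot make. A serial that the cached data lists as revoked is reported as revoked under either policy.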


Keywords: Certification, Public Key Infrastructure, Revocation, Hybrid MANET, Risk



Copyright information

© IFIP International Federation for Information Processing 2009

Authors and Affiliations

Jose L. Muñoz, Oscar Esparza, Carlos Gañán, Javier Parra-Arnau: Departament Enginyeria Telemàtica, Universitat Politècnica de Catalunya, Barcelona, Spain
