Simple and Flexible Revocation Checking with Privacy

  • Conference paper
Privacy Enhancing Technologies (PET 2006)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 4258)

Abstract

Digital certificates signed by trusted certification authorities (CAs) are used for multiple purposes, most commonly for secure binding of public keys to names and other attributes of their owners. Although a certificate usually includes an expiration time, it is not uncommon that a certificate needs to be revoked prematurely. For this reason, whenever a client (user or program) needs to assert the validity of another party’s certificate, it performs revocation checking. There are many revocation techniques varying in both the operational model and underlying data structures. One common feature is that a client typically contacts an on-line third party (trusted, untrusted or semi-trusted), identifies the certificate of interest and obtains some form of a proof of either revocation or validity (non-revocation) for the certificate in question.

While useful, revocation checking can leak potentially sensitive information. In particular, third parties of dubious trustworthiness discover two things: (1) the identity of the party posing the query, and (2) the target of the query. The former can be easily remedied with techniques such as onion routing or anonymous web browsing, whereas hiding the target of the query is not as obvious. Arguably, a more important loss of privacy results from the third party’s ability to tie the source of the revocation check to the query’s target (since, most likely, the two are about to communicate). This paper is concerned with the problem of privacy in revocation checking, and its contribution is two-fold: it identifies and explores the loss of privacy inherent in current revocation checking, and it constructs a simple, efficient and flexible privacy-preserving component for one well-known revocation method.

© 2006 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Solis, J., Tsudik, G. (2006). Simple and Flexible Revocation Checking with Privacy. In: Danezis, G., Golle, P. (eds) Privacy Enhancing Technologies. PET 2006. Lecture Notes in Computer Science, vol 4258. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11957454_20

  • DOI: https://doi.org/10.1007/11957454_20

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-68790-0

  • Online ISBN: 978-3-540-68793-1

  • eBook Packages: Computer Science, Computer Science (R0)
