Abstract
Certificate Revocation Lists (CRLs) are a popular means of revocation checking. A CRL is a signed and time-stamped list containing information about all revoked certificates issued by a certification authority. One of the shortcomings of CRLs is poor scalability, which influences update, bandwidth and storage costs. We claim that other (more efficient) revocation techniques leak potentially sensitive information. Information leaks occur since third parties (agents, servers) of dubious trustworthiness discover the identities of the parties posing revocation check queries as well as identities of the queries’ targets. An even more important privacy loss results from the third party’s ability to tie the source of the revocation check with the query’s target. (Since, most likely, the two are about to communicate.) This paper focuses on privacy and efficiency in revocation checking. Its main contribution is a simple modified CRL structure that allows for efficient revocation checking with customizable levels of privacy.
Keywords
- Anonymity and Privacy
- Certificate Revocation
This is a preview of subscription content, access via your institution.
Buying options
Tax calculation will be finalised at checkout
Purchases are for personal use only
Learn about institutional subscriptionsPreview
Unable to display preview. Download preview PDF.
References
Aiello, W., Lodha, S., Ostrovsky, R.: Fast digital identity revocation. In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, Springer, Heidelberg (1998)
The OpenPGP Alliance. Openpgp: Open pretty good privacy, http://www.openpgp.org/
Baric, N., Pfitzmann, B.: Collision-free accumulators and fail-stop signature schemes without trees. In: Fumy, W. (ed.) EUROCRYPT 1997. LNCS, vol. 1233, pp. 480–494. Springer, Heidelberg (1997)
Cachin, C., Micali, S., Stadler, M.: Computationally private information retrieval with polylog communication. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, IACR, vol. 1592, Springer, Heidelberg (1999)
Verisign Corporation. Compare all ssl certificates from verisign, inc. http://www.verisign.com/products-services/security-services/ssl/buy-ssl-certificates/compare/index.html
Dierks, T., Rescorla, E.: The transport layer security (tls) protocol, version 1.1. Internet Request for Comments: RFC 4346, April 2006, Network Working Group (2006)
Inc. Free Software Foundation. Gnu privacy guard, http://www.gnupg.org/
Goodrich, M., Tamassia, R., Schwerin, A.: Implementation of an authenticated dictionary with skip lists and commutative hashing. In: Proceedings of DARPA DISCEX II (2001)
OpenSSL User Group. The openssl project web page, http://www.openssl.org
Kent, S., Seo, K.: Security architecture for the internet protocol. Internet Request for Comments: RFC 4301, December 2005, Network Working Group (2005)
Kikuchi, H.: Privacy-preserving revocation check in pki. In: 2nd US-Japan Workshop on Critical Information Infrastructure Protection, July 2005, pp. 480–494 (2005)
Kocher, P.: On certificate revocation and validation. In: Proceedings of Financial Cryptography 1998, pp. 172–177 (1998)
Kushilevitz, E., Ostrovsky, R.: Computationally private information retrieval with polylog communication. In: Proceedings of IEEE Symposium on Foundation of Computer Science, pp. 364–373. IEEE Computer Society Press, Los Alamitos (1997)
RSA Laboratories.: Crypto faq: Chapter 4.1.3.16. what are certificate revocation lists (crls)? http://www.rsa.com/rsalabs/node.asp?id=2283
Menezes, A.J., van Oorschot, P.C., Vanstone, S.A.: Handbook of applied cryptography. CRC Press, Boca Raton (1997)
Merkle, R.: Secrecy, Authentication, and Public-Key Systems. PhD thesis, Stanford University, PH.D Dissertation, Department of Electrical Engineering (1979)
Micali, S.: Certificate revocation system. United States Patent 5666416 (September 1997)
Myers, M., Ankney, R., Malpani, A., Galperin, S., Adams, C.: Internet public key infrastructure online certificate status protocol - OCSP. Internet Request for Comments: RFC 2560, 1999. Network Working Group (1999)
Mykletun, E., Narasimha, M., Tsudik, G.: Authentication and integrity in outsourced databases. In: Symposium on Network and Distributed Systems Security (NDSS 2004) (February 2004)
Naor, M., Nissim, K.: Certificate revocation and certificate update. IEEE Journal on Selected Areas in Communications (JSAC) 18(4), 561–570 (2000)
Solis, J., Tsudik, G.: Simple and flexible revocation checking with privacy. In: Danezis, G., Golle, P. (eds.) PET 2006. LNCS, vol. 4258, Springer, Heidelberg (2006)
Sun Microsystems: Sun Fire T1000, and T2000 Servers Benchmarks, http://www.sun.com/servers/coolthreads/t1000/benchmarks.jsp
International Telecommunication Union. Recommendation x.509: Information technology open systems interconnection - the directory: Authentication framework, 6-1997, 1997. Also published as ISO/IEC International Standard 9594-8 (1997e)
Author information
Authors and Affiliations
Editor information
Rights and permissions
Copyright information
© 2007 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Narasimha, M., Tsudik, G. (2007). Privacy-Preserving Revocation Checking with Modified CRLs. In: Lopez, J., Samarati, P., Ferrer, J.L. (eds) Public Key Infrastructure. EuroPKI 2007. Lecture Notes in Computer Science, vol 4582. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-73408-6_2
Download citation
DOI: https://doi.org/10.1007/978-3-540-73408-6_2
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-73407-9
Online ISBN: 978-3-540-73408-6
eBook Packages: Computer ScienceComputer Science (R0)