Trusted Principal-Hosted Certificate Revocation

  • Sufatrio
  • Roland H. C. Yap
Part of the IFIP Advances in Information and Communication Technology book series (IFIPAICT, volume 358)

Abstract

Public Key Infrastructure is a key infrastructure for secure and trusted communication on the Internet. This paper revisits the problem of providing timely certificate revocation focusing on the needs of mobile devices. We survey existing schemes then present a new approach where the principal’s server functions as the directory for its own revocation information. We evaluate the properties and trust requirements in this approach, and propose two new schemes, CREV-I and CREV-II, which meet the security requirements and performance goals. Evaluation of CREV shows it is more lightweight on the verifier and more scalable at the CA and the principals while providing near real-time revocation.

References

  1. 1.
    Lopez, J., Oppliger, R., Pernul, G.: Why Have Public Key Infrastructures Failed so Far? Internet Research 15(5), 544–556 (2005)CrossRefGoogle Scholar
  2. 2.
    Gutmann, P.: PKI: It’s Not Dead, Just Resting. Computer 35(8), 41–49 (2002)CrossRefGoogle Scholar
  3. 3.
    ITU-T Recommendation X.509: Information Technology - Open Systems Interconnection - The Directory: Public-key and Attribute Certificate Frameworks (2000)Google Scholar
  4. 4.
    Cooper, D., Santesson, S., Farrell, S., Boeyen, S., Housley, R., Polk, W.: Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile. RFC 5280 (2008)Google Scholar
  5. 5.
    Myers, M., Ankney, R., Malpani, A., Galperin, S., Adams, C.: X.509 Internet Public Key Infrastructure Online Certificate Status Protocol - OCSP. RFC 2560 (1999)Google Scholar
  6. 6.
    VeriSign, Inc., VeriSign Certification Practice Statement Version 3.8.1 (2009)Google Scholar
  7. 7.
    Iliadis, J., Gritzalis, S., Spinellis, D., de Cock, D., Preneel, B., Gritzalis, D.: Towards a Framework for Evaluating Certificate Status Information Mechanisms. Computer Communications 26(16), 1839–1850 (2003)CrossRefGoogle Scholar
  8. 8.
    Micali, S.: Efficient Certificate Revocation. Technical report, MIT-LCS-TM-542b, Massachusetts Institute of Technology (1996)Google Scholar
  9. 9.
    Micali, S.: NOVOMODO: Scalable Certificate Validation and Simplified PKI Management. In: PKI Research Workshop (2002)Google Scholar
  10. 10.
    Muñoz, J.L., Forné, J., Esparza, O., Soriano, B.M.: Using OCSP to secure certificate-using transactions in M-commerce. In: Zhou, J., Yung, M., Han, Y. (eds.) ACNS 2003. LNCS, vol. 2846, pp. 280–292. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  11. 11.
    Berbecaru, D.: MBS-OCSP: An OCSP based Certificate Revocation System for Wireless Environments. In: Signal Processing and Information Technology (2004)Google Scholar
  12. 12.
    Aiello, W., Lodha, S., Ostrovsky, R.: Fast digital identity revocation. In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, p. 137. Springer, Heidelberg (1998)Google Scholar
  13. 13.
    Kocher, P. C.: On Certificate Revocation and Validation. In: Financial Cryptography (1998)Google Scholar
  14. 14.
    Naor, M., Nissim, K.: Certificate Revocation and Certificate Update. In: USENIX Security (1998)Google Scholar
  15. 15.
    Goyal, V.: Certificate Revocation Using Fine Grained Certificate Space Partitioning. In: Financial Cryptography and Data Security (2007)Google Scholar
  16. 16.
    Solworth, J. A.: Instant Revocation. In: European PKI workshop on Public Key Infrastructure: Theory and Practice (2008)Google Scholar
  17. 17.
    Solworth, J. A.: Beacon Certificate Push Revocation. In: Computer Security Architecture Workshop (2008)Google Scholar
  18. 18.
    Scheibelhofer, K.: PKI without Revocation Checking. In: PKI R&D Workshop (2005)Google Scholar
  19. 19.
    Lioy, A., Marian, M., Moltchanova, N., Pala, M.: PKI Past, Present and Future. International Journal of Information Security 5, 18–29 (2006)CrossRefGoogle Scholar
  20. 20.
    Lim, T.-L., Lakshminarayanan, A.: On the Performance of Certificate Validation Schemes Based on Pre-Computed Responses. In: GLOBECOM (2007)Google Scholar
  21. 21.
    Zheng, P.: Tradeoffs in Certificate Revocation Schemes. ACM Computer Communication Review 33(2), 103–112 (2003)CrossRefGoogle Scholar
  22. 22.
    Perlines Hormann, T., Wrona, K., Holtmanns, S.: Evaluation of Certificate Validation Mechanisms. Computer Communications 29(3), 291–305 (2006)CrossRefGoogle Scholar
  23. 23.
    Jakobsson, M.: Fractal Hash Sequence Representation and Traversal. IEEE International Symposium on Information Theory, 437–444 (2002)Google Scholar

Copyright information

© International Federation for Information Processing 2011

Authors and Affiliations

  • Sufatrio
    • 1
  • Roland H. C. Yap
    • 2
  1. 1.Temasek LaboratoriesNational University of SingaporeSingapore
  2. 2.School of ComputingNational University of SingaporeSingapore

Personalised recommendations