A model for revocation forecasting in public-key infrastructures

One of the hardest tasks of a certification infrastructure is managing revocation. This process consists of collecting the revocation status of certificates and making it available to users. Research on this topic has focused on the trade-offs that different revocation mechanisms offer; much less effort has been devoted to understanding and modelling real-world revocation processes. For this reason, in this paper we present a novel analysis of real-world revocation data and propose a revocation prediction model based on an autoregressive integrated moving average (ARIMA) model. Our prediction model enables certification authorities to forecast the number of revoked certificates in the short term.
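The forecasting idea in the abstract, as an added example that is not the paper's own code or data: the daily revocation count series is first-differenced, the differenced series is fitted as an AR(1) with drift (an ARIMA(1,1,0) model, a model order assumed here since the abstract does not state one), and the fit is integrated forward to obtain short-term forecasts. The input series is constructed, not real CA data.

```python
"""ARIMA(1,1,0)-with-drift forecast of daily revocation counts.

Added example, not the paper's own code or data: the differenced count
series is modelled as y_t = c + phi * y_{t-1}, fitted by ordinary least
squares, then integrated back to give counts for the next h days.
"""
from typing import List, Tuple


def difference(counts: List[float]) -> List[float]:
    """First difference (d=1): y_t = x_t - x_{t-1}."""
    return [b - a for a, b in zip(counts, counts[1:])]


def fit_ar1(y: List[float]) -> Tuple[float, float]:
    """OLS fit of y_t = c + phi * y_{t-1}; returns (c, phi)."""
    xs, ys = y[:-1], y[1:]
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxx = sum((x - mx) ** 2 for x in xs)
    sxy = sum((x - mx) * (v - my) for x, v in zip(xs, ys))
    phi = sxy / sxx if sxx else 0.0  # constant differences: pure drift
    return my - phi * mx, phi


def forecast_revocations(counts: List[float], horizon: int) -> List[float]:
    """Forecast the next `horizon` daily revocation counts (ARIMA(1,1,0))."""
    y = difference(counts)
    c, phi = fit_ar1(y)
    level, last_diff, out = counts[-1], y[-1], []
    for _ in range(horizon):
        last_diff = c + phi * last_diff      # next differenced value
        level = max(0.0, level + last_diff)  # a count cannot go negative
        out.append(level)
    return out


def constructed_series(days: int = 20, start: float = 100.0) -> List[float]:
    """Constructed daily counts (not real CA data): the differences follow
    y_t = 2 + 0.5 * y_{t-1} exactly, so the fit should recover c=2, phi=0.5."""
    counts, diff = [start], 10.0
    for _ in range(days - 1):
        counts.append(counts[-1] + diff)
        diff = 2.0 + 0.5 * diff
    return counts


if __name__ == "__main__":
    history = constructed_series()
    print(forecast_revocations(history, 7))
```

A CA would feed its own daily revocation counts in place of `constructed_series()` and compare each forecast against the realised count to judge whether the model order still fits before sizing CRL or OCSP capacity on it.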
