论文信息 - Certificate Revocation Guard (CRG): An Efficient Mechanism for Checking Certificate Revocation

Certificate Revocation Guard (CRG): An Efficient Mechanism for Checking Certificate Revocation

In the Public Key infrastructure (PKI) model, digital certificates play a vital role in securing online communication. Communicating parties exchange and validate these certificates, the validation fails if a certificate has been revoked. In this paper we propose the Certificate Revocation Guard (CRG) to efficiently check certificate revocation while minimising bandwidth, latency and storage overheads. CRG is based on OCSP, which caches the status of certificates locally. CRG could be installed on the user's machine, at the organisational proxy or even at the ISP level. Compared to a naive approach (where a client checks the revocation status of all certificates in the chain on every request), CRG decreases the bandwidth overheads and network latencies by 95%. Using CRG incurs 69% lower storage overheads compared to the CRL method. Our results demonstrate the effectiveness of our approach to improve certificate revocation.

Muhammad Rizwan Asghar | Nevil Brownlee | Qinwen Hu

[1] C. Jackson,et al. Towards Short-Lived Certificates , 2012 .

[2] Moni Naor,et al. Certificate revocation and certificate update , 1998, IEEE Journal on Selected Areas in Communications.

[3] Carl A. Gunter,et al. Generalized certificate revocation , 2000, POPL '00.

[4] John S. Heidemann,et al. Measuring the Latency and Pervasiveness of TLS Certificate Revocation , 2016, PAM.

[5] Rafail Ostrovsky,et al. Fast Digital Identity Revocation (Extended Abstract) , 1998, CRYPTO.

[6] Paul C. Kocher. On Certificate Revocation and Validation , 1998, Financial Cryptography.

[7] Albert Levi,et al. Reducing Certificate Revocating Cost using NPKI , 2001, SEC.

[8] Adrian Perrig,et al. PKI Safety Net (PKISN): Addressing the Too-Big-to-Be-Revoked Problem of the TLS Ecosystem , 2016, 2016 IEEE European Symposium on Security and Privacy (EuroS&P).

[9] Peter Gutmann,et al. PKI: It's Not Dead, Just Resting , 2002, Computer.

[10] Bruce M. Maggs,et al. An End-to-End Measurement of Certificate Revocation in the Web's PKI , 2015, Internet Measurement Conference.