Geographic server distribution model for key revocation

Key management is one of the most important issues in securing network services. Its aim is to ensure that keys are available at both the receiver’s and the sender’s ends. Key management has two aspects: key distribution and key revocation. Key distribution delivers keys to the various nodes in secrecy to provide authenticity and privacy. Key revocation securely and efficiently manages information about keys that have been compromised. This paper presents the geographic server distributed model for key revocation, which addresses both the security and the performance of the system. The concept presented in this paper is more reliable, faster and more scalable than the existing Public Key Infrastructure (PKI) framework in various countries, as it optimizes key authentication in a network. It proposes that the client automatically seek out a geographically distributed key revocation server of the certifying authority, which holds the revocation lists, based on the best service availability. The network divides itself into strongest availability zones (SAZ), which automatically allow a new receiver to update the address of the authentication server, replacing the old address with the new address of the SAZ, if it moves to another location in the zone or if the server becomes unavailable in the same zone. This reduces the time needed to obtain the revocation list and ensures availability, and thus improves the system as a whole. Hence, the proposed system results in a scalable, reliable and faster PKI and will be attractive to users who frequently change their location in the network. Our scheme eases the revocation mechanism and enables key revocation in legacy systems. The paper discusses the architecture as well as the performance of our scheme compared with the existing scheme. However, our scheme does not call for a complete change in PKI, but is compatible with the existing scheme. Our simulations show that the proposed scheme is better for key revocation.
