论文信息 - A novel approach to on-line status authentication of public-key certificates

A novel approach to on-line status authentication of public-key certificates

The widespread use of public networks, such as the Internet, for the exchange of sensitive data, like legally valid documents and business transactions, poses severe security constraints. The approach relying on public-key certificates certainly represents a valuable solution from the viewpoint of data integrity and authentication. The effectiveness of the approach, however, may be arguable, especially when a trivial strategy is adopted within a public key infrastructure (PKI) to deal with the problem of revoked certificates. This paper presents a novel certificate status handling scheme, based on a purposely-conceived extension of the one-way accumulator (OWA) cryptographic primitive. The distinguishing characteristic of the devised Owa-based Revocation Scheme (ORS) is that it exploits a single directory-signed proof to collectively authenticate the status of all the certificates handled by a certification authority (CA) within a PKI. A thorough investigation on the performance attainable shows that ORS exhibits the same features of the well-known Online Certificate Status Protocol (OCSP) as regards security, scalability and certificate status-updating timeliness, at the same time drastically reducing the directory computational load that, in a high-traffic context, could be nearly unbearable when OCSP is applied.

Marco Prandini | Eugenio Faldella | M. Prandini | E. Faldella

[1] Carlisle M. Adams,et al. X.509 Internet Public Key Infrastructure Online Certificate Status Protocol - OCSP , 1999, RFC.

[2] E. FALDELLA,et al. Efficient Handling of Certificates within Public-Key Infrastructures , 1999 .

[3] Russ Housley,et al. Internet X.509 Public Key Infrastructure Certificate and CRL Profile , 1999, RFC.

[4] Carlisle M. Adams,et al. X.509 Internet Public Key Infrastructure Online Certificate Status Protocol - OCSP , 1999, RFC.

[5] Josh Benaloh,et al. One-Way Accumulators: A Decentralized Alternative to Digital Sinatures (Extended Abstract) , 1994, EUROCRYPT.

[6] Whitfield Diffie,et al. Multiuser cryptographic techniques , 1976, AFIPS '76.

[7] Marco Prandini. Efficient certificate status handling within PKIs: an application to public administration services , 1999, Proceedings 15th Annual Computer Security Applications Conference (ACSAC'99).

[8] James H. Burrows,et al. Secure Hash Standard , 1995 .

[9] Moni Naor,et al. Certificate revocation and certificate update , 1998, IEEE Journal on Selected Areas in Communications.

[10] Adi Shamir,et al. A method for obtaining digital signatures and public-key cryptosystems , 1978, CACM.

[11] Whitfield Diffie,et al. New Directions in Cryptography , 1976, IEEE Trans. Inf. Theory.