The paper presents a new on-line method for efficient authentication and verification of certificate status within Public-Key Infrastructures (PKIs). The method, based on a purposely conceived extension of the One-Way Accumulator (OWA) cryptographic primitive, permits to provide an explicit, concise, authenticated and not forgeable proof about the revocation status of each certificate. A thorough investigation on the performance attainable under different operating conditions shows that the devised method exhibits the same positive features of the well-known On-line Certificate Status Protocol (OCSP) as regards scalability, security and timeliness. Moreover, its peculiar characteristic of authenticating certificates status via a collective directory-signed proof leads to a significant reduction of the directory computational load, which turns out to be upper limited to a bound independent from the rate PKI’s users perform certificate status verification operations. This feature is particularly remarkable in a high-traffic scenario, where performance bottlenecks could be exploited to induce a denial-of-service over the directory, as it may happen when OCSP is applied.
Titolo: | Efficient authentication and verification of certificate status within public-key infrastructures |
Autore/i: | FALDELLA, EUGENIO; PRANDINI, MARCO |
Autore/i Unibo: | |
Anno: | 2004 |
Titolo del libro: | Proceedings of the Third IASTED International Conference on Communications, Internet and Information Technology |
Pagina iniziale: | 182 |
Pagina finale: | 188 |
Abstract: | The paper presents a new on-line method for efficient authentication and verification of certificate status within Public-Key Infrastructures (PKIs). The method, based on a purposely conceived extension of the One-Way Accumulator (OWA) cryptographic primitive, permits to provide an explicit, concise, authenticated and not forgeable proof about the revocation status of each certificate. A thorough investigation on the performance attainable under different operating conditions shows that the devised method exhibits the same positive features of the well-known On-line Certificate Status Protocol (OCSP) as regards scalability, security and timeliness. Moreover, its peculiar characteristic of authenticating certificates status via a collective directory-signed proof leads to a significant reduction of the directory computational load, which turns out to be upper limited to a bound independent from the rate PKI’s users perform certificate status verification operations. This feature is particularly remarkable in a high-traffic scenario, where performance bottlenecks could be exploited to induce a denial-of-service over the directory, as it may happen when OCSP is applied. |
Data prodotto definitivo in UGOV: | 12-ott-2005 |
Appare nelle tipologie: | 4.01 Contributo in Atti di convegno |