The paper presents a new on-line method for efficient authentication and verification of certificate status within Public-Key Infrastructures (PKIs). The method, based on a purposely conceived extension of the One-Way Accumulator (OWA) cryptographic primitive, permits to provide an explicit, concise, authenticated and not forgeable proof about the revocation status of each certificate. A thorough investigation on the performance attainable under different operating conditions shows that the devised method exhibits the same positive features of the well-known On-line Certificate Status Protocol (OCSP) as regards scalability, security and timeliness. Moreover, its peculiar characteristic of authenticating certificates status via a collective directory-signed proof leads to a significant reduction of the directory computational load, which turns out to be upper limited to a bound independent from the rate PKI’s users perform certificate status verification operations. This feature is particularly remarkable in a high-traffic scenario, where performance bottlenecks could be exploited to induce a denial-of-service over the directory, as it may happen when OCSP is applied.
Efficient authentication and verification of certificate status within public-key infrastructures
FALDELLA, EUGENIO;PRANDINI, MARCO
2004
Abstract
The paper presents a new on-line method for efficient authentication and verification of certificate status within Public-Key Infrastructures (PKIs). The method, based on a purposely conceived extension of the One-Way Accumulator (OWA) cryptographic primitive, permits to provide an explicit, concise, authenticated and not forgeable proof about the revocation status of each certificate. A thorough investigation on the performance attainable under different operating conditions shows that the devised method exhibits the same positive features of the well-known On-line Certificate Status Protocol (OCSP) as regards scalability, security and timeliness. Moreover, its peculiar characteristic of authenticating certificates status via a collective directory-signed proof leads to a significant reduction of the directory computational load, which turns out to be upper limited to a bound independent from the rate PKI’s users perform certificate status verification operations. This feature is particularly remarkable in a high-traffic scenario, where performance bottlenecks could be exploited to induce a denial-of-service over the directory, as it may happen when OCSP is applied.I documenti in IRIS sono protetti da copyright e tutti i diritti sono riservati, salvo diversa indicazione.
