This paper presents an on-line method for efficient authentication and verification of certificate status within Public-Key Infrastructures (PKIs). The proposed method has been devised as an alternative to the well-known Online Certificate Status Protocol (OCSP): it exhibits the same positive features of as regards scalability, security, timeliness and expressive power while significantly reducing the directory computational load, a particularly remarkable benefit especially in high-traffic scenarios, where performance bottlenecks could be exploited to induce a denial-of-service over the directory. This key feature has been achieved by means of a purposely conceived extension of the One-Way Accumulator (OWA) cryptographic primitive, which permits to provide an explicit, concise, authenticated and not forgeable proof about the revocation status of each certificate. A thorough investigation on the performance attainable shows that the devised method allows reducing the computational load up to an order of magnitude under normal operating conditions of the PKI in which it is deployed, and, for very intensive query activity, even to fix an upper bound independent from the rate PKI users perform certificate status verification operations.

An efficient and secure alternative to OCSP for public-key certificate revocation / Faldella E.; Prandini M.. - STAMPA. - (2003), pp. 120-125. (Intervento presentato al convegno Proceedings of the IASTED International Conference on Communication, Network, an d Information Security tenutosi a New York, NY., usa nel 2003).

An efficient and secure alternative to OCSP for public-key certificate revocation

Faldella E.
Writing – Review & Editing
;
Prandini M.
Writing – Original Draft Preparation
2003

Abstract

This paper presents an on-line method for efficient authentication and verification of certificate status within Public-Key Infrastructures (PKIs). The proposed method has been devised as an alternative to the well-known Online Certificate Status Protocol (OCSP): it exhibits the same positive features of as regards scalability, security, timeliness and expressive power while significantly reducing the directory computational load, a particularly remarkable benefit especially in high-traffic scenarios, where performance bottlenecks could be exploited to induce a denial-of-service over the directory. This key feature has been achieved by means of a purposely conceived extension of the One-Way Accumulator (OWA) cryptographic primitive, which permits to provide an explicit, concise, authenticated and not forgeable proof about the revocation status of each certificate. A thorough investigation on the performance attainable shows that the devised method allows reducing the computational load up to an order of magnitude under normal operating conditions of the PKI in which it is deployed, and, for very intensive query activity, even to fix an upper bound independent from the rate PKI users perform certificate status verification operations.
2003
Proceedings of the IASTED International Conference on Communication, Network, and Information Security
120
125
An efficient and secure alternative to OCSP for public-key certificate revocation / Faldella E.; Prandini M.. - STAMPA. - (2003), pp. 120-125. (Intervento presentato al convegno Proceedings of the IASTED International Conference on Communication, Network, an d Information Security tenutosi a New York, NY., usa nel 2003).
Faldella E.; Prandini M.
File in questo prodotto:
Eventuali allegati, non sono esposti

I documenti in IRIS sono protetti da copyright e tutti i diritti sono riservati, salvo diversa indicazione.

Utilizza questo identificativo per citare o creare un link a questo documento: https://hdl.handle.net/11585/904949
 Attenzione

Attenzione! I dati visualizzati non sono stati sottoposti a validazione da parte dell'ateneo

Citazioni
  • ???jsp.display-item.citation.pmc??? ND
  • Scopus 1
  • ???jsp.display-item.citation.isi??? ND
social impact