E. Faldella and M. Prandini (Italy)
Information Systems and the Internet, PKI, CertificateRevocation, Applied Cryptography
The paper presents a new on-line method for efficient authentication and verification of certificate status within Public-Key Infrastructures (PKIs). The method, based on a purposely conceived extension of the One-Way Accumulator (OWA) cryptographic primitive, permits to provide an explicit, concise, authenticated and not forgeable proof about the revocation status of each certificate. A thorough investigation on the performance attainable under different operating conditions shows that the devised method exhibits the same positive features of the well-known On-line Certificate Status Protocol (OCSP) as regards scalability, security and timeliness. Moreover, its peculiar characteristic of authenticating certificates status via a collective directory-signed proof leads to a significant reduction of the directory computational load, which turns out to be upper limited to a bound independent from the rate PKI's users perform certificate status verification operations. This feature is particularly remarkable in a high-traffic scenario, where performance bottlenecks could be exploited to induce a denial-of-service over the directory, as it may happen when OCSP is applied.
Important Links:
Go Back
