Abstract
Public-key cryptography is widely used as the underlying mechanism for securing many protocols and applications in the Internet. A Public Key Infrastructure (PKI) is required to securely deliver public-keys to widely-distributed users or systems. The public key is usually made public by way of a digital document called a certificate. Certificates are valid during a certain period of time, however, there are circumstances under which the validity of a certificate must be terminated sooner than assigned and thus, the certificate needs to be revoked. The revocation of certificates implies one of the major costs of the whole PKI. The goal of this paper is to present an efficient offline revocation system based on the Merkle Hash Tree (MHT) named Enhanced-MHT (E-MHT). The authors propose several mechanisms that allow the E-MHT to provide a response size that is close to (or even better than) online systems. These mechanisms include the optimization of the MHT \(\mathcal {P}\)aths for non-revoked certificates, the division of the status data among multiple MHTs and a low cost mechanism for re-utilization of MHT digests and E-MHT responses. Furthermore, an ASN.1 protocol for the E-MHT is introduced and discussed. Finally, a performance evaluation of the E-MHT using this protocol is presented.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Preview
Unable to display preview. Download preview PDF.
References
Adams, C., Farrell, S.: Internet X.509 Public Key Infrastructure Certificate Management Protocols, RFC 2510 (1999)
Buldas, A., Laud, P., Lipmaa, H.: Eliminating counterevidence with applications to accountable certificate management. Journal of Computer Security 10(3), 273–296 (2002)
Even, S., Goldreich, O., Micali, S.: Online/offline signatures. Journal of Criptology 9, 35–67 (1996)
Fox, B., LaMacchia, B.: Certificate Revocation: Mechanics and Meaning. In: Hirschfeld, R. (ed.) FC 1998. LNCS, vol. 1465, pp. 158–164. Springer, Heidelberg (1998)
Housley, R., Ford, W., Polk, W., Solo, D.: Internet X.509 Public Key Infrastructure Certificate and CRL Profile, RFC 2459 (1999)
ITU/ISO Recommendation. X.509 Information Technology Open Systems Interconnection - The Directory: Autentication Frameworks, Technical Corrigendum (2000)
Kocher, P.C.: On certificate revocation and validation. In: Hirschfeld, R. (ed.) FC 1998. LNCS, vol. 1465, pp. 172–177. Springer, Heidelberg (1998)
Merkle, R.C.: A certified digital signature. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 234–246. Springer, Heidelberg (1989)
Micali, S.: Efficient certificate revocation. Technical Report TM-542b, MIT Laboratory for Computer Science (1996)
Muñoz, J.L., Forné, J., Esparza, O., Soriano, M.: A Certificate Status Checking Protocol for the Authenticated Dictionary. In: Gorodetsky, V., Popyack, L.J., Skormin, V.A. (eds.) MMM-ACNS 2003. LNCS, vol. 2776, pp. 255–266. Springer, Heidelberg (2003)
Muñoz, J.L., Forné, J., Esparza, O., Soriano, M.: Implementation of an Efficient Authenticated Dictionary for Certificate Revocation. In: The Eighth IEEE Symposium on Computers and Communications (ISCC 2003), June 2003, vol. 1, pp. 238–243. IEEE Computer Society, Los Alamitos (2003)
Myers, M., Ankney, R., Malpani, A., Galperin, S., Adams, C.: X.509 Internet Public Key Infrastructure Online Certificate Status Protocol - OCSP, RFC 2560 (1999)
Naor, M., Nissim, K.: Certificate Revocation and Certificate Update. IEEE Journal on Selected Areas in Communications 18(4), 560–561 (2000)
CCITT Recommendation X.500. The directory overview of concepts, models and services (1988)
ITU-T Recommendation X.680. Abstract syntax notation one (asn.1): Specification of basic notation (1995)
ITU-T Recommendation X.690. ASN.1 Encoding Rules: Specification of Basic Encoding Rules (BER), Canonical Encoding Rules (CER) and Distinguished Encoding Rules (DER) (1995)
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2004 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Muñoz, J.L., Forné, J., Esparza, O., Soriano, M. (2004). E-MHT. An Efficient Protocol for Certificate Status Checking. In: Chae, KJ., Yung, M. (eds) Information Security Applications. WISA 2003. Lecture Notes in Computer Science, vol 2908. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-24591-9_31
Download citation
DOI: https://doi.org/10.1007/978-3-540-24591-9_31
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-20827-3
Online ISBN: 978-3-540-24591-9
eBook Packages: Springer Book Archive