Distributing security-mediated PKI

  • Special Issue Paper
  • International Journal of Information Security

Abstract

The security-mediated approach to PKI offers several advantages, such as instant revocation and compatibility with standard RSA tools. In this paper, we present a design and prototype that addresses its trust and scalability problems. We use trusted computing platforms linked with peer-to-peer networks to create a network of trustworthy mediators and improve availability. We use threshold cryptography to build a back-up and migration technique which allows recovery from a mediator crash while also avoiding having all mediators share all secrets. We then use strong forward secrecy with this migration to mitigate the damage should a crashed mediator actually be compromised.
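As an added illustration of the building blocks the abstract names, and not code from the paper's prototype or protocol: the mediated-RSA split in the style of Boneh, Ding and Tsudik, where the private exponent is divided additively between user and mediator (SEM) so the combined signature verifies under an ordinary RSA public key; instant revocation by the mediator withholding its half; and a (2,3) Shamir backup of the mediator's half so a crashed mediator can be rebuilt from any two of three peers. The `refresh` step is a simple proactive re-randomisation used here as a stand-in; it is not the strong-forward-secrecy scheme the paper applies. Parameters are toy-sized (two Mersenne primes, textbook RSA with no padding) and the code is insecure as written.

```python
"""Mediated RSA with a threshold-backed-up mediator share (constructed demo;
toy parameters, textbook RSA with no padding, illustration only)."""
import secrets

# Known Mersenne primes M61 and M89 as a toy RSA modulus (not a secure key).
P = 2**61 - 1
Q = 2**89 - 1
N = P * Q
PHI = (P - 1) * (Q - 1)
E = 65537
D = pow(E, -1, PHI)            # ordinary RSA private exponent

# Prime field for Shamir sharing; M521 comfortably exceeds PHI.
FIELD = 2**521 - 1


def split_key(d=D, phi=PHI):
    """Mediated-RSA split d = d_u + d_sem (mod phi); neither half alone is d."""
    d_u = secrets.randbelow(phi - 1) + 1
    return d_u, (d - d_u) % phi


class Mediator:
    """Holds a user's d_sem and withholds it once the user is revoked."""

    def __init__(self, d_sem):
        self.d_sem = d_sem
        self.revoked = False

    def partial_sign(self, m):
        if self.revoked:
            return None            # instant revocation: no half, no signature
        return pow(m, self.d_sem, N)


def sign(m, d_u, sem):
    """Combine the halves: m^d_u * m^d_sem = m^d (mod N)."""
    ps_sem = sem.partial_sign(m)
    if ps_sem is None:
        return None
    return (pow(m, d_u, N) * ps_sem) % N


def verify(m, sig):
    """Plain RSA verification; the verifier never learns a mediator was involved."""
    return sig is not None and pow(sig, E, N) == m


def shamir_split(secret, t, n, field=FIELD):
    """(t, n) Shamir sharing over GF(field); returns [(x, f(x)), ...]."""
    coeffs = [secret % field] + [secrets.randbelow(field) for _ in range(t - 1)]
    shares = []
    for x in range(1, n + 1):
        y = 0
        for c in reversed(coeffs):     # Horner evaluation of f(x)
            y = (y * x + c) % field
        shares.append((x, y))
    return shares


def shamir_recover(shares, field=FIELD):
    """Lagrange interpolation at x = 0 from any t distinct shares."""
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = (num * -xj) % field
                den = (den * (xi - xj)) % field
        secret = (secret + yi * num * pow(den, -1, field)) % field
    return secret


def refresh(d_u, d_sem, phi=PHI):
    """Proactive re-randomisation (stand-in, not the paper's forward-secrecy step):
    same d, fresh halves, so an old half taken from a crashed box is useless."""
    delta = secrets.randbelow(phi)
    return (d_u + delta) % phi, (d_sem - delta) % phi


def run_demo(m=0x1234_5678_9ABC):
    """Walk through signing, revocation, mediator recovery and refresh."""
    d_u, d_sem = split_key()
    sem = Mediator(d_sem)
    out = {"signed": verify(m, sign(m, d_u, sem)),
           "user_half_alone": verify(m, pow(m, d_u, N))}
    sem.revoked = True
    out["after_revocation"] = sign(m, d_u, sem) is None

    # Back up d_sem across three peer mediators; any two rebuild a crashed one.
    shares = shamir_split(d_sem, 2, 3)
    rebuilt = Mediator(shamir_recover([shares[0], shares[2]]))
    out["recovered_sem_signs"] = verify(m, sign(m, d_u, rebuilt))

    # Migrate to fresh halves; the stale d_sem no longer pairs with the new d_u.
    d_u2, d_sem2 = refresh(d_u, d_sem)
    out["refreshed_signs"] = verify(m, sign(m, d_u2, Mediator(d_sem2)))
    out["stale_half_fails"] = not verify(m, sign(m, d_u2, rebuilt))
    return out


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k}: {v}")
```

The point to check in practice is the last two results together: after migration a new mediator half signs correctly with the new user half, while the recovered pre-migration half no longer does, which is what makes a leaked or compromised old mediator share harmless once the migration has run.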



Author information

Corresponding author

Correspondence to Gabriel Vanrenen.

Additional information

Gabriel Vanrenen is currently a software engineer at Wily Technology, Inc. in Brisbane, CA, where he works on J2EE application performance management software. He received a B.A. in Computer Science (Summa Cum Laude) from Dartmouth College. At Dartmouth, he researched trusted third parties and PKI with his Senior Honors Thesis advisor Sean Smith.

Sean Smith is on the faculty of the Department of Computer Science at Dartmouth College. His current research and teaching focus on how to build trustworthy systems in the real world. He previously worked as a scientist at IBM T.J. Watson Research Center, doing secure coprocessor design, implementation and validation; and at Los Alamos National Laboratory, doing security designs and analyses for a wide range of public-sector clients. Dr. Smith was educated at Princeton (B.A., Math, but only Magna Cum Laude) and Carnegie Mellon (M.S., Ph.D., Computer Science).

John Marchesini is currently a Ph.D. candidate in the Computer Science Department at Dartmouth College. His advisor is Sean Smith, and his research interests are security, distributed systems, and PKI. Before going to Dartmouth, he worked as a software developer for the BindView Corporation and earned a B.S. in Computer Science from the University of Houston (Summa Cum Laude).

About this article

Cite this article

Vanrenen, G., Smith, S. & Marchesini, J. Distributing security-mediated PKI. Int. J. Inf. Secur. 5, 3–17 (2006). https://doi.org/10.1007/s10207-005-0076-x
