Skip to main content
SpringerLink
Log in

ℋ-OCSP: A protocol to reduce the processing burden in online certificate status validation

  • Published:
Electronic Commerce Research Aims and scope Submit manuscript

Abstract

Public-key cryptography is widely used as the underlying mechanism for securing many protocols and applications in the Internet. A Public Key Infrastructure (PKI) is required to securely deliver public-keys to widely-distributed users or systems. The public key is usually made public by means of a digital document called certificate. Certificates are valid during a certain period of time; however, there are circumstances under which the validity of a certificate must be terminated sooner than assigned and thus, the certificate needs to be revoked. The Online Certificate Status Protocol (OCSP) is one of the most used protocols for retrieving certificate status information from the PKI. However, the OCSP protocol requires online signatures, which is a costly operation. In this article, we present an improvement over OCSP based on hash chains that reduces the processing burden in the server which in turn provides an additional protection against attacks based on flooding of queries.

This is a preview of subscription content, log in via an institution to check access.

Access this article

Log in via an institution

Price excludes VAT (USA)
Tax calculation will be finalised during checkout.

Instant access to the full article PDF.

Institutional subscriptions

Similar content being viewed by others

References

  1. Myers, M., Ankney, R., Malpani, A., Galperin, S., & Adams, C. (1999). X.509 Internet public key infrastructure online certificate status protocol—OCSP. RFC 2560, Internet Engineering Task Force, June 1999.

  2. Chokhani, S., & Ford, W. (1999). Internet X.509 public key infrastructure certificate policy and certification practices framework. RFC 2527, Internet Engineering Task Force, March 1999.

  3. Muñoz, J. L., Forné, J., Esparza, O., & Soriano, M. (2004). Certificate revocation system implementation based on the Merkle hash tree. International Journal of Information Security, 2(2), 110–124.

    Article  Google Scholar 

  4. Cooper, D., Santesson, S., Farrell, S., Boeyen, S., Housley, R., & Polk, W. (2008). Internet X.509 public key infrastructure certificate and Certificate Revocation List (CRL) profile. RFC 5280, Internet Engineering Task Force, May 2008.

  5. CCITT (1988). Recommendation X.500. The directory overview of concepts, models and services.

  6. ITU/ISO (1997). Recommendation X.509. Information technology open systems interconnection—the directory: public key and attribute certificate frameworks.

  7. Cooper, D. A. (1999). A model of certificate revocation. In Fifteenth annual computer security applications conference, pp. 256–264.

  8. Deacon, A., & Hurst, R. (2007). The lightweight online certificate status protocol (OCSP) profile for high-volume environments. RFC 5019, Internet Engineering Task Force, September 2007.

  9. Even, S., Goldreich, O., & Micali, S. (1996). Online/offline signatures. Journal of Cryptology, 9, 35–67.

    Article  Google Scholar 

  10. Kuzmanovic, A., & Knightly, E. W. (2003). Low-rate TCP-targeted denial of service attacks: The shrew vs. the mice and elephants. In ACM SIGCOMM, August 2003.

  11. ITU-T (1995). Recommendation X.680. Abstract syntax notation one (ASN. 1): Specification of basic notation.

  12. ITU-T (1995). Recommendation X.690. ASN. 1 encoding rules: Specification of basic encoding rules (BER), canonical encoding rules (CER) and distinguished encoding rules (DER).

  13. Kocher, P. C. (1998). On certificate revocation and validation. In Lecture notes in computer science : Vol. 1465. International conference on financial cryptography (FC98), February 1998 (pp. 172–177). Berlin: Springer.

    Chapter  Google Scholar 

  14. Aho, A. V., Hopcroft, J. E., & Ullman, J. D. (1988). Data structures and algorithms. Reading: Addison-Wesley.

    Google Scholar 

  15. Kikuchi, H., Abe, K., & Nakanishi, S. (2000). Performance evaluation of public-key certificate revocation system with balanced hash tree. In Second international workshop on information security (ISW 99) (pp. 103–117). Berlin: Springer.

    Google Scholar 

  16. Kikuchi, H., Abe, K., & Nakanishi, S. (2001). Certificate revocation protocol using k-ary hash tree. IEICE Transactions on Communications, 8, 2026–2032.

    Google Scholar 

  17. Naor, M., & Nissim, K. (2000). Certificate revocation and certificate update. IEEE Journal on Selected Areas in Communications, 18(4), 561–560.

    Article  Google Scholar 

  18. Goodrich, M., & Tamassia, R. (2000). Efficient authenticated dictionaries with skip lists and commutative hashing. Technical report, Johns Hopkins Information Security Institute.

  19. Micali, S. (2002). NOVOMODO. Scalable certificate validation and simplified PKI management. In 1st Annual PKI research workshop, pp. 15–25.

  20. Micali, S. (1996). Efficient certificate revocation. Technical report TM-542b, MIT Laboratory for Computer Science.

  21. Zhou, J., Bao, F., & Deng, R. (2006). Minimizing TTP’s involvement in signature validation. International Journal of Information Security, 5(1), 37–47.

    Article  Google Scholar 

  22. Koga, S., Ryou, J.-C., & Sakurai, K. (2004). Pre-production methods of a response to certificates with the common status—design and theoretical evaluation. In Lecture notes in computer science : Vol. 3093. EuroPKI (pp. 85–97). Berlin: Springer.

    Google Scholar 

  23. Iliadis, J., Gritzalis, S., Spinellis, D., de Cock, D., Preneel, B., & Gritzalis, D. (2003). Towards a framework for evaluating certificate status information mechanisms. Computer Communications, 26(16), 1839–1850.

    Article  Google Scholar 

  24. Berkovits, S., Chokhani, S., Furlong, J., Geiter, J., & Guild, J. (1994). Public key infrastructure study: Final report. Technical report, The MITRE Corporation for NIST.

  25. Arnes, A. (2000). Public key certificate revocation schemes. Master thesis, Queen’s University, Ontario, Canada.

  26. Hormann, T. P., Wrona, K., & Holtmanns, S. (2006). Evaluation of certificate validation mechanisms. Computer Communications, 29(3), 291–305.

    Article  Google Scholar 

Download references

Author information

Authors and Affiliations

  1. Technical University of Catalonia, Jordi Girona 1-3, Campus Nord, 08034, Barcelona, Spain

    Jose L. Muñoz, Oscar Esparza, Jordi Forné & Esteve Pallares

Authors
  1. Jose L. Muñoz
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Oscar Esparza
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Jordi Forné
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Esteve Pallares
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Jose L. Muñoz.

Rights and permissions

Reprints and permissions

About this article

Cite this article

Muñoz, J.L., Esparza, O., Forné, J. et al. ℋ-OCSP: A protocol to reduce the processing burden in online certificate status validation. Electron Commer Res 8, 255–273 (2008). https://doi.org/10.1007/s10660-008-9024-y

Download citation

  • Published:

  • Issue Date:

  • DOI: https://doi.org/10.1007/s10660-008-9024-y

Keywords

Search

Navigation